| Message ID | 20230413074926.239605-1-zyytlz.wz@163.com |
|---|---|
| State | New |
| Series | [RESEND] usb: renesas_usbhs: Fix use after free bug in usbhs_remove due to race condition |
Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> wrote on Thursday, 13 April 2023 at 20:19:
>
> Hi,
>
> > From: Zheng Wang, Sent: Thursday, April 13, 2023 4:49 PM
> >
> > In usbhs_probe, &priv->notify_hotplug_work is bound with
> > usbhsc_notify_hotplug. It will be started then.
> >
> > If we remove the driver which will call usbhs_remove
> > to make cleanup, there may be an unfinished work.
> >
> > The possible sequence is as follows:
> >
> > Fix it by finishing the work before cleanup in the usbhs_remove
> >
> > CPU0                   CPU1
> >
> >                        |usbhsc_notify_hotplug
> > usbhs_remove           |
> > usbhs_mod_remove       |
> > usbhs_mod_gadget_remove|
> > kfree(gpriv);          |
> >                        |usbhsc_hotplug
> >                        |usbhs_mod_call start
> >                        |usbhsg_start
> >                        |usbhsg_try_start
> >                        |//use gpriv
>
> Thank you for the patch!
>
> You should adjust the figure like the following because Greg mentioned it on another patch [1].

Thanks for your advice. Will apply in the next.

Best regards,
Zheng

> -----
> CPU0                     CPU1
>
>                          | usbhsc_notify_hotplug
> usbhs_remove             |
> usbhs_mod_remove         |
> usbhs_mod_gadget_remove  |
> kfree(gpriv);            |
>                          | usbhsc_hotplug
>                          | usbhs_mod_call start
>                          | usbhsg_start
>                          | usbhsg_try_start
>                          | //use gpriv
> -----
>
> [1]
> https://lore.kernel.org/lkml/ZBNCam0XjWehrF3c@kroah.com/
>
> Best regards,
> Yoshihiro Shimoda
>
> > Fixes: bc57381e6347 ("usb: renesas_usbhs: use delayed_work instead of work_struct")
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
> >  drivers/usb/renesas_usbhs/common.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c
> > index 96f3939a65e2..17a0987ef4f5 100644
> > --- a/drivers/usb/renesas_usbhs/common.c
> > +++ b/drivers/usb/renesas_usbhs/common.c
> > @@ -768,6 +768,7 @@ static int usbhs_remove(struct platform_device *pdev) > > > > dev_dbg(&pdev->dev, "usb remove\n"); > > > > + cancel_delayed_work_sync(&priv->notify_hotplug_work); > > /* power off */ > > if (!usbhs_get_dparam(priv, runtime_pwctrl)) > > usbhsc_power_ctrl(priv, 0); > > -- > > 2.25.1 >
diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c index 96f3939a65e2..17a0987ef4f5 100644 --- a/drivers/usb/renesas_usbhs/common.c +++ b/drivers/usb/renesas_usbhs/common.c @@ -768,6 +768,7 @@ static int usbhs_remove(struct platform_device *pdev) dev_dbg(&pdev->dev, "usb remove\n"); + cancel_delayed_work_sync(&priv->notify_hotplug_work); /* power off */ if (!usbhs_get_dparam(priv, runtime_pwctrl)) usbhsc_power_ctrl(priv, 0);
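Review bot: the added cancel_delayed_work_sync(&priv->notify_hotplug_work) closes the window for a pending or in-flight run, but it does not prevent notify_hotplug_work from being scheduled again, and nothing in this hunk quiesces the hotplug notification path first; a notification arriving after this line and before the kfree(gpriv) in usbhs_mod_gadget_remove() that the commit message names would reopen the same race. Either confirm in the commit message that notifications can no longer fire by this point of usbhs_remove(), or move the cancel to after the source of re-scheduling is stopped. A one-line comment above the call explaining why it must precede the power-off and usbhs_mod_remove(), along the lines of `/* the hotplug work dereferences gpriv; stop it before tearing down the mod */`, would also spare the next reader a trip to the commit log.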
In usbhs_probe, &priv->notify_hotplug_work is bound with
usbhsc_notify_hotplug. It will be started then.

If we remove the driver which will call usbhs_remove
to make cleanup, there may be an unfinished work.

The possible sequence is as follows:

Fix it by finishing the work before cleanup in the usbhs_remove

CPU0                   CPU1

                       |usbhsc_notify_hotplug
usbhs_remove           |
usbhs_mod_remove       |
usbhs_mod_gadget_remove|
kfree(gpriv);          |
                       |usbhsc_hotplug
                       |usbhs_mod_call start
                       |usbhsg_start
                       |usbhsg_try_start
                       |//use gpriv

Fixes: bc57381e6347 ("usb: renesas_usbhs: use delayed_work instead of work_struct")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/usb/renesas_usbhs/common.c | 1 +
 1 file changed, 1 insertion(+)
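The ordering bug the commit message describes, worked through as an added example; this is a userspace model written for this page, not the renesas_usbhs code or the kernel workqueue API. The structs and function names echo the driver's so the flow is recognisable, but the "workqueue" is a one-slot stand-in, gpriv is a static slot that is poisoned rather than kfree()d so the stale access can be detected without undefined behaviour, and the single-threaded model only reproduces the still-pending interleaving (the in-flight handler that the real cancel_delayed_work_sync() waits for cannot be shown without threads). The third scenario, a hypothetical hotplug notification that re-arms the work between the cancel and the kfree, is an assumption added to illustrate what cancel_delayed_work_sync() alone does not guarantee.

```c
/* Added example, not kernel code: a single-threaded model of the bug this patch
 * fixes. Names echo the driver's; the "workqueue" is a one-slot stand-in and
 * gpriv is a static slot poisoned instead of kfree()d, so stale use is detectable. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define GPRIV_MAGIC 0x67707276u	/* live object */
#define GPRIV_FREED 0xdeadbeefu	/* poison written by the model's kfree() */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct gpriv { unsigned int magic; };	/* stands in for usbhsg_gpriv */
struct delayed_work { void (*func)(struct delayed_work *work); };
struct usbhs_priv {
	struct delayed_work notify_hotplug_work;
	struct gpriv *gpriv;	/* left dangling by kfree(), as in the driver */
	int uaf_observed;	/* bumped when the handler touches freed gpriv */
};

static struct gpriv gpriv_slot;		/* the model's heap: one slot */
static struct delayed_work *wq_pending;	/* one-slot "workqueue": the queued item */

static void schedule_delayed_work(struct delayed_work *work)
{
	wq_pending = work;
}

/* Model of cancel_delayed_work_sync(): drop the pending run. The kernel version
 * also waits for an in-flight handler, which this single-threaded model omits. */
static bool cancel_delayed_work_sync(struct delayed_work *work)
{
	bool was_pending = (wq_pending == work);
	if (was_pending)
		wq_pending = NULL;
	return was_pending;
}

/* The workqueue thread gets scheduled and runs whatever is queued. */
static void workqueue_run_pending(void)
{
	struct delayed_work *work = wq_pending;
	wq_pending = NULL;
	if (work)
		work->func(work);
}

/* CPU1 of the figure: the handler path down to usbhsg_try_start uses gpriv. */
static void usbhsc_notify_hotplug(struct delayed_work *work)
{
	struct usbhs_priv *priv = container_of(work, struct usbhs_priv,
					       notify_hotplug_work);
	if (priv->gpriv->magic != GPRIV_MAGIC)	/* the use-after-free, caught */
		priv->uaf_observed++;
}

static void usbhs_probe(struct usbhs_priv *priv)
{
	gpriv_slot.magic = GPRIV_MAGIC;		/* kzalloc() of gpriv */
	priv->gpriv = &gpriv_slot;
	priv->notify_hotplug_work.func = usbhsc_notify_hotplug;
	schedule_delayed_work(&priv->notify_hotplug_work);	/* as in probe */
}

/* remove() before the patch: kfree(gpriv) with the work still queued. */
static void usbhs_remove_unpatched(struct usbhs_priv *priv)
{
	priv->gpriv->magic = GPRIV_FREED;	/* usbhs_mod_gadget_remove(): kfree */
}

/* remove() after the patch: cancel first, then tear down. */
static void usbhs_remove_patched(struct usbhs_priv *priv)
{
	cancel_delayed_work_sync(&priv->notify_hotplug_work);
	priv->gpriv->magic = GPRIV_FREED;
}

/* Caveat the patch leaves open: cancel_delayed_work_sync() does not stop the work
 * being re-armed; a (hypothetical) notification between cancel and kfree reopens it. */
static void usbhs_remove_patched_late_notify(struct usbhs_priv *priv)
{
	cancel_delayed_work_sync(&priv->notify_hotplug_work);
	schedule_delayed_work(&priv->notify_hotplug_work);	/* late notify */
	priv->gpriv->magic = GPRIV_FREED;
}

/* probe, the chosen remove() (CPU0), then let the queue run (CPU1).
 * Returns how many stale gpriv accesses the handler made; 0 means the race is closed. */
static int run_scenario(void (*remove_fn)(struct usbhs_priv *))
{
	struct usbhs_priv priv = { .uaf_observed = 0 };
	usbhs_probe(&priv);
	remove_fn(&priv);
	workqueue_run_pending();
	return priv.uaf_observed;
}

int main(void)
{
	printf("stale gpriv accesses: unpatched %d, patched %d, re-armed after cancel %d\n",
	       run_scenario(usbhs_remove_unpatched), run_scenario(usbhs_remove_patched),
	       run_scenario(usbhs_remove_patched_late_notify));
	return 0;
}
```

The two remove() variants are the before and after of the hunk in common.c; the third shows why a reviewer asks whether anything can still queue the work after the cancel, since cancel_delayed_work_sync() only dequeues and waits, it does not disarm.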