Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp111467pxx; Tue, 27 Oct 2020 23:12:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwYzJRwP2U0GvtoeO+DSZvAZx7kuPNjd9d6a6XoDUftPUsDBcRzChyS4ydi6ooOlBI4nymn X-Received: by 2002:a17:906:19c8:: with SMTP id h8mr6283761ejd.318.1603865569096; Tue, 27 Oct 2020 23:12:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603865569; cv=none; d=google.com; s=arc-20160816; b=wD+6m8Hd3EGonPFYZ0r1niL4bFwskW4IZYy08FgBcwa7NJI8lg5oLNKez1pP6mrlUy T+ACPf49TjldGodxIpIEK1h4ywmDToLqEKDX2Bk2pBcevt1VB0xCfuWq/nC7tBsKH8wc pc0hZho9MtDKSvrNbZyFW5JMRt0vsDV2CEQK2hatipGNDdWjonAAaRXzkIoKpgxOqvAu n0vTtchHUVX19RlKnJmLPET7tDfGrdzCNKec3VdTmJkRqoXoxef55dHdKieJrzoD0WUV JS0S4lzh2FyYO6IJvKfe8n5lWtSBtn3BLTT+oPpv7pqgQqqSBqxlhqgdPKtiSeOUkHtx h3vw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:dkim-signature; bh=k0q1UXQyIMVNWtmVhow0jpMDJ0XmJolwwLg8XgByQUg=; b=CibByianjIp4C1i57u5KE5zJJpRfJxVfDLQ+tpuVnPHRXq/i9UdwzgHn9y/lpn8dUE 3EJXf+gxWImw1CyDgG2nnJ2oJjmQoTm7vO/V6aGjM2oBN87k8WtudWL0A17NfzwrIzEy 7F0TQlS3DM0smvp/qssjmkb3AxJcbF1sNzzpurq10Sie5zyIHmZ/edr3JWvCA5UPBz8y K/t82VsUWbvkKc9B0I+lyEfBBWpnalTPrnaeDr4xKWsg4piwTrIQqFUWB7UmFn25GTm7 cniQC/cuK5vMpyb2aY3Qyi6/4z/7L4+fdwEyi3M4N31Mgn9VmLFB20ZmStGXE/P5Iceu XGIg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=UWF6aOhC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cc15si2635751edb.150.2020.10.27.23.12.27; Tue, 27 Oct 2020 23:12:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=UWF6aOhC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2509829AbgJ0JYA (ORCPT + 99 others); Tue, 27 Oct 2020 05:24:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:34150 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2509822AbgJ0JX7 (ORCPT ); Tue, 27 Oct 2020 05:23:59 -0400 Received: from saruman (88-113-213-94.elisa-laajakaista.fi [88.113.213.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 57E2A20829; Tue, 27 Oct 2020 09:23:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603790638; bh=k0q1UXQyIMVNWtmVhow0jpMDJ0XmJolwwLg8XgByQUg=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=UWF6aOhC4q0nsNt2300n7nUokiHRXjqrNCtWimEBvdk0KNDuCgoBjaOxMVuIC4plq 8JeKxkI/G1EwQKZnPg6XKCDPDiunZ5JpcfK8EuHs+Kv7TYYdqtJsaYjSidnhC/KmzA Z3vOQRDLZojGT4Vbr1wWnXwS9Vi2CNnzZzXkfMrw= From: Felipe Balbi To: Macpaul Lin , Greg Kroah-Hartman , Matthias Brugger , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org Cc: Mediatek WSD Upstream , Macpaul Lin , Macpaul Lin , Eddie Hung , stable@vger.kernel.org Subject: Re: [PATCH v2] usb: gadget: configfs: Fix use-after-free issue with udc_name In-Reply-To: <1595040303-23046-1-git-send-email-macpaul.lin@mediatek.com> References: <1594881666-8843-1-git-send-email-macpaul.lin@mediatek.com> <1595040303-23046-1-git-send-email-macpaul.lin@mediatek.com> Date: Tue, 27 Oct 2020 11:23:49 +0200 Message-ID: <87eelkc996.fsf@kernel.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hi, Macpaul Lin writes: > From: Eddie Hung > > There is a use-after-free issue, if access udc_name > in function gadget_dev_desc_UDC_store after another context > free udc_name in function unregister_gadget. > > Context 1: > gadget_dev_desc_UDC_store()->unregister_gadget()-> > free udc_name->set udc_name to NULL > > Context 2: > gadget_dev_desc_UDC_show()-> access udc_name > > Call trace: > dump_backtrace+0x0/0x340 > show_stack+0x14/0x1c > dump_stack+0xe4/0x134 > print_address_description+0x78/0x478 > __kasan_report+0x270/0x2ec > kasan_report+0x10/0x18 > __asan_report_load1_noabort+0x18/0x20 > string+0xf4/0x138 > vsnprintf+0x428/0x14d0 > sprintf+0xe4/0x12c > gadget_dev_desc_UDC_show+0x54/0x64 > configfs_read_file+0x210/0x3a0 > __vfs_read+0xf0/0x49c > vfs_read+0x130/0x2b4 > SyS_read+0x114/0x208 > el0_svc_naked+0x34/0x38 > > Add mutex_lock to protect this kind of scenario. > > Signed-off-by: Eddie Hung > Signed-off-by: Macpaul Lin > Reviewed-by: Peter Chen > Cc: stable@vger.kernel.org patch doesn't apply: $ patch -p1 --dry-run /usr/bin/patch: **** Only garbage was found in the patch input. Please resend using git send-email and make sure your smtp server sends it as plain text, not base64. =2D-=20 balbi --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJFBAEBCAAvFiEElLzh7wn96CXwjh2IzL64meEamQYFAl+X5yURHGJhbGJpQGtl cm5lbC5vcmcACgkQzL64meEamQZtZg//coyB3wE6OkS6Hlv+h19vVYx+t2brKcxC g5bumXnlkQ9Alqu77kfPmqXkdtGtTTCIF/hM3WsrvfnHUaewkm2XpFpLfsL4grDQ cI6VO1basL0cPUDsYYkVcujkTNNpQfAkQ1dcaUn7+Q7OM0uYMDI164AKENynlF+e pJKHzeo5WJY+FETSac0fqwDoDBuPucHcx+dPjZH4QYCIyEmmCinzrp4CISOpjXCv mu2n9Ix8CfuFbocuXtqHRZq/t7ZlmhPo9y2+hX1+F33oBRLx4L37/GdicJXWp+Rd DeZCO5klDOnXheRXK/pyIPOMWrGCar2jyjw1EdqPvW34aabTb2Ms7NuH0u2LaOxu AGUfuFXML/iWAnBuU1S/Gkjn7+hnZJiLJIV6EM380frH/dz7QXYUdjAlMnCp9qCY grjypjGIW87GmF8IQS3G2Ip/Ique0rRt03ioUlG/4zq+OKiRaVXCFCvxOyARELmu r/AlOo+fugXhAaJqcjIS2lYc0j6qp0NV27LVQDDFJI+dJzTXLbENIrxGacn/M0ll JQnEA0iDmDWXQU1Dv+Lki4ezHg7NWNQSNDBqY/LjdymwtYQd8XcjKo/11Dlq4cpJ TT72bdl7Rqg/Qm4JB/KWryxSdJlYzK1iLxZLsfuUD5w3I8AO5L+QRurTAhtZ2FT8 fVqBmJhM+/w= =y0xX -----END PGP SIGNATURE----- --=-=-=--