From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eddie Hung, Macpaul Lin, Peter Chen
Subject: [PATCH 5.4 74/92] usb: gadget: configfs: Fix use-after-free issue with udc_name
Date: Mon, 11 Jan 2021 14:02:18 +0100
Message-Id: <20210111130042.718347779@linuxfoundation.org>
In-Reply-To: <20210111130039.165470698@linuxfoundation.org>
References: <20210111130039.165470698@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eddie Hung

commit 64e6bbfff52db4bf6785fab9cffab850b2de6870 upstream.

There is a use-after-free issue if udc_name is accessed in function
gadget_dev_desc_UDC_store after another context frees udc_name in
function unregister_gadget.

Context 1:
gadget_dev_desc_UDC_store()->unregister_gadget()->
free udc_name->set udc_name to NULL

Context 2:
gadget_dev_desc_UDC_show()-> access udc_name

Call trace:
dump_backtrace+0x0/0x340
show_stack+0x14/0x1c
dump_stack+0xe4/0x134
print_address_description+0x78/0x478
__kasan_report+0x270/0x2ec
kasan_report+0x10/0x18
__asan_report_load1_noabort+0x18/0x20
string+0xf4/0x138
vsnprintf+0x428/0x14d0
sprintf+0xe4/0x12c
gadget_dev_desc_UDC_show+0x54/0x64
configfs_read_file+0x210/0x3a0
__vfs_read+0xf0/0x49c
vfs_read+0x130/0x2b4
SyS_read+0x114/0x208
el0_svc_naked+0x34/0x38

Add mutex_lock to protect this kind of scenario.

Signed-off-by: Eddie Hung
Signed-off-by: Macpaul Lin
Reviewed-by: Peter Chen
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1609239215-21819-1-git-send-email-macpaul.lin@mediatek.com
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/gadget/configfs.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -233,9 +233,16 @@ static ssize_t gadget_dev_desc_bcdUSB_st static ssize_t gadget_dev_desc_UDC_show(struct config_item *item, char *page) { - char *udc_name = to_gadget_info(item)->composite.gadget_driver.udc_name; + struct gadget_info *gi = to_gadget_info(item); + char *udc_name; + int ret; - return sprintf(page, "%s\n", udc_name ?: ""); + mutex_lock(&gi->lock); + udc_name = gi->composite.gadget_driver.udc_name; + ret = sprintf(page, "%s\n", udc_name ?: ""); + mutex_unlock(&gi->lock); + + return ret; } static int unregister_gadget(struct gadget_info *gi)
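Review bot: the new gi->lock critical section in gadget_dev_desc_UDC_show() closes the race described in the commit message only if the freeing side (gadget_dev_desc_UDC_store() -> unregister_gadget(), which frees udc_name and sets it to NULL) already runs with gi->lock held, and nothing in the visible hunk shows that; the trailing context only reaches the signature `static int unregister_gadget(struct gadget_info *gi)`. A `lockdep_assert_held(&gi->lock);` at the top of unregister_gadget(), or a one-line comment stating that it must be called with gi->lock held, would make the invariant explicit and catch any future caller that frees udc_name without the lock. Also, the first sentence of the commit message says the access happens in gadget_dev_desc_UDC_store, while the "Context 2" line and the KASAN trace (sprintf called from gadget_dev_desc_UDC_show+0x54/0x64) place it in gadget_dev_desc_UDC_show; the text should name _show so the description matches the hunk.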
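To make the locking discipline behind this fix concrete, here is an added user-space model of the race and its repair. It is not the kernel's code and not from the patch author: `struct gadget_info`, `udc_name` and the function names mirror the patch, while the pthread mutex, the "dummy_udc" name, the page size and the stress loop are constructed for this demonstration. `udc_show_unlocked` is the pre-fix shape (pointer read and dereferenced with no lock, so a concurrent free can hit mid-`sprintf`); `udc_show` is the post-fix shape, where reader and freer take the same lock, so every read observes either the whole name or the empty line and never a freed buffer.

```c
/* Added example, not kernel code: user-space model of the udc_name race
 * and the fix of reading and freeing under one mutex. Build: cc -pthread */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096           /* constructed: size of the configfs "page" */
#define MAX_READERS 16
#define READS_PER_THREAD 200000

struct gadget_info {
    pthread_mutex_t lock;        /* stands in for the kernel's gi->lock */
    char *udc_name;              /* heap string, freed by unregister_gadget() */
};

/* Pre-fix shape: no lock, so the pointer can be freed while sprintf walks it. */
int udc_show_unlocked(struct gadget_info *gi, char *page)
{
    char *udc_name = gi->udc_name;
    return sprintf(page, "%s\n", udc_name ? udc_name : "");
}

/* Post-fix shape: load and format the string under the lock the freer takes. */
int udc_show(struct gadget_info *gi, char *page)
{
    char *udc_name;
    int ret;

    pthread_mutex_lock(&gi->lock);
    udc_name = gi->udc_name;
    ret = sprintf(page, "%s\n", udc_name ? udc_name : "");
    pthread_mutex_unlock(&gi->lock);
    return ret;
}

/* Models unregister_gadget(): free the name and clear the pointer under lock. */
void unregister_gadget(struct gadget_info *gi)
{
    pthread_mutex_lock(&gi->lock);
    free(gi->udc_name);
    gi->udc_name = NULL;
    pthread_mutex_unlock(&gi->lock);
}

void gadget_init(struct gadget_info *gi, const char *name)
{
    pthread_mutex_init(&gi->lock, NULL);
    gi->udc_name = name ? strdup(name) : NULL;
}

/* Single-threaded check: show before and after unregister. Returns 1 if OK. */
int demo_sequence(void)
{
    struct gadget_info gi;
    char page[PAGE_SIZE];
    int ok = 1;

    gadget_init(&gi, "dummy_udc");                 /* constructed UDC name */
    ok &= udc_show(&gi, page) == 10 && strcmp(page, "dummy_udc\n") == 0;
    unregister_gadget(&gi);
    ok &= udc_show(&gi, page) == 1 && strcmp(page, "\n") == 0;
    pthread_mutex_destroy(&gi.lock);
    return ok;
}

struct reader_arg { struct gadget_info *gi; const char *name; long bad; };

/* Reader thread: hammer the locked show path and count any output that is
 * neither the full name nor the empty line (what a torn read would produce). */
void *reader(void *p)
{
    struct reader_arg *a = p;
    char page[PAGE_SIZE], expect[PAGE_SIZE];
    int i;

    snprintf(expect, sizeof expect, "%s\n", a->name);
    for (i = 0; i < READS_PER_THREAD; i++) {
        udc_show(a->gi, page);
        if (strcmp(page, expect) != 0 && strcmp(page, "\n") != 0)
            a->bad++;
    }
    return NULL;
}

/* Race nreaders show() callers against one unregister; returns the number
 * of inconsistent reads, which the shared lock keeps at zero. */
long stress(int nreaders)
{
    struct gadget_info gi;
    pthread_t tids[MAX_READERS];
    struct reader_arg args[MAX_READERS];
    long bad = 0;
    int i;

    if (nreaders > MAX_READERS)
        nreaders = MAX_READERS;
    gadget_init(&gi, "dummy_udc");
    for (i = 0; i < nreaders; i++) {
        args[i].gi = &gi; args[i].name = "dummy_udc"; args[i].bad = 0;
        pthread_create(&tids[i], NULL, reader, &args[i]);
    }
    unregister_gadget(&gi);      /* concurrent with the readers, same lock */
    for (i = 0; i < nreaders; i++) {
        pthread_join(tids[i], NULL);
        bad += args[i].bad;
    }
    pthread_mutex_destroy(&gi.lock);
    return bad;
}

int main(void)
{
    printf("sequence ok: %d, inconsistent reads: %ld\n", demo_sequence(), stress(4));
    return 0;
}
```

The point the model makes is the one the patch relies on: protecting the reader is only half of the pairing. `unregister_gadget` here takes `gi->lock` itself, so the demo is self-consistent; in the kernel the same guarantee has to come from the caller of `unregister_gadget()` holding `gi->lock`, which is the invariant to check when reviewing the store path.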