From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Peter Chen, Jack Pham, Sasha Levin
Subject: [PATCH 5.10 222/289] usb: dwc3: gadget: Free gadget structure only after freeing endpoints
Date: Mon, 17 May 2021 16:02:27 +0200
Message-Id: <20210517140312.626006320@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210517140305.140529752@linuxfoundation.org>
References: <20210517140305.140529752@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Jack Pham

[ Upstream commit bb9c74a5bd1462499fe5ccb1e3c5ac40dcfa9139 ]

As part of commit e81a7018d93a ("usb: dwc3: allocate gadget structure dynamically") the dwc3_gadget_release() was added which will free the dwc->gadget structure upon the device's removal when usb_del_gadget_udc() is called in dwc3_gadget_exit().

However, simply freeing the gadget results in a dangling pointer situation: the endpoints created in dwc3_gadget_init_endpoints() have their dep->endpoint.ep_list members chained off the list_head anchored at dwc->gadget->ep_list. Thus when dwc->gadget is freed, the first dwc3_ep in the list now has a dangling prev pointer and likewise for the next pointer of the dwc3_ep at the tail of the list. The dwc3_gadget_free_endpoints() that follows will result in a use-after-free when it calls list_del().

This was caught by enabling KASAN and performing a driver unbind. The recent commit 568262bf5492 ("usb: dwc3: core: Add shutdown callback for dwc3") also exposes this as a panic during shutdown.

There are a few possibilities to fix this. One could be to perform a list_del() of the gadget->ep_list itself which removes it from the rest of the dwc3_ep chain. Another approach is what this patch does, by splitting up the usb_del_gadget_udc() call into its separate "del" and "put" components. This allows dwc3_gadget_free_endpoints() to be called before the gadget is finally freed with usb_put_gadget().

Fixes: e81a7018d93a ("usb: dwc3: allocate gadget structure dynamically")
Reviewed-by: Peter Chen
Signed-off-by: Jack Pham
Link: https://lore.kernel.org/r/20210501093558.7375-1-jackp@codeaurora.org
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
---
 drivers/usb/dwc3/gadget.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 84d1487e9f06..dab9b5fd15a9 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3948,8 +3948,9 @@ int dwc3_gadget_init(struct dwc3 *dwc) void dwc3_gadget_exit(struct dwc3 *dwc) { - usb_del_gadget_udc(dwc->gadget); + usb_del_gadget(dwc->gadget); dwc3_gadget_free_endpoints(dwc); + usb_put_gadget(dwc->gadget); dma_free_coherent(dwc->sysdev, DWC3_BOUNCE_SIZE, dwc->bounce, dwc->bounce_addr); kfree(dwc->setup_buf); -- 2.30.2
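Review bot: the hunk leaves dwc->gadget dangling after usb_put_gadget(dwc->gadget); the commit message states that this put is what finally frees the structure, yet the pointer stays live in dwc while the function goes on to free dwc->bounce and dwc->setup_buf. Adding `dwc->gadget = NULL;` right after the put would turn any later stale dereference on this teardown path into an immediate NULL fault rather than a silent reuse of freed memory. A one-line comment that the del / free_endpoints / put order is deliberate would also help, because `usb_del_gadget(dwc->gadget); ... usb_put_gadget(dwc->gadget);` reads like an unrolled usb_del_gadget_udc() that a later cleanup could fold back together and reintroduce the use-after-free.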
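As an added illustration, and not code from the patch, the dwc3 driver or the kernel, here is a userspace model of the ownership problem the commit message describes: a list anchor that lives inside an object freed before the entries chained off it are unlinked. The cut-down structures, the quarantine allocator and every function name below are assumptions made for the example. The allocator stands in for KASAN by marking freed objects dead instead of releasing them, so the stray write that would corrupt the heap in the kernel is reported instead of executed. It models the pre-patch order, the patched del / free endpoints / put order, and the list_del()-of-the-anchor alternative the message mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Shape-only copy of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	struct list_head *last = head->prev;
	last->next = n; n->prev = last; n->next = head; head->prev = n;
}

/* Quarantine allocator standing in for KASAN (assumption for this example):
 * freed objects are marked dead but never released or reused, so a stale
 * neighbour pointer can be attributed to the dead object it points into and
 * the stray write in checked_list_del() stays well-defined. */
#define SLOTS 32
static struct { char *base; size_t len; int dead; } slots[SLOTS];
static int nslots;

static void *qalloc(size_t len)
{
	if (nslots == SLOTS) abort();
	char *p = calloc(1, len);
	if (!p) abort();
	slots[nslots].base = p; slots[nslots].len = len; slots[nslots].dead = 0;
	return slots[nslots++].base;
}

static void qfree(void *p)
{
	for (int i = 0; i < nslots; i++)
		if (slots[i].base == p) { slots[i].dead = 1; return; }
	abort();	/* double free or foreign pointer */
}

static int points_into_dead(const void *p)
{
	uintptr_t a = (uintptr_t)p;
	for (int i = 0; i < nslots; i++) {
		uintptr_t b = (uintptr_t)slots[i].base;
		if (a >= b && a < b + slots[i].len) return slots[i].dead;
	}
	return 0;
}

static void qreset(void)
{
	for (int i = 0; i < nslots; i++) free(slots[i].base);
	nslots = 0;
}

/* list_del() with a KASAN-style check: returns 1 if a neighbour sits in freed memory. */
static int checked_list_del(struct list_head *e)
{
	int uaf = points_into_dead(e->prev) || points_into_dead(e->next);
	e->prev->next = e->next;	/* on the buggy path this write lands in the dead anchor */
	e->next->prev = e->prev;
	e->next = e->prev = NULL;
	return uaf;
}

/* Hypothetical cut-down versions of the driver structures. */
struct usb_gadget { struct list_head ep_list; };
struct dwc3_ep    { struct list_head ep_entry; int num; };
struct dwc3       { struct usb_gadget *gadget; struct dwc3_ep *eps[8]; int num_eps; };

static void gadget_init(struct dwc3 *dwc, int num_eps)
{
	dwc->gadget = qalloc(sizeof *dwc->gadget);
	init_list_head(&dwc->gadget->ep_list);	/* the anchor lives inside the gadget */
	dwc->num_eps = num_eps > 8 ? 8 : num_eps;
	for (int i = 0; i < dwc->num_eps; i++) {
		dwc->eps[i] = qalloc(sizeof *dwc->eps[i]);
		dwc->eps[i]->num = i;
		list_add_tail(&dwc->eps[i]->ep_entry, &dwc->gadget->ep_list);
	}
}

/* Mirrors dwc3_gadget_free_endpoints(): unlink each endpoint, then free it. */
static int free_endpoints(struct dwc3 *dwc)
{
	int uaf = 0;
	for (int i = 0; i < dwc->num_eps; i++) {
		uaf += checked_list_del(&dwc->eps[i]->ep_entry);
		qfree(dwc->eps[i]);
	}
	return uaf;
}

/* Pre-patch order: the last put frees the gadget, so the anchor dies first.
 * Returns one hit per endpoint, since each list_del() reads and writes through
 * a prev (or next) pointer that points back into the freed gadget. */
int teardown_buggy(int num_eps)
{
	struct dwc3 dwc = {0};
	gadget_init(&dwc, num_eps);
	qfree(dwc.gadget);
	int uaf = free_endpoints(&dwc);
	qreset();
	return uaf;
}

/* Patched order: del, free the endpoints, then put (which frees the gadget). */
int teardown_fixed(int num_eps)
{
	struct dwc3 dwc = {0};
	gadget_init(&dwc, num_eps);
	int uaf = free_endpoints(&dwc);
	qfree(dwc.gadget);
	dwc.gadget = NULL;
	qreset();
	return uaf;
}

/* The alternative the commit message mentions: unhook the anchor first, so the
 * endpoints form a ring of their own before the gadget goes away. */
int teardown_unhook_anchor(int num_eps)
{
	struct dwc3 dwc = {0};
	gadget_init(&dwc, num_eps);
	int uaf = checked_list_del(&dwc.gadget->ep_list);
	qfree(dwc.gadget);
	uaf += free_endpoints(&dwc);
	qreset();
	return uaf;
}

int main(void)
{
	printf("buggy order:    %d use-after-free hits\n", teardown_buggy(4));
	printf("patched order:  %d\n", teardown_fixed(4));
	printf("unhook anchor:  %d\n", teardown_unhook_anchor(4));
	return 0;
}
```

Build with `cc -Wall -o ep_order ep_order.c && ./ep_order`. The buggy order reports one hit per endpoint: after the first endpoint is unlinked, the anchor's next pointer is rewritten to the second endpoint and that endpoint's prev now points at the freed gadget, so every subsequent list_del() walks through dead memory again. Both fixed orders report zero because no pointer into the gadget is dereferenced once it is gone.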