Date: Sat, 6 Aug 2022 22:14:35 +0530
From: Manivannan Sadhasivam
To: Johan Hovold
Cc: Johan Hovold, Greg Kroah-Hartman, Felipe Balbi, Rob Herring, Krzysztof Kozlowski, Andy Gross, Bjorn Andersson, Konrad Dybcio, Krishna Kurapati, Stephen Boyd, Doug Anderson, Matthias Kaehlcke, Pavankumar Kondeti, quic_ppratap@quicinc.com, quic_vpulyala@quicinc.com, linux-arm-msm@vger.kernel.org, linux-usb@vger.kernel.org, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 4/9] usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup
Message-ID: <20220806164435.GL14384@thinkpad>
References: <20220804151001.23612-1-johan+linaro@kernel.org> <20220804151001.23612-5-johan+linaro@kernel.org> <20220806143311.GE14384@thinkpad>
List-ID: linux-kernel@vger.kernel.org

On Sat, Aug 06, 2022 at 06:08:51PM +0200, Johan Hovold wrote:
> On Sat, Aug 06, 2022 at 08:03:11PM +0530, Manivannan Sadhasivam wrote:
> > On Thu, Aug 04, 2022 at 05:09:56PM +0200, Johan Hovold wrote:
> > > The Qualcomm dwc3 runtime-PM implementation checks the xhci
> > > platform-device pointer in the wakeup-interrupt handler to determine
> > > whether the controller is in host mode and if so triggers a resume.
> > >
> > > After a role switch in OTG mode the xhci platform-device would have been
> > > freed and the next wakeup from runtime suspend would access the freed
> > > memory.
> > >
> > > Note that role switching is executed from a freezable workqueue, which
> > > guarantees that the pointer is stable during suspend.
> > >
> > > Also note that runtime PM has been broken since commit 2664deb09306
> > > ("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which
> > > incidentally also prevents this issue from being triggered.
> > >
> > > Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver")
> > > Cc: stable@vger.kernel.org # 4.18
> > > Signed-off-by: Johan Hovold
> >
> > It'd be good to mention the introduction of dwc3_qcom_is_host() function.
> > Initially I thought it is used in a single place, but going through the rest of
> > the patches reveals that it is used later on.
>
> I think the helper is warranted on its own as it serves as documentation
> of the underlying assumptions that this code relies on.
>

That's even better.

Thanks,
Mani

> > > +/* Only usable in contexts where the role can not change. */
> > > +static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom)
> > > +{
> > > +	struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3);
> > > +
> > > +	return dwc->xhci;
> > > +}
> > > +
> > >  static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom)
> > >  {
> > >  	struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3);
> > > @@ -460,7 +468,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data)
> > >  	if (qcom->pm_suspended)
> > >  		return IRQ_HANDLED;
> > >
> > > -	if (dwc->xhci)
> > > +	/*
> > > +	 * This is safe as role switching is done from a freezable workqueue
> > > +	 * and the wakeup interrupts are disabled as part of resume.
> > > +	 */
> > > +	if (dwc3_qcom_is_host(qcom))
> > >  		pm_runtime_resume(&dwc->xhci->dev);
> > >
> > >  	return IRQ_HANDLED;
> > > diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c
> > > index f56c30cf151e..f6f13e7f1ba1 100644
> > > --- a/drivers/usb/dwc3/host.c
> > > +++ b/drivers/usb/dwc3/host.c
> > > @@ -135,4 +135,5 @@ int dwc3_host_init(struct dwc3 *dwc)
> > >  void dwc3_host_exit(struct dwc3 *dwc)
> > >  {
> > >  	platform_device_unregister(dwc->xhci);
> > > +	dwc->xhci = NULL;
> > >  }
> > > --
> > > 2.35.1
>
> Johan

-- 
மணிவண்ணன் சதாசிவம்
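Review bot: in the qcom_dwc3_resume_irq() hunk, replacing `if (dwc->xhci)` with `if (dwc3_qcom_is_host(qcom))` does not by itself close the use-after-free: the helper still just returns `dwc->xhci`, and the unchanged `pm_runtime_resume(&dwc->xhci->dev);` dereferences the same pointer, so the fix only holds together with the host.c hunk that clears the pointer. The new comment above the check names the freezable workqueue and the disabled wakeup interrupts; it should also say that dwc3_host_exit() now clears dwc->xhci, otherwise a later reader will assume the helper adds a liveness check of its own.

Review bot: in the dwc3_host_exit() hunk, `dwc->xhci = NULL;` is only assigned after platform_device_unregister(dwc->xhci) returns, so the pointer dangles for the duration of the unregister call; as the commit message states, this is safe only because role switching runs from a freezable workqueue and therefore cannot overlap a runtime-suspend wakeup. Nothing in host.c records that dependency, so a one-line comment at the assignment saying the pointer is read by the Qualcomm glue's wakeup handler and must be cleared here would keep the next refactor from dropping it.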