Date: Tue, 15 Nov 2022 10:45:25 -0500
From: Alan Stern
To: jiantao zhang
Cc: gregkh@linuxfoundation.org, jakobkoschel@gmail.com, geert+renesas@glider.be, colin.i.king@gmail.com, 薛涛, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Caiyadong, xuhaiyang
Subject: Re: [PATCH v3] USB: gadget: Fix use-after-free during usb config switch
References: <20221115065404.6067-1-xuetao09@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 15, 2022 at 08:52:02PM +0800, jiantao zhang wrote:
> In the process of switching USB config from rndis to other config,
> if the hardware does not support the ->pullup callback, or the
> hardware encounters a low probability fault, both of them may cause
> the ->pullup callback to fail, which will then cause a system panic
> (use after free).
>
> The gadget drivers sometimes need to be unloaded regardless of the
> hardware's behavior.
>
> Analysis as follows:
> =======================================================================
> (1) write /config/usb_gadget/g1/UDC "none"
>
> gether_disconnect+0x2c/0x1f8
> rndis_disable+0x4c/0x74
> composite_disconnect+0x74/0xb0
> configfs_composite_disconnect+0x60/0x7c
> usb_gadget_disconnect+0x70/0x124
> usb_gadget_unregister_driver+0xc8/0x1d8
> gadget_dev_desc_UDC_store+0xec/0x1e4
>
> (2) rm /config/usb_gadget/g1/configs/b.1/f1
>
> rndis_deregister+0x28/0x54
> rndis_free+0x44/0x7c
> usb_put_function+0x14/0x1c
> config_usb_cfg_unlink+0xc4/0xe0
> configfs_unlink+0x124/0x1c8
> vfs_unlink+0x114/0x1dc
>
> (3) rmdir /config/usb_gadget/g1/functions/rndis.gs4
>
> panic+0x1fc/0x3d0
> do_page_fault+0xa8/0x46c
> do_mem_abort+0x3c/0xac
> el1_sync_handler+0x40/0x78
> 0xffffff801138f880
> rndis_close+0x28/0x34
> eth_stop+0x74/0x110
> dev_close_many+0x48/0x194
> rollback_registered_many+0x118/0x814
> unregister_netdev+0x20/0x30
> gether_cleanup+0x1c/0x38
> rndis_attr_release+0xc/0x14
> kref_put+0x74/0xb8
> configfs_rmdir+0x314/0x374
>
> If gadget->ops->pullup() returns an error, function rndis_close() will be
> called, which then causes a use-after-free problem.
> =======================================================================
>
> Fixes: 0a55187a1ec8 ("USB: gadget core: Issue ->disconnect() callback from usb_gadget_disconnect()")
> Signed-off-by: Jiantao Zhang
> Signed-off-by: TaoXue
> ---

Acked-by: Alan Stern

It looks like you accidentally typed a ' ' character at the start of the
second line of the patch, the line that says:

    ret = gadget->ops->pullup(gadget, 0);

This would explain why Greg said the patch was corrupted.

Alan Stern

> V2 -> V3: Solved the format issues of Fixes and backtraces.
> V1 -> V2: V1 will affect the original function, V2 just moves the callback
> after the "if" statement, so that the original function will not be affected.
> And fixed formatting issues.
>
> drivers/usb/gadget/udc/core.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
> index c63c0c2cf649..bf9878e1a72a 100644
> --- a/drivers/usb/gadget/udc/core.c
> +++ b/drivers/usb/gadget/udc/core.c
> @@ -734,13 +734,13 @@ int usb_gadget_disconnect(struct usb_gadget *gadget)
> }
> ret = gadget->ops->pullup(gadget, 0);
> - if (!ret) {
> + if (!ret)
> gadget->connected = 0;
> - mutex_lock(&udc_lock);
> - if (gadget->udc->driver)
> - gadget->udc->driver->disconnect(gadget);
> - mutex_unlock(&udc_lock);
> - }
> +
> + mutex_lock(&udc_lock);
> + if (gadget->udc->driver)
> + gadget->udc->driver->disconnect(gadget);
> + mutex_unlock(&udc_lock);
> out:
> trace_usb_gadget_disconnect(gadget, ret);
> --
> 2.17.1
>
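Review bot: in the hunk, `gadget->connected = 0` is still only executed when `gadget->ops->pullup(gadget, 0)` succeeds, while the `mutex_lock(&udc_lock)` / `->disconnect(gadget)` block now runs regardless of `ret`, so on a pullup failure the core keeps believing the gadget is connected after the bound driver has been told it is not, and the next `usb_gadget_disconnect()` call will deliver `->disconnect()` to the driver a second time. Either state in the commit message that gadget drivers must tolerate a repeated `->disconnect()`, or add a short comment above the unconditional `mutex_lock(&udc_lock)` block explaining why the callback must be issued even when the hardware could not be pulled down (the "drivers sometimes need to be unloaded regardless of the hardware's behavior" case), so the intent survives the next reader of this function; `trace_usb_gadget_disconnect(gadget, ret)` at `out:` still reports the pullup error, which is fine.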
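As an added illustration of the sequence in the commit message (a model written for this page, not kernel code and not part of the thread), the C program below runs the three configfs steps from the analysis against both the old and the patched usb_gadget_disconnect() logic, with ->pullup() forced to fail. The structures, the `pullup_ret` field, `config_switch_uaf()` and the `alive` flag that stands in for kfree() are constructed for the model; the function names only echo the call chains in the backtraces. The point it makes observable is that the panic is a lifecycle mismatch, not a pullup problem: when ->disconnect() is skipped, the ethernet port is never closed, so the rmdir-time cleanup still closes it after rndis_free() has released the object it points at.

```c
/*
 * Model of the rndis config-switch sequence from the commit message.
 * Constructed for illustration: not kernel code. kfree() is stood in
 * for by an "alive" flag so the stale access is reported rather than
 * being real undefined behaviour.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* rndis function state: released by rndis_free(), still referenced by the port */
struct rndis_params {
    bool alive;                  /* stand-in for the allocation being live */
};

/* the ethernet port (gether) shared by the rndis function and its netdev */
struct eth_port {
    struct rndis_params *params; /* set while the port is open (connected) */
    bool open;
};

struct gadget {
    bool connected;
    int pullup_ret;              /* constructed: what ->pullup(gadget, 0) returns */
    struct eth_port *port;
    bool driver_bound;           /* models gadget->udc->driver != NULL */
};

/* ->disconnect(): composite_disconnect -> rndis_disable -> gether_disconnect */
static void driver_disconnect(struct gadget *g)
{
    g->port->open = false;
    g->port->params = NULL;
}

/* step (1), old core: ->disconnect() only when pullup succeeded */
static int usb_gadget_disconnect_old(struct gadget *g)
{
    int ret = g->pullup_ret;
    if (!ret) {
        g->connected = false;
        if (g->driver_bound)
            driver_disconnect(g);
    }
    return ret;
}

/* step (1), patched core: ->disconnect() is issued unconditionally */
static int usb_gadget_disconnect_new(struct gadget *g)
{
    int ret = g->pullup_ret;
    if (!ret)
        g->connected = false;
    if (g->driver_bound)
        driver_disconnect(g);
    return ret;
}

/* step (2), unlink the function: rndis_free() releases the params */
static void rndis_free(struct rndis_params *p)
{
    p->alive = false;            /* stands in for kfree(p) */
}

/* step (3), rmdir: gether_cleanup -> unregister_netdev -> eth_stop -> rndis_close.
 * Returns true when rndis_close() would touch released memory. */
static bool gether_cleanup(struct eth_port *port)
{
    if (!port->open)
        return false;            /* port already closed by ->disconnect() */
    return !port->params->alive; /* rndis_close() dereferences the stale params */
}

/* Run the three configfs steps with the given core variant and pullup result;
 * returns true if teardown used the freed rndis_params. */
static bool config_switch_uaf(int (*disconnect)(struct gadget *), int pullup_ret)
{
    struct rndis_params params = { .alive = true };
    struct eth_port port = { .params = &params, .open = true };
    struct gadget g = { .connected = true, .pullup_ret = pullup_ret,
                        .port = &port, .driver_bound = true };

    disconnect(&g);                  /* (1) write "none" to UDC */
    rndis_free(&params);             /* (2) rm configs/b.1/f1 */
    return gether_cleanup(&port);    /* (3) rmdir functions/rndis.gs4 */
}

int main(void)
{
    printf("old core, pullup ok:    uaf=%d\n", config_switch_uaf(usb_gadget_disconnect_old, 0));
    printf("old core, pullup -EIO:  uaf=%d\n", config_switch_uaf(usb_gadget_disconnect_old, -EIO));
    printf("new core, pullup -EIO:  uaf=%d\n", config_switch_uaf(usb_gadget_disconnect_new, -EIO));
    return 0;
}
```

Only the combination of the old core logic and a failing pullup leaves the port open across rndis_free(), which is exactly the window the backtrace in step (3) falls into; the patched variant closes the port in step (1) whatever the hardware reports.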