References: <20230310070039.1288927-1-zyytlz.wz@163.com>
From: Zheng Hacker
Date: Fri, 24 Mar 2023 23:34:59 +0800
Subject: Re: [PATCH] USB: gadget: udc: Fix use after free bug in udc_plat_remove due to race condition
To: Greg KH
Cc: Zheng Wang, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, 1395428693sheep@gmail.com, alex000young@gmail.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 24 Mar 2023 at 00:20, Greg KH wrote:
>
> On Fri, Mar 10, 2023 at 03:00:39PM +0800, Zheng Wang wrote:
> > In udc_plat_probe, &udc->drd_work is bound with
> > udc_drd_work. udc_drd_work may be called by
> > usbd_connect_notify to start the work.
> >
> > Besides, there is an invoking chain:
> > udc_plat_probe
> >   ->udc_probe
> >     ->usb_add_gadget_udc_release
> >       ->usb_add_gadget
> >
> > It will add a new gadget to the udc class driver
> > list. In usb_add_gadget, it uses usb_udc_release
> > as its release function, which will kfree(udc)
> > when destroying the gadget.
> >
> > If we remove the module, which will call udc_plat_remove
> > to do the cleanup, there may be an unfinished work.
> > The possible sequence is as follows:
> >
> > Fix it by finishing the work before cleanup in udc_plat_remove.
> >
> > Fixes: 1b9f35adb0ff ("usb: gadget: udc: Add Synopsys UDC Platform driver")
> > Signed-off-by: Zheng Wang
> > ---
> >  drivers/usb/gadget/udc/snps_udc_plat.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/usb/gadget/udc/snps_udc_plat.c b/drivers/usb/gadge= t/udc/snps_udc_plat.c > > index 8bbb89c80348..6228e178cc0a 100644 > > --- a/drivers/usb/gadget/udc/snps_udc_plat.c > > +++ b/drivers/usb/gadget/udc/snps_udc_plat.c > > @@ -230,6 +230,7 @@ static int udc_plat_remove(struct platform_device *= pdev) > > struct udc *dev; > > > > dev =3D platform_get_drvdata(pdev); > > + cancel_delayed_work_sync(&dev->drd_work); > > > > usb_del_gadget_udc(&dev->gadget); > > /* gadget driver must not be registered */ > > -- > > 2.25.1
> >
> Please test this to verify that it actually works.
>

Hi,

Sorry for my late reply. I will try to simulate a device in qemu to test.

Best regards,
Zheng

> thanks,
>
> greg k-h
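Review bot: the hunk cancels drd_work before usb_del_gadget_udc(), which is the right order for the kfree(udc) the commit message describes, but the visible context does not show the notifier that queues this work (usbd_connect_notify, per the commit message) being unregistered before the cancel; if that notifier can still fire after cancel_delayed_work_sync() returns, the work is re-queued and the same use-after-free remains reachable. Either place the cancel after the notifier is torn down (or state in the commit message why it cannot fire at this point), and fill in "The possible sequence is as follows:", which currently introduces no sequence, with the probe/notify/remove interleaving so reviewers can check the ordering against the code.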
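To make the ordering the patch relies on concrete, the following is a single-threaded C model added here as an illustration; it is not code from the patch or from the snps_udc_plat driver. A one-slot workqueue stands in for the kernel's, the names udc_model, work_item, run_pending_work and udc_plat_remove_model are invented for the model, and kfree() is represented by poisoning a magic field so that a late execution of the work item is counted rather than corrupting memory. udc_plat_remove_model(false) reproduces the original remove order (object released, then the still-queued work runs on it); udc_plat_remove_model(true) applies the patch's order (work cancelled synchronously, then release).

```c
/* Model of the teardown race fixed by the patch (added illustration, not
 * kernel code).  A queued work item bound to a device object races with a
 * remove path that frees that object. */
#include <stdbool.h>

#define UDC_MAGIC  0x75646321u   /* marks a live object ("udc!") */
#define UDC_POISON 0xdeadbeefu   /* what the "freed" object looks like here */

struct udc_model {
    unsigned int magic;
    int connect_count;           /* state the work item updates */
};

/* A queued work item: the function plus the object it was bound to. */
struct work_item {
    void (*fn)(struct udc_model *);
    struct udc_model *udc;
    bool pending;
};

static struct work_item queue;   /* one-slot stand-in for the kernel workqueue */
static int uaf_hits;             /* executions that found a poisoned object */

/* Stand-in for udc_drd_work(): the body of the work item. */
static void udc_drd_work(struct udc_model *udc)
{
    if (udc->magic != UDC_MAGIC) {   /* the object was already torn down */
        uaf_hits++;
        return;
    }
    udc->connect_count++;
}

/* usbd_connect_notify() -> schedule_delayed_work(): park the item. */
static void schedule_drd_work(struct udc_model *udc)
{
    queue.fn = udc_drd_work;
    queue.udc = udc;
    queue.pending = true;
}

/* Stand-in for cancel_delayed_work_sync(): once this returns the item is
 * neither pending nor running, so the caller may release the object. */
static void cancel_drd_work_sync(void)
{
    queue.pending = false;
}

/* The workqueue getting round to the item.  In the kernel this happens
 * asynchronously on another thread, which is what makes it a race. */
static void run_pending_work(void)
{
    if (!queue.pending)
        return;
    queue.pending = false;
    queue.fn(queue.udc);
}

/* usb_del_gadget_udc() -> usb_udc_release() -> kfree(udc), modelled by
 * poisoning instead of freeing so the late access can be observed. */
static void usb_udc_release_model(struct udc_model *udc)
{
    udc->magic = UDC_POISON;
    udc->connect_count = -1;
}

/* Run one remove sequence.  Returns how many work executions found a
 * released object: 1 with the original ordering, 0 with the patch's. */
int udc_plat_remove_model(bool cancel_work_first)
{
    struct udc_model udc = { .magic = UDC_MAGIC, .connect_count = 0 };
    uaf_hits = 0;

    schedule_drd_work(&udc);         /* a connect event arrived just before removal */
    if (cancel_work_first)
        cancel_drd_work_sync();      /* the single line the patch adds */
    usb_udc_release_model(&udc);     /* gadget deleted, udc released */
    run_pending_work();              /* the workqueue runs whatever is still queued */
    return uaf_hits;
}
```

The model deliberately has no "running" state: cancel_delayed_work_sync() in the kernel also waits for an instance that is already executing, and the same ordering argument applies to that case. What the model cannot show is the re-queue window raised above, where the notifier fires again after the cancel; that depends on where the notifier is unregistered in the real remove path.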