References: <20230413074926.239605-1-zyytlz.wz@163.com>
From: Zheng Hacker
Date: Thu, 13 Apr 2023 23:38:38 +0800
Subject: Re: [RESEND PATCH] usb: renesas_usbhs: Fix use after free bug in usbhs_remove due to race condition
To: Yoshihiro Shimoda
Cc: Zheng Wang, "gregkh@linuxfoundation.org", "p.zabel@pengutronix.de", "linux-usb@vger.kernel.org", "linux-kernel@vger.kernel.org", "1395428693sheep@gmail.com" <1395428693sheep@gmail.com>, "alex000young@gmail.com"
X-Mailing-List: linux-kernel@vger.kernel.org

Yoshihiro Shimoda wrote on Thu, Apr 13, 2023 at 20:19:
>
> Hi,
>
> > From: Zheng Wang, Sent: Thursday, April 13, 2023 4:49 PM
> >
> > In usbhs_probe, &priv->notify_hotplug_work is bound with
> > usbhsc_notify_hotplug. It will be started then.
> >
> > If we remove the driver which will call usbhs_remove
> > to make cleanup, there may be a unfinished work.
> >
> > The possible sequence is as follows:
> >
> > Fix it by finishing the work before cleanup in the usbhs_remove
> >
> > CPU0                  CPU1
> >
> >                     |usbhsc_notify_hotplug
> > usbhs_remove        |
> > usbhs_mod_remove    |
> > usbhs_mod_gadget_remove|
> > kfree(gpriv);       |
> >                     |usbhsc_hotplug
> >                     |usbhs_mod_call start
> >                     |usbhsg_start
> >                     |usbhsg_try_start
> >                     |//use gpriv
>
> Thank you for the patch!
>
> You should adjust the figure like followings because Greg mentioned it on other patch [1].

Thanks for your advice. Will apply in the next.

Best regards,
Zheng

> -----
> CPU0                            CPU1
>
>                                 | usbhsc_notify_hotplug
> usbhs_remove                    |
> usbhs_mod_remove                |
> usbhs_mod_gadget_remove         |
> kfree(gpriv);                   |
>                                 | usbhsc_hotplug
>                                 | usbhs_mod_call start
>                                 | usbhsg_start
>                                 | usbhsg_try_start
>                                 | //use gpriv
> -----
>
> [1]
> https://lore.kernel.org/lkml/ZBNCam0XjWehrF3c@kroah.com/
>
> Best regards,
> Yoshihiro Shimoda
>
> > Fixes: bc57381e6347 ("usb: renesas_usbhs: use delayed_work instead of work_struct")
> > Signed-off-by: Zheng Wang
> > --- > > drivers/usb/renesas_usbhs/common.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_u= sbhs/common.c > > index 96f3939a65e2..17a0987ef4f5 100644 > > --- a/drivers/usb/renesas_usbhs/common.c > > +++ b/drivers/usb/renesas_usbhs/common.c > > @@ -768,6 +768,7 @@ static int usbhs_remove(struct platform_device *pde= v) > > > > dev_dbg(&pdev->dev, "usb remove\n"); > > > > + cancel_delayed_work_sync(&priv->notify_hotplug_work); > > /* power off */ > > if (!usbhs_get_dparam(priv, runtime_pwctrl)) > > usbhsc_power_ctrl(priv, 0); > > -- > > 2.25.1 >
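
Review bot: the added cancel_delayed_work_sync(&priv->notify_hotplug_work) sits at the very top of usbhs_remove, ahead of the power-off block, so it closes the race only if nothing can queue notify_hotplug_work again between this call and the kfree(gpriv) that the commit message places under usbhs_mod_remove. The hunk does not show the source that schedules the work being quiesced first; please state in the commit message why no path can re-arm it after this point, or move the cancel to after that source is disabled and still before usbhs_mod_remove. As a style point, leave a blank line between the new call and the /* power off */ comment so the cancel does not read as part of the power-off step.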