Date: Thu, 8 Jun 2023 15:09:27 +0200
From: Johan Hovold
To: Manivannan Sadhasivam
Cc: Johan Hovold, Thinh Nguyen, Greg Kroah-Hartman, Andy Gross, Bjorn Andersson, Konrad Dybcio, Krishna Kurapati, linux-usb@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Li Jun, Sandeep Maheswaram
Subject: Re: [PATCH 2/2] USB: dwc3: fix use-after-free on core driver unbind
References: <20230607100540.31045-1-johan+linaro@kernel.org> <20230607100540.31045-3-johan+linaro@kernel.org> <20230608130246.GF5672@thinkpad>
In-Reply-To: <20230608130246.GF5672@thinkpad>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 08, 2023 at 06:32:46PM +0530, Manivannan Sadhasivam wrote:
> On Wed, Jun 07, 2023 at 12:05:40PM +0200, Johan Hovold wrote:
> > Some dwc3 glue drivers are currently accessing the driver data of the
> > child core device directly, which is clearly a bad idea as the child may
> > not have probed yet or may have been unbound from its driver.
> > 
> > As a workaround until the glue drivers have been fixed, clear the driver
> > data pointer before allowing the glue parent device to runtime suspend
> > to prevent its driver from accessing data that has been freed during
> > unbind.
> > @@ -1929,6 +1929,11 @@ static int dwc3_remove(struct platform_device *pdev)
> >  	pm_runtime_disable(&pdev->dev);
> >  	pm_runtime_dont_use_autosuspend(&pdev->dev);
> >  	pm_runtime_put_noidle(&pdev->dev);
> > +	/*
> > +	 * HACK: Clear the driver data, which is currently accessed by parent
> > +	 * glue drivers, before allowing the parent to suspend.
> > +	 */
> > +	platform_set_drvdata(pdev, NULL);
> 
> This is required because you have seen the glue driver going to runtime suspend
> once the below pm_runtime_set_suspended() is completed?

This is based on analysis of the code. The parent (glue) can not suspend
while the child (core) is in the active state, but once we set the
suspended state that could happen.

> > 
> >  	dwc3_free_event_buffers(dwc);

Johan
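Review bot: the `platform_set_drvdata(pdev, NULL)` line turns a glue driver's stale read of the core's driver data into a NULL read, so every glue driver that still calls platform_get_drvdata() on the core device needs a NULL check, otherwise the use-after-free this fixes becomes a NULL-pointer dereference on unbind; worth saying in the commit message which glue drivers are affected. The HACK comment should also state the ordering constraint the fix relies on, which is only explained in this thread: the clear must stay before pm_runtime_set_suspended(), because the parent glue device cannot runtime suspend while the child is active, and the protection is lost if the two lines are ever reordered.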
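The ordering argument in Johan's reply (the glue parent cannot runtime suspend while the core child is active, so the driver-data pointer has to be cleared before the child is marked suspended) as a small userspace model in C. This is an added illustration, not kernel code and not anything posted in the thread: the device structure, the active_children counter, the pm_set_active()/pm_set_suspended() helpers, the glue_runtime_suspend() callback and the core_remove() sequence are all constructed stand-ins for the real runtime-PM framework, and a `freed` flag replaces a real free so that a stale pointer can be detected instead of dereferenced.

```c
/*
 * Constructed userspace model of the parent/child runtime-PM ordering
 * discussed in the thread.  Nothing here is kernel code.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pm_state { PM_ACTIVE, PM_SUSPENDED };

/* Stand-in for struct device: only the fields the argument needs. */
struct device {
	enum pm_state state;
	struct device *parent;
	int active_children; /* model of "parent may not suspend while a child is active" */
	void *drvdata;       /* model of platform_{get,set}_drvdata() */
};

/* Stand-in for the core driver's private data the glue drivers reach into. */
struct dwc3 {
	bool freed; /* constructed marker set instead of really freeing the object */
};

/* What the glue parent's runtime-suspend callback observes. */
enum glue_result {
	GLUE_BUSY = -1,          /* child active: runtime PM would not call us at all */
	GLUE_OK_NULL = 0,        /* drvdata cleared, callback must cope with NULL */
	GLUE_OK_VALID = 1,       /* child still bound */
	GLUE_USE_AFTER_FREE = 2  /* the bug the patch works around */
};

/* Model of the active-child accounting that blocks parent suspend. */
static void pm_set_active(struct device *dev)
{
	if (dev->state == PM_ACTIVE)
		return;
	dev->state = PM_ACTIVE;
	if (dev->parent)
		dev->parent->active_children++;
}

static void pm_set_suspended(struct device *dev)
{
	if (dev->state == PM_SUSPENDED)
		return;
	dev->state = PM_SUSPENDED;
	if (dev->parent)
		dev->parent->active_children--;
}

/* Stand-in for a glue driver callback that reads the child's driver data
 * directly (the pattern the thread calls a bad idea), with the NULL check
 * such a driver needs once the core clears its drvdata on unbind. */
static int glue_runtime_suspend(struct device *glue, struct device *core)
{
	struct dwc3 *dwc;

	if (glue->active_children > 0)
		return GLUE_BUSY;
	dwc = core->drvdata;
	if (!dwc)
		return GLUE_OK_NULL;
	if (dwc->freed)
		return GLUE_USE_AFTER_FREE;
	return GLUE_OK_VALID;
}

/* Model of the tail of the core remove path: clear_first selects whether
 * drvdata is cleared before the child is marked suspended. */
static void core_remove(struct device *core, bool clear_first)
{
	struct dwc3 *dwc = core->drvdata;

	if (clear_first)
		core->drvdata = NULL;
	pm_set_suspended(core); /* from here on the parent may runtime suspend */
	dwc->freed = true;      /* model of the core data being freed afterwards */
}

/* Static so the stale pointer stays readable inside the model. */
static struct dwc3 dwc_storage;

static void bring_up(struct device *glue, struct device *core)
{
	memset(glue, 0, sizeof(*glue));
	memset(core, 0, sizeof(*core));
	glue->state = PM_ACTIVE;
	core->state = PM_SUSPENDED;
	core->parent = glue;
	dwc_storage.freed = false;
	core->drvdata = &dwc_storage;
	pm_set_active(core);
}

/* While the core child is active the glue parent is held out of suspend. */
int glue_result_while_child_active(void)
{
	struct device glue, core;

	bring_up(&glue, &core);
	return glue_runtime_suspend(&glue, &core);
}

/* What the glue parent observes once the core has been unbound, with or
 * without the drvdata clear placed before the suspended-state update. */
int glue_result_after_core_remove(bool clear_drvdata_first)
{
	struct device glue, core;

	bring_up(&glue, &core);
	core_remove(&core, clear_drvdata_first);
	return glue_runtime_suspend(&glue, &core);
}

int main(void)
{
	printf("child active:            %d (busy)\n", glue_result_while_child_active());
	printf("unbind, drvdata cleared: %d (NULL seen, safe)\n", glue_result_after_core_remove(true));
	printf("unbind, drvdata kept:    %d (stale pointer)\n", glue_result_after_core_remove(false));
	return 0;
}
```

The model keeps the three facts the thread relies on separate: the parent's callback cannot run while the child is active, it can run as soon as the child is marked suspended, and only the variant that clears drvdata before that point leaves the callback with a NULL it can check rather than a dangling pointer.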