Date: Sun, 24 Dec 2023 13:14:52 +0100
From: "Christian A. Ehrhardt"
To: Chris Bainbridge
Cc: rdbabiera@google.com, heikki.krogerus@linux.intel.com, Greg KH, LKML, linux-usb@vger.kernel.org
Subject: Re: BUG: use-after-free bisected to "usb: typec: class: fix typec_altmode_put_partner to put plugs"

Hi Chris,

[ Cc: linux-usb@vger.kernel.org ]

On Sun, Dec 24, 2023 at 12:54:11AM +0000, Chris Bainbridge wrote:
> Hello,
>
> A use-after-free error has appeared after a recent commit. This occurs
> when I unplug the USB-C dock (HP G5).
>
>
> b17b7fe6dd5c6ff74b38b0758ca799cdbb79e26e is the first bad commit
> commit b17b7fe6dd5c6ff74b38b0758ca799cdbb79e26e
> Author: RD Babiera
> Date: Wed Nov 29 19:23:50 2023 +0000
>
>     usb: typec: class: fix typec_altmode_put_partner to put plugs

I'm not very familiar with the code in question but the double free
seems rather obvious to me as typec_altmode_put_partner() frees the
altmode itself (which is already being released) and not the partner.

I think this might fix it. Can you give it a try? If it does I can
cook up a proper patch later this week.

regards Christian

diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c index 16a670828dde..2da19feacd91 100644 --- a/drivers/usb/typec/class.c +++ b/drivers/usb/typec/class.c @@ -263,11 +263,13 @@ static void typec_altmode_put_partner(struct altmode *altmode) { struct altmode *partner = altmode->partner; struct typec_altmode *adev; + struct typec_altmode *partner_adev; if (!partner) return; adev = &altmode->adev; + partner_adev = &partner->adev; if (is_typec_plug(adev->dev.parent)) { struct typec_plug *plug = to_typec_plug(adev->dev.parent); 
@@ -276,7 +278,7 @@ static void typec_altmode_put_partner(struct altmode *altmode) } else { partner->partner = NULL; } - put_device(&adev->dev); + put_device(&partner_adev->dev); } /**
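
Review bot: partner_adev in the first hunk is assigned once and read once, in the put_device() call of the second hunk, so the extra local can be dropped: put_device(&partner->adev.dev) says the same thing without a second typec_altmode pointer sitting next to adev. If the local is kept, assigning it after the !partner check, as done here, is the right place since partner may be NULL.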
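
Review bot: the changed put_device() line at the end of the second hunk now drops a reference on the partner, but nothing in the visible lines shows where that reference is taken, so the proper patch should state in its changelog which get_device() this put balances and carry a Fixes: tag for b17b7fe6dd5c, the commit the report bisected to. A one-line comment above the call noting that altmode's own device is already in release at this point would also record why the put must not target adev.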
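
The reasoning in the message above, as a userspace model added here (not kernel code and not part of the original mail): a release handler that puts its own device hits a count that is already zero, while putting the partner balances the reference. All names (struct dev, get_dev, put_dev, put_partner, run, put_self) are hypothetical, and the reference taken on the partner when the two are linked is an assumption.

```c
#include <stdio.h>

/* Simplified model of a refcounted device; hypothetical, not the kernel API. */
struct dev {
    int refs;                     /* reference count */
    int released;                 /* how often release() ran */
    int bad_puts;                 /* puts that arrived with refs already 0 */
    void (*release)(struct dev *);
};

struct altmode {
    struct dev dev;               /* first member, so dev* casts to altmode* */
    struct altmode *partner;
    int put_self;                 /* 1 = put own device, 0 = put the partner */
};

static void get_dev(struct dev *d) { d->refs++; }

static void put_dev(struct dev *d)
{
    if (d->refs == 0) { d->bad_puts++; return; }  /* object is already going away */
    if (--d->refs == 0) { d->released++; d->release(d); }
}

static void put_partner(struct altmode *a)
{
    struct altmode *p = a->partner;
    if (!p)
        return;
    p->partner = NULL;
    put_dev(a->put_self ? &a->dev : &p->dev);
}

/* Runs when the last reference to an altmode is dropped. */
static void altmode_release(struct dev *d) { put_partner((struct altmode *)d); }

/* Link a and p, drop the last reference on a; returns a's bad put count. */
static int run(int put_self, int *partner_refs)
{
    struct altmode p = { .dev = { 1, 0, 0, altmode_release } };
    struct altmode a = { .dev = { 1, 0, 0, altmode_release },
                         .partner = &p, .put_self = put_self };
    p.partner = &a;
    get_dev(&p.dev);              /* assumption: linking pins the partner */
    put_dev(&a.dev);              /* last reference to a goes away */
    *partner_refs = p.dev.refs;
    return a.dev.bad_puts;
}

int main(void)
{
    int r, bad = run(1, &r);
    printf("put self:    bad puts=%d partner refs=%d\n", bad, r);
    bad = run(0, &r);
    printf("put partner: bad puts=%d partner refs=%d\n", bad, r);
    return 0;
}
```

With put_self set, the partner also keeps its extra reference, so the model shows a leak alongside the put on a dying object.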