Date: Tue, 26 Mar 2024 10:36:40 +0100
From: Greg KH
To: Norihiko Hama
Cc: balbi@kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
Message-ID: <2024032629-frolic-obtain-ad55@gregkh>
References: <20240325094543.5362-1-Norihiko.Hama@alpsalpine.com>
In-Reply-To: <20240325094543.5362-1-Norihiko.Hama@alpsalpine.com>

On Mon, Mar 25, 2024 at 06:45:43PM +0900, Norihiko Hama wrote:
> When ncm function is working and then stop usb0 interface for link down,
> eth_stop() is called. At this point, if a usb transport error accidentally
> happens in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.
>
> After that, ncm_disable() is called to disable for ncm unbind
> but gether_disconnect() is never called since 'in_ep' is not enabled.
>
> As a result, ncm object is released in ncm unbind
> but 'dev->port_usb' associated to 'ncm->port' is not NULL.
>
> And when ncm bind again to recover netdev, ncm object is reallocated
> but usb0 interface is already associated to previous released ncm object.
>
> Therefore, once usb0 interface is up and eth_start_xmit() is called,
> released ncm object is dereferenced and it might cause use-after-free memory.
>
> [function unlink via configfs]
> usb0: eth_stop dev->port_usb=ffffff9b179c3200
> --> error happens in usb_ep_enable().
> NCM: ncm_disable: ncm=ffffff9b179c3200
> --> no gether_disconnect() since ncm->port.in_ep->enabled is false.
> NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
> NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm
>
> [function link via configfs]
> NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
> NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
> NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
> usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm
> usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
>
> Unable to handle kernel paging request at virtual address dead00000000014f
>
> This patch addresses the issue by checking if 'ncm->netdev' is not NULL at
> ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.
> It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect
> rather than check 'ncm->port.in_ep->enabled' since it might not be enabled
> but the gether connection might be established.
>
> Signed-off-by: Norihiko Hama
> ---
> drivers/usb/gadget/function/f_ncm.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c
> index bd095ae569ed..23960cd16463 100644
> --- a/drivers/usb/gadget/function/f_ncm.c
> +++ b/drivers/usb/gadget/function/f_ncm.c
> @@ -888,7 +888,7 @@ static int ncm_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
> if (alt > 1)
> goto fail;
>
> - if (ncm->port.in_ep->enabled) {
> + if (ncm->netdev) {
> DBG(cdev, "reset ncm\n");
> ncm->netdev = NULL;
> gether_disconnect(&ncm->port);
> @@ -1365,7 +1365,7 @@ static void ncm_disable(struct usb_function *f)
>
> DBG(cdev, "ncm deactivated\n");
>
> - if (ncm->port.in_ep->enabled) {
> + if (ncm->netdev) {
> ncm->netdev = NULL;
> gether_disconnect(&ncm->port);
> }
> --
> 2.17.1
>

What commit id does this change fix?

thanks,

greg k-h
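Review bot: In the ncm_set_alt() hunk the new condition `if (ncm->netdev)` makes ncm->netdev the single source of truth for "a gether link is established", but nothing in the hunk shows where ncm->netdev is assigned after gether_connect() succeeds, so please confirm in the alt == 1 path of the same function that every successful gether_connect() stores its result in ncm->netdev and that a failed connect never leaves a stale non-NULL value there; otherwise gether_disconnect(&ncm->port) is either skipped again (leaving dev->port_usb dangling, the exact bug being fixed) or called on a port that was never connected. The changelog should also carry a Fixes: tag naming the commit that introduced the in_ep->enabled test so the change can be routed to stable.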
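Review bot: In the ncm_disable() hunk, clearing ncm->netdev before calling gether_disconnect(&ncm->port) is the right order (a second call with the new check becomes a no-op), but the identical three-line `netdev = NULL; gether_disconnect()` sequence now appears in both ncm_set_alt() and ncm_disable(); consider a small static helper so a future fix to the teardown is not applied to one site only. The commit message should also be rewritten in the imperative mood ("Check ncm->netdev rather than in_ep->enabled ...") instead of "This patch addresses the issue by ...", per Documentation/process/submitting-patches.rst.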
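The failure sequence from the report above, as an added C model that is not kernel code and not part of the original mail: reduced stand-ins for struct usb_ep, struct gether, struct eth_dev and struct f_ncm, a gether_connect()/gether_disconnect() pair, an eth_stop() whose endpoint re-enable step can be made to fail, and an ncm_disable() that runs with either the pre-patch condition (in_ep->enabled) or the post-patch one (ncm->netdev != NULL). The struct layouts, enum check_mode, the helper port_usb_dangles_after_unbind() and the exact behaviour of eth_stop() are assumptions for illustration; the point it demonstrates is that an endpoint's enabled flag and the gether link state can diverge after an error, so only the second is a safe teardown condition.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, reduced models of the kernel objects named in the patch
 * (assumption: only the fields the bug needs are present). */
struct usb_ep { bool enabled; };
struct eth_dev;
struct gether {
    struct usb_ep *in_ep;
    struct usb_ep *out_ep;
    struct eth_dev *ioport;     /* set while a netdev is connected */
};
struct eth_dev { struct gether *port_usb; };   /* dev->port_usb in the report */
struct f_ncm {
    struct gether port;
    struct eth_dev *netdev;
};

/* Which condition ncm_disable() uses to decide whether to disconnect. */
enum check_mode { CHECK_IN_EP_ENABLED, CHECK_NETDEV };

/* Model of gether_connect(): enable endpoints and link dev <-> port. */
static struct eth_dev *gether_connect(struct eth_dev *dev, struct gether *link)
{
    link->in_ep->enabled = true;
    link->out_ep->enabled = true;
    dev->port_usb = link;
    link->ioport = dev;
    return dev;
}

/* Model of gether_disconnect(): tear the link down and clear dev->port_usb. */
static void gether_disconnect(struct gether *link)
{
    struct eth_dev *dev = link->ioport;
    if (!dev)
        return;
    link->in_ep->enabled = false;
    link->out_ep->enabled = false;
    dev->port_usb = NULL;
    link->ioport = NULL;
}

/* Model of eth_stop(): disable the endpoints to flush them, then re-enable.
 * ep_enable_fails stands in for the usb transport error in usb_ep_enable(),
 * which leaves the endpoints disabled while the gether link is still up. */
static void eth_stop(struct eth_dev *dev, bool ep_enable_fails)
{
    struct gether *link = dev->port_usb;
    if (!link)
        return;
    link->in_ep->enabled = false;
    link->out_ep->enabled = false;
    if (!ep_enable_fails) {
        link->in_ep->enabled = true;
        link->out_ep->enabled = true;
    }
}

/* ncm_disable() with the pre-patch or post-patch condition. */
static void ncm_disable(struct f_ncm *ncm, enum check_mode mode)
{
    bool connected = (mode == CHECK_IN_EP_ENABLED)
                         ? ncm->port.in_ep->enabled
                         : (ncm->netdev != NULL);
    if (connected) {
        ncm->netdev = NULL;
        gether_disconnect(&ncm->port);
    }
}

/* Replay the report: bind (connect), link down with an optional usb_ep_enable()
 * failure, ncm_disable(), then free the ncm object. Returns true when
 * dev->port_usb still points at the just-freed ncm, i.e. the UAF precondition. */
bool port_usb_dangles_after_unbind(enum check_mode mode, bool ep_enable_fails)
{
    struct usb_ep in_ep = {0}, out_ep = {0};
    struct eth_dev dev = {0};
    struct f_ncm *ncm = calloc(1, sizeof *ncm);
    if (!ncm)
        abort();
    ncm->port.in_ep = &in_ep;
    ncm->port.out_ep = &out_ep;

    ncm->netdev = gether_connect(&dev, &ncm->port);   /* ncm_set_alt(alt=1) */
    eth_stop(&dev, ep_enable_fails);                  /* usb0 link down */
    ncm_disable(ncm, mode);                           /* function unlink */

    bool dangling = (dev.port_usb == &ncm->port);     /* decide before freeing */
    free(ncm);                                        /* ncm_free() */
    return dangling;
}

int main(void)
{
    printf("in_ep->enabled check, ep_enable fails: dangling=%d\n",
           port_usb_dangles_after_unbind(CHECK_IN_EP_ENABLED, true));
    printf("ncm->netdev check,    ep_enable fails: dangling=%d\n",
           port_usb_dangles_after_unbind(CHECK_NETDEV, true));
    return 0;
}
```

With the old condition the failed re-enable leaves in_ep->enabled false, ncm_disable() skips gether_disconnect(), and dev->port_usb keeps pointing into freed memory, which is what the next eth_open()/eth_start_xmit() would dereference; with the netdev condition the link is torn down regardless of endpoint state. Without the enable failure both conditions behave the same, which is why the bug only shows up on the error path.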