From patchwork Mon Mar 20 06:29:31 2023
X-Patchwork-Submitter: Zheng Wang
X-Patchwork-Id: 72004
From: Zheng Wang
To: gregkh@linuxfoundation.org
Cc: skhan@linuxfoundation.org, p.zabel@pengutronix.de, biju.das.jz@bp.renesas.com, phil.edworthy@renesas.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, hackerzheng666@gmail.com, 1395428693sheep@gmail.com, alex000young@gmail.com, yoshihiro.shimoda.uh@renesas.com, Zheng Wang
Subject: [PATCH v10] usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
Date: Mon, 20 Mar 2023 14:29:31 +0800
Message-Id: <20230320062931.505170-1-zyytlz.wz@163.com>

In renesas_usb3_probe, role_work is bound with renesas_usb3_role_work.
renesas_usb3_start will be called to start the work. If we remove the
driver, which will call usbhs_remove, there may be unfinished work.

The possible sequence is as follows:

CPU0                                  CPU1
renesas_usb3_role_work                renesas_usb3_remove
                                      usb_role_switch_unregister
                                      device_unregister
                                      kfree(sw) //free usb3->role_sw
usb_role_switch_set_role //use usb3->role_sw

The usb3->role_sw could be freed under such circumstances and then used
in usb_role_switch_set_role.

This bug was found by static analysis.

And note that removing a driver is a root-only operation, and should
never happen in the normal case. But the root user may directly remove
the device, which will also trigger the remove function.

Fix it by canceling the work before cleanup in renesas_usb3_remove.

Fixes: 39facfa01c9f ("usb: gadget: udc: renesas_usb3: Add register of usb role switch")
Signed-off-by: Zheng Wang
Reviewed-by: Yoshihiro Shimoda
---
v10:
- modify the commit message suggested by Yoshihiro Shimoda
v9:
- append with more information suggested by Greg KH
v8:
- replace | with spaces to make line up suggested by Greg KH
v7:
- add more details about how the bug was found suggested by Shuah
v6:
- beautify the format and add note suggested by Greg KH
v5:
- fix typo
v4:
- add Reviewed-by label and resubmit v4 suggested by Greg KH
v3:
- modify the commit message to make it clearer suggested by Yoshihiro Shimoda
v2:
- fix typo, use clearer commit message and only cancel the UAF-related work suggested by Yoshihiro Shimoda
---
 drivers/usb/gadget/udc/renesas_usb3.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c index bee6bceafc4f..a301af66bd91 100644 --- a/drivers/usb/gadget/udc/renesas_usb3.c +++ b/drivers/usb/gadget/udc/renesas_usb3.c @@ -2661,6 +2661,7 @@ static int renesas_usb3_remove(struct platform_device *pdev) debugfs_remove_recursive(usb3->dentry); device_remove_file(&pdev->dev, &dev_attr_role); + cancel_work_sync(&usb3->role_work); usb_role_switch_unregister(usb3->role_sw); usb_del_gadget_udc(&usb3->gadget);
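Review bot: cancel_work_sync() guarantees only that role_work is neither pending nor running at the moment it returns, so the added cancel_work_sync(&usb3->role_work) closes the race only if nothing can queue role_work again between that line and usb_role_switch_unregister(usb3->role_sw). The hunk has the ordering right for the one trigger it shows, since device_remove_file(&pdev->dev, &dev_attr_role) sits above the cancel, but the commit message should say what else can queue role_work (a notifier or interrupt handler, if the driver has one) and why it is quiet by this point; otherwise a work item queued just after the cancel still reaches the freed switch. Separately, the commit message says removing the driver "will call usbhs_remove", while the function patched here is renesas_usb3_remove (see the hunk header); the name should be corrected so the text matches the code.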
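As an added example, not code from this patch or from the renesas_usb3 driver: a userspace model of the interleaving the commit message draws (role_work still running while remove() frees usb3->role_sw) and of why cancelling the work before the free closes it. The pthread stand-ins for queue_work() and cancel_work_sync() keep only the property the fix relies on, that cancel_work_sync() does not return while the work function is still running. struct role_switch with its freed flag in place of kfree(), the gate the worker blocks on, and the 20 ms delay are all assumptions made so the two interleavings are deterministic.

```c
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <stdbool.h>
#include <unistd.h>

/* Stand-in for the kfree()'d usb_role_switch (model assumption): the memory
 * stays valid and only the flag flips, so a late access can be observed. */
struct role_switch { bool freed; int role; };

/* role_work is a plain thread here; the flags pin the interleaving:
 * work_started = worker entered the work, gate_open = worker may touch
 * role_sw, use_after_free = worker found role_sw already freed. */
struct usb3 {
    struct role_switch *role_sw;
    pthread_t role_work;
    pthread_mutex_t lock;
    pthread_cond_t cv;
    bool work_started, gate_open, use_after_free;
};

static void flag_set(struct usb3 *u, bool *flag)
{
    pthread_mutex_lock(&u->lock);
    *flag = true;
    pthread_cond_broadcast(&u->cv);
    pthread_mutex_unlock(&u->lock);
}

static void flag_wait(struct usb3 *u, bool *flag)
{
    pthread_mutex_lock(&u->lock);
    while (!*flag)
        pthread_cond_wait(&u->cv, &u->lock);
    pthread_mutex_unlock(&u->lock);
}

/* Model of renesas_usb3_role_work(): announce entry, block at a slow point
 * inside the work, then use usb3->role_sw as usb_role_switch_set_role() does. */
static void *role_work_fn(void *arg)
{
    struct usb3 *u = arg;
    flag_set(u, &u->work_started);
    flag_wait(u, &u->gate_open);
    if (u->role_sw->freed)
        u->use_after_free = true;
    else
        u->role_sw->role = 1;
    return NULL;
}

/* Model of cancel_work_sync(): does not return while the work still runs. */
static void cancel_work_sync(pthread_t *work)
{
    pthread_join(*work, NULL);
}

/* Something else (hardware, another CPU) finishes the worker's slow step later. */
static void *open_gate_later(void *p)
{
    struct usb3 *u = p;
    usleep(20000);
    flag_set(u, &u->gate_open);
    return NULL;
}

/* probe(): bind role_work and get it running before remove() begins. */
static void usb3_start(struct usb3 *u, struct role_switch *sw)
{
    *u = (struct usb3){ .role_sw = sw };
    pthread_mutex_init(&u->lock, NULL);
    pthread_cond_init(&u->cv, NULL);
    pthread_create(&u->role_work, NULL, role_work_fn, u);   /* queue_work() */
    flag_wait(u, &u->work_started);
}

/* remove() before the patch: the switch is freed while role_work still runs.
 * Returns true if the worker touched the freed switch. */
bool remove_without_cancel(void)
{
    struct role_switch sw = { 0 };
    struct usb3 u;
    usb3_start(&u, &sw);
    sw.freed = true;              /* usb_role_switch_unregister() -> kfree(sw) */
    flag_set(&u, &u.gate_open);   /* worker resumes after the free */
    pthread_join(u.role_work, NULL); /* only so the result can be read */
    return u.use_after_free;
}

/* remove() with the patch: cancel_work_sync() first, then free. */
bool remove_with_cancel(void)
{
    struct role_switch sw = { 0 };
    struct usb3 u;
    pthread_t opener;
    usb3_start(&u, &sw);
    pthread_create(&opener, NULL, open_gate_later, &u);
    cancel_work_sync(&u.role_work); /* the added line: returns once the worker is done */
    sw.freed = true;                /* nothing can still reach it */
    pthread_join(opener, NULL);
    return u.use_after_free;
}
```

remove_without_cancel() returns true and remove_with_cancel() returns false regardless of scheduling, because the worker is held at the gate until the teardown has reached the point of interest. Swapping the cancel_work_sync() and sw.freed lines in remove_with_cancel() reproduces the original bug, which is the ordering point the one-line patch makes.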