From patchwork Fri Nov 4 13:10:30 2022
X-Patchwork-Submitter: Sascha Hauer
X-Patchwork-Id: 15508
From: Sascha Hauer
To: linux-usb@vger.kernel.org
Cc: Greg Kroah-Hartman, linux-kernel@vger.kernel.org, kernel@pengutronix.de, Sascha Hauer
Subject: [PATCH 1/2] usb: gadget: u_ether: Do not make UDC parent of the net device
Date: Fri, 4 Nov 2022 14:10:30 +0100
Message-Id: <20221104131031.850850-2-s.hauer@pengutronix.de>
In-Reply-To: <20221104131031.850850-1-s.hauer@pengutronix.de>
References: <20221104131031.850850-1-s.hauer@pengutronix.de>

The UDC is not a suitable parent of the net device as the UDC can
change or vanish during the lifecycle of the ethernet gadget. This
can be illustrated with the following:

mkdir -p /sys/kernel/config/usb_gadget/mygadget
cd /sys/kernel/config/usb_gadget/mygadget
mkdir -p configs/c.1/strings/0x409
echo "C1:Composite Device" > configs/c.1/strings/0x409/configuration
mkdir -p functions/ecm.usb0
ln -s functions/ecm.usb0 configs/c.1/
echo "dummy_udc.0" > UDC
rmmod dummy_hcd

The 'rmmod' removes the UDC from the just created gadget, leaving
the still existing net device with a no longer existing parent.

Accessing the ethernet device with commands like:

ip --details link show usb0

will result in a KASAN splat:

==================================================================
BUG: KASAN: use-after-free in if_nlmsg_size+0x3e8/0x528
Read of size 4 at addr c5c84754 by task ip/357

CPU: 3 PID: 357 Comm: ip Not tainted 6.1.0-rc3-00013-gd14953726b24-dirty #324
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
 unwind_backtrace from show_stack+0x10/0x14
 show_stack from dump_stack_lvl+0x58/0x70
 dump_stack_lvl from print_report+0x134/0x4d4
 print_report from kasan_report+0x78/0x10c
 kasan_report from if_nlmsg_size+0x3e8/0x528
 if_nlmsg_size from rtnl_getlink+0x2b4/0x4d0
 rtnl_getlink from rtnetlink_rcv_msg+0x1f4/0x674
 rtnetlink_rcv_msg from netlink_rcv_skb+0xb4/0x1f8
 netlink_rcv_skb from netlink_unicast+0x294/0x478
 netlink_unicast from netlink_sendmsg+0x328/0x640
 netlink_sendmsg from ____sys_sendmsg+0x2a4/0x3b4
 ____sys_sendmsg from ___sys_sendmsg+0xc8/0x12c
 ___sys_sendmsg from sys_sendmsg+0xa0/0x120
 sys_sendmsg from ret_fast_syscall+0x0/0x1c

Solve this by not setting the parent of the ethernet device.

Signed-off-by: Sascha Hauer
---
 drivers/usb/gadget/function/u_ether.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index e06022873df16..8f12f3f8f6eeb 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -798,7 +798,6 @@ struct eth_dev *gether_setup_name(struct usb_gadget *g, net->max_mtu = GETHER_MAX_MTU_SIZE; dev->gadget = g; - SET_NETDEV_DEV(net, &g->dev); SET_NETDEV_DEVTYPE(net, &gadget_type); status = register_netdev(net); @@ -873,8 +872,6 @@ int gether_register_netdev(struct net_device *net) struct usb_gadget *g; int status; - if (!net->dev.parent) - return -EINVAL; dev = netdev_priv(net); g = dev->gadget; 
@@ -905,7 +902,6 @@ void gether_set_gadget(struct net_device *net, struct usb_gadget *g) dev = netdev_priv(net); dev->gadget = g; - SET_NETDEV_DEV(net, &g->dev); } EXPORT_SYMBOL_GPL(gether_set_gadget);
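
Review bot: In the gether_setup_name() hunk (@@ -798), dropping SET_NETDEV_DEV(net, &g->dev) leaves net->dev.parent unset, so the interface is registered without a parent device in sysfs. That is a userspace-visible change for anything that identifies the interface through its parent device, and the commit message does not mention it; please state the impact there. Since this fixes a use-after-free, a Fixes: tag would also help backporting.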
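
Review bot: In the gether_register_netdev() hunk (@@ -873), the removed `if (!net->dev.parent) return -EINVAL;` was the only visible guard that a gadget had been attached before `g = dev->gadget;` is read. With it gone, a call made before gether_set_gadget() proceeds with whatever dev->gadget holds. Consider keeping the guard in a form that no longer depends on the parent, e.g. `if (!dev->gadget) return -EINVAL;` placed after `dev = netdev_priv(net);`.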
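
Review bot: In the gether_set_gadget() hunk (@@ -905), the function is left storing a raw `dev->gadget = g` with no reference taken, so the stored pointer has the same lifetime problem the commit message describes for the parent: it goes stale when the UDC goes away. Please document on the function that callers must call it again on every bind (or clear dev->gadget on unbind), so the pointer is never used across a UDC change.
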
From: Sascha Hauer
To: linux-usb@vger.kernel.org
Cc: Greg Kroah-Hartman, linux-kernel@vger.kernel.org, kernel@pengutronix.de, Sascha Hauer
Subject: [PATCH 2/2] usb: gadget: f_ecm: Always set current gadget in ecm_bind()
Date: Fri, 4 Nov 2022 14:10:31 +0100
Message-Id: <20221104131031.850850-3-s.hauer@pengutronix.de>
In-Reply-To: <20221104131031.850850-1-s.hauer@pengutronix.de>
References: <20221104131031.850850-1-s.hauer@pengutronix.de>

The gadget may change over bind/unbind cycles, so set it each time during
bind, not only the first time.

Without it we get a use-after-free with the following example:

cd /sys/kernel/config/usb_gadget/; mkdir -p mygadget; cd mygadget
mkdir -p configs/c.1/strings/0x409
echo "C1:Composite Device" > configs/c.1/strings/0x409/configuration
mkdir -p functions/ecm.usb0
ln -s functions/ecm.usb0 configs/c.1/
rmmod dummy_hcd
modprobe dummy_hcd

KASAN will complain shortly after the 'modprobe':

usb 2-1: New USB device found, idVendor=0000, idProduct=0000, bcdDevice= 6.01
usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
==================================================================
BUG: KASAN: use-after-free in gether_connect+0xb8/0x30c
Read of size 4 at addr cbef170c by task swapper/3/0

CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.1.0-rc3-00014-g41ff012f50cb-dirty #322
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
 unwind_backtrace from show_stack+0x10/0x14
 show_stack from dump_stack_lvl+0x58/0x70
 dump_stack_lvl from print_report+0x134/0x4d4
 print_report from kasan_report+0x78/0x10c
 kasan_report from gether_connect+0xb8/0x30c
 gether_connect from ecm_set_alt+0x124/0x254
 ecm_set_alt from composite_setup+0xb98/0x2b18
 composite_setup from configfs_composite_setup+0x80/0x98
 configfs_composite_setup from dummy_timer+0x8f0/0x14a0 [dummy_hcd]
 ...

Signed-off-by: Sascha Hauer
---
 drivers/usb/gadget/function/f_ecm.c | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c index ffe2486fce71c..a7ab30e603e20 100644 --- a/drivers/usb/gadget/function/f_ecm.c +++ b/drivers/usb/gadget/function/f_ecm.c @@ -685,7 +685,7 @@ ecm_bind(struct usb_configuration *c, struct usb_function *f) struct usb_composite_dev *cdev = c->cdev; struct f_ecm *ecm = func_to_ecm(f); struct usb_string *us; - int status; + int status = 0; struct usb_ep *ep; struct f_ecm_opts *ecm_opts; 
@@ -695,23 +695,19 @@ ecm_bind(struct usb_configuration *c, struct usb_function *f) ecm_opts = container_of(f->fi, struct f_ecm_opts, func_inst); - /* - * in drivers/usb/gadget/configfs.c:configfs_composite_bind() - * configurations are bound in sequence with list_for_each_entry, - * in each configuration its functions are bound in sequence - * with list_for_each_entry, so we assume no race condition - * with regard to ecm_opts->bound access - */ + mutex_lock(&ecm_opts->lock); + + gether_set_gadget(ecm_opts->net, cdev->gadget); + if (!ecm_opts->bound) { - mutex_lock(&ecm_opts->lock); - gether_set_gadget(ecm_opts->net, cdev->gadget); status = gether_register_netdev(ecm_opts->net); - mutex_unlock(&ecm_opts->lock); - if (status) - return status; ecm_opts->bound = true; } + mutex_unlock(&ecm_opts->lock); + if (status) + return status; + ecm_string_defs[1].s = ecm->ethaddr; us = usb_gstrings_attach(cdev, ecm_strings,
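
Review bot: In the second ecm_bind() hunk (@@ -695), `ecm_opts->bound = true;` now runs even when gether_register_netdev() fails, because the `if (status) return status;` check moved below the mutex_unlock(). A failed registration therefore leaves bound set, and the next bind skips gether_register_netdev() and carries on with a net device that was never registered. Set the flag only on success, e.g. `if (!status) ecm_opts->bound = true;` inside the `if (!ecm_opts->bound)` block.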