Re: usb/gadget: use-after-free in gadgetfs_setup

On Mon, 12 Dec 2016, Andrey Konovalov wrote:

> On Mon, Dec 12, 2016 at 7:44 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > I'm still puzzled.  Can you try running the test with the diagnostic
> > patch below?  The resulting kernel log ought to help pin down where the
> > problem comes from.
> 
> Sure, here's the log:
> 
> usb 1-1: string descriptor 0 read error: -71
> usb 1-1: New USB device found, idVendor=0000, idProduct=0002
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=7
> usb 1-1: can't set config #131, error -71
> usb 1-1: USB disconnect, device number 45
> gadgetfs: bound to dummy_udc driver
> dummy: stop_activity
> usb 1-1: new full-speed USB device number 46 using dummy_hcd
> gadgetfs: connected
> dummy: queue ffff88006addc300 ep ep0
> dummy: complete ffff88006addc300 ep ep0
> dummy: stop_activity
> gadgetfs: disconnected
> gadgetfs: connected
> dummy: queue ffff88006addc300 ep ep0
> dummy: complete ffff88006addc300 ep ep0
> dummy: queue ffff88006addc300 ep ep0
> dummy: complete ffff88006addc300 ep ep0
> dummy: queue ffff88006addc300 ep ep0
> dummy: complete ffff88006addc300 ep ep0
> usb 1-1: config 131 has too many interfaces: 158, using maximum allowed: 32
> usb 1-1: config 131 has 1 interface, different from the descriptor's value: 158
> dummy: queue ffff88006addc300 ep ep0
> dummy: stop_activity
> gadgetfs: disconnected
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 4892 at drivers/usb/gadget/udc/dummy_hcd.c:675
> dummy_free_request+0x153/0x170

Ah, good, that clears it up.  The problem is that stop_activity() nukes 
all the endpoints except for endpoint 0!

The patch below should fix the problem.

Alan Stern



Index: usb-4.x/drivers/usb/gadget/udc/dummy_hcd.c
===================================================================
--- usb-4.x.orig/drivers/usb/gadget/udc/dummy_hcd.c
+++ usb-4.x/drivers/usb/gadget/udc/dummy_hcd.c
@@ -338,6 +338,7 @@ static void stop_activity(struct dummy *
 	/* The timer is left running so that outstanding URBs can fail */
 
 	/* nuke any pending requests first, so driver i/o is quiesced */
+	nuke(dum, &dum->ep[0]);
 	list_for_each_entry(ep, &dum->gadget.ep_list, ep.ep_list)
 		nuke(dum, ep);
 
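Review bot: The added nuke(dum, &dum->ep[0]) call has no comment saying why ep[0] is handled apart from the gadget.ep_list loop, so a later cleanup could drop it as redundant. Extend the existing "nuke any pending requests first" comment to state that the ep_list walk does not cover endpoint 0, which is the gap the message above identifies and which the log shows as a final "queue ... ep ep0" with no "complete" before stop_activity.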

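The diagnosis above can be read straight off the diagnostic log: every `queue` on ep0 is paired with a `complete` except the last one before `stop_activity`. The following is an added example, not part of the original message or the kernel tree; it replays the tail of the quoted log and reports requests still queued when `stop_activity` runs (the function name `leaked_at_stop` is hypothetical).

```python
import re

# Tail of the kernel log quoted in the message above, with mail quoting removed.
LOG = """\
gadgetfs: connected
dummy: queue ffff88006addc300 ep ep0
dummy: complete ffff88006addc300 ep ep0
dummy: stop_activity
gadgetfs: disconnected
gadgetfs: connected
dummy: queue ffff88006addc300 ep ep0
dummy: complete ffff88006addc300 ep ep0
dummy: queue ffff88006addc300 ep ep0
dummy: complete ffff88006addc300 ep ep0
dummy: queue ffff88006addc300 ep ep0
dummy: complete ffff88006addc300 ep ep0
usb 1-1: config 131 has too many interfaces: 158, using maximum allowed: 32
dummy: queue ffff88006addc300 ep ep0
dummy: stop_activity
gadgetfs: disconnected
"""

EVENT = re.compile(r"dummy: (queue|complete) ([0-9a-f]+) ep (\S+)")


def leaked_at_stop(log_text):
    """Return (stop_line, queue_line, request, endpoint) for every request
    that was queued but not completed when stop_activity was logged."""
    pending = {}  # (request, endpoint) -> line number of the queue event
    leaks = []
    for no, line in enumerate(log_text.splitlines(), 1):
        line = line.lstrip("> ").strip()  # tolerate "> " mail quoting
        m = EVENT.search(line)
        if m:
            kind, req, ep = m.groups()
            if kind == "queue":
                pending[(req, ep)] = no
            else:
                pending.pop((req, ep), None)
        elif "dummy: stop_activity" in line:
            # A stop_activity that nukes every endpoint leaves nothing pending.
            leaks += [(no, q, req, ep) for (req, ep), q in pending.items()]
            pending.clear()  # report each leftover request once
    return leaks


if __name__ == "__main__":
    for stop, queued, req, ep in leaked_at_stop(LOG):
        print(f"line {stop}: request {req} on {ep} (queued at line {queued}) still pending")
```
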