Greg KH <greg@xxxxxxxxx> writes:

> On Wed, Nov 08, 2017 at 10:13:15AM -0700, Andrew Gabbasov wrote:
>> KASAN enabled configuration reports an error
>>
>> BUG: KASAN: use-after-free in ffs_free_inst+... [usb_f_fs] at addr ...
>> Write of size 8 by task ...
>>
>> This is observed after "ffs-test" is run and interrupted. If after that
>> functionfs is unmounted and g_ffs module is unloaded, that use-after-free
>> occurs during g_ffs module removal.
>>
>> Although the report indicates ffs_free_inst() function, the actual
>> use-after-free condition occurs in _ffs_free_dev() function, which
>> is probably inlined into ffs_free_inst().
>>
>> This happens due to keeping the ffs_data reference in device structure
>> during functionfs unmounting, while ffs_data itself is freed as no longer
>> needed. The fix is to clear that reference in ffs_closed() function,
>> which is a counterpart of ffs_ready(), where the reference is stored.
>>
>> Fixes: 3262ad824307 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference")
>> Cc: stable@xxxxxxxxxxxxxxx
>> Signed-off-by: Andrew Gabbasov <andrew_gabbasov@xxxxxxxxxx>
>> ---
>> drivers/usb/gadget/function/f_fs.c | 1 +
>> 1 file changed, 1 insertion(+)
>
> Felipe, want me to take this directly?

If you can still squeeze it into the merge window, sure:

Acked-by: Felipe Balbi <felipe.balbi@xxxxxxxxxxxxxxx>

Thanks

-- 
balbi
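The ownership problem the quoted patch describes (a device record keeps a pointer to per-mount data that is stored in the ready path and, before the fix, never cleared in the closed path, so a later teardown dereferences freed memory) as an added C model. This is not code from f_fs.c or from the patch; the `model_*` names and structs are constructed for illustration, and the "free" step poisons the object instead of calling free() so that the check stays defined behaviour and can be asserted on. The model runs the sequence from the report (mount, unmount, data released, module removal) once with a closed() that leaves the reference dangling and once with a closed() that clears it, which is the one-line change the patch makes.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of the two objects involved: per-mount data and the
 * longer-lived device record that holds a reference to it. */
#define LIVE_MAGIC  0x1234
#define FREED_MAGIC 0xdead

struct ffs_data_model {
    int magic;   /* poison marker standing in for the freed allocation */
};

struct ffs_dev_model {
    struct ffs_data_model *ffs_data;  /* reference stored by the ready path */
    bool mounted;
};

/* Counterpart of ffs_ready() in the model: store the reference. */
static void model_ready(struct ffs_dev_model *dev, struct ffs_data_model *data)
{
    dev->ffs_data = data;
    dev->mounted = true;
}

/* Pre-fix closed path: drops the mount state but leaves the reference in place. */
static void model_closed_dangling(struct ffs_dev_model *dev)
{
    dev->mounted = false;
}

/* Post-fix closed path: the reference is cleared where the counterpart stored it. */
static void model_closed_cleared(struct ffs_dev_model *dev)
{
    dev->mounted = false;
    dev->ffs_data = NULL;
}

/* Stand-in for releasing ffs_data at unmount: poison rather than free(). */
static void model_data_release(struct ffs_data_model *data)
{
    data->magic = FREED_MAGIC;
}

/* Stand-in for the device teardown at module removal, which touches the
 * per-mount data if the device still refers to it.
 * Returns 1 if that touch would land on released memory (the condition
 * KASAN reported), 0 if it was skipped or hit a live object. */
static int model_free_dev(struct ffs_dev_model *dev)
{
    if (!dev->ffs_data)
        return 0;                       /* reference cleared: nothing to touch */
    if (dev->ffs_data->magic == FREED_MAGIC)
        return 1;                       /* use-after-free: data went away at unmount */
    dev->ffs_data->magic = 0;           /* the write into a still-live object */
    return 0;
}

/* Sequence from the report: mount, unmount, data released, module removed. */
static int run_scenario(void (*closed)(struct ffs_dev_model *))
{
    struct ffs_data_model data = { LIVE_MAGIC };
    struct ffs_dev_model dev = { NULL, false };

    model_ready(&dev, &data);     /* functionfs mounted and ready */
    closed(&dev);                 /* functionfs unmounted */
    model_data_release(&data);    /* ffs_data no longer needed */
    return model_free_dev(&dev);  /* g_ffs module removal */
}

/* 1: the dangling reference is dereferenced after release. */
int scenario_dangling(void)
{
    return run_scenario(model_closed_dangling);
}

/* 0: the cleared reference makes the teardown skip the released data. */
int scenario_cleared(void)
{
    return run_scenario(model_closed_cleared);
}
```

The model makes the general point explicit: whenever a long-lived object stores a pointer to a shorter-lived one in a "ready" or "attach" hook, the matching "closed" or "detach" hook owns the job of clearing it, and a later teardown that checks for NULL is only safe if that clearing actually happens.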