On 5/31/2022 2:14 AM, John Keeping wrote:
On Tue, May 10, 2022 at 04:01:05PM +0800, Michael Wu wrote:
On arm64 android12 and possibly other platforms, during the usb gadget
function switching procedure (e.g. from mtp to midi), a synchronization
issue could occur, which causes an use-after-free panic as shown below:
I assume this is the path through ffs_epfile_io() with !io_data->aio.
It looks like there is no check there for epfile->ep == ep which the
other paths do check.
Does the patch below fix the problem without needing to add a new
completion?
Hi John,
Thanks for your suggestion. I've tested your patch and it did work --
When my issue occurs, (epfile->ep != ep) is satisfied, and the error is
handled.
-- >8 --
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1084,16 +1084,22 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
*/
usb_ep_dequeue(ep->ep, req);
wait_for_completion(&done);
- interrupted = ep->status < 0;
+ interrupted = true;
}
- if (interrupted)
+ spin_lock_irq(&epfile->ffs->eps_lock);
+ if (epfile->ep != ep)
+ ret = -ESHUTDOWN;
+ else if (interrupted && ep->status < 0)
ret = -EINTR;
- else if (io_data->read && ep->status > 0)
- ret = __ffs_epfile_read_data(epfile, data, ep->status,
- &io_data->data);
else
ret = ep->status;
+ spin_unlock_irq(&epfile->ffs->eps_lock);
+
+ if (io_data->read && ret > 0)
+ ret = __ffs_epfile_read_data(epfile, data, ret,
+ &io_data->data);
+
goto error_mutex;
} else if (!(req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC))) {
ret = -ENOMEM;
Tested-by: Michael Wu <michael@xxxxxxxxxxxxxxxxx>
I also tested Linyu's patch [1][2]. It also works.
Is there a preference on these solutions?
[1]
https://lore.kernel.org/linux-usb/1654056916-2062-2-git-send-email-quic_linyyuan@xxxxxxxxxxx/
[2]
https://lore.kernel.org/linux-usb/1654056916-2062-3-git-send-email-quic_linyyuan@xxxxxxxxxxx/
--
Regards,
Michael Wu
