Hello Greg,

On 25.10.22 10:12, Greg KH wrote:
> On Tue, Oct 25, 2022 at 08:54:58AM +0200, Ahmad Fatoum wrote:
>> Hi everybody,
>>
>> I am running v6.0.2 and can reliably trigger a use-after-free by allocating
>> a USB gadget, binding it to the chipidea UDC and then removing the UDC.
>
> How do you remove the UDC?

I originally saw this while doing reboot -f on the device. The imx_usb
driver's shutdown handler is equivalent to the remove handler and that
removes the UDC.

It could also be triggered with:

  echo ci_hdrc.0 > /sys/class/udc/ci_hdrc.0/device/driver/unbind

>> The network interface is not removed, but the chipidea SoC glue driver will
>> remove the platform_device it had allocated in the probe, which is apparently
>> the parent of the network device. When rtnl_fill_ifinfo runs, it will access the
>> device parent's name for IFLA_PARENT_DEV_NAME, which is now freed memory.
>
> The gadget removal logic is almost non-existent for most of the function
> code. See Lee's patch to try to fix up the f_hid.c driver last week as
> one example. I imagine they all have this same issue as no one has ever
> tried the "remove the gadget device from the running Linux system"
> before as it was not an expected use case.

I see. FTR: https://lore.kernel.org/all/20221017112737.230772-1-lee@xxxxxxxxxx/

> Is this now an expected use case of the kernel? If so, patches are
> welcome to address this in all gadget drivers.

I don't really care for unbinding via sysfs. I want to avoid the
use-after-free on reboot/shutdown. See the last splat in my original mail.

Cheers,
Ahmad

>
> thanks,
>
> greg k-h
>

--
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |