Patch "usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-gadget-udc-renesas_usb3-fix-use-after-free-bug-i.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0da70f52a0af22cc65e00368a94d076f161e9354
Author: Zheng Wang <zyytlz.wz@xxxxxxx>
Date:   Mon Mar 20 14:29:31 2023 +0800

    usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
    
    [ Upstream commit 2b947f8769be8b8181dc795fd292d3e7120f5204 ]
    
    In renesas_usb3_probe, role_work is bound with renesas_usb3_role_work.
    renesas_usb3_start will be called to start the work.
    
    If we remove the driver, which will call usbhs_remove, there may be
    unfinished work. The possible sequence is as follows:
    
    CPU0                                    CPU1
    
                                             renesas_usb3_role_work
    renesas_usb3_remove
    usb_role_switch_unregister
    device_unregister
    kfree(sw)
    //free usb3->role_sw
                                             usb_role_switch_set_role
                                             //use usb3->role_sw
    
    The usb3->role_sw could be freed under such circumstances and then
    used in usb_role_switch_set_role.
    
    This bug was found by static analysis. Note that removing a
    driver is a root-only operation and should never happen in the
    normal case. But the root user may directly remove the device,
    which will also trigger the remove function.
    
    Fix it by canceling the work before cleanup in renesas_usb3_remove.
    
    Fixes: 39facfa01c9f ("usb: gadget: udc: renesas_usb3: Add register of usb role switch")
    Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
    Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@xxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230320062931.505170-1-zyytlz.wz@xxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c
index 601829a6b4bad..a10f41c4a3f2f 100644
--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -2568,6 +2568,7 @@ static int renesas_usb3_remove(struct platform_device *pdev)
 	debugfs_remove_recursive(usb3->dentry);
 	device_remove_file(&pdev->dev, &dev_attr_role);
 
+	cancel_work_sync(&usb3->role_work);
 	usb_role_switch_unregister(usb3->role_sw);
 
 	usb_del_gadget_udc(&usb3->gadget);
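Review bot: cancel_work_sync() only guarantees that role_work is not running when it returns; it does not stop a later schedule_work() from re-queueing it, so the ordering in this hunk (cancel, then `usb_role_switch_unregister(usb3->role_sw);`) is only sufficient if nothing can still schedule role_work at this point in remove. The path that queues role_work is not visible in this hunk, so it is worth confirming that that source (the interrupt handler or whatever calls schedule_work on role_work) has already been quiesced earlier in renesas_usb3_remove, or is torn down before this line; otherwise the use-after-free window described in the commit message is narrowed rather than closed. A short comment above the cancel_work_sync() call stating why it must precede the unregister would also help future readers keep this ordering intact.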


