[3/3] usb: mtu3: fix list_head check warning

Message ID 20211209031424.17842-3-chunfeng.yun@mediatek.com (mailing list archive)
State Superseded
Series [1/3] usb: mtu3: fix interval value for intr and isoc

Commit Message

Chunfeng Yun (云春峰) Dec. 9, 2021, 3:14 a.m. UTC
This is caused by uninitialization of list_head.

BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4

Call trace:
dump_backtrace+0x0/0x298
show_stack+0x24/0x34
dump_stack+0x130/0x1a8
print_address_description+0x88/0x56c
__kasan_report+0x1b8/0x2a0
kasan_report+0x14/0x20
__asan_load8+0x9c/0xa0
__list_del_entry_valid+0x34/0xe4
mtu3_req_complete+0x4c/0x300 [mtu3]
mtu3_gadget_stop+0x168/0x448 [mtu3]
usb_gadget_unregister_driver+0x204/0x3a0
unregister_gadget_item+0x44/0xa4

Reported-by: Yuwen Ng <yuwen.ng@mediatek.com>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
---
 drivers/usb/mtu3/mtu3_gadget.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Sergey Shtylyov Dec. 9, 2021, 9:10 a.m. UTC | #1
Hello!

On 09.12.2021 6:14, Chunfeng Yun wrote:

> This is caused by uninitialization of list_head.

    No such word, suggesting to replace with "not initializing". :-)

> BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
> 
> Call trace:
> dump_backtrace+0x0/0x298
> show_stack+0x24/0x34
> dump_stack+0x130/0x1a8
> print_address_description+0x88/0x56c
> __kasan_report+0x1b8/0x2a0
> kasan_report+0x14/0x20
> __asan_load8+0x9c/0xa0
> __list_del_entry_valid+0x34/0xe4
> mtu3_req_complete+0x4c/0x300 [mtu3]
> mtu3_gadget_stop+0x168/0x448 [mtu3]
> usb_gadget_unregister_driver+0x204/0x3a0
> unregister_gadget_item+0x44/0xa4
> 
> Reported-by: Yuwen Ng <yuwen.ng@mediatek.com>
> Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
[...]

MBR, Sergey

Chunfeng Yun (云春峰) Dec. 10, 2021, 1:19 a.m. UTC | #2
On Thu, 2021-12-09 at 12:10 +0300, Sergey Shtylyov wrote:
> Hello!
> 
> On 09.12.2021 6:14, Chunfeng Yun wrote:
> 
> > This is caused by uninitialization of list_head.
> 
>     No such word, suggesting to replace with "not initializing". :-)
Will fix it, thanks

> 
> > BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
> > 
> > Call trace:
> > dump_backtrace+0x0/0x298
> > show_stack+0x24/0x34
> > dump_stack+0x130/0x1a8
> > print_address_description+0x88/0x56c
> > __kasan_report+0x1b8/0x2a0
> > kasan_report+0x14/0x20
> > __asan_load8+0x9c/0xa0
> > __list_del_entry_valid+0x34/0xe4
> > mtu3_req_complete+0x4c/0x300 [mtu3]
> > mtu3_gadget_stop+0x168/0x448 [mtu3]
> > usb_gadget_unregister_driver+0x204/0x3a0
> > unregister_gadget_item+0x44/0xa4
> > 
> > Reported-by: Yuwen Ng <yuwen.ng@mediatek.com>
> > Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
> 
> [...]
> 
> MBR, Sergey

Greg Kroah-Hartman Dec. 13, 2021, 2:19 p.m. UTC | #3
On Thu, Dec 09, 2021 at 11:14:24AM +0800, Chunfeng Yun wrote:
> This is caused by uninitialization of list_head.
> 
> BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
> 
> Call trace:
> dump_backtrace+0x0/0x298
> show_stack+0x24/0x34
> dump_stack+0x130/0x1a8
> print_address_description+0x88/0x56c
> __kasan_report+0x1b8/0x2a0
> kasan_report+0x14/0x20
> __asan_load8+0x9c/0xa0
> __list_del_entry_valid+0x34/0xe4
> mtu3_req_complete+0x4c/0x300 [mtu3]
> mtu3_gadget_stop+0x168/0x448 [mtu3]
> usb_gadget_unregister_driver+0x204/0x3a0
> unregister_gadget_item+0x44/0xa4
> 
> Reported-by: Yuwen Ng <yuwen.ng@mediatek.com>
> Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
> ---
>  drivers/usb/mtu3/mtu3_gadget.c | 1 +
>  1 file changed, 1 insertion(+)

What commit does this fix?  Should it go to stable kernels?

thanks,

greg k-h

Chunfeng Yun (云春峰) Dec. 16, 2021, 8:43 a.m. UTC | #4
On Mon, 2021-12-13 at 15:19 +0100, Greg Kroah-Hartman wrote:
> On Thu, Dec 09, 2021 at 11:14:24AM +0800, Chunfeng Yun wrote:
> > This is caused by uninitialization of list_head.
> > 
> > BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
> > 
> > Call trace:
> > dump_backtrace+0x0/0x298
> > show_stack+0x24/0x34
> > dump_stack+0x130/0x1a8
> > print_address_description+0x88/0x56c
> > __kasan_report+0x1b8/0x2a0
> > kasan_report+0x14/0x20
> > __asan_load8+0x9c/0xa0
> > __list_del_entry_valid+0x34/0xe4
> > mtu3_req_complete+0x4c/0x300 [mtu3]
> > mtu3_gadget_stop+0x168/0x448 [mtu3]
> > usb_gadget_unregister_driver+0x204/0x3a0
> > unregister_gadget_item+0x44/0xa4
> > 
> > Reported-by: Yuwen Ng <yuwen.ng@mediatek.com>
> > Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
> > ---
> >  drivers/usb/mtu3/mtu3_gadget.c | 1 +
> >  1 file changed, 1 insertion(+)
> 
> What commit does this fix?  Should it go to stable kernels?
I'll add it in the next version, thanks
> 
> thanks,
> 
> greg k-h

Patch

diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index c51be015345b..b6c8a4a99c4d 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -235,6 +235,7 @@  struct usb_request *mtu3_alloc_request(struct usb_ep *ep, gfp_t gfp_flags)
 	mreq->request.dma = DMA_ADDR_INVALID;
 	mreq->epnum = mep->epnum;
 	mreq->mep = mep;
+	INIT_LIST_HEAD(&mreq->list);
 	trace_mtu3_alloc_request(mreq);
 
 	return &mreq->request;
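
Review bot: The added INIT_LIST_HEAD(&mreq->list) in mtu3_alloc_request() comes with no Fixes: tag or stable Cc, and the commit message does not say how a request whose list entry was never linked reaches __list_del_entry_valid through mtu3_req_complete() from mtu3_gadget_stop(). Please add the Fixes: tag and describe that path in the message. Because KASAN reports a use-after-free rather than an uninitialized read, it is also worth confirming that initializing the list head at allocation is sufficient, and that a request completed a second time cannot reach the same list deletion with stale pointers.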