From patchwork Fri Feb 2 15:42:16 2024
X-Patchwork-Submitter: Frank Li
X-Patchwork-Id: 13543089
From: Frank Li
To: rogerq@kernel.org
Cc: Frank.Li@nxp.com, felipe.balbi@linux.intel.com, gregkh@linuxfoundation.org, imx@lists.linux.dev, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, pawell@cadence.com, peter.chen@kernel.org
Subject: [PATCH v2 1/2] usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
Date: Fri, 2 Feb 2024 10:42:16 -0500
Message-Id: <20240202154217.661867-1-Frank.Li@nxp.com>
X-Mailer: git-send-email 2.34.1
...
	cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);
	list_del_init(&priv_req->list);
...

'priv_req' is actually freed at cdns3_gadget_ep_free_request(), but
list_del_init() uses priv_req->list after it.

[ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4
[ 1542.642868][ T534]
[ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3):
[ 1542.660311][ T534]  __list_del_entry_valid+0x10/0xd4
[ 1542.665375][ T534]  cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3]
[ 1542.671571][ T534]  usb_ep_disable+0x44/0xe4
[ 1542.675948][ T534]  ffs_func_eps_disable+0x64/0xc8
[ 1542.680839][ T534]  ffs_func_set_alt+0x74/0x368
[ 1542.685478][ T534]  ffs_func_disable+0x18/0x28

Move list_del_init() before cdns3_gadget_ep_free_request() to resolve this
problem.

Cc:
Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Signed-off-by: Frank Li
Reviewed-by: Roger Quadros
Acked-by: Peter Chen
---
 drivers/usb/cdns3/cdns3-gadget.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c
index aeca902ab6cc4..d6723d31fc6e2 100644
--- a/drivers/usb/cdns3/cdns3-gadget.c
+++ b/drivers/usb/cdns3/cdns3-gadget.c
@@ -2540,11 +2540,11 @@ static int cdns3_gadget_ep_disable(struct usb_ep *ep) while (!list_empty(&priv_ep->wa2_descmiss_req_list)) { priv_req = cdns3_next_priv_request(&priv_ep->wa2_descmiss_req_list); + list_del_init(&priv_req->list); kfree(priv_req->request.buf); cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); - list_del_init(&priv_req->list); --priv_ep->wa2_counter; }
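Review bot: the reorder in this hunk is correct and minimal, but it deserves a one-line comment above "list_del_init(&priv_req->list);" stating that the unlink must happen before cdns3_gadget_ep_free_request() releases priv_req; the unlink-after-free order looked natural enough to survive since the driver's initial commit (7733f6c32e36 per the Fixes tag), and a comment is the cheapest guard against it being reintroduced. With the move, nothing in the loop dereferences priv_req after the free: kfree(priv_req->request.buf) now sits between the unlink and the request free, and "--priv_ep->wa2_counter" touches only priv_ep, so no other use-after-free window remains in this hunk.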
From patchwork Fri Feb 2 15:42:17 2024
X-Patchwork-Submitter: Frank Li
X-Patchwork-Id: 13543090
From: Frank Li
To: rogerq@kernel.org
Cc: Frank.Li@nxp.com, felipe.balbi@linux.intel.com, gregkh@linuxfoundation.org, imx@lists.linux.dev, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, pawell@cadence.com, peter.chen@kernel.org
Subject: [PATCH v2 2/2] usb: cdns3: fix memory double free when handle zero packet
Date: Fri, 2 Feb 2024 10:42:17 -0500
Message-Id: <20240202154217.661867-2-Frank.Li@nxp.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240202154217.661867-1-Frank.Li@nxp.com>
References: <20240202154217.661867-1-Frank.Li@nxp.com>
829	if (request->complete) {
830		spin_unlock(&priv_dev->lock);
831		usb_gadget_giveback_request(&priv_ep->endpoint,
832					    request);
833		spin_lock(&priv_dev->lock);
834	}
835
836	if (request->buf == priv_dev->zlp_buf)
837		cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);

The driver appends an additional zero-length packet request when queuing a
packet whose length mod max packet size is 0. When the transfer completes and
execution reaches line 831, usb_gadget_giveback_request() will free this
request. The condition at line 836 is then true, so
cdns3_gadget_ep_free_request() frees this request again.

Log:
[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
[ 1920.140696][ T150]
[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):
[ 1920.159082][ T150]  cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
[ 1920.164988][ T150]  cdns3_transfer_completed+0x438/0x5f8 [cdns3]

Add a check at line 829 to skip calling usb_gadget_giveback_request() if it is
the additional zero-length packet request. There is no need to call
usb_gadget_giveback_request() because it is allocated in this driver.

Cc:
Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Signed-off-by: Frank Li
Acked-by: Peter Chen
Reviewed-by: Roger Quadros
---
 drivers/usb/cdns3/cdns3-gadget.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c
index d6723d31fc6e2..fd1beb10bba72 100644
--- a/drivers/usb/cdns3/cdns3-gadget.c
+++ b/drivers/usb/cdns3/cdns3-gadget.c
@@ -828,7 +828,11 @@ void cdns3_gadget_giveback(struct cdns3_endpoint *priv_ep, return; } - if (request->complete) { + /* + * zlp request is appended by driver, needn't call usb_gadget_giveback_request() to notify + * gadget composite driver. + */ + if (request->complete && request->buf != priv_dev->zlp_buf) { spin_unlock(&priv_dev->lock); usb_gadget_giveback_request(&priv_ep->endpoint, request);
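Review bot: the new comment in this hunk says what is skipped but not why it is required; "needn't call" reads as an optimisation, while the commit message shows it is a correctness condition (the gadget's completion callback frees the request, and the later "request->buf == priv_dev->zlp_buf" check at line 836 then frees the zlp request a second time). Suggest wording it as "the zlp request is owned by this driver and freed below; giving it back would let the gadget free it too (double free)". The changed condition also correctly skips the spin_unlock()/spin_lock() pair for the zlp request, since there is no callback to run outside the lock.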
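A user-space model of the two ownership rules these two commits enforce, added here as an example; it is not code from the cdns3 driver or from this patch series, and every name in it (model_req, model_ep, model_dev, model_queue, model_giveback, model_complete_scenario) is invented for the example. It builds a request queue on an intrusive list, lets the driver append its own zero-length packet (ZLP) request when a transfer length is a non-zero multiple of the max packet size, decides ownership by buffer identity as the second patch does, and unlinks before any free as the first patch does. Building it with -fsanitize=address makes ASan report the same class of fault KFENCE reported above if either order is swapped.

```c
/*
 * Added example, not cdns3 driver code: user-space model of the ownership
 * rules the two patches enforce. All model_* names are invented here.
 *   1. unlink a request from its list before freeing it (patch 1);
 *   2. a driver-owned ZLP request is never given back to the gadget layer,
 *      whose completion callback frees what it receives (patch 2).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive doubly linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *prev, *next; };
static void list_init(struct list_head *h) { h->prev = h->next = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct model_req;
typedef void (*complete_fn)(struct model_req *req);

struct model_dev { char zlp_buf[1]; };  /* identity of the driver's ZLP buffer */
struct model_req {
	struct list_head list;
	void *buf;
	complete_fn complete;            /* gadget-layer completion callback */
};
struct model_ep {
	struct model_dev *dev;
	struct list_head queue;
	int gadget_callbacks;            /* completions delivered to the gadget */
	int driver_frees;                /* ZLP requests released by the driver */
};
struct model_counts { int gadget_callbacks; int driver_frees; };

/* A gadget function's completion callback commonly frees the request. */
static void gadget_complete(struct model_req *req) { free(req); }

static void model_add_req(struct model_ep *ep, void *buf, complete_fn cb)
{
	struct model_req *req = calloc(1, sizeof(*req));
	if (!req) abort();
	list_init(&req->list);
	req->buf = buf;
	req->complete = cb;
	list_add_tail(&req->list, &ep->queue);
}

/* Queue one transfer. When its length is a non-zero multiple of the max packet
 * size, the driver appends its own ZLP request. It carries the same callback
 * pointer, which is why "request->complete != NULL" cannot decide ownership. */
static void model_queue(struct model_ep *ep, void *buf, size_t len, size_t maxp)
{
	model_add_req(ep, buf, gadget_complete);
	if (len && len % maxp == 0)
		model_add_req(ep, ep->dev->zlp_buf, gadget_complete);
}

/* Corrected completion path, mirroring the patched cdns3_gadget_giveback():
 * ownership is decided by buffer identity (rule 2) and is recorded before the
 * callback, and the unlink happens while req is still valid (rule 1). */
static void model_giveback(struct model_ep *ep, struct model_req *req)
{
	bool driver_owned = (req->buf == ep->dev->zlp_buf);

	list_del_init(&req->list);       /* must precede any free of req */
	if (req->complete && !driver_owned) {
		req->complete(req);      /* the gadget frees req; never touch it after */
		ep->gadget_callbacks++;
	}
	if (driver_owned) {
		free(req);               /* exactly one owner releases the ZLP request */
		ep->driver_frees++;
	}
}

/* Constructed scenario: a 128-byte transfer (ZLP needed at maxp 64) followed by
 * a 100-byte one (no ZLP). Draining the queue must notify the gadget exactly
 * twice and let the driver free exactly one request. */
static struct model_counts model_complete_scenario(void)
{
	struct model_dev dev;
	struct model_ep ep = { .dev = &dev };
	char a[128], b[100];

	list_init(&ep.queue);
	model_queue(&ep, a, sizeof a, 64);
	model_queue(&ep, b, sizeof b, 64);
	while (!list_empty(&ep.queue))
		model_giveback(&ep, container_of(ep.queue.next, struct model_req, list));
	return (struct model_counts){ ep.gadget_callbacks, ep.driver_frees };
}

int main(void)
{
	struct model_counts c = model_complete_scenario();
	printf("gadget callbacks=%d driver frees=%d\n", c.gadget_callbacks, c.driver_frees);
	return (c.gadget_callbacks == 2 && c.driver_frees == 1) ? 0 : 1;
}
```

The detail worth noticing is that driver_owned is computed before the callback runs: once the gadget's complete() has freed the request, even reading request->buf to decide whether to free it would itself be the use-after-free KFENCE flagged, so the decision has to be taken from state captured while the request was still live.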