From: Felipe Balbi
To: Greg KH, Andrew Gabbasov
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: gadget: f_fs: Fix use-after-free in ffs_free_inst
Date: Thu, 09 Nov 2017 14:03:28 +0200
Message-ID: <87h8u3r75b.fsf@linux.intel.com>
In-Reply-To: <20171109120147.GA7776@kroah.com>
References: <1510161195-24838-1-git-send-email-andrew_gabbasov@mentor.com> <20171109120147.GA7776@kroah.com>

Greg KH writes:
> On Wed, Nov 08, 2017 at 10:13:15AM -0700, Andrew Gabbasov wrote:
>> KASAN enabled configuration reports an error
>>
>> BUG: KASAN: use-after-free in ffs_free_inst+... [usb_f_fs] at addr ...
>> Write of size 8 by task ...
>>
>> This is observed after "ffs-test" is run and interrupted. If after that
>> functionfs is unmounted and g_ffs module is unloaded, that use-after-free
>> occurs during g_ffs module removal.
>>
>> Although the report indicates ffs_free_inst() function, the actual
>> use-after-free condition occurs in _ffs_free_dev() function, which
>> is probably inlined into ffs_free_inst().
>>
>> This happens due to keeping the ffs_data reference in device structure
>> during functionfs unmounting, while ffs_data itself is freed as no longer
>> needed. The fix is to clear that reference in ffs_closed() function,
>> which is a counterpart of ffs_ready(), where the reference is stored.
>>
>> Fixes: 3262ad824307 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Andrew Gabbasov
>> ---
>>  drivers/usb/gadget/function/f_fs.c | 1 +
>>  1 file changed, 1 insertion(+)
>
> Felipe, want me to take this directly?

If you can still squeeze it into the merge window, sure:

Acked-by: Felipe Balbi

Thanks

-- 
balbi
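A simplified model of the lifecycle the patch description refers to, added here as an illustration and not the kernel's f_fs.c: the device structure keeps the reference stored by ffs_ready(), and the fix clears it in ffs_closed() before ffs_data is freed, so the module-removal path is no longer left holding a stale pointer. The two structs, the with_fix switch and the helper names are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified model of the f_fs lifecycle in the patch description (an added
 * illustration, not the kernel's f_fs.c). Field names mirror the description. */
struct ffs_dev;
struct ffs_data { struct ffs_dev *private_data; }; /* instance -> device */
struct ffs_dev  { struct ffs_data *ffs_data; };    /* device -> instance */

/* ffs_ready(): the device structure takes a reference to the ffs_data. */
static void ffs_ready(struct ffs_data *ffs, struct ffs_dev *dev)
{
	ffs->private_data = dev;
	dev->ffs_data = ffs;
}

/* ffs_closed(): counterpart of ffs_ready(), called on unmount before the
 * caller frees ffs_data. with_fix models the one-line change. */
static void ffs_closed(struct ffs_data *ffs, bool with_fix)
{
	struct ffs_dev *dev = ffs->private_data;
	if (!dev)
		return;
	if (with_fix)
		dev->ffs_data = NULL; /* drop the reference that would go stale */
}

/* Module-removal path: reports whether it would still write through
 * dev->ffs_data (the write KASAN flagged) instead of actually doing so. */
static bool free_dev_would_touch_ffs_data(const struct ffs_dev *dev)
{
	return dev->ffs_data != NULL;
}

/* Sequence from the report: ready -> unmount (ffs_data freed) -> module unload.
 * Returns true when the unload path is left holding a dangling pointer. */
bool lifecycle_dangles(bool with_fix)
{
	struct ffs_dev dev = { NULL };
	struct ffs_data *ffs = calloc(1, sizeof *ffs);
	if (!ffs)
		return false;
	ffs_ready(ffs, &dev);
	ffs_closed(ffs, with_fix);
	free(ffs);                           /* unmount releases ffs_data */
	bool dangling = free_dev_would_touch_ffs_data(&dev);
	dev.ffs_data = NULL;                 /* never dereference the stale pointer */
	return dangling;
}
```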