linux-kernel.vger.kernel.org archive mirror
From: Macpaul Lin <macpaul@gmail.com>
To: Eugeniu Rosca <erosca@de.adit-jv.com>, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Felipe Balbi <balbi@kernel.org>,
	Andrew Gabbasov <andrew_gabbasov@mentor.com>,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	Eugeniu Rosca <roscaeugeniu@gmail.com>,
	Macpaul Lin <macpaul.lin@mediatek.com>,
	Eddie Hung <eddie.hung@mediatek.com>
Subject: Re: [PATCH] usb: gadget: f_fs: Fix setting of device and driver data cross-references
Date: Fri, 2 Jul 2021 23:01:57 +0800
Message-ID: <CACCg+XO+D+2SWJq0C=_sWXj53L1fh-wra8dmCb3VQ4bYCZQryA@mail.gmail.com>
In-Reply-To: <20210604110503.GA23002@vmlxhi-102.adit-jv.com>

Eugeniu Rosca <erosca@de.adit-jv.com> wrote:
>
> Hello,
>
> On Thu, Jun 03, 2021 at 12:15:07PM -0500, Andrew Gabbasov wrote:
> > FunctionFS device structure 'struct ffs_dev' and driver data structure
> > 'struct ffs_data' are bound to each other with cross-reference pointers
> > 'ffs_data->private_data' and 'ffs_dev->ffs_data'. While the first one
> > is supposed to be valid through the whole life of 'struct ffs_data'
> > (and while 'struct ffs_dev' exists non-freed), the second one is cleared
> > in 'ffs_closed()' (called from 'ffs_data_reset()' or the last
> > 'ffs_data_put()'). This can be called several times, alternating in
> > different order with 'ffs_free_inst()', that, if possible, clears
> > the other cross-reference.
> >

[Skip some comment...]

> I confirm there are at least two KASAN use-after-free issues
> consistently/100% reproducible on v5.13-rc4-88-gf88cd3fb9df2:
>
> https://gist.github.com/erosca/b5976a96789e574b319cb9e076938b5c
> https://gist.github.com/erosca/4ded55ed32f0133bc2f4ccfe821c7776
>
> These two can no longer be seen after the patch is applied.
>
> In addition, below static analysis tools did not spot any regressions:
> cppcheck 2.4, smatch v0.5.0-7445-g58776ae33ae8, make W=1, coccicheck
>
> Reviewed-by: Eugeniu Rosca <erosca@de.adit-jv.com>
> Tested-by: Eugeniu Rosca <erosca@de.adit-jv.com>
>
> --
> Best regards,
> Eugeniu Rosca

It looks like there is a similar issue on kernel-4.14 reported by our customer
(Android).
The back traces are similar.
It looks like this patch has fixed an issue that existed in earlier kernels.
Could Eugeniu and Andrew help to comment on whether this fix is suggested to be picked
for the stable tree? I've tried to port it onto kernel-4.14, kernel-4.19, and
kernel-5.10.
But it seems there is some revision work to do.
If the original issue affects multiple LTS kernel versions, then it will
be better to cherry-pick it to the stable tree after it has been merged.
Thanks!

-- 
Best regards,
Macpaul Lin
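The object lifecycle described in the quoted commit message, reduced to a user-space C model. This is an added example, not code from this thread, from the patch, or from drivers/usb/gadget/function/f_fs.c. Only the two pointer names, ffs_data and private_data, come from the quoted text; the names dev, data and world, the alive flags, the touch() counter and the "fixed" switch are this example's own assumptions. The naive variant ties clearing of the dev -> data link to the open/close state, the hardened variant ties it to object lifetime; what the actual patch changes is documented in the thread, not here.

```c
/*
 * Added example, not code from this thread or from f_fs.c: a user-space model
 * of two objects that point at each other and are released independently.
 * "dev" stands in for 'struct ffs_dev' and "data" for 'struct ffs_data'; the
 * pointer names follow the quoted commit message, everything else (harness,
 * alive flags, the "fixed" switch) is an assumption of this example.  Nothing
 * is really freed: a released object is marked dead and touch() counts
 * dereferences of dead objects, a toy stand-in for a KASAN use-after-free.
 */
#include <stdbool.h>
#include <stddef.h>
struct data;
struct dev  { struct data *ffs_data;    bool alive; }; /* models 'struct ffs_dev' */
struct data { struct dev *private_data; bool alive; }; /* models 'struct ffs_data' */
struct world {
    struct dev dev;
    struct data data;
    int uaf_hits;               /* dereferences of released objects */
    bool fixed;                 /* false: naive ownership, true: hardened */
};

static void world_init(struct world *w, bool fixed)
{
    w->dev.alive = w->data.alive = true;
    w->dev.ffs_data = &w->data;         /* bind both directions */
    w->data.private_data = &w->dev;
    w->uaf_hits = 0;
    w->fixed = fixed;
}

/* Every dereference of dev or data passes through here first. */
static void touch(struct world *w, bool alive)
{
    if (!alive)
        w->uaf_hits++;                  /* KASAN would report here */
}

/* Stands in for ffs_closed(), which may run more than once (reset, last put).
 * Naive: clear the dev -> data link here, reaching dev through
 * data->private_data without knowing whether dev still exists.
 * Hardened: the link follows object lifetime, not open/close; leave it. */
static void model_closed(struct world *w)
{
    struct dev *dev = w->data.private_data;
    if (w->fixed || !dev)
        return;
    touch(w, dev->alive);
    dev->ffs_data = NULL;
}

/* Stands in for ffs_free_inst(): dev dies.  A surviving data must drop its
 * pointer to dev, which is only possible while dev->ffs_data is intact. */
static void model_free_inst(struct world *w)
{
    struct data *data = w->dev.ffs_data;
    if (data) {
        touch(w, data->alive);
        data->private_data = NULL;
    }
    w->dev.ffs_data = NULL;
    w->dev.alive = false;               /* "kfree(dev)" */
}

/* Stands in for the last ffs_data_put(): closed() runs, then data dies.
 * Hardened: dev's pointer to data is dropped here, when data really goes. */
static void model_data_put(struct world *w)
{
    struct dev *dev = w->data.private_data;
    model_closed(w);
    if (w->fixed && dev) {
        touch(w, dev->alive);
        dev->ffs_data = NULL;
        w->data.private_data = NULL;
    }
    w->data.alive = false;              /* "kfree(data)" */
}

/* Order 1: the instance is removed while the function is still open. */
int uaf_hits_free_inst_then_close(bool fixed)
{
    struct world w;
    world_init(&w, fixed);
    model_free_inst(&w);
    model_data_put(&w);
    return w.uaf_hits;
}

/* Order 2: reset first, then the instance is removed, then the last put runs
 * closed() a second time; naive ownership now follows a pointer to dead dev. */
int uaf_hits_close_then_free_inst(bool fixed)
{
    struct world w;
    world_init(&w, fixed);
    model_closed(&w);
    model_free_inst(&w);
    model_data_put(&w);
    return w.uaf_hits;
}
```

Built with any C99 compiler and driven from a main() of your own, uaf_hits_close_then_free_inst(false) returns 1 (the second closed() follows data->private_data into a dev that has already been released) and the other three combinations return 0. The point the model makes is the one the commit message states: whichever object dies first has to clear the other object's pointer to it, and that is only possible while its own back-reference is still valid, so the clearing cannot be tied to an open/close event that may happen before the peer goes away.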

Thread overview: 13+ messages
2021-06-03 17:15 [PATCH] usb: gadget: f_fs: Fix setting of device and driver data cross-references Andrew Gabbasov
2021-06-04 11:05 ` Eugeniu Rosca
2021-07-02 15:01   ` Macpaul Lin [this message]
2021-07-02 18:49     ` Andrew Gabbasov
2021-07-02 18:49       ` [PATCH v4.14] " Andrew Gabbasov
2021-07-05  7:07         ` Greg Kroah-Hartman
2021-07-05 10:24           ` Andrew Gabbasov
2021-07-05 10:42             ` 'Greg Kroah-Hartman'
2021-07-11 15:37               ` Andrew Gabbasov
2021-07-11 15:51                 ` Andrew Gabbasov
2021-07-11 16:07                   ` Greg Kroah-Hartman
2021-07-11 16:44                     ` Andrew Gabbasov
2021-07-15 12:01                       ` 'Greg Kroah-Hartman'
