* [PATCH v2] phy: tegra: xusb: Fix use-after-free issue
@ 2023-05-08 10:03 Haotien Hsu
2023-06-06 9:39 ` Jon Hunter
2023-06-06 12:35 ` Thierry Reding
0 siblings, 2 replies; 5+ messages in thread
From: Haotien Hsu @ 2023-05-08 10:03 UTC (permalink / raw)
To: JC Kuo, Vinod Koul, Kishon Vijay Abraham I, Thierry Reding,
Jonathan Hunter, Philipp Zabel, linux-phy, linux-tegra,
linux-kernel
Cc: Wayne Chang, EJ Hsu, Haotien Hsu
From: EJ Hsu <ejh@nvidia.com>
For the dual-role port, it will assign the phy dev to usb-phy dev and
use the port dev driver as the dev driver of usb-phy.
When we try to destroy the port dev, it will destroy its dev driver
as well. But we did not remove the reference from usb-phy dev. This
might cause the use-after-free issue in KASAN.
Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support")
Cc: stable@vger.kernel.org
Signed-off-by: EJ Hsu <ejh@nvidia.com>
Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
---
V1 -> V2: Remove extra movements to clarify the change
---
drivers/phy/tegra/xusb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
index 78045bd6c214..26b66a668f3b 100644
--- a/drivers/phy/tegra/xusb.c
+++ b/drivers/phy/tegra/xusb.c
@@ -568,6 +568,7 @@ static void tegra_xusb_port_unregister(struct tegra_xusb_port *port)
usb_role_switch_unregister(port->usb_role_sw);
cancel_work_sync(&port->usb_phy_work);
usb_remove_phy(&port->usb_phy);
+ port->usb_phy.dev->driver = NULL;
}
if (port->ops->remove)
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] phy: tegra: xusb: Fix use-after-free issue
2023-05-08 10:03 [PATCH v2] phy: tegra: xusb: Fix use-after-free issue Haotien Hsu
@ 2023-06-06 9:39 ` Jon Hunter
2023-06-08 11:48 ` Vinod Koul
2023-06-06 12:35 ` Thierry Reding
1 sibling, 1 reply; 5+ messages in thread
From: Jon Hunter @ 2023-06-06 9:39 UTC (permalink / raw)
To: Haotien Hsu, JC Kuo, Vinod Koul, Kishon Vijay Abraham I,
Thierry Reding, Philipp Zabel, linux-phy, linux-tegra,
linux-kernel
Cc: Wayne Chang, EJ Hsu
Hi Vinod,
On 08/05/2023 11:03, Haotien Hsu wrote:
> From: EJ Hsu <ejh@nvidia.com>
>
> For the dual-role port, it will assign the phy dev to usb-phy dev and
> use the port dev driver as the dev driver of usb-phy.
>
> When we try to destroy the port dev, it will destroy its dev driver
> as well. But we did not remove the reference from usb-phy dev. This
> might cause the use-after-free issue in KASAN.
>
> Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: EJ Hsu <ejh@nvidia.com>
> Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
> ---
> V1 -> V2: Remove extra movements to clarify the change
> ---
> drivers/phy/tegra/xusb.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
> index 78045bd6c214..26b66a668f3b 100644
> --- a/drivers/phy/tegra/xusb.c
> +++ b/drivers/phy/tegra/xusb.c
> @@ -568,6 +568,7 @@ static void tegra_xusb_port_unregister(struct tegra_xusb_port *port)
> usb_role_switch_unregister(port->usb_role_sw);
> cancel_work_sync(&port->usb_phy_work);
> usb_remove_phy(&port->usb_phy);
> + port->usb_phy.dev->driver = NULL;
> }
>
> if (port->ops->remove)
Are you OK to pick this up now?
FWIW ...
Acked-by: Jon Hunter <jonathanh@nvidia.com>
I believe Thierry already ACK'ed V1.
Jon
--
nvpublic
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] phy: tegra: xusb: Fix use-after-free issue
2023-05-08 10:03 [PATCH v2] phy: tegra: xusb: Fix use-after-free issue Haotien Hsu
2023-06-06 9:39 ` Jon Hunter
@ 2023-06-06 12:35 ` Thierry Reding
2023-06-07 2:34 ` Haotien Hsu
1 sibling, 1 reply; 5+ messages in thread
From: Thierry Reding @ 2023-06-06 12:35 UTC (permalink / raw)
To: Haotien Hsu
Cc: JC Kuo, Vinod Koul, Kishon Vijay Abraham I, Jonathan Hunter,
Philipp Zabel, linux-phy, linux-tegra, linux-kernel, Wayne Chang,
EJ Hsu
[-- Attachment #1: Type: text/plain, Size: 999 bytes --]
On Mon, May 08, 2023 at 06:03:20PM +0800, Haotien Hsu wrote:
> From: EJ Hsu <ejh@nvidia.com>
>
> For the dual-role port, it will assign the phy dev to usb-phy dev and
> use the port dev driver as the dev driver of usb-phy.
>
> When we try to destroy the port dev, it will destroy its dev driver
> as well. But we did not remove the reference from usb-phy dev. This
> might cause the use-after-free issue in KASAN.
>
> Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: EJ Hsu <ejh@nvidia.com>
> Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
> ---
> V1 -> V2: Remove extra movements to clarify the change
> ---
> drivers/phy/tegra/xusb.c | 1 +
> 1 file changed, 1 insertion(+)
Haotien,
I had already given an Acked-by on v1. Typically you should add such
tags when you post new versions so that people don't have to repeat
them. Anyway, here it is again:
Acked-by: Thierry Reding <treding@nvidia.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] phy: tegra: xusb: Fix use-after-free issue
2023-06-06 12:35 ` Thierry Reding
@ 2023-06-07 2:34 ` Haotien Hsu
0 siblings, 0 replies; 5+ messages in thread
From: Haotien Hsu @ 2023-06-07 2:34 UTC (permalink / raw)
To: thierry.reding
Cc: kishon, vkoul, Jonathan Hunter, EJ Hsu, linux-tegra, Wayne Chang,
linux-kernel, p.zabel, Jui Chang Kuo, linux-phy
On Tue, 2023-06-06 at 14:35 +0200, Thierry Reding wrote:
> On Mon, May 08, 2023 at 06:03:20PM +0800, Haotien Hsu wrote:
> > From: EJ Hsu <ejh@nvidia.com>
> >
> > For the dual-role port, it will assign the phy dev to usb-phy dev
> > and
> > use the port dev driver as the dev driver of usb-phy.
> >
> > When we try to destroy the port dev, it will destroy its dev driver
> > as well. But we did not remove the reference from usb-phy dev. This
> > might cause the use-after-free issue in KASAN.
> >
> > Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support")
> > Cc: stable@vger.kernel.org
> >
> > Signed-off-by: EJ Hsu <ejh@nvidia.com>
> > Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
> > ---
> > V1 -> V2: Remove extra movements to clarify the change
> > ---
> > drivers/phy/tegra/xusb.c | 1 +
> > 1 file changed, 1 insertion(+)
>
> Haotien,
>
> I had already given an Acked-by on v1. Typically you should add such
> tags when you post new versions so that people don't have to repeat
> them. Anyway, here it is again:
>
> Acked-by: Thierry Reding <treding@nvidia.com>
Hi Thierry,
I see.
My mistake.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] phy: tegra: xusb: Fix use-after-free issue
2023-06-06 9:39 ` Jon Hunter
@ 2023-06-08 11:48 ` Vinod Koul
0 siblings, 0 replies; 5+ messages in thread
From: Vinod Koul @ 2023-06-08 11:48 UTC (permalink / raw)
To: Jon Hunter
Cc: Haotien Hsu, JC Kuo, Kishon Vijay Abraham I, Thierry Reding,
Philipp Zabel, linux-phy, linux-tegra, linux-kernel, Wayne Chang,
EJ Hsu
On 06-06-23, 10:39, Jon Hunter wrote:
> Hi Vinod,
>
> On 08/05/2023 11:03, Haotien Hsu wrote:
> > From: EJ Hsu <ejh@nvidia.com>
> >
> > For the dual-role port, it will assign the phy dev to usb-phy dev and
> > use the port dev driver as the dev driver of usb-phy.
> >
> > When we try to destroy the port dev, it will destroy its dev driver
> > as well. But we did not remove the reference from usb-phy dev. This
> > might cause the use-after-free issue in KASAN.
> >
> > Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support")
> > Cc: stable@vger.kernel.org
> >
> > Signed-off-by: EJ Hsu <ejh@nvidia.com>
> > Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
> > ---
> > V1 -> V2: Remove extra movements to clarify the change
> > ---
> > drivers/phy/tegra/xusb.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
> > index 78045bd6c214..26b66a668f3b 100644
> > --- a/drivers/phy/tegra/xusb.c
> > +++ b/drivers/phy/tegra/xusb.c
> > @@ -568,6 +568,7 @@ static void tegra_xusb_port_unregister(struct tegra_xusb_port *port)
> > usb_role_switch_unregister(port->usb_role_sw);
> > cancel_work_sync(&port->usb_phy_work);
> > usb_remove_phy(&port->usb_phy);
> > + port->usb_phy.dev->driver = NULL;
> > }
> > if (port->ops->remove)
>
>
> Are you OK to pick this up now?
Changes looks good to me. But title should describe the change, so if
Haotien can change title to reflect the change in patch, I would be
happy to apply
>
> FWIW ...
>
> Acked-by: Jon Hunter <jonathanh@nvidia.com>
ofc this should be carried too
>
> I believe Thierry already ACK'ed V1.
>
> Jon
>
> --
> nvpublic
--
~Vinod
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-06-08 11:48 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-08 10:03 [PATCH v2] phy: tegra: xusb: Fix use-after-free issue Haotien Hsu
2023-06-06 9:39 ` Jon Hunter
2023-06-08 11:48 ` Vinod Koul
2023-06-06 12:35 ` Thierry Reding
2023-06-07 2:34 ` Haotien Hsu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).