Date: Wed, 22 Jan 2025 02:44:52 +0000
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20250122024452.50289-1-royluo@google.com>
Subject: [PATCH v1] usb: dwc3: gadget: fix gadget workqueue use-after-free
From: Roy Luo
To: royluo@google.com, Thinh.Nguyen@synopsys.com, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, andre.draszik@linaro.org

`dwc3_gadget_soft_disconnect` function, called as part of `device_del(&gadget->dev)`, queues a new work item to the gadget workqueue after the workqueue has been flushed in `usb_del_gadget`. This leads to a potential use-after-free issue.

To fix this, flush the workqueue in the `release` function before freeing the gadget. This ensures that all work items are processed before the gadget is destroyed.

Fixes: 1ff24d40b3c3 ("usb: dwc3: gadget: Fix incorrect UDC state after manual deconfiguration")
Signed-off-by: Roy Luo
--- drivers/usb/dwc3/gadget.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index d27af65eb08a..12055e3af622 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4580,6 +4580,7 @@ static void dwc_gadget_release(struct device *dev) { struct usb_gadget *gadget =3D container_of(dev, struct usb_gadget, dev); =20 + flush_work(&gadget->work); kfree(gadget); } =20 base-commit: f066b5a6c7a06adfb666b7652cc99b4ff264f4ed --=20 2.48.0.rc2.279.g1de40edade-goog
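
Review bot: The added `flush_work(&gadget->work);` in `dwc_gadget_release()` addresses only dwc3, yet the work item is a member of `struct usb_gadget` and the ordering problem described in the commit message (a flush in `usb_del_gadget` that runs before `device_del(&gadget->dev)` can queue more work) is not specific to this driver. Please say why the flush belongs in this release callback rather than after `device_del()` in the path that already flushes. `flush_work()` can sleep, so the changelog should also confirm that the final reference drop that invokes this callback always happens in a context that may sleep, and that the work handler is safe to run on a gadget whose device has already been deleted. A short comment above the new line explaining why a second flush is needed would keep a later cleanup from removing it. Since the patch carries a `Fixes:` tag for a use-after-free, consider adding `Cc: stable@vger.kernel.org`.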