1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
set to NULL. Then it will return a failure to the upper-level function.
2. In func configfs_composite_bind() -> composite_dev_cleanup():
it will check whether cdev->os_desc_req is NULL. If it is not NULL, it
will attempt to use it. This will lead to a use-after-free issue.
BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
Read of size 8 at addr 0000004827837a00 by task init/1
CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1
kasan_report+0x188/0x1cc
__asan_load8+0xb4/0xbc
composite_dev_cleanup+0xf4/0x2c0
configfs_composite_bind+0x210/0x7ac
udc_bind_to_driver+0xb4/0x1ec
usb_gadget_probe_driver+0xec/0x21c
gadget_dev_desc_UDC_store+0x264/0x27c
Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support")
Signed-off-by: Tao Xue <xuetao09@huawei.com>
---
v3: add comment in patch
v2: update Signed-off and commit message
v1: initial submission
drivers/usb/gadget/composite.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 8dbc132a505e..adf0a79b3d3d 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2489,6 +2489,11 @@ int composite_os_desc_req_prepare(struct usb_composite_dev *cdev,
if (!cdev->os_desc_req->buf) {
ret = -ENOMEM;
usb_ep_free_request(ep0, cdev->os_desc_req);
+ /* composite_dev_cleanup() will check whether cdev->os_desc_req
+ * is NULL and will use it when it is not NULL, so we need to set
+ * NULL here.
+ */
+ cdev->os_desc_req = NULL;
goto end;
}
cdev->os_desc_req->context = cdev;
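Review bot: the added comment block starting at `+ /* composite_dev_cleanup() will check whether cdev->os_desc_req` does not follow the kernel's multi-line comment style (opening `/*` alone on its line, text from the next line) and restates what the assignment already says; a single line such as `/* Set os_desc_req to NULL so composite_dev_cleanup() does not free it again */` is enough. The `+ cdev->os_desc_req = NULL;` itself is the right fix: `usb_ep_free_request(ep0, cdev->os_desc_req);` leaves a stale pointer that composite_dev_cleanup() guards only with a NULL check, so clearing it directly after the free is what closes the use-after-free. Since the Fixes: tag names a commit that is in older released kernels, the patch also needs a `Cc: stable@vger.kernel.org` line in the tag area, otherwise it will not be backported.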
--
2.17.1
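A constructed C model of the failure path the commit message describes and the hunk fixes (an added example, not kernel code): the kmalloc/usb_ep_* stubs, the fail_buf_alloc switch and the last_freed_req bookkeeping are assumptions standing in for the kernel allocator and KASAN. With the buffer allocation forced to fail, the pre-patch path hands composite_dev_cleanup() a freed pointer that passes its NULL check, while the patched path does not.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel objects in the patch (assumptions). */
struct usb_request { void *buf; };
struct usb_composite_dev { struct usb_request *os_desc_req; };
static bool fail_buf_alloc;                 /* fault injection: make the buffer kmalloc fail */
static struct usb_request *last_freed_req;  /* poor man's KASAN: remember what was just freed */
static void *kmalloc_stub(size_t n) { return fail_buf_alloc ? NULL : malloc(n); }
static struct usb_request *usb_ep_alloc_request_stub(void) { return calloc(1, sizeof(struct usb_request)); }
static void usb_ep_free_request_stub(struct usb_request *req) { last_freed_req = req; free(req); }
/* Mirrors composite_os_desc_req_prepare(). patched == false keeps the pre-patch
 * behaviour (request freed, pointer left dangling); patched == true applies the fix. */
static int os_desc_req_prepare(struct usb_composite_dev *cdev, bool patched)
{
    cdev->os_desc_req = usb_ep_alloc_request_stub();
    if (!cdev->os_desc_req)
        return -ENOMEM;
    cdev->os_desc_req->buf = kmalloc_stub(4096);
    if (!cdev->os_desc_req->buf) {
        usb_ep_free_request_stub(cdev->os_desc_req);
        if (patched)
            cdev->os_desc_req = NULL;   /* the patch: cleanup only trusts a NULL check */
        return -ENOMEM;
    }
    return 0;
}
/* Mirrors composite_dev_cleanup(): acts only when os_desc_req is non-NULL. Returns true
 * when that pointer is the request freed above (the read KASAN flagged), never dereferencing it. */
static bool dev_cleanup_would_uaf(struct usb_composite_dev *cdev)
{
    if (!cdev->os_desc_req)
        return false;
    if (cdev->os_desc_req == last_freed_req)
        return true;
    free(cdev->os_desc_req->buf);
    usb_ep_free_request_stub(cdev->os_desc_req);
    cdev->os_desc_req = NULL;
    return false;
}
/* Bind with the buffer allocation forced to fail, then clean up as configfs_composite_bind() does. */
static bool bind_then_cleanup_uaf(bool patched)
{
    struct usb_composite_dev cdev = { 0 };
    fail_buf_alloc = true;
    (void)os_desc_req_prepare(&cdev, patched);   /* -ENOMEM either way */
    fail_buf_alloc = false;
    return dev_cleanup_would_uaf(&cdev);
}
```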
On Mon, Jul 21, 2025 at 03:29:46PM +0800, Tao Xue wrote: > 1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): > if kmalloc fails, the pointer cdev->os_desc_req will be freed but not > set to NULL. Then it will return a failure to the upper-level function. > 2. in func configfs_composite_bind() -> composite_dev_cleanup(): > it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it > will attempt to use it.This will lead to a use-after-free issue. > > BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0 > Read of size 8 at addr 0000004827837a00 by task init/1 > > CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1 > kasan_report+0x188/0x1cc > __asan_load8+0xb4/0xbc > composite_dev_cleanup+0xf4/0x2c0 > configfs_composite_bind+0x210/0x7ac > udc_bind_to_driver+0xb4/0x1ec > usb_gadget_probe_driver+0xec/0x21c > gadget_dev_desc_UDC_store+0x264/0x27c > > Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support") > Signed-off-by: Tao Xue <xuetao09@huawei.com> > --- > v3: add comment in patch > v2: update Signed-off and commit message > v1: initial submission > > drivers/usb/gadget/composite.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c > index 8dbc132a505e..adf0a79b3d3d 100644 > --- a/drivers/usb/gadget/composite.c > +++ b/drivers/usb/gadget/composite.c 
> @@ -2489,6 +2489,11 @@ int composite_os_desc_req_prepare(struct usb_composite_dev *cdev, > if (!cdev->os_desc_req->buf) { > ret = -ENOMEM; > usb_ep_free_request(ep0, cdev->os_desc_req); > + /* composite_dev_cleanup() will check whether cdev->os_desc_req > + * is NULL and will use it when it is not NULL, so we need to set > + * NULL here. > + */

Didn't checkpatch complain that this is not the correct way to do a multi-line comment?

And that's a bit verbose, how about

/* Set os_desc_req to NULL so that composite_dev_cleanup() will not try to free it again */

And you ignored my patch bot for some reason :(

{sigh}
On Mon, Jul 21, 2025 at 03:29:46PM +0800, Tao Xue wrote: > 1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): > if kmalloc fails, the pointer cdev->os_desc_req will be freed but not > set to NULL. Then it will return a failure to the upper-level function. > 2. in func configfs_composite_bind() -> composite_dev_cleanup(): > it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it > will attempt to use it.This will lead to a use-after-free issue. > > BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0 > Read of size 8 at addr 0000004827837a00 by task init/1 > > CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1 > kasan_report+0x188/0x1cc > __asan_load8+0xb4/0xbc > composite_dev_cleanup+0xf4/0x2c0 > configfs_composite_bind+0x210/0x7ac > udc_bind_to_driver+0xb4/0x1ec > usb_gadget_probe_driver+0xec/0x21c > gadget_dev_desc_UDC_store+0x264/0x27c > > Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support") > Signed-off-by: Tao Xue <xuetao09@huawei.com> > --- > v3: add comment in patch > v2: update Signed-off and commit message > v1: initial submission > > drivers/usb/gadget/composite.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c > index 8dbc132a505e..adf0a79b3d3d 100644 > --- a/drivers/usb/gadget/composite.c > +++ b/drivers/usb/gadget/composite.c 
> @@ -2489,6 +2489,11 @@ int composite_os_desc_req_prepare(struct usb_composite_dev *cdev, > if (!cdev->os_desc_req->buf) { > ret = -ENOMEM; > usb_ep_free_request(ep0, cdev->os_desc_req); > + /* composite_dev_cleanup() will check whether cdev->os_desc_req > + * is NULL and will use it when it is not NULL, so we need to set > + * NULL here. > + */ > + cdev->os_desc_req = NULL; > goto end; > } > cdev->os_desc_req->context = cdev; > -- > 2.17.1 > >

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him a patch that has triggered this response. He used to manually respond to these common problems, but in order to save his sanity (he kept writing the same thing over and over, yet to different people), I was created. Hopefully you will not take offence and will fix the problem in your patch and resubmit it so that it can be accepted into the Linux kernel tree.

You are receiving this message because of the following common error(s) as indicated below:

- You have marked a patch with a "Fixes:" tag for a commit that is in an older released kernel, yet you do not have a cc: stable line in the signed-off-by area at all, which means that the patch will not be applied to any older kernel releases. To properly fix this, please follow the documented rules in the Documentation/process/stable-kernel-rules.rst file for how to resolve this.

If you wish to discuss this problem further, or you have questions about how to resolve this issue, please feel free to respond to this email and Greg will reply once he has dug out from the pending patches received from other developers.

thanks,

greg k-h's patch email bot