Commits
Peter Chen committed 67481f9ff87
MLK-20585-2 usb: cdns3: gadget: fix the KASAN issue

BUG: KASAN: use-after-free in pending_setup_status_handler+0x4c/0x9c
Read of size 8 at addr ffff8008b2fb6130 by task kworker/0:1/4432

CPU: 0 PID: 4432 Comm: kworker/0:1 Not tainted 4.14.78-06631-gd2e1817-dirty #18
Hardware name: Freescale i.MX8QM MEK (DT)
Workqueue: events_freezable pending_setup_status_handler
Call trace:
[<ffff20000808dff8>] dump_backtrace+0x0/0x49c
[<ffff20000808e4a8>] show_stack+0x14/0x1c
[<ffff20000967b808>] dump_stack+0xa0/0xc8
[<ffff200008344f80>] print_address_description+0x124/0x2f8
[<ffff200008345404>] kasan_report+0x200/0x348
[<ffff200008343780>] __asan_load8+0x6c/0x84
[<ffff200008d897d8>] pending_setup_status_handler+0x4c/0x9c
[<ffff2000081236e4>] process_one_work+0x250/0x72c
[<ffff200008123c58>] worker_thread+0x98/0x69c
[<ffff20000812cd00>] kthread+0x170/0x1b0
[<ffff200008085cd8>] ret_from_fork+0x10/0x18

Allocated by task 4689:
 kasan_kmalloc.part.5+0x50/0x124
 kasan_kmalloc+0xc4/0xe4
 kmem_cache_alloc_trace+0x13c/0x298
 usb_ss_gadget_ep_alloc_request+0x48/0x50
 usb_ep_alloc_request+0x44/0x16c
 composite_dev_prepare+0x4c/0x1b8
 configfs_composite_bind+0x6c/0x694
 udc_bind_to_driver+0xcc/0x218
 usb_gadget_probe_driver+0x108/0x1b0
 gadget_dev_desc_UDC_store+0xf4/0x174
 configfs_write_file+0x184/0x25c
 vfs_write+0xf0/0x26c
 SyS_write+0x64/0xd4
 el0_svc_naked+0x34/0x38

Freed by task 3406:
 kasan_slab_free+0xb0/0x1c0
 kfree+0x7c/0x270
 usb_ss_gadget_ep_free_request+0x10/0x18
 usb_ep_free_request+0x44/0x158
 composite_dev_cleanup+0x188/0x230
 configfs_composite_unbind+0x48/0x80
 usb_gadget_remove_driver+0x84/0xf0
 usb_gadget_unregister_driver+0x10c/0x134
 gadget_dev_desc_UDC_store+0xa0/0x174
 configfs_write_file+0x184/0x25c
 vfs_write+0xf0/0x26c
 SyS_write+0x64/0xd4
 el0_svc_naked+0x34/0x38

The buggy address belongs to the object at ffff8008b2fb6100
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 48 bytes inside of
 128-byte region [ffff8008b2fb6100, ffff8008b2fb6180)
The buggy address belongs to the page:
page:ffff7e0022cbed80 count:1 mapcount:0 mapping: (null) index:0x0

Reported-by: Yang Tian <yang.tian@nxp.com>
Tested-by: Yang Tian <yang.tian@nxp.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
(cherry picked from commit 0cf9ae2a80c243f4c8191e447374d466cdbb2bd6)