diff mbox series

[v3] phy: tegra: xusb: Clear the driver reference in usb-phy dev

Message ID 20230609062932.3276509-1-haotienh@nvidia.com
State Accepted
Commit c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d
Headers show
Series [v3] phy: tegra: xusb: Clear the driver reference in usb-phy dev | expand

Commit Message

HaoTien Hsu June 9, 2023, 6:29 a.m. UTC 
From: EJ Hsu <ejh@nvidia.com>

For the dual-role port, it will assign the phy dev to usb-phy dev and
use the port dev driver as the dev driver of usb-phy.

When we try to destroy the port dev, it will destroy its dev driver
as well. But we did not remove the reference from usb-phy dev. This
might cause the use-after-free issue in KASAN.

Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support")
Cc: stable@vger.kernel.org

Signed-off-by: EJ Hsu <ejh@nvidia.com>
Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
---
V1 -> V2: Remove extra movements to clarify the change
V2 -> V3: Update patch title
---
 drivers/phy/tegra/xusb.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Jon Hunter June 20, 2023, 1:51 p.m. UTC | #1 
Hi Vinod,

On 09/06/2023 07:29, Haotien Hsu wrote:
> From: EJ Hsu <ejh@nvidia.com>
> 
> For the dual-role port, it will assign the phy dev to usb-phy dev and
> use the port dev driver as the dev driver of usb-phy.
> 
> When we try to destroy the port dev, it will destroy its dev driver
> as well. But we did not remove the reference from usb-phy dev. This
> might cause the use-after-free issue in KASAN.
> 
> Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support")
> Cc: stable@vger.kernel.org
> 
> Signed-off-by: EJ Hsu <ejh@nvidia.com>
> Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
> Acked-by: Thierry Reding <treding@nvidia.com>
> Acked-by: Jon Hunter <jonathanh@nvidia.com>
> ---
> V1 -> V2: Remove extra movements to clarify the change
> V2 -> V3: Update patch title
> ---
>   drivers/phy/tegra/xusb.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
> index 78045bd6c214..26b66a668f3b 100644
> --- a/drivers/phy/tegra/xusb.c
> +++ b/drivers/phy/tegra/xusb.c
> @@ -568,6 +568,7 @@ static void tegra_xusb_port_unregister(struct tegra_xusb_port *port)
>   		usb_role_switch_unregister(port->usb_role_sw);
>   		cancel_work_sync(&port->usb_phy_work);
>   		usb_remove_phy(&port->usb_phy);
> +		port->usb_phy.dev->driver = NULL;
>   	}
>   
>   	if (port->ops->remove)


OK to pick this up now?

Thanks
Jon
Vinod Koul June 21, 2023, 12:01 p.m. UTC | #2 
On 09-06-23, 14:29, Haotien Hsu wrote:
> From: EJ Hsu <ejh@nvidia.com>
> 
> For the dual-role port, it will assign the phy dev to usb-phy dev and
> use the port dev driver as the dev driver of usb-phy.
> 
> When we try to destroy the port dev, it will destroy its dev driver
> as well. But we did not remove the reference from usb-phy dev. This
> might cause the use-after-free issue in KASAN.

Applied, thanks
diff mbox series

Patch

diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
index 78045bd6c214..26b66a668f3b 100644
--- a/drivers/phy/tegra/xusb.c
+++ b/drivers/phy/tegra/xusb.c
@@ -568,6 +568,7 @@  static void tegra_xusb_port_unregister(struct tegra_xusb_port *port)
 		usb_role_switch_unregister(port->usb_role_sw);
 		cancel_work_sync(&port->usb_phy_work);
 		usb_remove_phy(&port->usb_phy);
+		port->usb_phy.dev->driver = NULL;
 	}
 
 	if (port->ops->remove)