This is caused by uninitialization of list_head.
BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
Call trace:
dump_backtrace+0x0/0x298
show_stack+0x24/0x34
dump_stack+0x130/0x1a8
print_address_description+0x88/0x56c
__kasan_report+0x1b8/0x2a0
kasan_report+0x14/0x20
__asan_load8+0x9c/0xa0
__list_del_entry_valid+0x34/0xe4
mtu3_req_complete+0x4c/0x300 [mtu3]
mtu3_gadget_stop+0x168/0x448 [mtu3]
usb_gadget_unregister_driver+0x204/0x3a0
unregister_gadget_item+0x44/0xa4
Fixes: 83374e035b62 ("usb: mtu3: add tracepoints to help debug")
Cc: stable@vger.kernel.org
Reported-by: Yuwen Ng <yuwen.ng@mediatek.com>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
---
v2: add Fixes and Cc suggested by Greg
---
drivers/usb/mtu3/mtu3_gadget.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index c51be015345b..b6c8a4a99c4d 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -235,6 +235,7 @@ struct usb_request *mtu3_alloc_request(struct usb_ep *ep, gfp_t gfp_flags) mreq->request.dma = DMA_ADDR_INVALID; mreq->epnum = mep->epnum; mreq->mep = mep; + INIT_LIST_HEAD(&mreq->list); trace_mtu3_alloc_request(mreq);
return &mreq->request;
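Review bot: the changelog should name the field being initialized and explain how it relates to the Fixes tag: "caused by uninitialization of list_head" does not say that the head in question is `mreq->list`, nor why 83374e035b62 ("usb: mtu3: add tracepoints to help debug") is the commit that made `INIT_LIST_HEAD(&mreq->list);` before `trace_mtu3_alloc_request(mreq);` necessary. The KASAN report shows `mtu3_req_complete` reaching `__list_del_entry_valid` from `mtu3_gadget_stop`, so a request is being completed and unlinked with a list head that was never set up; spelling out the path by which such a request reaches the completion code would let reviewers (and the stable maintainers on Cc) confirm that initializing the head in `mtu3_alloc_request` covers every allocation, rather than only the one that produced this trace.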
On 18.12.2021 12:57, Chunfeng Yun wrote:
This is caused by uninitialization of list_head.
Again, there's no such word as "uninitialization" (even if it existed, it wouldn't mean what you wanted to say); please replace by "not initializing".
BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
Call trace:
dump_backtrace+0x0/0x298
show_stack+0x24/0x34
dump_stack+0x130/0x1a8
print_address_description+0x88/0x56c
__kasan_report+0x1b8/0x2a0
kasan_report+0x14/0x20
__asan_load8+0x9c/0xa0
__list_del_entry_valid+0x34/0xe4
mtu3_req_complete+0x4c/0x300 [mtu3]
mtu3_gadget_stop+0x168/0x448 [mtu3]
usb_gadget_unregister_driver+0x204/0x3a0
unregister_gadget_item+0x44/0xa4
Fixes: 83374e035b62 ("usb: mtu3: add tracepoints to help debug")
Cc: stable@vger.kernel.org
Reported-by: Yuwen Ng <yuwen.ng@mediatek.com>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
[...]
MBR, Sergey
On Sun, Dec 19, 2021 at 01:14:25PM +0300, Sergei Shtylyov wrote:
On 18.12.2021 12:57, Chunfeng Yun wrote:
This is caused by uninitialization of list_head.
Again, there's no such word as "uninitialization" (even if it existed, it wouldn't mean what you wanted to say); please replace by "not initializing".
We are not English language scholars; most of us do not have English as our native language. We all can understand what is being said here, there's no need for any change, please do not be so critical.
thanks,
greg k-h
On 19.12.2021 13:40, Greg Kroah-Hartman wrote: [...]
This is caused by uninitialization of list_head.
Again, there's no such word as "uninitialization" (even if it existed, it wouldn't mean what you wanted to say); please replace by "not initializing".
We are not English language scholars; most of us do not have English as our native language. We all can understand what is being said here, there's no need for any change, please do not be so critical.
OK, noted... I was just somewhat upset that my 1st comment was ignored. :-/
thanks,
greg k-h
MBR, Sergey
On Sun, 2021-12-19 at 14:00 +0300, Sergei Shtylyov wrote:
On 19.12.2021 13:40, Greg Kroah-Hartman wrote: [...]
This is caused by uninitialization of list_head.
Again, there's no such word as "uninitialization" (even if it existed, it wouldn't mean what you wanted to say); please replace by "not initializing".
We are not English language scholars; most of us do not have English as our native language. We all can understand what is being said here, there's no need for any change, please do not be so critical.
OK, noted... I was just somewhat upset that my 1st comment was ignored. :-/
Very sorry, I planned to fix it, but forgot it;
Please feel free to point out my mistakes;
Thanks a lot
thanks,
greg k-h
MBR, Sergey