| Message ID | 20250321143728.4092417-2-akuchynski@chromium.org |
|---|---|
| State | New |
| Headers | show |
| Series | Fix invalid pointer access | expand |
On Fri, Mar 21, 2025 at 02:37:26PM +0000, Andrei Kuchynski wrote: > Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer > dereference. This patch adds a mutex to protect USB device pointers and > prevent this issue. The same mutex protects both the device pointers and > the partner device registration. > > Cc: stable@vger.kernel.org > Fixes: 59de2a56d127 ("usb: typec: Link enumerated USB devices with Type-C partner") > Signed-off-by: Andrei Kuchynski <akuchynski@chromium.org> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> > --- > drivers/usb/typec/class.c | 15 +++++++++++++-- > drivers/usb/typec/class.h | 1 + > 2 files changed, 14 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c > index 9c76c3d0c6cf..eadb150223f8 100644 > --- a/drivers/usb/typec/class.c > +++ b/drivers/usb/typec/class.c > @@ -1052,6 +1052,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port, > partner->usb_mode = USB_MODE_USB3; > } > > + mutex_lock(&port->partner_link_lock); > ret = device_register(&partner->dev); > if (ret) { > dev_err(&port->dev, "failed to register partner (%d)\n", ret); > @@ -1063,6 +1064,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port, > typec_partner_link_device(partner, port->usb2_dev); > if (port->usb3_dev) > typec_partner_link_device(partner, port->usb3_dev); > + mutex_unlock(&port->partner_link_lock); > > return partner; > } > @@ -1083,12 +1085,14 @@ void typec_unregister_partner(struct typec_partner *partner) > > port = to_typec_port(partner->dev.parent); > > + mutex_lock(&port->partner_link_lock); > if (port->usb2_dev) > typec_partner_unlink_device(partner, port->usb2_dev); > if (port->usb3_dev) > typec_partner_unlink_device(partner, port->usb3_dev); > > device_unregister(&partner->dev); > + mutex_unlock(&port->partner_link_lock); > } > EXPORT_SYMBOL_GPL(typec_unregister_partner); > > @@ -2041,10 +2045,11 @@ static struct typec_partner *typec_get_partner(struct typec_port *port) > static void typec_partner_attach(struct typec_connector *con, struct device *dev) > { > struct typec_port *port = container_of(con, struct typec_port, con); > - struct typec_partner *partner = typec_get_partner(port); > + struct typec_partner *partner; > struct usb_device *udev = to_usb_device(dev); > enum usb_mode usb_mode; > > + mutex_lock(&port->partner_link_lock); > if (udev->speed < USB_SPEED_SUPER) { > usb_mode = USB_MODE_USB2; > port->usb2_dev = dev; > @@ -2053,18 +2058,22 @@ static void typec_partner_attach(struct typec_connector *con, struct device *dev > port->usb3_dev = dev; > } > > + partner = typec_get_partner(port); > if (partner) { > typec_partner_set_usb_mode(partner, usb_mode); > typec_partner_link_device(partner, dev); > put_device(&partner->dev); > } > + mutex_unlock(&port->partner_link_lock); > } > > static void typec_partner_deattach(struct typec_connector *con, struct device *dev) > { > struct typec_port *port = container_of(con, struct typec_port, con); > - struct typec_partner *partner = typec_get_partner(port); > + struct typec_partner *partner; > > + mutex_lock(&port->partner_link_lock); > + partner = typec_get_partner(port); > if (partner) { > typec_partner_unlink_device(partner, dev); > put_device(&partner->dev); > @@ -2074,6 +2083,7 @@ static void typec_partner_deattach(struct typec_connector *con, struct device *d > port->usb2_dev = NULL; > else if (port->usb3_dev == dev) > port->usb3_dev = NULL; > + mutex_unlock(&port->partner_link_lock); > } > > /** > @@ -2614,6 +2624,7 @@ struct typec_port *typec_register_port(struct device *parent, > > ida_init(&port->mode_ids); > mutex_init(&port->port_type_lock); > + mutex_init(&port->partner_link_lock); > > port->id = id; > port->ops = cap->ops; > diff --git a/drivers/usb/typec/class.h b/drivers/usb/typec/class.h > index b3076a24ad2e..db2fe96c48ff 100644 > --- a/drivers/usb/typec/class.h > +++ b/drivers/usb/typec/class.h > @@ -59,6 +59,7 @@ struct typec_port { > enum typec_port_type port_type; > enum usb_mode usb_mode; > struct mutex port_type_lock; > + struct mutex partner_link_lock; > > enum typec_orientation orientation; > struct typec_switch *sw; > -- > 2.49.0.395.g12beb8f557-goog
diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c index 9c76c3d0c6cf..eadb150223f8 100644 --- a/drivers/usb/typec/class.c +++ b/drivers/usb/typec/class.c @@ -1052,6 +1052,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port, partner->usb_mode = USB_MODE_USB3; } + mutex_lock(&port->partner_link_lock); ret = device_register(&partner->dev); if (ret) { dev_err(&port->dev, "failed to register partner (%d)\n", ret); @@ -1063,6 +1064,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port, typec_partner_link_device(partner, port->usb2_dev); if (port->usb3_dev) typec_partner_link_device(partner, port->usb3_dev); + mutex_unlock(&port->partner_link_lock); return partner; } @@ -1083,12 +1085,14 @@ void typec_unregister_partner(struct typec_partner *partner) port = to_typec_port(partner->dev.parent); + mutex_lock(&port->partner_link_lock); if (port->usb2_dev) typec_partner_unlink_device(partner, port->usb2_dev); if (port->usb3_dev) typec_partner_unlink_device(partner, port->usb3_dev); device_unregister(&partner->dev); + mutex_unlock(&port->partner_link_lock); } EXPORT_SYMBOL_GPL(typec_unregister_partner); @@ -2041,10 +2045,11 @@ static struct typec_partner *typec_get_partner(struct typec_port *port) static void typec_partner_attach(struct typec_connector *con, struct device *dev) { struct typec_port *port = container_of(con, struct typec_port, con); - struct typec_partner *partner = typec_get_partner(port); + struct typec_partner *partner; struct usb_device *udev = to_usb_device(dev); enum usb_mode usb_mode; + mutex_lock(&port->partner_link_lock); if (udev->speed < USB_SPEED_SUPER) { usb_mode = USB_MODE_USB2; port->usb2_dev = dev; @@ -2053,18 +2058,22 @@ static void typec_partner_attach(struct typec_connector *con, struct device *dev port->usb3_dev = dev; } + partner = typec_get_partner(port); if (partner) { typec_partner_set_usb_mode(partner, usb_mode); typec_partner_link_device(partner, dev); put_device(&partner->dev); } + mutex_unlock(&port->partner_link_lock); } static void typec_partner_deattach(struct typec_connector *con, struct device *dev) { struct typec_port *port = container_of(con, struct typec_port, con); - struct typec_partner *partner = typec_get_partner(port); + struct typec_partner *partner; + mutex_lock(&port->partner_link_lock); + partner = typec_get_partner(port); if (partner) { typec_partner_unlink_device(partner, dev); put_device(&partner->dev); @@ -2074,6 +2083,7 @@ static void typec_partner_deattach(struct typec_connector *con, struct device *d port->usb2_dev = NULL; else if (port->usb3_dev == dev) port->usb3_dev = NULL; + mutex_unlock(&port->partner_link_lock); } /** @@ -2614,6 +2624,7 @@ struct typec_port *typec_register_port(struct device *parent, ida_init(&port->mode_ids); mutex_init(&port->port_type_lock); + mutex_init(&port->partner_link_lock); port->id = id; port->ops = cap->ops; diff --git a/drivers/usb/typec/class.h b/drivers/usb/typec/class.h index b3076a24ad2e..db2fe96c48ff 100644 --- a/drivers/usb/typec/class.h +++ b/drivers/usb/typec/class.h @@ -59,6 +59,7 @@ struct typec_port { enum typec_port_type port_type; enum usb_mode usb_mode; struct mutex port_type_lock; + struct mutex partner_link_lock; enum typec_orientation orientation; struct typec_switch *sw;
Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer dereference. This patch adds a mutex to protect USB device pointers and prevent this issue. The same mutex protects both the device pointers and the partner device registration. Cc: stable@vger.kernel.org Fixes: 59de2a56d127 ("usb: typec: Link enumerated USB devices with Type-C partner") Signed-off-by: Andrei Kuchynski <akuchynski@chromium.org> --- drivers/usb/typec/class.c | 15 +++++++++++++-- drivers/usb/typec/class.h | 1 + 2 files changed, 14 insertions(+), 2 deletions(-)