From patchwork Sun Aug 25 08:28:00 2024
X-Patchwork-Submitter: 胡连勤
X-Patchwork-Id: 823036
From: 胡连勤
To: Prashanth K, Michael Nazzareno Trimarchi, gregkh@linuxfoundation.org
CC: gregkh@linuxfoundation.org, quic_jjohnson@quicinc.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, opensource.kernel, akpm@linux-foundation.org
Subject: [PATCH v7] usb: gadget: u_serial: Add null pointer check in gs_read_complete & gs_write_complete
Date: Sun, 25 Aug 2024 08:28:00 +0000
X-Mailing-List: linux-usb@vger.kernel.org
From: Lianqin Hu

Considering that in some extreme cases, when the unbind operation is being
executed, gserial_disconnect has already cleared gser->ioport, and the
controller has not stopped & pullup 0, sys.usb.config is reset and the bind
operation will be re-executed, calling gs_read_complete, which will result in
accessing gser->ioport, resulting in a null pointer dereference. Add a null
pointer check to prevent this situation.

Added a static spinlock to prevent gser->ioport from becoming null after the
newly added check.

Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a8
pc : gs_read_complete+0x58/0x240
lr : usb_gadget_giveback_request+0x40/0x160
sp : ffffffc00f1539c0
x29: ffffffc00f1539c0 x28: ffffff8002a30000 x27: 0000000000000000
x26: ffffff8002a30000 x25: 0000000000000000 x24: ffffff8002a30000
x23: ffffff8002ff9a70 x22: ffffff898e7a7b00 x21: ffffff803c9af9d8
x20: ffffff898e7a7b00 x19: 00000000000001a8 x18: ffffffc0099fd098
x17: 0000000000001000 x16: 0000000080000000 x15: 0000000ac1200000
x14: 0000000000000003 x13: 000000000000d5e8 x12: 0000000355c314ac
x11: 0000000000000015 x10: 0000000000000012 x9 : 0000000000000008
x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffffff887cd12000
x5 : 0000000000000002 x4 : ffffffc00f9b07f0 x3 : ffffffc00f1538d0
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000000001a8
Call trace:
 gs_read_complete+0x58/0x240
 usb_gadget_giveback_request+0x40/0x160
 dwc3_remove_requests+0x170/0x484
 dwc3_ep0_out_start+0xb0/0x1d4
 __dwc3_gadget_start+0x25c/0x720
 kretprobe_trampoline.cfi_jt+0x0/0x8
 kretprobe_trampoline.cfi_jt+0x0/0x8
 udc_bind_to_driver+0x1d8/0x300
 usb_gadget_probe_driver+0xa8/0x1dc
 gadget_dev_desc_UDC_store+0x13c/0x188
 configfs_write_iter+0x160/0x1f4
 vfs_write+0x2d0/0x40c
 ksys_write+0x7c/0xf0
 __arm64_sys_write+0x20/0x30
 invoke_syscall+0x60/0x150
 el0_svc_common+0x8c/0xf8
 do_el0_svc+0x28/0xa0
 el0_svc+0x24/0x84
 el0t_64_sync_handler+0x88/0xec
 el0t_64_sync+0x1b4/0x1b8
Code: aa1f03e1 aa1303e0 52800022 2a0103e8 (88e87e62)
---[ end trace 938847327a739172 ]---
Kernel panic - not syncing: Oops: Fatal exception

Fixes: c1dca562be8a ("usb gadget: split out serial core")
Cc: stable@vger.kernel.org
Signed-off-by: Lianqin Hu
---
v7:
- Remove code comments
- Update the commit text
- Add the Fixes tag
- CC stable kernel
- Add serial_port_lock protection when checking port pointer
- Optimize code comments
- Delete log printing
---
 drivers/usb/gadget/function/u_serial.c | 33 ++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 5 deletions(-)

} - spin_unlock(&port->port_lock); + spin_unlock_irqrestore(&port->port_lock, flags); } static void gs_free_requests(struct usb_ep *ep, struct list_head *head,

diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
index b394105e55d6..e43d8065f7ec 100644
--- a/drivers/usb/gadget/function/u_serial.c
+++ b/drivers/usb/gadget/function/u_serial.c
@@ -452,20 +452,43 @@ static void gs_rx_push(struct work_struct *work) static void gs_read_complete(struct usb_ep *ep, struct usb_request *req) { - struct gs_port *port = ep->driver_data; + struct gs_port *port; + unsigned long flags; + + spin_lock_irqsave(&serial_port_lock, flags); + port = ep->driver_data; + + if (!port) { + spin_unlock_irqrestore(&serial_port_lock, flags); + return; + } - /* Queue all received data until the tty layer is ready for it. */ spin_lock(&port->port_lock); + spin_unlock(&serial_port_lock); + + /* Queue all received data until the tty layer is ready for it. */ list_add_tail(&req->list, &port->read_queue); schedule_delayed_work(&port->push, 0); - spin_unlock(&port->port_lock); + spin_unlock_irqrestore(&port->port_lock, flags); } static void gs_write_complete(struct usb_ep *ep, struct usb_request *req) { - struct gs_port *port = ep->driver_data; + struct gs_port *port; + unsigned long flags; + + spin_lock_irqsave(&serial_port_lock, flags); + port = ep->driver_data; + + if (!port) { + spin_unlock_irqrestore(&serial_port_lock, flags); + return; + } spin_lock(&port->port_lock); + spin_unlock(&serial_port_lock); list_add(&req->list, &port->write_pool); port->write_started--; @@ -486,7 +509,7 @@ static void gs_write_complete(struct usb_ep *ep, struct usb_request *req) break;
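Review bot: in the @@ -452,20 +452,43 @@ hunk the new `if (!port)` test is only as strong as the locking on the side that clears `ep->driver_data`; the diff touches gs_read_complete and gs_write_complete only, and nothing visible here shows the teardown path writing NULL to `ep->driver_data` while holding `serial_port_lock`, so if it does not, the window the commit message describes (the pointer going NULL right after the check) stays open and the added lock/unlock pair in the completion path buys nothing. Either point, in the commit message, at the place where the teardown side already holds `serial_port_lock` when it clears the pointer, or make it do so in this patch. Related: the commit message says "Added a static spinlock", yet the diff defines no new lock and the v7 note says "Add serial_port_lock protection", i.e. an existing lock is reused; say which. Finally, `spin_lock(&port->port_lock);` followed by `spin_unlock(&serial_port_lock);` fixes the order serial_port_lock, then port->port_lock; that is fine as long as no other path takes the two in the opposite order, which deserves a sentence in the message.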
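Review bot: in the @@ -486,7 +509,7 @@ hunk (whose `-`/`+` lines appear above the `diff --git` header on this page) `spin_unlock_irqrestore(&port->port_lock, flags)` restores a `flags` value that was saved by `spin_lock_irqsave(&serial_port_lock, flags)` on a different lock. That is correct, because `flags` holds the interrupt state at the time of the irqsave and nothing about the lock, but it reads like a mismatched pair, and gs_read_complete makes the same handoff; a one-line comment at `spin_unlock(&serial_port_lock);` saying that `flags` is carried through to the final `port_lock` release would stop a later cleanup from "fixing" it into an irqsave/irqrestore on the wrong lock. Note also that the `if (!port)` early return and this final unlock are now the only exits that restore `flags`; any early return added between the lock and this unlock must do the same.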
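The race the commit message describes, and the difference between a bare NULL check and a check made under the same lock the teardown side takes, can be checked exhaustively in a small model. What follows is an added example, not code from the patch, from u_serial.c or from the author: it enumerates every interleaving of a modelled completion handler and a modelled disconnect path and reports whether any schedule dereferences NULL or touches a port after teardown. The model collapses `serial_port_lock` and `port->port_lock` into a single lock and assumes the disconnect path clears `ep->driver_data` and tears the port down in one step; the op names, the program arrays and the `check_race()` helper are the example's own, not kernel APIs.

```c
/*
 * Added example (not code from the patch or from u_serial.c): an exhaustive
 * interleaving check of the "is ep->driver_data NULL?" test that the patch
 * adds to gs_read_complete/gs_write_complete. Two modelled threads, a
 * completion handler and a disconnect path, are run under every possible
 * schedule, and we record whether any schedule dereferences NULL or uses a
 * port after the disconnect path has torn it down. Assumption: one lock
 * stands in for both serial_port_lock and port->port_lock.
 */
#include <stdbool.h>
#include <stdio.h>

enum op {
	OP_LOCK,    /* spin_lock(): blocks while another thread holds the lock */
	OP_UNLOCK,  /* spin_unlock() */
	OP_READ,    /* port = ep->driver_data */
	OP_CHECK,   /* if (!port) { unlock if held; return; } */
	OP_USE,     /* spin_lock(&port->port_lock), list_add(), ... */
	OP_CLEAR,   /* disconnect: ep->driver_data = NULL and port torn down */
	OP_END
};

/* Bit flags returned by check_race(). */
enum { OK = 0, NULL_DEREF = 1, STALE_USE = 2 };

struct state {
	int pc[2];          /* next op of each modelled thread */
	int lock_holder;    /* -1 when free, else thread index */
	bool driver_data;   /* true while ep->driver_data is non-NULL */
	bool port_valid;    /* true until the disconnect path tears the port down */
	bool local;         /* the handler's local copy of ep->driver_data */
};

/* Index of OP_END in a program, used to model an early return. */
static int end_of(const enum op *prog)
{
	int i = 0;
	while (prog[i] != OP_END)
		i++;
	return i;
}

/* Depth-first search over all interleavings; returns the union of bad outcomes. */
static int explore(const enum op *prog[2], struct state s)
{
	int bad = OK;

	for (int t = 0; t < 2; t++) {
		enum op o = prog[t][s.pc[t]];
		struct state n = s;

		if (o == OP_END)
			continue;
		if (o == OP_LOCK && s.lock_holder != -1)
			continue;	/* this thread is spinning on the lock */

		n.pc[t]++;
		switch (o) {
		case OP_LOCK:
			n.lock_holder = t;
			break;
		case OP_UNLOCK:
			n.lock_holder = -1;
			break;
		case OP_READ:
			n.local = s.driver_data;
			break;
		case OP_CHECK:
			if (!s.local) {	/* early return, dropping the lock if held */
				if (s.lock_holder == t)
					n.lock_holder = -1;
				n.pc[t] = end_of(prog[t]);
			}
			break;
		case OP_USE:
			if (!s.local)
				bad |= NULL_DEREF;
			else if (!s.port_valid)
				bad |= STALE_USE;
			break;
		case OP_CLEAR:
			n.driver_data = false;
			n.port_valid = false;
			break;
		case OP_END:
			break;
		}
		bad |= explore(prog, n);
	}
	return bad;
}

/* Completion-handler variants (modelled, not the kernel functions). */
static const enum op orig_handler[]    = { OP_READ, OP_USE, OP_END };
static const enum op checked_handler[] = { OP_READ, OP_CHECK, OP_USE, OP_END };
static const enum op locked_handler[]  = { OP_LOCK, OP_READ, OP_CHECK, OP_USE, OP_UNLOCK, OP_END };
/* Disconnect-path variants. */
static const enum op disconnect_unlocked[] = { OP_CLEAR, OP_END };
static const enum op disconnect_locked[]   = { OP_LOCK, OP_CLEAR, OP_UNLOCK, OP_END };

/* Returns OK, or NULL_DEREF and/or STALE_USE if some schedule reaches them. */
int check_race(const enum op *handler, const enum op *disconnect)
{
	const enum op *prog[2] = { handler, disconnect };
	struct state s = { { 0, 0 }, -1, true, true, false };

	return explore(prog, s);
}

int main(void)
{
	printf("no check, unlocked disconnect:     %d\n", check_race(orig_handler, disconnect_unlocked));
	printf("check only, unlocked disconnect:   %d\n", check_race(checked_handler, disconnect_unlocked));
	printf("locked check, locked disconnect:   %d\n", check_race(locked_handler, disconnect_locked));
	printf("locked check, unlocked disconnect: %d\n", check_race(locked_handler, disconnect_unlocked));
	return 0;
}
```

The four runs in main() give 3 (NULL dereference and stale use) for the unpatched handler, 2 (stale use only) for a check with no lock, 0 when both sides take the lock, and 2 again when the handler locks but the disconnect side does not; that last case is the one a reviewer has to rule out before accepting a check under `serial_port_lock` as the fix.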