From patchwork Thu Nov 21 12:41:00 2024
X-Patchwork-Submitter: 胡连勤
X-Patchwork-Id: 13881983
From: 胡连勤
To: gregkh@linuxfoundation.org, quic_jjohnson@quicinc.com, mwalle@kernel.org, Prashanth K
CC: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, opensource.kernel, 胡连勤
Subject: [PATCH v2] usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer
Date: Thu, 21 Nov 2024 12:41:00 +0000
X-Mailing-List: linux-usb@vger.kernel.org
From: Lianqin Hu

Considering that in some extreme cases, when u_serial driver is accessed by multiple threads, Thread A is executing the open operation and calling the gs_open, Thread B is executing the disconnect operation and calling the gserial_disconnect function, the port->port_usb pointer will be set to NULL.

E.g.

Thread A                                Thread B
gs_open()                               gadget_unbind_driver()
 gs_start_io()                           composite_disconnect()
  gs_start_rx()                           gserial_disconnect()
   ...                                     ...
   spin_unlock(&port->port_lock)
   status = usb_ep_queue()                 spin_lock(&port->port_lock)
   spin_lock(&port->port_lock)             port->port_usb = NULL
   gs_free_requests(port->port_usb->in)    spin_unlock(&port->port_lock)
   Crash

This causes thread A to access a null pointer (port->port_usb is null) when calling the gs_free_requests function, causing a crash. To avoid this, add a null pointer check to gs_start_io before attempting to access the value of the pointer port->port_usb.

Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8
pc : gs_start_io+0x164/0x25c
lr : gs_start_io+0x238/0x25c
sp : ffffffc08b75ba00
x29: ffffffc08b75ba00 x28: ffffffed8ba01000 x27: 0000000000020902
x26: dead000000000100 x25: ffffff899f43a400 x24: ffffff8862325400
x23: ffffff88623256a4 x22: ffffff8862325690 x21: ffffff88623255ec
x20: ffffff88623255d8 x19: ffffff885e19d700 x18: ffffffed8c45ae40
x17: 00000000d48d30ad x16: 00000000d48d30ad x15: 0010000000000001
x14: ffffffed8c50fcc0 x13: 0000000040000000 x12: 0000000000000001
x11: 0000000080200012 x10: 0000000080200012 x9 : ffffff88623255d8
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f
x5 : ffffffed8ae0b9a4 x4 : fffffffe267d0ea0 x3 : 0000000080200012
x2 : ffffff899f43a400 x1 : 0000000080200013 x0 : ffffff899f43b100
Call trace:
 gs_start_io+0x164/0x25c
 gs_open+0x108/0x13c
 tty_open+0x314/0x638
 chrdev_open+0x1b8/0x258
 do_dentry_open+0x2c4/0x700
 vfs_open+0x2c/0x3c
 path_openat+0xa64/0xc60
 do_filp_open+0xb8/0x164
 do_sys_openat2+0x84/0xf0
 __arm64_sys_openat+0x70/0x9c
 invoke_syscall+0x58/0x114
 el0_svc_common+0x80/0xe0
 do_el0_svc+0x1c/0x28
 el0_svc+0x38/0x68
 el0t_64_sync_handler+0x68/0xbc
 el0t_64_sync+0x1a8/0x1ac
Code: f2fbd5ba eb14013f 540004a1 f940e708 (f9407513)
---[ end trace 0000000000000000 ]---

Suggested-by: Prashanth K
Signed-off-by: Lianqin Hu
---
v2:
- Modify patch content and description according to "v1 suggestion"
- Link to v1: https://lore.kernel.org/all/TYUPR06MB621737D16F68B5ABD6CF5772D2272@TYUPR06MB6217.apcprd06.prod.outlook.com/

 drivers/usb/gadget/function/u_serial.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
index 0a8c05b2746b..53d9fc41acc5 100644
--- a/drivers/usb/gadget/function/u_serial.c
+++ b/drivers/usb/gadget/function/u_serial.c
@@ -579,9 +579,12 @@ static int gs_start_io(struct gs_port *port)
 		 * we didn't in gs_start_tx()
 		 */
 		tty_wakeup(port->port.tty);
 	} else {
-		gs_free_requests(ep, head, &port->read_allocated);
-		gs_free_requests(port->port_usb->in, &port->write_pool,
-			&port->write_allocated);
+		/* Free reqs only if we are still connected */
+		if (port->port_usb) {
+			gs_free_requests(ep, head, &port->read_allocated);
+			gs_free_requests(port->port_usb->in, &port->write_pool,
+				&port->write_allocated);
+		}
 		status = -EIO;
 	}
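Review bot: the new `if (port->port_usb)` test in the else branch is only sound because port->port_lock is held there (the interleaving in the description shows gs_start_io() re-taking it after gs_start_rx() dropped it around usb_ep_queue()) and because gserial_disconnect() clears port_usb under that same lock; the comment `/* Free reqs only if we are still connected */` should say so, since a reader of this hunk alone cannot tell what serialises the check against the NULL store. Something like "port_usb is cleared under port_lock by gserial_disconnect(); if it already ran, the requests are no longer ours to free" documents both the lock and the ownership hand-off. Also worth a sentence in the changelog: when the check fails, `&port->read_allocated` and `&port->write_allocated` are no longer touched on this path, so the description should state that the disconnect side is responsible for those counters and the pools.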
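The race the commit message describes can be reproduced deterministically in user space without the USB stack. The program below is an added illustration, not kernel code and not part of this patch: it keeps only the fields the race touches, stands in for port_lock with a flag, and lets a hook run "Thread B" exactly in the window where gs_start_rx() has dropped the lock. The names model_start_io(), model_disconnect() and run_scenario() are hypothetical; the assumption that the disconnect side frees the pools and zeroes the allocation counters is the model's own. The `patched` flag switches between the unconditional free of the old code and the re-check the patch adds.

```c
/*
 * Added example (not the kernel's code): single-threaded model of the
 * gs_start_io() / gserial_disconnect() race. "Thread B" is a hook that runs
 * in the window where gs_start_rx() has dropped port_lock around
 * usb_ep_queue(). Names and field set are hypothetical simplifications.
 */
#include <stdio.h>
#include <stddef.h>

#define EIO 5

struct usb_ep  { const char *name; };
struct gserial { struct usb_ep *in; struct usb_ep *out; };

struct gs_port {
	int lock_held;             /* stands in for port->port_lock */
	struct gserial *port_usb;  /* cleared by disconnect; must be re-checked */
	int read_allocated;
	int write_allocated;
};

enum outcome {
	IO_STARTED  = 0,
	IO_FAILED   = -EIO,    /* requests freed (or already gone), -EIO returned */
	WOULD_CRASH = -1000,   /* unpatched code would dereference port_usb == NULL */
};

static void port_lock(struct gs_port *p)   { p->lock_held = 1; }
static void port_unlock(struct gs_port *p) { p->lock_held = 0; }

/* Thread B: model of gserial_disconnect() for the fields this race touches.
 * Assumption of the model: the pools are freed and counters reset here. */
static void model_disconnect(struct gs_port *p)
{
	port_lock(p);
	p->port_usb = NULL;
	p->read_allocated = p->write_allocated = 0;
	port_unlock(p);
}

static void model_free_requests(struct usb_ep *ep, int *allocated)
{
	(void)ep;          /* the model keeps no real request lists */
	*allocated = 0;
}

/* Thread A: tail of gs_start_io(). `patched` selects whether port_usb is
 * re-validated after the lock is re-taken, as the patch does. */
static int model_start_io(struct gs_port *p, int patched, int queue_ok,
			  void (*during_unlock)(struct gs_port *))
{
	struct usb_ep *ep;
	int status;

	port_lock(p);
	ep = p->port_usb->out;           /* safe: lock held, port_usb valid */
	p->read_allocated = p->write_allocated = 1;

	/* gs_start_rx() drops the lock around usb_ep_queue() */
	port_unlock(p);
	if (during_unlock)
		during_unlock(p);        /* Thread B may run here */
	status = queue_ok ? 1 : 0;       /* number of requests started */
	port_lock(p);

	if (status > 0) {
		port_unlock(p);
		return IO_STARTED;
	}

	/* Unpatched code dereferences p->port_usb->in unconditionally. */
	if (!patched && !p->port_usb) {
		port_unlock(p);
		return WOULD_CRASH;
	}
	/* Patched code frees only while still connected. */
	if (p->port_usb) {
		model_free_requests(ep, &p->read_allocated);
		model_free_requests(p->port_usb->in, &p->write_allocated);
	}
	port_unlock(p);
	return IO_FAILED;
}

/* Build a connected port (constructed sample data) and run one interleaving. */
static int run_scenario(int patched, int disconnect_during_unlock, int queue_ok)
{
	struct usb_ep in = { "ep1in" }, out = { "ep1out" };
	struct gserial gser = { &in, &out };
	struct gs_port port = { 0, &gser, 0, 0 };

	return model_start_io(&port, patched, queue_ok,
			      disconnect_during_unlock ? model_disconnect : NULL);
}

int main(void)
{
	printf("unpatched, disconnect in window: %d\n", run_scenario(0, 1, 0));
	printf("patched,   disconnect in window: %d\n", run_scenario(1, 1, 0));
	printf("patched,   no disconnect:        %d\n", run_scenario(1, 0, 0));
	printf("patched,   queue succeeded:      %d\n", run_scenario(1, 0, 1));
	return 0;
}
```

The point the model makes is the general one behind the patch: a pointer read under a lock is only valid until that lock is dropped, so anything that unlocks around a blocking or callback-driven call (usb_ep_queue() here) has to re-read and re-validate the shared pointer after re-acquiring the lock rather than reuse the snapshot.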