From patchwork Thu Aug 29 11:54:39 2024
X-Patchwork-Submitter: 胡连勤 (Lianqin Hu)
X-Patchwork-Id: 13783069
From: 胡连勤 (Lianqin Hu)
To: Michael Nazzareno Trimarchi, Prashanth K, gregkh@linuxfoundation.org
CC: quic_jjohnson@quicinc.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, opensource.kernel, akpm@linux-foundation.org, 胡连勤 (Lianqin Hu)
Subject: [PATCH v9] usb: gadget: u_serial: Add null pointer check in gs_read_complete & gs_write_complete
Date: Thu, 29 Aug 2024 11:54:39 +0000
X-Mailing-List: linux-usb@vger.kernel.org
X-OriginatorOrg: vivo.com
From: Lianqin Hu

Considering that in some extreme cases, when the unbind operation is being
executed, gserial_disconnect has already cleared gser->ioport, and if a gadget
reconfiguration is triggered at this time, gs_read_complete gets called
afterwards, which results in accessing a null pointer; add a null pointer
check to prevent this situation.

Added a static spinlock to prevent gser->ioport from becoming null after the
newly added check.

Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a8
pc : gs_read_complete+0x58/0x240
lr : usb_gadget_giveback_request+0x40/0x160
sp : ffffffc00f1539c0
x29: ffffffc00f1539c0 x28: ffffff8002a30000 x27: 0000000000000000
x26: ffffff8002a30000 x25: 0000000000000000 x24: ffffff8002a30000
x23: ffffff8002ff9a70 x22: ffffff898e7a7b00 x21: ffffff803c9af9d8
x20: ffffff898e7a7b00 x19: 00000000000001a8 x18: ffffffc0099fd098
x17: 0000000000001000 x16: 0000000080000000 x15: 0000000ac1200000
x14: 0000000000000003 x13: 000000000000d5e8 x12: 0000000355c314ac
x11: 0000000000000015 x10: 0000000000000012 x9 : 0000000000000008
x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffffff887cd12000
x5 : 0000000000000002 x4 : ffffffc00f9b07f0 x3 : ffffffc00f1538d0
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000000001a8
Call trace:
 gs_read_complete+0x58/0x240
 usb_gadget_giveback_request+0x40/0x160
 dwc3_remove_requests+0x170/0x484
 dwc3_ep0_out_start+0xb0/0x1d4
 __dwc3_gadget_start+0x25c/0x720
 kretprobe_trampoline.cfi_jt+0x0/0x8
 kretprobe_trampoline.cfi_jt+0x0/0x8
 udc_bind_to_driver+0x1d8/0x300
 usb_gadget_probe_driver+0xa8/0x1dc
 gadget_dev_desc_UDC_store+0x13c/0x188
 configfs_write_iter+0x160/0x1f4
 vfs_write+0x2d0/0x40c
 ksys_write+0x7c/0xf0
 __arm64_sys_write+0x20/0x30
 invoke_syscall+0x60/0x150
 el0_svc_common+0x8c/0xf8
 do_el0_svc+0x28/0xa0
 el0_svc+0x24/0x84
 el0t_64_sync_handler+0x88/0xec
 el0t_64_sync+0x1b4/0x1b8
Code: aa1f03e1 aa1303e0 52800022 2a0103e8 (88e87e62)
---[ end trace 938847327a739172 ]---
Kernel panic - not syncing: Oops: Fatal exception

Fixes: c1dca562be8a ("usb gadget: split out serial core")
Cc: stable@vger.kernel.org
Suggested-by: Michael Nazzareno Trimarchi
Suggested-by: Prashanth K
Signed-off-by: Lianqin Hu
---
v9: Add gadget reconfiguration description in commit message.
v8: Updated patch submission description as suggested in v7 discussion.
v7: Remove code comments.
v6: Update the commit text.
v5: Add the Fixes tag.
v4: CC stable kernel.
v3: Add serial_port_lock protection when checking port pointer.
v2: Optimize code comments.
v1: Delete log printing.

 drivers/usb/gadget/function/u_serial.c | 31 +++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
index b394105e55d6..66d918523b3e 100644
--- a/drivers/usb/gadget/function/u_serial.c
+++ b/drivers/usb/gadget/function/u_serial.c
@@ -452,20 +452,41 @@ static void gs_rx_push(struct work_struct *work) static void gs_read_complete(struct usb_ep *ep, struct usb_request *req) { - struct gs_port *port = ep->driver_data; + struct gs_port *port; + unsigned long flags; + + spin_lock_irqsave(&serial_port_lock, flags); + port = ep->driver_data; + + if (!port) { + spin_unlock_irqrestore(&serial_port_lock, flags); + return; + } - /* Queue all received data until the tty layer is ready for it. */ spin_lock(&port->port_lock); + spin_unlock(&serial_port_lock); + + /* Queue all received data until the tty layer is ready for it. */ list_add_tail(&req->list, &port->read_queue); schedule_delayed_work(&port->push, 0); - spin_unlock(&port->port_lock); + spin_unlock_irqrestore(&port->port_lock, flags); } static void gs_write_complete(struct usb_ep *ep, struct usb_request *req) { - struct gs_port *port = ep->driver_data; + struct gs_port *port; + unsigned long flags; + + spin_lock_irqsave(&serial_port_lock, flags); + port = ep->driver_data; + + if (!port) { + spin_unlock_irqrestore(&serial_port_lock, flags); + return; + } spin_lock(&port->port_lock); + spin_unlock(&serial_port_lock); list_add(&req->list, &port->write_pool); port->write_started--; @@ -486,7 +507,7 @@ static void gs_write_complete(struct usb_ep *ep, struct usb_request *req) break; } - spin_unlock(&port->port_lock); + spin_unlock_irqrestore(&port->port_lock, flags); } static void gs_free_requests(struct usb_ep *ep, struct list_head *head,
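Review bot: in the first hunk (@@ -452,20 +452,41 @@) the commit message says the new static spinlock keeps gser->ioport from becoming NULL after the check, but what both gs_read_complete and gs_write_complete actually test is ep->driver_data (`port = ep->driver_data;` under serial_port_lock), and nothing in this diff shows the code that clears ep->driver_data taking serial_port_lock; the lock only closes the window if the writer holds it too, so the commit message should say where ep->driver_data is cleared under serial_port_lock, otherwise the check merely narrows the race rather than removing it. The quoted trace also raises a root-cause question the message does not answer: the completion is reached from udc_bind_to_driver -> __dwc3_gadget_start -> dwc3_ep0_out_start -> dwc3_remove_requests, meaning a u_serial request was still queued on the UDC when the gadget was rebound, so it is worth explaining why the request was not given back during disconnect before adding a check in the callback. Finally, the new `if (!port) { spin_unlock_irqrestore(...); return; }` path drops `req` without freeing it or putting it back on any list; either say why the request is owned by the UDC at that point or consider a usb_ep_free_request(ep, req) there, and since the same nine-line lock, read, check and handoff sequence is now duplicated verbatim in both handlers, a small static helper returning the locked port or NULL would keep the two copies from drifting.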
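Review bot: in the second hunk (@@ -486,7 +507,7 @@) `spin_unlock_irqrestore(&port->port_lock, flags);` restores the interrupt state saved by spin_lock_irqsave(&serial_port_lock, flags) at the top of gs_write_complete, while serial_port_lock itself was released earlier with a plain spin_unlock(); that is correct, because the saved state belongs to the outermost irqsave and port_lock is the last lock dropped, but a reader who sees only this hunk will look for a matching irqsave on port_lock and not find one, so a one-line comment at the `spin_unlock(&serial_port_lock);` handoff saying that flags is restored when port_lock is dropped would help. The commit message should also state why the move from spin_unlock() to spin_unlock_irqrestore() is needed at all: the quoted trace shows this completion running from process context (configfs write -> udc_bind_to_driver -> ... -> usb_gadget_giveback_request), not only from the UDC interrupt path, so the old plain spin_lock()/spin_unlock() pair on port_lock did not disable interrupts on that path even though the lock is taken with irqsave elsewhere.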
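The lock handoff the patch relies on (outer serial_port_lock guards the ep->driver_data pointer, inner port_lock guards the port, and the completion path drops the outer lock only once it holds the inner one) modelled in userspace as an added example. This is not the kernel's code and not part of the patch: the struct layouts, the return values, the semaphore that makes the interleaving deterministic and the names gs_read_complete/gserial_disconnect/run_scenario are assumptions made for the demo, chosen to mirror the hunks above.

```c
/* Added example: userspace model of the patch's lock handoff, not kernel code.
 * Outer "serial_port_lock" guards ep->driver_data, inner "port_lock" guards the
 * port; a completion releases the outer lock only after taking the inner one,
 * so disconnect cannot clear the pointer between the NULL check and the use. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <semaphore.h>
#include <stddef.h>
#include <stdio.h>

struct gs_port {
	pthread_mutex_t port_lock;   /* inner lock, like port->port_lock */
	int read_queue_len;          /* stands in for list_add_tail() on read_queue */
};

struct usb_ep {
	struct gs_port *driver_data; /* set on connect, cleared on disconnect */
};

struct usb_request { int id; };

static pthread_mutex_t serial_port_lock = PTHREAD_MUTEX_INITIALIZER; /* outer */
static sem_t port_locked; /* demo only: "completion now holds port_lock" */

/* Mirrors gs_read_complete() after the patch. Returns 1 if the request was
 * queued to the port, 0 if the port was already gone and req was dropped. */
static int gs_read_complete(struct usb_ep *ep, struct usb_request *req)
{
	struct gs_port *port;

	pthread_mutex_lock(&serial_port_lock);
	port = ep->driver_data;
	if (!port) {
		pthread_mutex_unlock(&serial_port_lock);
		return 0;
	}
	pthread_mutex_lock(&port->port_lock);
	pthread_mutex_unlock(&serial_port_lock); /* handoff: port_lock pins port */

	sem_post(&port_locked);  /* demo only: let the disconnect side run now */
	port->read_queue_len++;  /* the request id is irrelevant to the model */
	(void)req;

	pthread_mutex_unlock(&port->port_lock);
	return 1;
}

/* Mirrors the disconnect side: same two locks, same order, then clear the
 * pointer. Returns the queue length it saw, or -1 if already disconnected. */
static int gserial_disconnect(struct usb_ep *ep)
{
	struct gs_port *port;
	int seen = -1;

	pthread_mutex_lock(&serial_port_lock);
	port = ep->driver_data;
	if (port) {
		pthread_mutex_lock(&port->port_lock); /* waits for a completion */
		seen = port->read_queue_len;
		ep->driver_data = NULL;
		pthread_mutex_unlock(&port->port_lock);
	}
	pthread_mutex_unlock(&serial_port_lock);
	return seen;
}

struct completion_args { struct usb_ep *ep; struct usb_request *req; int queued; };

static void *completion_thread(void *arg)
{
	struct completion_args *a = arg;
	a->queued = gs_read_complete(a->ep, a->req);
	return NULL;
}

struct scenario_result {
	int first_queued;       /* completion racing with disconnect: queued? */
	int seen_by_disconnect; /* read_queue_len when disconnect got port_lock */
	int pointer_cleared;    /* ep->driver_data == NULL afterwards */
	int second_queued;      /* completion after disconnect: must be dropped */
};

/* One completion grabs the port, disconnect tears it down concurrently, and a
 * late completion arrives after teardown (the crash scenario in the patch). */
static struct scenario_result run_scenario(void)
{
	struct gs_port port = { .read_queue_len = 0 };
	struct usb_ep ep = { .driver_data = &port };
	struct usb_request req1 = { .id = 1 }, req2 = { .id = 2 };
	struct completion_args args = { .ep = &ep, .req = &req1, .queued = -1 };
	struct scenario_result r;
	pthread_t t;

	pthread_mutex_init(&port.port_lock, NULL);
	sem_init(&port_locked, 0, 0);
	pthread_create(&t, NULL, completion_thread, &args);
	sem_wait(&port_locked);                          /* port_lock is held */
	r.seen_by_disconnect = gserial_disconnect(&ep);  /* blocks until done */
	pthread_join(t, NULL);

	r.first_queued = args.queued;
	r.pointer_cleared = (ep.driver_data == NULL);
	r.second_queued = gs_read_complete(&ep, &req2);  /* port gone: dropped */

	sem_destroy(&port_locked);
	pthread_mutex_destroy(&port.port_lock);
	return r;
}

int main(void)
{
	struct scenario_result r = run_scenario();
	printf("first queued=%d disconnect saw len=%d cleared=%d late queued=%d\n",
	       r.first_queued, r.seen_by_disconnect, r.pointer_cleared, r.second_queued);
	return 0;
}
```

The point the model makes is that the NULL check is only meaningful because gserial_disconnect blocks on the same port_lock the completion is holding; a disconnect that cleared ep->driver_data without taking serial_port_lock and port_lock in that order would reintroduce the window the patch is trying to close.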