1 From 4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b Mon Sep 17 00:00:00 2001
2 From: Lianqin Hu <hulianqin@vivo.com>
3 Date: Tue, 3 Dec 2024 12:14:16 +0000
4 Subject: usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer
5
6 From: Lianqin Hu <hulianqin@vivo.com>
7
8 commit 4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b upstream.
9
10 Considering that in some extreme cases,
11 when u_serial driver is accessed by multiple threads,
12 Thread A is executing the open operation and calling the gs_open,
13 Thread B is executing the disconnect operation and calling the
14 gserial_disconnect function, the port->port_usb pointer will be set to NULL.
15
16 E.g.
17 Thread A Thread B
18 gs_open() gadget_unbind_driver()
19 gs_start_io() composite_disconnect()
20 gs_start_rx() gserial_disconnect()
21 ... ...
22 spin_unlock(&port->port_lock)
23 status = usb_ep_queue() spin_lock(&port->port_lock)
24 spin_lock(&port->port_lock) port->port_usb = NULL
25 gs_free_requests(port->port_usb->in) spin_unlock(&port->port_lock)
26 Crash
27
28 This causes thread A to access a null pointer (port->port_usb is null)
29 when calling the gs_free_requests function, causing a crash.
30
31 If port_usb is NULL, the release request will be skipped as it
32 will be done by gserial_disconnect.
33
34 So add a null pointer check to gs_start_io before attempting
35 to access the value of the pointer port->port_usb.
36
37 Call trace:
38 gs_start_io+0x164/0x25c
39 gs_open+0x108/0x13c
40 tty_open+0x314/0x638
41 chrdev_open+0x1b8/0x258
42 do_dentry_open+0x2c4/0x700
43 vfs_open+0x2c/0x3c
44 path_openat+0xa64/0xc60
45 do_filp_open+0xb8/0x164
46 do_sys_openat2+0x84/0xf0
47 __arm64_sys_openat+0x70/0x9c
48 invoke_syscall+0x58/0x114
49 el0_svc_common+0x80/0xe0
50 do_el0_svc+0x1c/0x28
51 el0_svc+0x38/0x68
52
53 Fixes: c1dca562be8a ("usb gadget: split out serial core")
54 Cc: stable@vger.kernel.org
55 Suggested-by: Prashanth K <quic_prashk@quicinc.com>
56 Signed-off-by: Lianqin Hu <hulianqin@vivo.com>
57 Acked-by: Prashanth K <quic_prashk@quicinc.com>
58 Link: https://lore.kernel.org/r/TYUPR06MB62178DC3473F9E1A537DCD02D2362@TYUPR06MB6217.apcprd06.prod.outlook.com
59 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
60 ---
61 drivers/usb/gadget/function/u_serial.c | 9 ++++++---
62 1 file changed, 6 insertions(+), 3 deletions(-)
63
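--- a/drivers/usb/gadget/function/u_serial.c
+++ b/drivers/usb/gadget/function/u_serial.c
@@ -575,9 +575,12 @@ static int gs_start_io(struct gs_port *p
 * we didn't in gs_start_tx() */
 tty_wakeup(port->port.tty);
 } else {
-gs_free_requests(ep, head, &port->read_allocated);
-gs_free_requests(port->port_usb->in, &port->write_pool,
-&port->write_allocated);
+/* Free reqs only if we are still connected */
+if (port->port_usb) {
+gs_free_requests(ep, head, &port->read_allocated);
+gs_free_requests(port->port_usb->in, &port->write_pool,
+&port->write_allocated);
+}
 status = -EIO;
 }
 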
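Review bot: The added comment `/* Free reqs only if we are still connected */` states the condition but not why skipping the frees is leak-free, which is the non-obvious part of this branch; suggest `/* port_usb == NULL: gserial_disconnect() already released the pools under port_lock, nothing left to free here */` so the next reader does not take the skip for a leak. That reasoning holds only if gserial_disconnect() also resets `read_allocated`/`write_allocated` along with freeing the pools; the commit message says the release is done there, but the counters are not visible in this hunk, so that is worth confirming. Inside the guard, `ep` is still the endpoint captured before gs_start_rx() dropped port_lock (its definition is above the hunk); if a disconnect followed by a reconnect is possible in that window, `ep` may no longer match `port->port_usb->out`, and reading it fresh the way the `->in` call does would be more consistent. gs_start_io() starts and ends outside the hunk.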