From patchwork Tue Aug 27 10:19:22 2024
X-Patchwork-Submitter: 胡连勤
X-Patchwork-Id: 13779295
From: 胡连勤
To: "gregkh@linuxfoundation.org", Prashanth K, Michael Nazzareno Trimarchi
CC: "quic_jjohnson@quicinc.com", "linux-usb@vger.kernel.org", "linux-kernel@vger.kernel.org", opensource.kernel, "akpm@linux-foundation.org"
Subject: [PATCH v8] usb: gadget: u_serial: Add null pointer check in gs_read_complete & gs_write_complete
Date: Tue, 27 Aug 2024 10:19:22 +0000
X-Mailing-List: linux-usb@vger.kernel.org

From: Lianqin Hu

Considering that in some extreme cases, when the unbind operation is being executed, gserial_disconnect has already cleared gser->ioport, and gs_read_complete gets called afterwards, which results in accessing null pointer, add a null pointer check to prevent this situation.

Added a static spinlock to prevent gser->ioport from becoming null after the newly added check.

Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a8
pc : gs_read_complete+0x58/0x240
lr : usb_gadget_giveback_request+0x40/0x160
sp : ffffffc00f1539c0
x29: ffffffc00f1539c0 x28: ffffff8002a30000 x27: 0000000000000000
x26: ffffff8002a30000 x25: 0000000000000000 x24: ffffff8002a30000
x23: ffffff8002ff9a70 x22: ffffff898e7a7b00 x21: ffffff803c9af9d8
x20: ffffff898e7a7b00 x19: 00000000000001a8 x18: ffffffc0099fd098
x17: 0000000000001000 x16: 0000000080000000 x15: 0000000ac1200000
x14: 0000000000000003 x13: 000000000000d5e8 x12: 0000000355c314ac
x11: 0000000000000015 x10: 0000000000000012 x9 : 0000000000000008
x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffffff887cd12000
x5 : 0000000000000002 x4 : ffffffc00f9b07f0 x3 : ffffffc00f1538d0
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000000001a8
Call trace:
 gs_read_complete+0x58/0x240
 usb_gadget_giveback_request+0x40/0x160
 dwc3_remove_requests+0x170/0x484
 dwc3_ep0_out_start+0xb0/0x1d4
 __dwc3_gadget_start+0x25c/0x720
 kretprobe_trampoline.cfi_jt+0x0/0x8
 kretprobe_trampoline.cfi_jt+0x0/0x8
 udc_bind_to_driver+0x1d8/0x300
 usb_gadget_probe_driver+0xa8/0x1dc
 gadget_dev_desc_UDC_store+0x13c/0x188
 configfs_write_iter+0x160/0x1f4
 vfs_write+0x2d0/0x40c
 ksys_write+0x7c/0xf0
 __arm64_sys_write+0x20/0x30
 invoke_syscall+0x60/0x150
 el0_svc_common+0x8c/0xf8
 do_el0_svc+0x28/0xa0
 el0_svc+0x24/0x84
 el0t_64_sync_handler+0x88/0xec
 el0t_64_sync+0x1b4/0x1b8
Code: aa1f03e1 aa1303e0 52800022 2a0103e8 (88e87e62)
---[ end trace 938847327a739172 ]---
Kernel panic - not syncing: Oops: Fatal exception

Fixes: c1dca562be8a ("usb
gadget: split out serial core") Cc: stable@vger.kernel.org Suggested-by: Prashanth K Signed-off-by: Lianqin Hu --- v8: Updated patch submission description as suggested in v7 discussion. v7: Remove code comments. v6: Update the commit text. v5: Add the Fixes tag. v4: CC stable kernel. v3: Add serial_port_lock protection when checking port pointer. v2: Optimize code comments. v1: Delete log printing. drivers/usb/gadget/function/u_serial.c | 31 +++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c index b394105e55d6..66d918523b3e 100644 --- a/drivers/usb/gadget/function/u_serial.c +++ b/drivers/usb/gadget/function/u_serial.c @@ -452,20 +452,41 @@ static void gs_rx_push(struct work_struct *work) static void gs_read_complete(struct usb_ep *ep, struct usb_request *req) { - struct gs_port *port = ep->driver_data; + struct gs_port *port; + unsigned long flags; + + spin_lock_irqsave(&serial_port_lock, flags); + port = ep->driver_data; + + if (!port) { + spin_unlock_irqrestore(&serial_port_lock, flags); + return; + } - /* Queue all received data until the tty layer is ready for it. */ spin_lock(&port->port_lock); + spin_unlock(&serial_port_lock); + + /* Queue all received data until the tty layer is ready for it. */ list_add_tail(&req->list, &port->read_queue); schedule_delayed_work(&port->push, 0); - spin_unlock(&port->port_lock); + spin_unlock_irqrestore(&port->port_lock, flags); } static void gs_write_complete(struct usb_ep *ep, struct usb_request *req) { - struct gs_port *port = ep->driver_data; + struct gs_port *port; + unsigned long flags; + + spin_lock_irqsave(&serial_port_lock, flags); + port = ep->driver_data; + + if (!port) { + spin_unlock_irqrestore(&serial_port_lock, flags); + return; + } spin_lock(&port->port_lock); + spin_unlock(&serial_port_lock); list_add(&req->list, &port->write_pool); port->write_started--; 
@@ -486,7 +507,7 @@ static void gs_write_complete(struct usb_ep *ep, struct usb_request *req) break; } - spin_unlock(&port->port_lock); + spin_unlock_irqrestore(&port->port_lock, flags); } static void gs_free_requests(struct usb_ep *ep, struct list_head *head,
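
Review bot: In the first hunk (@@ -452,20 +452,41 @@), the `if (!port)` test added to gs_read_complete and gs_write_complete reads ep->driver_data, while the description talks about gserial_disconnect clearing gser->ioport, and nothing in the visible lines shows ep->driver_data being set to NULL with serial_port_lock held, so the check only closes the race if that happens elsewhere. Please name in the commit text where ep->driver_data is cleared under that lock. The text also says a static spinlock was added, but no hunk defines serial_port_lock and all 26 insertions are inside the two completion handlers, so it should say that the existing lock is reused. Finally, the early return leaves req on neither port->read_queue nor port->write_pool and skips port->write_started--; state who frees a request that completes after teardown.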
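
Review bot: In the second hunk (@@ -486,7 +507,7 @@), `spin_unlock_irqrestore(&port->port_lock, flags)` at the end of gs_write_complete restores interrupt state that was saved by `spin_lock_irqsave(&serial_port_lock, flags)` on a different lock, with serial_port_lock dropped by a plain spin_unlock() in between. The hand-over is valid as long as port->port_lock is taken before serial_port_lock is released, but it is easy to break in a later edit. Since v7 removed the code comments, describe the hand-over and the resulting lock order (serial_port_lock, then port->port_lock) in the commit message so it can be checked against the other users of both locks.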