Re: [PATCH] usb: gadget: u_serial: Add null pointer check in gserial_resume

From: Prashanth K
Date: Wed Feb 08 2023 - 10:46:12 EST

Next message: Bastian Germann: "[PATCH v4 0/2] Bluetooth: btrtl: add support for the RTL8723CS"
Previous message: Kazuki: "Re: s2idle breaks on machines without cpuidle support"
In reply to: Greg Kroah-Hartman: "Re: [PATCH] usb: gadget: u_serial: Add null pointer check in gserial_resume"
Next in thread: Alan Stern: "Re: [PATCH] usb: gadget: u_serial: Add null pointer check in gserial_resume"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 08-02-23 08:24 pm, Greg Kroah-Hartman wrote:

On Wed, Feb 08, 2023 at 07:24:47PM +0530, Prashanth K wrote:

Consider a case where gserial_disconnect has already cleared
gser->ioport. And if a wakeup interrupt triggers afterwards,
gserial_resume gets called, which will lead to accessing of
gserial->port and thus causing null pointer dereference.Add
a null pointer check to prevent this.

Fixes: aba3a8d01d62 (" usb: gadget: u_serial: add suspend resume callbacks")

Nit, and our tools will complain, no " " before the "usb:" string here,
right?

Will fix it in next patch.

Signed-off-by: Prashanth K <quic_prashk@xxxxxxxxxxx>
---
drivers/usb/gadget/function/u_serial.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
index 840626e..98be2b8 100644
--- a/drivers/usb/gadget/function/u_serial.c
+++ b/drivers/usb/gadget/function/u_serial.c
@@ -1428,6 +1428,9 @@ void gserial_resume(struct gserial *gser)
struct gs_port *port = gser->ioport;
unsigned long flags;
+ if (!port)
+ return;
+

What prevents port from going to NULL right after this check?

In our case we got a null pointer de-reference while performing USB compliance tests, as the gser->port was null. Because in gserial_resume, spinlock_irq_save(&port->port_lock) accesses a null-pointer as port was already marked null by gserial_disconnect.

And after gserial_resume acquires the spinlock, gserial_disconnect cant mark it null until the spinlock is released. We need to check if the port->lock is valid before accessing it, otherwise it can lead to the above mentioned scenario

Issue Type: kernel panic issue
Issue AutoSignature:
pc : do_raw_spin_lock
lr : _raw_spin_lock_irqsave
Call trace:
do_raw_spin_lock
_raw_spin_lock_irqsave
gserial_resume
acm_resume
composite_resume
configfs_composite_resume
dwc3_process_event_entry
dwc3_process_event_buf
dwc3_thread_interrupt
irq_thread_fn
irq_thread
kthread
ret_from_fork

Thanks in advance,
Prashanth

thanks,

greg k-h

Next message: Bastian Germann: "[PATCH v4 0/2] Bluetooth: btrtl: add support for the RTL8723CS"
Previous message: Kazuki: "Re: s2idle breaks on machines without cpuidle support"
In reply to: Greg Kroah-Hartman: "Re: [PATCH] usb: gadget: u_serial: Add null pointer check in gserial_resume"
Next in thread: Alan Stern: "Re: [PATCH] usb: gadget: u_serial: Add null pointer check in gserial_resume"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]