Re: [PATCH] usb: gadget: f_fs: Fix NULL pointer dereference in ffs_epfile_async_io_complete()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linuxfoundation.org>
To: Selvarasu Ganesan <quic_selvaras@quicinc.com>
Cc: brauner@kernel.org, axboe@kernel.dk, jack@suse.cz,
	jlayton@kernel.org, keescook@chromium.org, peter@korsgaard.com,
	hayama@lineo.co.jp, dmantipov@yandex.ru,
	quic_linyyuan@quicinc.com, linux-usb@vger.kernel.org,
	linux-kernel@vger.kernel.org, quic_ppratap@quicinc.com,
	quic_wcheng@quicinc.com, quic_jackp@quicinc.com
Subject: Re: [PATCH] usb: gadget: f_fs: Fix NULL pointer dereference in ffs_epfile_async_io_complete()
Date: Fri, 23 Feb 2024 06:58:09 +0100	[thread overview]
Message-ID: <2024022302-routine-schematic-b4fd@gregkh> (raw)
In-Reply-To: <20240223054809.2379-1-quic_selvaras@quicinc.com>

On Thu, Feb 22, 2024 at 09:48:09PM -0800, Selvarasu Ganesan wrote:
> In scenarios of continuous and parallel usage of multiple FFS interfaces
> and concurrent adb operations (e.g., adb root, adb reboot), there's a
> chance that ffs_epfile_async_io_complete() might be processed after
> ffs_epfile_release(). This could lead to a NULL pointer dereference of
> ffs when accessing the ffs pointer in ffs_epfile_async_io_complete(), as
> ffs is freed as part of ffs_epfile_release(). This epfile release is
> part of file operation and is triggered when user space daemons restart
> themselves or a reboot is initiated.
> 
> Fix this issue by adding a NULL pointer check for ffs in
> ffs_epfile_async_io_complete().
> 
> [  9981.393115] Unable to handle kernel NULL pointer dereference at virtual address 00000000000001e0
> [  9981.402854] Mem abort info:
> ...
> [  9981.532540] Hardware name: Qualcomm Technologies,
> [  9981.540579] pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> [  9981.548438] pc : ffs_epfile_async_io_complete+0x38/0x4c
> [  9981.554529] lr : usb_gadget_giveback_request+0x30/0xd0
> ...
> [  9981.645057] Call trace:
> [  9981.648282]  ffs_epfile_async_io_complete+0x38/0x4c
> [  9981.654004]  usb_gadget_giveback_request+0x30/0xd0
> [  9981.659637]  dwc3_gadget_endpoint_trbs_complete+0x1a8/0x48c
> [  9981.666074]  dwc3_process_event_entry+0x378/0x648
> [  9981.671622]  dwc3_process_event_buf+0x6c/0x288
> [  9981.676903]  dwc3_thread_interrupt+0x3c/0x68
> [  9981.682003]  irq_thread_fn+0x2c/0x8c
> [  9981.686388]  irq_thread+0x198/0x2ac
> [  9981.690685]  kthread+0x154/0x218
> [  9981.694717]  ret_from_fork+0x10/0x20
> 
> Signed-off-by: Selvarasu Ganesan <quic_selvaras@quicinc.com>

What commit id does this fix?  Should it go to stable kernels?

> ---
>  drivers/usb/gadget/function/f_fs.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index be3851cffb73..d8c8e88628f9 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -849,7 +849,9 @@ static void ffs_epfile_async_io_complete(struct usb_ep *_ep,
>  	usb_ep_free_request(_ep, req);
>  
>  	INIT_WORK(&io_data->work, ffs_user_copy_worker);
> -	queue_work(ffs->io_completion_wq, &io_data->work);
> +
> +	if (ffs && ffs->io_completion_wq)
> +		queue_work(ffs->io_completion_wq, &io_data->work);

What happens if ffs->io_compleation_wq goes away right after you test
it but before you call queue_work()?

Where is the locking here to prevent that?

thanks,

greg k-h

next prev parent reply	other threads:[~2024-02-23  5:58 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-23  5:48 [PATCH] usb: gadget: f_fs: Fix NULL pointer dereference in ffs_epfile_async_io_complete() Selvarasu Ganesan
2024-02-23  5:58 ` Greg KH [this message]
2024-02-23 11:35   ` Selvarasu Ganesan
2024-02-23 12:40     ` Greg KH
2024-02-23 14:43     ` Jens Axboe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2024022302-routine-schematic-b4fd@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=axboe@kernel.dk \
    --cc=brauner@kernel.org \
    --cc=dmantipov@yandex.ru \
    --cc=hayama@lineo.co.jp \
    --cc=jack@suse.cz \
    --cc=jlayton@kernel.org \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=peter@korsgaard.com \
    --cc=quic_jackp@quicinc.com \
    --cc=quic_linyyuan@quicinc.com \
    --cc=quic_ppratap@quicinc.com \
    --cc=quic_selvaras@quicinc.com \
    --cc=quic_wcheng@quicinc.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.