From: Benson Leung <bleung@google.com>
To: Andrei Kuchynski <akuchynski@chromium.org>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
Benson Leung <bleung@chromium.org>,
Jameson Thies <jthies@google.com>,
stable@vger.kernel.org
Subject: Re: [PATCH 1/2] usb: typec: class: Fix NULL pointer access
Date: Fri, 21 Mar 2025 23:16:44 +0000
Message-ID: <Z93zXHJPO3UHY_YF@google.com>
In-Reply-To: <20250321143728.4092417-2-akuchynski@chromium.org>
Hi Andrei,
On Fri, Mar 21, 2025 at 02:37:26PM +0000, Andrei Kuchynski wrote:
> Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer
> dereference. This patch adds a mutex to protect USB device pointers and
> prevent this issue. The same mutex protects both the device pointers and
> the partner device registration.
>
> Cc: stable@vger.kernel.org
> Fixes: 59de2a56d127 ("usb: typec: Link enumerated USB devices with Type-C partner")
> Signed-off-by: Andrei Kuchynski <akuchynski@chromium.org>
Reviewed-by: Benson Leung <bleung@chromium.org>
> ---
> drivers/usb/typec/class.c | 15 +++++++++++++--
> drivers/usb/typec/class.h | 1 +
> 2 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
> index 9c76c3d0c6cf..eadb150223f8 100644
> --- a/drivers/usb/typec/class.c
> +++ b/drivers/usb/typec/class.c
> @@ -1052,6 +1052,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port,
> partner->usb_mode = USB_MODE_USB3;
> }
>
> + mutex_lock(&port->partner_link_lock);
> ret = device_register(&partner->dev);
> if (ret) {
> dev_err(&port->dev, "failed to register partner (%d)\n", ret);
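Review bot: The `if (ret) {` error branch after device_register() now runs with port->partner_link_lock held, and this hunk adds no mutex_unlock() inside it; the only unlock the patch adds to typec_register_partner() comes after the typec_partner_link_device() calls in the next hunk. If that branch returns to the caller (its remaining lines are outside the shown context), it returns with the mutex still locked, and the next attach, deattach or unregister on this port would block. Suggest adding `mutex_unlock(&port->partner_link_lock);` inside the error branch before it returns.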
> @@ -1063,6 +1064,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port,
> typec_partner_link_device(partner, port->usb2_dev);
> if (port->usb3_dev)
> typec_partner_link_device(partner, port->usb3_dev);
> + mutex_unlock(&port->partner_link_lock);
>
> return partner;
> }
> @@ -1083,12 +1085,14 @@ void typec_unregister_partner(struct typec_partner *partner)
>
> port = to_typec_port(partner->dev.parent);
>
> + mutex_lock(&port->partner_link_lock);
> if (port->usb2_dev)
> typec_partner_unlink_device(partner, port->usb2_dev);
> if (port->usb3_dev)
> typec_partner_unlink_device(partner, port->usb3_dev);
>
> device_unregister(&partner->dev);
> + mutex_unlock(&port->partner_link_lock);
> }
> EXPORT_SYMBOL_GPL(typec_unregister_partner);
>
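Review bot: In typec_unregister_partner() the `mutex_unlock(&port->partner_link_lock);` now follows `device_unregister(&partner->dev);`, so the unlock relies on `port`, read from partner->dev.parent a few lines above, still being valid after the partner's device reference is dropped. A short comment stating that the port outlives its partner, and that device_unregister() is deliberately called under the lock because the commit message says registration is covered, would make this easier to audit.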
> @@ -2041,10 +2045,11 @@ static struct typec_partner *typec_get_partner(struct typec_port *port)
> static void typec_partner_attach(struct typec_connector *con, struct device *dev)
> {
> struct typec_port *port = container_of(con, struct typec_port, con);
> - struct typec_partner *partner = typec_get_partner(port);
> + struct typec_partner *partner;
> struct usb_device *udev = to_usb_device(dev);
> enum usb_mode usb_mode;
>
> + mutex_lock(&port->partner_link_lock);
> if (udev->speed < USB_SPEED_SUPER) {
> usb_mode = USB_MODE_USB2;
> port->usb2_dev = dev;
> @@ -2053,18 +2058,22 @@ static void typec_partner_attach(struct typec_connector *con, struct device *dev
> port->usb3_dev = dev;
> }
>
> + partner = typec_get_partner(port);
> if (partner) {
> typec_partner_set_usb_mode(partner, usb_mode);
> typec_partner_link_device(partner, dev);
> put_device(&partner->dev);
> }
> + mutex_unlock(&port->partner_link_lock);
> }
>
> static void typec_partner_deattach(struct typec_connector *con, struct device *dev)
> {
> struct typec_port *port = container_of(con, struct typec_port, con);
> - struct typec_partner *partner = typec_get_partner(port);
> + struct typec_partner *partner;
>
> + mutex_lock(&port->partner_link_lock);
> + partner = typec_get_partner(port);
> if (partner) {
> typec_partner_unlink_device(partner, dev);
> put_device(&partner->dev);
> @@ -2074,6 +2083,7 @@ static void typec_partner_deattach(struct typec_connector *con, struct device *d
> port->usb2_dev = NULL;
> else if (port->usb3_dev == dev)
> port->usb3_dev = NULL;
> + mutex_unlock(&port->partner_link_lock);
> }
>
> /**
> @@ -2614,6 +2624,7 @@ struct typec_port *typec_register_port(struct device *parent,
>
> ida_init(&port->mode_ids);
> mutex_init(&port->port_type_lock);
> + mutex_init(&port->partner_link_lock);
>
> port->id = id;
> port->ops = cap->ops;
> diff --git a/drivers/usb/typec/class.h b/drivers/usb/typec/class.h
> index b3076a24ad2e..db2fe96c48ff 100644
> --- a/drivers/usb/typec/class.h
> +++ b/drivers/usb/typec/class.h
> @@ -59,6 +59,7 @@ struct typec_port {
> enum typec_port_type port_type;
> enum usb_mode usb_mode;
> struct mutex port_type_lock;
> + struct mutex partner_link_lock;
>
> enum typec_orientation orientation;
> struct typec_switch *sw;
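Review bot: The new `struct mutex partner_link_lock;` member in struct typec_port carries no comment, while the commit message says it protects both the USB device pointers and the partner device registration. Suggest documenting that next to the field, for example `/* protects usb2_dev, usb3_dev and partner (un)registration */`, so later users of port->usb2_dev and port->usb3_dev know which lock to take.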
> --
> 2.49.0.395.g12beb8f557-goog
>