[PATCH 4.4.y-cip] usb: renesas_usbhs: Flush the notify_hotplug_work

[PATCH 4.4.y-cip] usb: renesas_usbhs: Flush the notify_hotplug_work

[Lad Prabhakar]

From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>

commit 552ca6b87e3778f3dd5b87842f95138162e16c82 upstream.

When performing continuous unbind/bind operations on the USB drivers
available on the Renesas RZ/G2L SoC, a kernel crash with the message
"Unable to handle kernel NULL pointer dereference at virtual address"
may occur. This issue points to the usbhsc_notify_hotplug() function.

Flush the delayed work to avoid its execution when driver resources are
unavailable.

Fixes: bc57381e6347 ("usb: renesas_usbhs: use delayed_work instead of work_struct")
Cc: stable <stable@kernel.org>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://lore.kernel.org/r/20250225110248.870417-4-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[PL: manually applied the change]
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
Hi all,

This backport is intended to fix CVE-2025-21917 [0].

[0] https://nvd.nist.gov/vuln/detail/CVE-2025-21917

Note,
- This patch is already present in 6.1-cip [1] & 6.12-cip [2].
- Patch is already posted for 4.19-cip [3].

[1] https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/commit/drivers/usb/renesas_usbhs?h=linux-6.1.y-cip&id=4ca078084cdd5f32d533311d6a0b63a60dcadd41
[2] https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/commit/drivers/usb/renesas_usbhs?h=linux-6.12.y-cip&id=e5aac1c9b2974636db7ce796ffa6de88fa08335e
[3] https://lore.kernel.org/all/20250820135622.27414-1-prabhakar.mahadev-lad.rj@bp.renesas.com/

Cheers, Prabhakar
---
 drivers/usb/renesas_usbhs/common.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c
index 2fa4479e8df6..7110cbd5fd6d 100644
--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -705,6 +705,8 @@ static int usbhs_remove(struct platform_device *pdev)
 
 	dev_dbg(&pdev->dev, "usb remove\n");
 
+	flush_delayed_work(&priv->notify_hotplug_work);
+
 	dfunc->notify_hotplug = NULL;
 
 	/* power off */
-- 
2.51.0

Re: [cip-dev] [PATCH 4.4.y-cip] usb: renesas_usbhs: Flush the notify_hotplug_work

[Pavel Machek]

[-- Attachment #1: Type: text/plain, Size: 781 bytes --]

On Wed 2025-08-20 15:05:53, Lad Prabhakar via lists.cip-project.org wrote:
> From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
> 
> commit 552ca6b87e3778f3dd5b87842f95138162e16c82 upstream.
> 
> When performing continuous unbind/bind operations on the USB drivers
> available on the Renesas RZ/G2L SoC, a kernel crash with the message
> "Unable to handle kernel NULL pointer dereference at virtual address"
> may occur. This issue points to the usbhsc_notify_hotplug() function.
> 
> Flush the delayed work to avoid its execution when driver resources are
> unavailable.

Reviewed-by: Pavel Machek <pavel@denx.de>

									Pavel
-- 
In cooperation with DENX Software Engineering GmbH, HRB 165235 Munich,
Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

RE: [PATCH 4.4.y-cip] usb: renesas_usbhs: Flush the notify_hotplug_work

[nobuhiro.iwamatsu.x90]

Hi Lad Prabhakar,


> -----Original Message-----
> From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
> Sent: Wednesday, August 20, 2025 11:06 PM
> To: cip-dev@lists.cip-project.org; iwamatsu nobuhiro(岩松 信洋 □ＤＩＴＣ○
> ＣＰＴ) <nobuhiro.iwamatsu.x90@mail.toshiba>; Pavel Machek
> <pavel@denx.de>; Ulrich Hecht <uli@kernel.org>
> Cc: Biju Das <biju.das.jz@bp.renesas.com>
> Subject: [PATCH 4.4.y-cip] usb: renesas_usbhs: Flush the
> notify_hotplug_work
> 
> From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
> 
> commit 552ca6b87e3778f3dd5b87842f95138162e16c82 upstream.
> 
> When performing continuous unbind/bind operations on the USB drivers
> available on the Renesas RZ/G2L SoC, a kernel crash with the message
> "Unable to handle kernel NULL pointer dereference at virtual address"
> may occur. This issue points to the usbhsc_notify_hotplug() function.
> 
> Flush the delayed work to avoid its execution when driver resources are
> unavailable.
> 
> Fixes: bc57381e6347 ("usb: renesas_usbhs: use delayed_work instead of
> work_struct")
> Cc: stable <stable@kernel.org>
> Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
> Link:
> https://lore.kernel.org/r/20250225110248.870417-4-claudiu.beznea.uj@bp.re
> nesas.com
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> [PL: manually applied the change]
> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>

Reviewed-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.x90@mail.toshiba>

Best regards,
  Nobuhiro