Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp4825592pxb; Tue, 28 Sep 2021 05:06:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwBFAZsAjaddASCbgNJYci/B8QS1fioEVguf7abMI2wmquA6fbJBGLi7nJXsIbcmR/WLf1l X-Received: by 2002:a65:6a0f:: with SMTP id m15mr4276181pgu.298.1632830801524; Tue, 28 Sep 2021 05:06:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632830801; cv=none; d=google.com; s=arc-20160816; b=y9G4u+EiL+nepBzyTRYiqQqtFB6YitzuJPrssaU/JZRiYjxPa9dtQNGnLqn7FCCfpY 5Kgq6IzbOtaguBNImAQDgBDqvaNEx2kewPTx4qJWrgXs4hgYeTN6mBOMSggLU6nQVIdY pZmIttcnm+j8zpSuoBkMYaLT18c0o5ffsMZ/hu8Rs29G2bNh85lJYNdo4Wd4aBTO8d4n 7VqYca4VKXPDwN8pZGwBv6iSYnvaf/o4+PJdju69lmnDZSMyHxzKCoDhb8E5wbjx+D30 ha05EgJQDFXU2wt2K1WpC0dP4dOZS8pVwdQZhD061TfWmEb6oiSHb/EIlcBpd9anpsmS DnhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=vaJDkETVuMysVoNFHF6PnnqIG8s3U+3o6VSYKoFyXAM=; b=xpbr1HMJ/98eQeTmYQPZBVfw8ZU3SVCg4xdmtpWmpf4kXjegfcjItYvkflvRHuVhAP 0irEEhjtQzDIWijpqUbHg9XbqfhDHCzYqFiwk3kDYuK0Is+tL+O9vUO8B0YTiAIldxV5 dBOrmaYc9VyUmb5oTInZxzlbcFngOdHTHN/KQ+4ALXrkg2FRrJWMIUzbsWgQaDvdGjXn 3+2fwxzVqGQelMt0I3SUhLtar5mPwzZe6Obqv3DRpslFqH+fIzg70+YmLV0uleUlBMgH YGp6gs9FUEj8U/zAhpMKqo2Sr051wMrNU2O93/W2f/UGmIGCqRGYyCr26b4CIileT/yO pQpg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=f4hVmdUB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d21si21020982pgv.271.2021.09.28.05.06.15; Tue, 28 Sep 2021 05:06:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=f4hVmdUB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240467AbhI1MGx (ORCPT + 99 others); Tue, 28 Sep 2021 08:06:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:44708 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240410AbhI1MGw (ORCPT ); Tue, 28 Sep 2021 08:06:52 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 18C31611C7; Tue, 28 Sep 2021 12:05:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1632830713; bh=UW41wA6UexwXfO+ET/Gq/KMyYOkaqqvmSfYGQ2jsm0s=; h=From:To:Cc:Subject:Date:From; b=f4hVmdUBNE/wqiX0GdCG0EN4TFnatwj3LDS57ZwfPRJ6R/zez1E8VLXfIdWm8cjke bQW304KYooguyuW1FS4iQJN/+s+vnq/QS1SA2pH8bIyKdCp8wQusRduYbdEWQ//u7G JCDlCtyglb09X0b2bcPusdYWNKZA20TA49s0ceiggLRovsf29n3Lw/vde1NXPQVHpq NaVTzMHN3z3HKZHWwBiRsAItRLuMOK38usMq/TpeFins/gT1N7HAb3YA2V5WGDx3o8 jWVfXStsbOhYRFZXDBraWi9vnvd03Cl6xLys2UEJ0WZo4AN0shzkry3qpVPlaLojgV IAid6CTwmzeUQ== Received: from johan by xi.lan with local (Exim 4.94.2) (envelope-from ) id 1mVBrF-0005P2-3V; Tue, 28 Sep 2021 14:05:13 +0200 From: Johan Hovold To: Mathias Nyman Cc: Greg Kroah-Hartman , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org, Lu Baolu Subject: [PATCH] USB: xhci: dbc: fix tty registration race Date: Tue, 28 Sep 2021 14:04:00 +0200 Message-Id: <20210928120400.20704-1-johan@kernel.org> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Make sure to allocate resources before registering the tty device to avoid having a racing open() and write() fail to enable rx or dereference a NULL pointer when accessing the uninitialised fifo. Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") Cc: stable@vger.kernel.org # 4.16 Cc: Lu Baolu Signed-off-by: Johan Hovold --- drivers/usb/host/xhci-dbgtty.c | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c index 6e784f2fc26d..eb46e642e87a 100644 --- a/drivers/usb/host/xhci-dbgtty.c +++ b/drivers/usb/host/xhci-dbgtty.c @@ -408,40 +408,38 @@ static int xhci_dbc_tty_register_device(struct xhci_dbc *dbc) return -EBUSY; xhci_dbc_tty_init_port(dbc, port); - tty_dev = tty_port_register_device(&port->port, - dbc_tty_driver, 0, NULL); - if (IS_ERR(tty_dev)) { - ret = PTR_ERR(tty_dev); - goto register_fail; - } ret = kfifo_alloc(&port->write_fifo, DBC_WRITE_BUF_SIZE, GFP_KERNEL); if (ret) - goto buf_alloc_fail; + goto err_exit_port; ret = xhci_dbc_alloc_requests(dbc, BULK_IN, &port->read_pool, dbc_read_complete); if (ret) - goto request_fail; + goto err_free_fifo; ret = xhci_dbc_alloc_requests(dbc, BULK_OUT, &port->write_pool, dbc_write_complete); if (ret) - goto request_fail; + goto err_free_requests; + + tty_dev = tty_port_register_device(&port->port, + dbc_tty_driver, 0, NULL); + if (IS_ERR(tty_dev)) { + ret = PTR_ERR(tty_dev); + goto err_free_requests; + } port->registered = true; return 0; -request_fail: +err_free_requests: xhci_dbc_free_requests(&port->read_pool); xhci_dbc_free_requests(&port->write_pool); +err_free_fifo: kfifo_free(&port->write_fifo); - -buf_alloc_fail: - tty_unregister_device(dbc_tty_driver, 0); - -register_fail: +err_exit_port: xhci_dbc_tty_exit_port(port); dev_err(dbc->dev, "can't register tty port, err %d\n", ret); -- 2.32.0