Hi Andrei,
On Fri, Mar 21, 2025 at 02:37:26PM +0000, Andrei Kuchynski wrote:
> Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer
> dereference. This patch adds a mutex to protect USB device pointers and
> prevent this issue. The same mutex protects both the device pointers and
> the partner device registration.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 59de2a56d127 ("usb: typec: Link enumerated USB devices with Type-C partner")
> Signed-off-by: Andrei Kuchynski <akuchynski@xxxxxxxxxxxx>
Reviewed-by: Benson Leung <bleung@xxxxxxxxxxxx>
> ---
> drivers/usb/typec/class.c | 15 +++++++++++++--
> drivers/usb/typec/class.h | 1 +
> 2 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
> index 9c76c3d0c6cf..eadb150223f8 100644
> --- a/drivers/usb/typec/class.c
> +++ b/drivers/usb/typec/class.c
> @@ -1052,6 +1052,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port,
> partner->usb_mode = USB_MODE_USB3;
> }
>
> + mutex_lock(&port->partner_link_lock);
> ret = device_register(&partner->dev);
> if (ret) {
> dev_err(&port->dev, "failed to register partner (%d)\n", ret);
> @@ -1063,6 +1064,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port,
> typec_partner_link_device(partner, port->usb2_dev);
> if (port->usb3_dev)
> typec_partner_link_device(partner, port->usb3_dev);
> + mutex_unlock(&port->partner_link_lock);
>
> return partner;
> }
> @@ -1083,12 +1085,14 @@ void typec_unregister_partner(struct typec_partner *partner)
>
> port = to_typec_port(partner->dev.parent);
>
> + mutex_lock(&port->partner_link_lock);
> if (port->usb2_dev)
> typec_partner_unlink_device(partner, port->usb2_dev);
> if (port->usb3_dev)
> typec_partner_unlink_device(partner, port->usb3_dev);
>
> device_unregister(&partner->dev);
> + mutex_unlock(&port->partner_link_lock);
> }
> EXPORT_SYMBOL_GPL(typec_unregister_partner);
>
> @@ -2041,10 +2045,11 @@ static struct typec_partner *typec_get_partner(struct typec_port *port)
> static void typec_partner_attach(struct typec_connector *con, struct device *dev)
> {
> struct typec_port *port = container_of(con, struct typec_port, con);
> - struct typec_partner *partner = typec_get_partner(port);
> + struct typec_partner *partner;
> struct usb_device *udev = to_usb_device(dev);
> enum usb_mode usb_mode;
>
> + mutex_lock(&port->partner_link_lock);
> if (udev->speed < USB_SPEED_SUPER) {
> usb_mode = USB_MODE_USB2;
> port->usb2_dev = dev;
> @@ -2053,18 +2058,22 @@ static void typec_partner_attach(struct typec_connector *con, struct device *dev
> port->usb3_dev = dev;
> }
>
> + partner = typec_get_partner(port);
> if (partner) {
> typec_partner_set_usb_mode(partner, usb_mode);
> typec_partner_link_device(partner, dev);
> put_device(&partner->dev);
> }
> + mutex_unlock(&port->partner_link_lock);
> }
>
> static void typec_partner_deattach(struct typec_connector *con, struct device *dev)
> {
> struct typec_port *port = container_of(con, struct typec_port, con);
> - struct typec_partner *partner = typec_get_partner(port);
> + struct typec_partner *partner;
>
> + mutex_lock(&port->partner_link_lock);
> + partner = typec_get_partner(port);
> if (partner) {
> typec_partner_unlink_device(partner, dev);
> put_device(&partner->dev);
> @@ -2074,6 +2083,7 @@ static void typec_partner_deattach(struct typec_connector *con, struct device *d
> port->usb2_dev = NULL;
> else if (port->usb3_dev == dev)
> port->usb3_dev = NULL;
> + mutex_unlock(&port->partner_link_lock);
> }
>
> /**
> @@ -2614,6 +2624,7 @@ struct typec_port *typec_register_port(struct device *parent,
>
> ida_init(&port->mode_ids);
> mutex_init(&port->port_type_lock);
> + mutex_init(&port->partner_link_lock);
>
> port->id = id;
> port->ops = cap->ops;
> diff --git a/drivers/usb/typec/class.h b/drivers/usb/typec/class.h
> index b3076a24ad2e..db2fe96c48ff 100644
> --- a/drivers/usb/typec/class.h
> +++ b/drivers/usb/typec/class.h
> @@ -59,6 +59,7 @@ struct typec_port {
> enum typec_port_type port_type;
> enum usb_mode usb_mode;
> struct mutex port_type_lock;
> + struct mutex partner_link_lock;
>
> enum typec_orientation orientation;
> struct typec_switch *sw;
> --
> 2.49.0.395.g12beb8f557-goog
>
Attachment:
signature.asc
Description: PGP signature
