Message-ID: <20250301081057.1952519-1-akuchynski@chromium.org>
Date: Sat,  1 Mar 2025 08:10:55 +0000
From: Andrei Kuchynski <akuchynski@...omium.org>
To: Heikki Krogerus <heikki.krogerus@...ux.intel.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
	Benson Leung <bleung@...omium.org>,
	"Christian A. Ehrhardt" <lk@...e.de>,
	Jameson Thies <jthies@...gle.com>,
	linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: Andrei Kuchynski <akuchynski@...omium.org>
Subject: [PATCH 0/1] Fix race condition causing NULL pointer dereference

The kernel crashes during UCSI initialization due to a race condition.
In ucsi_init():
1. ucsi_register_port() sets up a work queue and schedules
ucsi_check_connector_capability task.
2. "PPM policy conflict" causes ucsi_send_command to fail.
3. The error path (err_unregister) deallocates resources,
setting con->partner to NULL.
4. After that, ucsi_init() waits for the work queue to finish its task.
5. ucsi_check_connector_capability task, running in the work queue,
attempts to dereference the con->partner pointer, resulting in the crash.

The core issue is that con->partner is set to NULL before
the work queue task is guaranteed to have finished using it.

The crash log:

cros_ec_ucsi cros_ec_ucsi.3.auto: PPM Policy conflict
 BUG: kernel NULL pointer dereference, address: 000000000000030c
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 8 UID: 0 PID: 13 Comm: kworker/u64:1 Tainted: G     U  W          6.12.0-g15b373ee5573-dirty #1 b5276ebf6ba85f471d9524ce34509877165c9f58
 Tainted: [U]=USER, [W]=WARN
 Hardware name: Google Fatcat/Fatcat, BIOS Google_Fatcat.16163.0.0 01/15/2025
 Workqueue: cros_ec_ucsi.3.auto-con1 ucsi_poll_worker [typec_ucsi]
 RIP: 0010:typec_partner_set_pd_revision+0x5/0x80 [typec]
 Code: cc cc cc b8 ea ff ff ff c3 cc cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 <66> 39 b7 0c 03 00 00 75 06 c3 cc cc cc cc cc 55 48 89 e5 41 56 53
 RSP: 0018:ffffb532400c7dd8 EFLAGS: 00010206
 RAX: 0000000000000004 RBX: 0000000000000004 RCX: 0000000000000000
 RDX: ffffb532400c7cc0 RSI: 0000000000000300 RDI: 0000000000000000
 RBP: ffffb532400c7de8 R08: ffffa3ab042d28f0 R09: 0000000000000080
 R10: 0000000000000080 R11: 00000000000000c0 R12: ffffa3ab01dc6480
 R13: ffffa3ab120d12c0 R14: ffffa3ab120d12c0 R15: ffffa3ab12074000
 FS:  0000000000000000(0000) GS:ffffa3ae6f800000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000000000000030c CR3: 000000010700e004 CR4: 0000000000772ef0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
  <TASK>
  ? __die_body+0x6a/0xb0
  ? page_fault_oops+0x38e/0x400
  ? work_grab_pending+0x56/0x230
  ? exc_page_fault+0x5b/0xb0
  ? asm_exc_page_fault+0x22/0x30
  ? typec_partner_set_pd_revision+0x5/0x80 [typec bc1e7c7e089f4aaed440a0a5388387e3ef1ca2cb]
  ucsi_check_connector_capability+0x71/0xa0 [typec_ucsi 843b0396f746abb17c01f8d4d12ead8b09b88609]
  ucsi_poll_worker+0x3c/0x110 [typec_ucsi 843b0396f746abb17c01f8d4d12ead8b09b88609]
  process_scheduled_works+0x20e/0x450
  worker_thread+0x2e0/0x390
  kthread+0xee/0x110
  ? __pfx_worker_thread+0x10/0x10
  ? __pfx_kthread+0x10/0x10
  ret_from_fork+0x38/0x50
  ? __pfx_kthread+0x10/0x10
  ret_from_fork_asm+0x1a/0x30
  </TASK>

Andrei Kuchynski (1):
  usb: typec: ucsi: Fix NULL pointer access

 drivers/usb/typec/ucsi/ucsi.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

-- 
2.48.1.711.g2feabab25a-goog
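The ordering problem the cover letter describes (the error path clears con->partner, and only then waits for the work item that still dereferences it) can be reproduced in a small user-space model. The following C program is an added example, not code from the UCSI driver or from this patch series: the names mirror the cover letter (con->partner, a work item that checks connector capability, a flush that waits for the work queue), but the one-slot work queue, the struct layouts and the -1 "would have crashed" sentinel are all assumptions made for the model. The real work item dereferences the pointer unconditionally; the NULL check here only turns the crash into a return value so both teardown orders can be compared.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model of the ordering bug described in the
 * cover letter. Nothing below is UCSI driver code. */

struct partner { int pd_revision; };

struct connector {
    struct partner *partner;   /* freed and cleared by the error path */
    int last_result;           /* what the work item last observed */
};

/* One-slot "work queue": the item is scheduled now and runs at flush time,
 * standing in for the real worker thread. */
struct workqueue {
    void (*fn)(struct connector *);
    struct connector *con;
    int pending;
};

static void schedule_work(struct workqueue *wq,
                          void (*fn)(struct connector *),
                          struct connector *con)
{
    wq->fn = fn;
    wq->con = con;
    wq->pending = 1;
}

/* Returns only after the pending item has run, like a flush of the queue. */
static void flush_workqueue(struct workqueue *wq)
{
    if (wq->pending) {
        wq->pending = 0;
        wq->fn(wq->con);
    }
}

#define WOULD_CRASH (-1)   /* sentinel: the driver would have dereferenced NULL here */

/* The work item. In the driver the dereference is unconditional; the check
 * exists only so the model can report the crash instead of taking it. */
static void check_connector_capability(struct connector *con)
{
    if (con->partner == NULL) {
        con->last_result = WOULD_CRASH;
        return;
    }
    con->last_result = con->partner->pd_revision;
}

/* Error path as described in steps 3 and 4: clear first, then wait. */
int teardown_clear_then_wait(struct connector *con, struct workqueue *wq)
{
    con->partner = NULL;       /* step 3: resources deallocated */
    flush_workqueue(wq);       /* step 4: the work item runs against NULL */
    return con->last_result;
}

/* Corrected ordering: let the work item finish before tearing down
 * anything it uses, then clear the pointer. */
int teardown_wait_then_clear(struct connector *con, struct workqueue *wq)
{
    flush_workqueue(wq);
    con->partner = NULL;
    return con->last_result;
}

/* One init-then-fail sequence with the chosen teardown order. */
int run_scenario(int wait_first)
{
    struct partner p = { .pd_revision = 3 };          /* constructed sample */
    struct connector con = { .partner = &p, .last_result = 0 };
    struct workqueue wq = { 0 };

    schedule_work(&wq, check_connector_capability, &con);   /* step 1 */
    /* step 2: ucsi_send_command() fails ("PPM policy conflict") */
    return wait_first ? teardown_wait_then_clear(&con, &wq)
                      : teardown_clear_then_wait(&con, &wq);
}

int main(void)
{
    printf("clear then wait: %d\n", run_scenario(0));   /* -1: would crash */
    printf("wait then clear: %d\n", run_scenario(1));   /* 3: partner still valid */
    return 0;
}
```

The model is deterministic on purpose: a real worker thread makes the bad ordering a race that only sometimes crashes, which is why a synchronous wait (or cancel) before freeing the resource, rather than after, is the fix to look for when reviewing error paths that run alongside scheduled work.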

