CVE-2024-56670

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer<br /> <br /> Considering that in some extreme cases,<br /> when u_serial driver is accessed by multiple threads,<br /> Thread A is executing the open operation and calling the gs_open,<br /> Thread B is executing the disconnect operation and calling the<br /> gserial_disconnect function,The port-&gt;port_usb pointer will be set to NULL.<br /> <br /> E.g.<br /> Thread A Thread B<br /> gs_open() gadget_unbind_driver()<br /> gs_start_io() composite_disconnect()<br /> gs_start_rx() gserial_disconnect()<br /> ... ...<br /> spin_unlock(&amp;port-&gt;port_lock)<br /> status = usb_ep_queue() spin_lock(&amp;port-&gt;port_lock)<br /> spin_lock(&amp;port-&gt;port_lock) port-&gt;port_usb = NULL<br /> gs_free_requests(port-&gt;port_usb-&gt;in) spin_unlock(&amp;port-&gt;port_lock)<br /> Crash<br /> <br /> This causes thread A to access a null pointer (port-&gt;port_usb is null)<br /> when calling the gs_free_requests function, causing a crash.<br /> <br /> If port_usb is NULL, the release request will be skipped as it<br /> will be done by gserial_disconnect.<br /> <br /> So add a null pointer check to gs_start_io before attempting<br /> to access the value of the pointer port-&gt;port_usb.<br /> <br /> Call trace:<br /> gs_start_io+0x164/0x25c<br /> gs_open+0x108/0x13c<br /> tty_open+0x314/0x638<br /> chrdev_open+0x1b8/0x258<br /> do_dentry_open+0x2c4/0x700<br /> vfs_open+0x2c/0x3c<br /> path_openat+0xa64/0xc60<br /> do_filp_open+0xb8/0x164<br /> do_sys_openat2+0x84/0xf0<br /> __arm64_sys_openat+0x70/0x9c<br /> invoke_syscall+0x58/0x114<br /> el0_svc_common+0x80/0xe0<br /> do_el0_svc+0x1c/0x28<br /> el0_svc+0x38/0x68