Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2631472pxj; Mon, 14 Jun 2021 03:32:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxRDl4zNeyUOIfqVCdpeSnEaV/W/FHOKwdaV1nrVok7W+p1cXEM6WbLzklT15rSDpOvA/mo X-Received: by 2002:a17:907:10d8:: with SMTP id rv24mr14398328ejb.542.1623666754998; Mon, 14 Jun 2021 03:32:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623666754; cv=none; d=google.com; s=arc-20160816; b=QkFg5EHiwxiuiKQ13cuXLo/MyaAww1IiSIM7F1QzOUXcD409XfupZLWcnPK0oA4of7 1R0PuUNpt6OGWMEyW237sgQPx9/x6EEa2Oic3tQCxW+uIeqs7UYE3YGT7+2VN1hCSulp mWtuOvo1qfNq4OHhFv6AKcI++5sV/Q+1cLvIlol3FSnEaK2/vJ8Dhopie4E3KxKM/16p s+ms9j0foo+ruvjJMrLIULQYp8SZFrCBtCzAXA5f97oCc/jMUwkjds45uy0BU4T3P+DR qiACku0DJ+Gx7WL8f7y3xZTsNx4UKR4qw9ImkA4Iza48lel80KtmL34M4A/SKqxMRpVX oA0A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=lREDQzhakPethtHNWU+gy16+7h3EHaDsCNvBnWKHGhY=; b=n1CZROgnAdM6qj0ci7B+bApOaHu+AtOrdBX4y40Rj4DxPo134LMfimt/iTfPaCE77X ugF/KyQrFnLwVCHc4PFQsSYZ4wsTsmhYniMdOuFfScLHKfXA4sc2s1h0FYT/FN89XKNQ LVrW//Cb0h9b1hcJphkLxNA6jH4wN69BvyGLwChI41KBRn+8gLUb+uO+Qe/PraZ/bUan LaMDQ6f6Yw81I+vCSFroF9HhauI56s60QxPz09+nmMd+6sJgZzwcRu1yLDHTwgoMQT2O TOqE7+0jTCYTxv9oHz9WIHKmwx+9/nohcH25fo13nR6y1OljFnaZvwbO91IFwcR/W5Sw zw/A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=AHzGsMCp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 3si11310155ejl.715.2021.06.14.03.32.12; Mon, 14 Jun 2021 03:32:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=AHzGsMCp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233007AbhFNKcC (ORCPT + 99 others); Mon, 14 Jun 2021 06:32:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:37818 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232904AbhFNKbW (ORCPT ); Mon, 14 Jun 2021 06:31:22 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2369A61004; Mon, 14 Jun 2021 10:29:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623666559; bh=0sRQ9tU2KQUbj0eHW1bhSJkUB7cgtfIDfHGBMa24Nhk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AHzGsMCpjgFCxo6KNFWaScxMmdGI0aFOagAEIMkvHVQnCSNLjAAcwpif20BanVlRS TwzQp/0jAdPTTPYcuKgvMuAp2bI5TzeFIIuEzs8iUg11+u5waulJ8s6EKseZ6g4V2c OFwIvmcysBtlLuQDocsdTjh5ttJS6EhAuGW33YQo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marian-Cristian Rotariu Subject: [PATCH 4.4 23/34] usb: dwc3: ep0: fix NULL pointer exception Date: Mon, 14 Jun 2021 12:27:14 +0200 Message-Id: <20210614102642.326815452@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210614102641.582612289@linuxfoundation.org> References: <20210614102641.582612289@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marian-Cristian Rotariu commit d00889080ab60051627dab1d85831cd9db750e2a upstream. There is no validation of the index from dwc3_wIndex_to_dep() and we might be referring a non-existing ep and trigger a NULL pointer exception. In certain configurations we might use fewer eps and the index might wrongly indicate a larger ep index than existing. By adding this validation from the patch we can actually report a wrong index back to the caller. In our usecase we are using a composite device on an older kernel, but upstream might use this fix also. Unfortunately, I cannot describe the hardware for others to reproduce the issue as it is a proprietary implementation. [ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4 [ 82.966891] Mem abort info: [ 82.969663] ESR = 0x96000006 [ 82.972703] Exception class = DABT (current EL), IL = 32 bits [ 82.978603] SET = 0, FnV = 0 [ 82.981642] EA = 0, S1PTW = 0 [ 82.984765] Data abort info: [ 82.987631] ISV = 0, ISS = 0x00000006 [ 82.991449] CM = 0, WnR = 0 [ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc [ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000 [ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP [ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c) [ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1 [ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO) [ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c [ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94 ... [ 83.141788] Call trace: [ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c [ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94 [ 83.181546] ---[ end trace aac6b5267d84c32f ]--- Signed-off-by: Marian-Cristian Rotariu Cc: stable Link: https://lore.kernel.org/r/20210608162650.58426-1-marian.c.rotariu@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/dwc3/ep0.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/dwc3/ep0.c +++ b/drivers/usb/dwc3/ep0.c @@ -331,6 +331,9 @@ static struct dwc3_ep *dwc3_wIndex_to_de epnum |= 1; dep = dwc->eps[epnum]; + if (dep == NULL) + return NULL; + if (dep->flags & DWC3_EP_ENABLED) return dep;