Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2649046pxj; Mon, 14 Jun 2021 04:01:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzZdPUhA84LITlXlNjXp174gQU7L6bBxhSYN8ToMDVYtNfsBhkj4zC945tCwiBKmk4+K6Nh X-Received: by 2002:a05:6402:1609:: with SMTP id f9mr16022963edv.76.1623668510666; Mon, 14 Jun 2021 04:01:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623668510; cv=none; d=google.com; s=arc-20160816; b=Raae5WJAUearaXMxlpYyYelMX5TmQU3llvr0vg7VnaZl00JHfAEREAZifvRrvypYEy ZCqf92ZMbepoTWDqd11LswwVILjqB6EPL4/O5IZeh0vSnj6Is20u/JTOuQscbefa76nE thIwtrz+1N1o4ma3kPCdUYtDBuNocCKitf6/4ibRZPuAbuni0Tr25CkmyLk37Fwb1ZS/ z83yE2SAsvvwYi9IVD3L9a8b74L0kA/ytAeOAba07vBLD48+D+EN8K27OCbH2nRvHort YBRISkjhdkR3PRxWtJZ8Fam7/2a36KpzUEssKoj5Y/VvS+1wmmgP+Mi1knypGDFwk0ao m09w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=PwGHwGHyrE0CC8w2pL/911H/e38ROfiJbJZmK6kJ6PI=; b=Kw81VvSJZCzQd4xYukoNIjEObkanxt31nQiNmWYm5/mB22uN7da0xaXMnbrjdmEBM1 2o/gv5uSqmNwSw7k9tlUkr5T1Q5MA2dEUG7r9TjsN/3w0gFzbtS9GJT8EcIub4WbLfJW st1YxaGZgQFMofOE1Uog0CvMlZDiYx+o9wvKEbKN2LZpYsgEks1AjlINCJl+y8BxzCNN djDvXBEzb7/LMopwkQcgFbb+gKGQQK2WsVS4Mmjxx4SQQx+h8qLrS+mOn+mHvigWs+T3 XXW5foYEBFPG6/TnRKpsapYmOCD850GOX8eQfwDQ8RpwMbsHEB9T2qjBIzIMHnzy3Kuz wx7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=UiHXHkUy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c27si585725ejj.287.2021.06.14.04.01.28; Mon, 14 Jun 2021 04:01:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=UiHXHkUy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234383AbhFNLBl (ORCPT + 99 others); Mon, 14 Jun 2021 07:01:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:58052 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234010AbhFNKwX (ORCPT ); Mon, 14 Jun 2021 06:52:23 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E1A1061438; Mon, 14 Jun 2021 10:39:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623667162; bh=4b+kN5kgYUJozpZ0feh5k1wvn1s8BWKCOUy7nfMwHoA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UiHXHkUyDmY7wNJ2aKwFWwmSxJ+v0uYZQKEsBHQoX2oEG8CpXeYb7UgbsMkLeLUfC aqVLpGZWDrEzwU3A22O7xlI7TF6Le2QsFS8uAtsGInHGOwAo/EDx6+40sW/RamGHS1 QynO4GUsWx88smzloHBD/YyfjjkEZ7coHmtoPRTM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marian-Cristian Rotariu Subject: [PATCH 5.4 50/84] usb: dwc3: ep0: fix NULL pointer exception Date: Mon, 14 Jun 2021 12:27:28 +0200 Message-Id: <20210614102648.065885218@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210614102646.341387537@linuxfoundation.org> References: <20210614102646.341387537@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marian-Cristian Rotariu commit d00889080ab60051627dab1d85831cd9db750e2a upstream. There is no validation of the index from dwc3_wIndex_to_dep() and we might be referring a non-existing ep and trigger a NULL pointer exception. In certain configurations we might use fewer eps and the index might wrongly indicate a larger ep index than existing. By adding this validation from the patch we can actually report a wrong index back to the caller. In our usecase we are using a composite device on an older kernel, but upstream might use this fix also. Unfortunately, I cannot describe the hardware for others to reproduce the issue as it is a proprietary implementation. [ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4 [ 82.966891] Mem abort info: [ 82.969663] ESR = 0x96000006 [ 82.972703] Exception class = DABT (current EL), IL = 32 bits [ 82.978603] SET = 0, FnV = 0 [ 82.981642] EA = 0, S1PTW = 0 [ 82.984765] Data abort info: [ 82.987631] ISV = 0, ISS = 0x00000006 [ 82.991449] CM = 0, WnR = 0 [ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc [ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000 [ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP [ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c) [ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1 [ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO) [ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c [ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94 ... [ 83.141788] Call trace: [ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c [ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94 [ 83.181546] ---[ end trace aac6b5267d84c32f ]--- Signed-off-by: Marian-Cristian Rotariu Cc: stable Link: https://lore.kernel.org/r/20210608162650.58426-1-marian.c.rotariu@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/dwc3/ep0.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/dwc3/ep0.c +++ b/drivers/usb/dwc3/ep0.c @@ -292,6 +292,9 @@ static struct dwc3_ep *dwc3_wIndex_to_de epnum |= 1; dep = dwc->eps[epnum]; + if (dep == NULL) + return NULL; + if (dep->flags & DWC3_EP_ENABLED) return dep;