Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2659020pxj; Mon, 14 Jun 2021 04:14:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJycXymyk/0/hh8umYPpWJrcBWVR9XnXBAoJeeQzqRifz5Xqs8wbEKTCPA4SGdMARIkorxOR X-Received: by 2002:a05:6402:4c:: with SMTP id f12mr7849581edu.84.1623669298939; Mon, 14 Jun 2021 04:14:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623669298; cv=none; d=google.com; s=arc-20160816; b=P57Xta5iFiDwiUOJz6X37rT9EF0xVf9jZX2R89I+Vug++G5823+CsmcUga8r1Bv+v4 rW7OlWZjq6YkQj4+NQTngFGQ3PGV9LKxeNdp72XLYLhtpVS0dvbK8573Yw+CMbLKGO9G bGiw942y1+w5FWAWENgcZFsyOxNS/H610yMK6AqAoDi5NO7W+CZdX4XbPb1L5hLaqmCe I0NSpAQ/uiSf+LLw681cxdcvgR1Jr/m4xDr2ZaC3pyBmbtezxA5H3irFmJKUAQ0aTRxP lgFJUq0/ZAz6kIJjM8yOQmgCJ9/bsFaFUK9zQT7btZxeUJtnSD8+0+TnTk4znyNcj4Fd cbJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=PwGHwGHyrE0CC8w2pL/911H/e38ROfiJbJZmK6kJ6PI=; b=FMND1RNqNxVFdzvgRBm82/pEO2zTkEqL4Uu3QcAT/j0nowgtt0KdnlqL7GvF40QUFt lMAmlp6DjefjHpFRxmewOVYDwaiwWNIhx6ndAoiDWcy4uz/oFU1O3brquJg72ZphBc5B X5g39HcO2eZXjtZj4U2UJssDiRaQSENWJhniw0swTsI2IlQi0YwC0m3TS41MKRQXvpBn LcgnYU1nbAi/ooVivoYwuAMymMciXy7A/YYl5sIwpJgfHIy5v5QI6y7u5F7zXXMLxctz E9pzyewpHoFOIZlkH1TImd3paQicWFuT8JoJT5QOyj8Z4Kd9TvEL7W7rRWpl4VNtEPlq jT8Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="zACPv/aK"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i24si12006381ejx.167.2021.06.14.04.14.35; Mon, 14 Jun 2021 04:14:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="zACPv/aK"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233542AbhFNLPr (ORCPT + 99 others); Mon, 14 Jun 2021 07:15:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:39158 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234665AbhFNLCr (ORCPT ); Mon, 14 Jun 2021 07:02:47 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C05956143F; Mon, 14 Jun 2021 10:44:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623667448; bh=4b+kN5kgYUJozpZ0feh5k1wvn1s8BWKCOUy7nfMwHoA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zACPv/aKwGLzkC7rztGmFOmzXhAmzSRAhNB4Bj9Bl2aWmQS6vJnakm5lldUV7kXHj F6gWn6z1KcLNoCv6G4cPVZXGuYwF45wfjd4KNLPfs1VZ0dg3Gpp7N8dZsFGE9+9Gs/ rlJ/4SrvZEJEyuipez0wEoiM8SoHIWbBpIJjS6KI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marian-Cristian Rotariu Subject: [PATCH 5.10 074/131] usb: dwc3: ep0: fix NULL pointer exception Date: Mon, 14 Jun 2021 12:27:15 +0200 Message-Id: <20210614102655.543399418@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210614102652.964395392@linuxfoundation.org> References: <20210614102652.964395392@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marian-Cristian Rotariu commit d00889080ab60051627dab1d85831cd9db750e2a upstream. There is no validation of the index from dwc3_wIndex_to_dep() and we might be referring a non-existing ep and trigger a NULL pointer exception. In certain configurations we might use fewer eps and the index might wrongly indicate a larger ep index than existing. By adding this validation from the patch we can actually report a wrong index back to the caller. In our usecase we are using a composite device on an older kernel, but upstream might use this fix also. Unfortunately, I cannot describe the hardware for others to reproduce the issue as it is a proprietary implementation. [ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4 [ 82.966891] Mem abort info: [ 82.969663] ESR = 0x96000006 [ 82.972703] Exception class = DABT (current EL), IL = 32 bits [ 82.978603] SET = 0, FnV = 0 [ 82.981642] EA = 0, S1PTW = 0 [ 82.984765] Data abort info: [ 82.987631] ISV = 0, ISS = 0x00000006 [ 82.991449] CM = 0, WnR = 0 [ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc [ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000 [ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP [ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c) [ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1 [ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO) [ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c [ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94 ... [ 83.141788] Call trace: [ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c [ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94 [ 83.181546] ---[ end trace aac6b5267d84c32f ]--- Signed-off-by: Marian-Cristian Rotariu Cc: stable Link: https://lore.kernel.org/r/20210608162650.58426-1-marian.c.rotariu@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/dwc3/ep0.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/dwc3/ep0.c +++ b/drivers/usb/dwc3/ep0.c @@ -292,6 +292,9 @@ static struct dwc3_ep *dwc3_wIndex_to_de epnum |= 1; dep = dwc->eps[epnum]; + if (dep == NULL) + return NULL; + if (dep->flags & DWC3_EP_ENABLED) return dep;