From: Soenke Huster
To: Greg Kroah-Hartman, "Rafael J. Wysocki"
Cc: Soenke Huster, linux-kernel@vger.kernel.org
Subject: [PATCH] driver core: fix null pointer deref in device_find_child
Date: Thu, 20 Jan 2022 16:02:46 +0100
Message-Id: <20220120150246.6216-1-soenke.huster@eknoes.de>

Similar to device_for_each_child, device_find_child should not oops if parent->p is NULL. While fuzzing the Bluetooth subsystem, I got a null pointer dereference in next_device, which is prevented by this change.

Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497
Signed-off-by: Soenke Huster
---
I found this while fuzzing the bluetooth subsystem and reported this bug in bugzilla. As I feel more like a kernelnewbie, I am not sure whether this needs to be patched in driver core, or is just an issue of the bluetooth subsystem itself. If the latter is the case: sorry for the spam!

A similar fix was applied in 014c90dbb9b6 ("driver core: prevent device_for_each_child from oopsing") for device_for_each_child, which is mentioned in the docstring of device_find_child as similar function.

 drivers/base/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/core.c b/drivers/base/core.c index 7bb957b11861..654d904631f9 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -3780,7 +3780,7 @@ struct device *device_find_child(struct device *parent, void *data, struct klist_iter i; struct device *child; - if (!parent) + if (!parent || !parent->p) return NULL; klist_iter_init(&parent->p->klist_children, &i); -- 2.34.1
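Review bot: The new `!parent->p` guard in device_find_child() returns NULL silently, so the Bluetooth caller that passes a parent whose private data has not been set up (or has already been torn down) will no longer be noticed; consider pairing the guard with a WARN_ON(!parent->p), or at least stating in the changelog that the root cause is in the caller and that this change only keeps the iteration from crashing, which also answers the cover letter's own question about whether the fix belongs in driver core or in Bluetooth. The guard itself is consistent with the one device_for_each_child already has (014c90dbb9b6), so the hunk is fine as written. Two style points for the changelog: "ooops" is a typo, and the `Buglink:` trailer should be `Link:` to follow the kernel's trailer convention.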