From: Zhou Qingyang
To: zhou1615@umn.edu
Cc: kjlu@umn.edu, Felipe Balbi, Greg Kroah-Hartman, Johan Hovold, Nadezda Lutovinova, Yu Xu, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] usb: gadget: mv_u3d: Fix a NULL pointer dereference in mv_u3d_req_to_trb()
Date: Mon, 24 Jan 2022 20:12:33 +0800
Message-Id: <20220124121236.19761-1-zhou1615@umn.edu>
X-Mailer: git-send-email 2.25.1
In-Reply-To:
References:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In mv_u3d_req_to_trb(), mv_u3d_build_trb_one() is assigned to trb and there is a dereference of it in mv_u3d_req_to_trb(), which could lead to a NULL pointer dereference on failure of mv_u3d_build_trb_one().

Fix this bug by adding a check of trb.

This bug was found by a static analyzer.

Builds with CONFIG_USB_MV_U3D=m show no new warnings, and our static analyzer no longer warns about this code.

Fixes: 3d4eb9dfa3e8 ("usb: gadget: mv: Add USB 3.0 device driver for Marvell PXA2128 chip.")
Signed-off-by: Zhou Qingyang
---
The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug.

Changes in v2:
 - Remove unnecessary error message

 drivers/usb/gadget/udc/mv_u3d_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/gadget/udc/mv_u3d_core.c b/drivers/usb/gadget/udc/mv_u3d_core.c index a1057ddfbda3..4573233f2835 100644 --- a/drivers/usb/gadget/udc/mv_u3d_core.c +++ b/drivers/usb/gadget/udc/mv_u3d_core.c
@@ -417,6 +417,9 @@ static int mv_u3d_req_to_trb(struct mv_u3d_req *req) */ if (length <= (unsigned)MV_U3D_EP_MAX_LENGTH_TRANSFER) { trb = mv_u3d_build_trb_one(req, &count, &dma); + if (!trb) + return -ENOMEM; + list_add_tail(&trb->trb_list, &req->trb_list); req->trb_head = trb; req->trb_count = 1; -- 2.25.1
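Review bot: The new `if (!trb) return -ENOMEM;` right after `trb = mv_u3d_build_trb_one(req, &count, &dma);` hard-codes -ENOMEM, but nothing in the hunk shows which failure paths in mv_u3d_build_trb_one() return NULL. Please confirm that every NULL return there is an allocation failure, and name that path in the commit message, since the note below the `---` says the report may be a false positive or hard to trigger. The early return sits before `list_add_tail(&trb->trb_list, &req->trb_list)`, so req->trb_list, req->trb_head and req->trb_count are left untouched in this branch, which is the right place for it. What the hunk does not show is whether `count` and `dma`, passed by pointer, can be left partially updated on failure, and whether the callers of mv_u3d_req_to_trb() (declared `static int`) check for a negative return; both are worth stating in the changelog so the fix can be reviewed without opening the driver.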