Date: Thu, 8 Jun 2023 18:19:00 +0530
From: Manivannan Sadhasivam
To: Johan Hovold
Cc: Thinh Nguyen, Greg Kroah-Hartman, Andy Gross, Bjorn Andersson, Konrad Dybcio, Krishna Kurapati, linux-usb@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sandeep Maheswaram
Subject: Re: [PATCH 1/2] USB: dwc3: qcom: fix NULL-deref on suspend
Message-ID: <20230608124900.GE5672@thinkpad>
References: <20230607100540.31045-1-johan+linaro@kernel.org> <20230607100540.31045-2-johan+linaro@kernel.org>
In-Reply-To: <20230607100540.31045-2-johan+linaro@kernel.org>

On Wed, Jun 07, 2023 at 12:05:39PM +0200, Johan Hovold wrote:
> The Qualcomm dwc3 glue driver is currently accessing the driver data of
> the child core device during suspend and on wakeup interrupts. This is
> clearly a bad idea as the child may not have probed yet or could have
> been unbound from its driver.
>
> The first such layering violation was part of the initial version of the
> driver, but this was later made worse when the hack that accesses the
> driver data of the grand child xhci device to configure the wakeup
> interrupts was added.
>
> Fixing this properly is not that easily done, so add a sanity check to
> make sure that the child driver data is non-NULL before dereferencing it
> for now.
>
> Note that this relies on subtleties like the fact that driver core is
> making sure that the parent is not suspended while the child is probing.
> > Reported-by: Manivannan Sadhasivam > Link: https://lore.kernel.org/all/20230325165217.31069-4-manivannan.sadhasivam@linaro.org/ > Fixes: d9152161b4bf ("usb: dwc3: Add Qualcomm DWC3 glue layer driver") > Fixes: 6895ea55c385 ("usb: dwc3: qcom: Configure wakeup interrupts during suspend") > Cc: stable@vger.kernel.org # 3.18: a872ab303d5d: "usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup" > Cc: Sandeep Maheswaram > Cc: Krishna Kurapati > Signed-off-by: Johan Hovold Reviewed-by: Manivannan Sadhasivam - Mani > --- > drivers/usb/dwc3/dwc3-qcom.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c > index 959fc925ca7c..79b22abf9727 100644 > --- a/drivers/usb/dwc3/dwc3-qcom.c > +++ b/drivers/usb/dwc3/dwc3-qcom.c > @@ -308,7 +308,16 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) > /* Only usable in contexts where the role can not change. */ > static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) > { > - struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); > + struct dwc3 *dwc; > + > + /* > + * FIXME: Fix this layering violation. > + */ > + dwc = platform_get_drvdata(qcom->dwc3); > + > + /* Core driver may not have probed yet. */ > + if (!dwc) > + return false; > > return dwc->xhci; > } > -- > 2.39.3 > -- மணிவண்ணன் சதாசிவம்
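
Review bot: In dwc3_qcom_is_host(), the comment above the new `if (!dwc)` check names only one of the two cases the commit message gives ("Core driver may not have probed yet"), leaving out the case where the child has been unbound from its driver, and it does not record the assumption the check depends on, namely that driver core keeps the parent from suspending while the child is probing. I would put both in the comment, since nothing in this hunk serializes the platform_get_drvdata() read against the later `dwc->xhci` dereference and a future reader will otherwise take the NULL test as a complete guard. Returning false here also makes "core not bound" indistinguishable from "not in host mode" for callers, which deserves a word next to the existing "Only usable in contexts where the role can not change" comment. The FIXME would be more actionable if it named the violation, that is, the glue driver reading the child core device's driver data.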