Date: Fri, 8 Sep 2023 12:42:16 -0400
From: Alan Stern
To: Yuran Pereira
Cc: gregkh@linuxfoundation.org, royluo@google.com, christophe.jaillet@wanadoo.fr, raychi@google.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+c063a4e176681d2e0380@syzkaller.appspotmail.com
Subject: Re: [PATCH] USB: core: Fix a NULL pointer dereference
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Sep 08, 2023 at 09:09:37PM +0530, Yuran Pereira wrote:
> When the call to dev_set_name() in the usb_hub_create_port_device
> function fails to set the device's kobject's name field,
> the subsequent call to device_register() is bound to fail and cause
> a NULL pointer dereference, because kobject_add(), which is in the
> call sequence, expects the name field to be set before it is called.
>
> This patch adds code to perform error checking for dev_set_name()'s
> return value. If the call to dev_set_name() was unsuccessful,
> usb_hub_create_port_device() returns with an error.
>
> PS: The patch also frees port_dev->req and port_dev before returning.
> However, I am not sure if that is necessary, because port_dev->req
> and port_dev are not freed when device_register() fails. Would be
> happy if someone could help me understand why that is, and whether I
> should keep those kfree calls in my patch.
>
> dashboard link: https://syzkaller.appspot.com/bug?extid=c063a4e176681d2e0380
>
> Reported-by: syzbot+c063a4e176681d2e0380@syzkaller.appspotmail.com

It shouldn't be necessary to check the return value from dev_set_name().
Most of its other call sites ignore the return value. In fact, only one
of the call sites in drivers/base/core.c does check the return value!

Furthermore, device_add() includes the following test for whether the
device's name has been set:

	if (!dev_name(dev)) {
		error = -EINVAL;
		goto name_error;
	}

The real question is why this test did not prevent the bug from
occurring. Until you can answer that question, any fix you propose is
highly questionable.

Alan Stern
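As an added illustration (not code from this thread or from the kernel tree), the following user-space C model reproduces the error path the reply describes: a failed dev_set_name() leaves the kobject name unset, and the dev_name() guard in device_add() is meant to turn that into -EINVAL before kobject_add() ever runs. Every model_* function, the struct layouts and the fault-injection flag are assumptions of the model rather than kernel APIs; the injected allocation failure is the constructed input.

```c
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel structures (assumption: model only). */
struct kobject { char *name; };
struct device  { struct kobject kobj; };

/* Fault-injection knob: when non-zero, the next name allocation fails,
 * mimicking the allocation failure that makes dev_set_name() return -ENOMEM. */
static int fail_next_alloc;

static char *model_alloc_name(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy;

    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    copy = malloc(len);
    if (copy)
        memcpy(copy, s, len);
    return copy;
}

/* Models dev_set_name(): on allocation failure the old name (here NULL)
 * is left untouched and -ENOMEM is returned. */
int model_dev_set_name(struct device *dev, const char *name)
{
    char *n = model_alloc_name(name);

    if (!n)
        return -ENOMEM;
    free(dev->kobj.name);
    dev->kobj.name = n;
    return 0;
}

const char *model_dev_name(const struct device *dev)
{
    return dev->kobj.name;
}

/* Models the part of kobject_add() that relies on the name being present;
 * reaching it with a NULL name would be the dereference the patch worried about. */
static int model_kobject_add(struct kobject *kobj)
{
    return strlen(kobj->name) ? 0 : -EINVAL;
}

/* Models device_add() with the guard quoted in the reply. */
int model_device_add(struct device *dev)
{
    if (!model_dev_name(dev))
        return -EINVAL;        /* the "goto name_error" path */
    return model_kobject_add(&dev->kobj);
}

/* Models usb_hub_create_port_device(): dev_set_name()'s return value is
 * ignored, as at most kernel call sites, and device_add()'s result is returned. */
int model_create_port_device(int inject_alloc_failure)
{
    struct device dev = { { NULL } };
    int ret;

    fail_next_alloc = inject_alloc_failure;
    (void)model_dev_set_name(&dev, "port1");
    ret = model_device_add(&dev);
    free(dev.kobj.name);
    return ret;
}

int main(void)
{
    printf("normal path:        %d\n", model_create_port_device(0));   /* 0 */
    printf("alloc failure path: %d\n", model_create_port_device(1));   /* -EINVAL */
    return 0;
}
```

Running both paths shows the unnamed device being rejected with -EINVAL by the guard, never reaching the name-dependent step; that is exactly why the reply asks what let the real crash get past this check before accepting an extra return-value test in the caller.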