Date: Thu, 4 Jan 2024 09:56:11 -0500
From: Alan Stern
To: Greg Kroah-Hartman, Udipto Goswami
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: core: Prevent null pointer dereference in update_port_device_state
Message-ID: <1fafda18-8806-4036-bcc1-ac08e2d3b9cd@rowland.harvard.edu>

On Thu, Jan 04, 2024 at 02:13:51PM +0100, Greg Kroah-Hartman wrote:
> On Thu, Jan 04, 2024 at 06:35:38PM +0530, Udipto Goswami wrote:
> > Hi Greg,
> >
> > On 1/4/2024 4:14 PM, Greg Kroah-Hartman wrote:
> > > On Thu, Jan 04, 2024 at 03:56:16PM +0530, Udipto Goswami wrote:
> > > > Currently, the function update_port_device_state gets the usb_hub from
> > > > udev->parent by calling usb_hub_to_struct_hub.
> > > > However, in case the actconfig or the maxchild is 0, the usb_hub would
> > > > be NULL and upon further accessing to get port_dev would result in null
> > > > pointer dereference.
> > >
> > > Is this true for any real (or fake) hardware?
> >
> > We saw this in our QCOM hardwares where lvstest.c was calling
> > get_dev_desc_store:
> >
> > usb_set_device_state+0x128/0x17c
> > create_lvs_device+0x60/0xf8 [lvstest]
> > get_dev_desc_store+0x94/0x18c [lvstest]
> > dev_attr_store+0x30/0x48
> >
> > I think the part of the test procedure is to first unbind the hub driver
> > which calls hub_disconnect setting the maxchild = 0.
>
> Are you sure lvstest is correct here?

This is what happens when people work behind the hub driver's back. :-(

If you can't find another way to fix the problem, you should at least
change the patch to include a comment before the "if (hub)" test,
explaining why it is necessary.  Otherwise somebody in the future will
remove the test, because under normal circumstances hub would never be
NULL here.

Alan Stern
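
Added example, not part of the thread and not the kernel's code: a user-space C model of the failure discussed above (the hub lookup returning NULL once an unbind has set maxchild to 0) and of a commented "if (hub)" style guard. All `model_*` names and struct layouts are assumptions that only mimic the fields named in the thread.

```c
#include <stddef.h>

/* User-space stand-ins for the kernel structures (assumed shapes). */
struct model_port { int state; };
struct model_hub  { struct model_port *ports[4]; };
struct model_dev {
    struct model_dev *parent;
    int has_actconfig;          /* stands in for actconfig being set */
    int maxchild;               /* 0 once the hub driver is unbound */
    int portnum;                /* 1-based port on the parent hub */
    int state;
    struct model_hub *hubdata;  /* hub driver's private data */
};

/* Models the lookup in the thread: NULL if actconfig or maxchild is 0. */
static struct model_hub *model_hub_lookup(struct model_dev *hdev)
{
    if (!hdev || !hdev->has_actconfig || !hdev->maxchild)
        return NULL;
    return hdev->hubdata;
}

/* Models the unbind step: hub_disconnect leaves maxchild at 0. */
static void model_hub_unbind(struct model_dev *hdev) { hdev->maxchild = 0; }

/* Returns 1 if the port state was mirrored, 0 if there was no hub. */
static int model_update_port_state(struct model_dev *udev)
{
    struct model_hub *hub;

    if (!udev->parent)
        return 0;
    hub = model_hub_lookup(udev->parent);
    /*
     * hub is NULL only when the hub driver was unbound behind its back
     * (the lvstest procedure in this thread). Keep this check: without
     * it, hub->ports below is a NULL pointer dereference.
     */
    if (!hub)
        return 0;
    hub->ports[udev->portnum - 1]->state = udev->state;
    return 1;
}

int main(void)
{
    struct model_port p = { 0 };
    struct model_hub h = { { &p } };
    struct model_dev parent = { NULL, 1, 4, 0, 0, &h };
    struct model_dev child = { &parent, 0, 0, 1, 7, NULL };
    int before = model_update_port_state(&child);
    model_hub_unbind(&parent);
    return (before == 1 && model_update_port_state(&child) == 0) ? 0 : 1;
}
```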