Received: by 2002:a05:7412:98c1:b0:fa:551:50a7 with SMTP id kc1csp1694664rdb; Mon, 8 Jan 2024 07:26:24 -0800 (PST) X-Google-Smtp-Source: AGHT+IH99I/X1M8/5sKkTTn739Ul3BC9VTWrKAplMGg62IpmsZ2bEsQ/iyAyRPn6dOhK/uYE1nBN X-Received: by 2002:a17:903:444:b0:1d4:c2a9:ad2b with SMTP id iw4-20020a170903044400b001d4c2a9ad2bmr1366061plb.34.1704727584261; Mon, 08 Jan 2024 07:26:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704727584; cv=none; d=google.com; s=arc-20160816; b=jbu6Rw/g/BxnXFgjnerMJitheEiniq91benF04nFNonsqZEF6cKDG1RUW04BNeWMcU iMj2BUPZVKe1fs/g1i94g4Vaq4LgFROLQbCS1OgJZWcMIui9nH2O/6OqiZvBJ6pI1zD+ u95Tof8W4ThJ3CsD4rAoXZtyk9KOErmxdZuQqKbPuTX8n/5YKqkvL91g0To8QxbAjKSC sfzRWv3Fkvtrw686RO1DVA16S+Rx4cWwZDK8u4MggNKiKZ3nnRHm2furv37pZUtMm0cH qk8LCe8X2QjkFtcJrPRwgsnvR4bV6naUqHKfXo1QfYqkIdPiYxD6gFquukzd5CJEUaba uSuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date; bh=3vZo1wIw45Ll41pdzOiw4asMLtgn/fjdwI/1ZZpNyVM=; fh=QUzXmB3VXs9rraU3yHGOpGGyGuCCPCu5CPOVkaN7KXk=; b=HZQ4T4DBfTnrtAhSvGap/k0nyEvakT2biZ0wjxM4pJymD2mav29ucSIOC5MU6UNgAi 5uYCD4tffgeoI1Ss+8SuX8rz+K9ij2mYpmlT9mBT9eAnSDSOd1TRsggABLGuH/+k/5W7 Luv0NjXZJ7MdPhMEwfd5SRlUsptZcCoOnVdLKg/LSlVzPwSBzHfy9sS7zLkuOztlq7uI 0SVBhibje84oiWRnEKfI/gY+HdNcNhmW7AbVnQyxpmsEouSZgdMXSrgnL8VC7hFzUCUV 7eq9KT/jcD5BDIXZuwfCvFIf3WTImWIJq339kHwVzw00RfMd7Rl6m0zXTS6sJFxskJXk ncYg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-19761-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-19761-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=harvard.edu Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id s23-20020a170902b19700b001d37d4f6f6dsi40964plr.114.2024.01.08.07.26.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 07:26:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-19761-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-19761-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-19761-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=harvard.edu Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id EFD1A2828C6 for ; Mon, 8 Jan 2024 15:26:23 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4673D5101D; Mon, 8 Jan 2024 15:26:17 +0000 (UTC) X-Original-To: linux-kernel@vger.kernel.org Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5]) by smtp.subspace.kernel.org (Postfix) with SMTP id CE1C451010 for ; Mon, 8 Jan 2024 15:26:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=rowland.harvard.edu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=netrider.rowland.org Received: (qmail 499378 invoked by uid 1000); 8 Jan 2024 10:26:07 -0500 Date: Mon, 8 Jan 2024 10:26:07 -0500 From: Alan Stern To: Udipto Goswami Cc: Greg Kroah-Hartman , Krishna Kurapati , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH v2] usb: core: Prevent null pointer dereference in update_port_device_state Message-ID: <2d801dd7-93de-4323-a214-1a73cc5a8451@rowland.harvard.edu> References: <20240108130706.15698-1-quic_ugoswami@quicinc.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240108130706.15698-1-quic_ugoswami@quicinc.com> On Mon, Jan 08, 2024 at 06:37:06PM +0530, Udipto Goswami wrote: > Currently,the function update_port_device_state gets the usb_hub from > udev->parent by calling usb_hub_to_struct_hub. > However, in case the actconfig or the maxchild is 0, the usb_hub would > be NULL and upon further accessing to get port_dev would result in null > pointer dereference. > > Fix this by introducing an if check after the usb_hub is populated. > > Fixes: 83cb2604f641 ("usb: core: add sysfs entry for usb device state") > Cc: stable@vger.kernel.org > Signed-off-by: Udipto Goswami > --- > v2: Introduced comment for the if check & CC'ed stable. > > drivers/usb/core/hub.c | 15 ++++++++++++--- > 1 file changed, 12 insertions(+), 3 deletions(-) > > diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c > index ffd7c99e24a3..d40b5500f95b 100644 > --- a/drivers/usb/core/hub.c > +++ b/drivers/usb/core/hub.c > @@ -2053,9 +2053,18 @@ static void update_port_device_state(struct usb_device *udev) > > if (udev->parent) { > hub = usb_hub_to_struct_hub(udev->parent); > - port_dev = hub->ports[udev->portnum - 1]; > - WRITE_ONCE(port_dev->state, udev->state); > - sysfs_notify_dirent(port_dev->state_kn); > + > + /* > + * usb_hub_to_struct_hub() if returns NULL can > + * potentially cause NULL pointer dereference upon further > + * access. > + * Avoid this with an if check. > + */ This is not what I meant. It's perfectly obvious that if usb_hub_to_struct_hub() returns NULL then there will be a NULL-pointer dereference. You don't need to explain that to anybody. Instead, you need to explain why it is _possible_ for usb_hub_to_struct_hub() to return NULL. The reason is because the lvstest driver messes around with usbcore internals without telling the hub driver, so hub will be NULL in cases where udev was created by lvstest. Alan Stern