Received: by 2002:a05:7412:e794:b0:fa:551:50a7 with SMTP id o20csp871650rdd; Wed, 10 Jan 2024 01:58:21 -0800 (PST) X-Google-Smtp-Source: AGHT+IEKO7Pnz9aQ3I38Oo+Fc8ZPQDlhk+PK2Lj1d5DKK5mflhsWCts9ST5tSwbG2ntBPrZCUbyI X-Received: by 2002:a05:6e02:194f:b0:35f:e85c:6c0f with SMTP id x15-20020a056e02194f00b0035fe85c6c0fmr1100661ilu.31.1704880701033; Wed, 10 Jan 2024 01:58:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704880701; cv=none; d=google.com; s=arc-20160816; b=LyO02/WXmDYb88KojKUsthSZseDBdB07KsRj4JpE5CxOdzoQPPwcgzjX3SoRAyKNxA 2Bl4qawD67BR2UaJ5n04BzWiIqKFkPCYB9kd8cE/j/kBk/ZzfkOiZpg1KCd6WflqNxgP ZKPu6kxWPURmn/B3UJyZy1A6QbQGs7YPJRrb8XKBaC4+d6AKV/VD80U4piS3BJ5rX+9q iDTT3Dclyof8mIkyWTFBYai6AUvSC43iCHbI3dHKopTZ2rfBYc7cd+WQVOXjtuiBpd2t fnjPq8l3a1Xr/Rzrxr8BQdsoE5+tFemZ8YxgSIfjoWEoqLeMklo9kOBFXH1qrL8DQtrh b3cw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=tsVnBji+CX6UauGvaGmTOaJaiIeGC7M8aqQ1BW98I7w=; fh=7XM323Q0xQhoPRnU727EFje3TjLpbDKN4DlH4759A3Y=; b=kdZgh0j6nLfVa+sQDf+dt8xE3spvEdlGxxyo+gAhqbz2us57Oz8+g537TvaPE/0jmP YdJyRU8jZLRsEuiwCMpboBRNRkM8PQ2GMh0AgDC9YeaXSN0zjwBxXDvt6OT5zbF3fZEu jwc/1swqTWGvlo1FmgGef3A6otG2vsw6JQeL0AhgEXB9q3qsmXZcGP73Svg3OUEVbbXB /bBOBASihKww+vtD6mimBgzjFmwlUxwO8PpsXD0M8wx4zyUv9pcio1WPMW2Fj1PJIkVi aEEUBvEuT+4nU2mQb+DuB8JBcw9LSOsJc11IrfQhoBnJRUb/XmA1fGNI3wxa9AZMCqxL Es0Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=gwSvrbps; spf=pass (google.com: domain of linux-kernel+bounces-21931-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-21931-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id e6-20020a656786000000b005cdf80f8417si3264281pgr.871.2024.01.10.01.58.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Jan 2024 01:58:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-21931-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=gwSvrbps; spf=pass (google.com: domain of linux-kernel+bounces-21931-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-21931-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id A4C1B285D44 for ; Wed, 10 Jan 2024 09:58:20 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E659F3FB29; Wed, 10 Jan 2024 09:57:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="gwSvrbps" Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AF42A3F8FF; Wed, 10 Jan 2024 09:57:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com Received: from pps.filterd (m0279873.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 40A9kKas018787; Wed, 10 Jan 2024 09:57:52 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= message-id:date:mime-version:subject:to:cc:references:from :in-reply-to:content-type:content-transfer-encoding; s= qcppdkim1; bh=tsVnBji+CX6UauGvaGmTOaJaiIeGC7M8aqQ1BW98I7w=; b=gw SvrbpsKk55/zJT4EPjitawV0cNpu4NCERuTjIABtRfrLrOzT1Y5ZqMG4xwN3Fa80 rNWbJHH1y7B63ZE1Qz9chBijNsiU7s0qvLLtmZCeD+N6II7coGEW4IRUdXeM3tB0 s4ylmf/oMoTRac0+8bB67vzVegEN1LEi8L5baaYusBTdawqlj7yleD6BwVKZHwhm cW//lAdiDm1nw54cIOdoukaY9iH9wLCEZL7Snd0h5j0O0bbc3tlO2EeqDuyfEm0T hpDtgqlPwwVLp+TG01HiAXpzEVy3F1OPcRv7u6lJEdvSHS6EHoAuOBgwW+q7p0iM aZvKrHsE5vERQd6eW01Q== Received: from nalasppmta03.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3vhq2h086y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 10 Jan 2024 09:57:51 +0000 (GMT) Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com [10.47.209.196]) by NALASPPMTA03.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 40A9voiW003332 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 10 Jan 2024 09:57:50 GMT Received: from [10.217.219.221] (10.80.80.8) by nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40; Wed, 10 Jan 2024 01:57:47 -0800 Message-ID: <556f3d87-1a38-423a-82c0-c7471b232e43@quicinc.com> Date: Wed, 10 Jan 2024 15:27:45 +0530 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v4] usb: core: Prevent null pointer dereference in update_port_device_state Content-Language: en-US To: Sergei Shtylyov , Greg Kroah-Hartman , Alan Stern CC: Krishna Kurapati , , , References: <20240110091422.25347-1-quic_ugoswami@quicinc.com> <4e272d5d-ec19-7621-1346-4363b0070b1c@gmail.com> From: Udipto Goswami In-Reply-To: <4e272d5d-ec19-7621-1346-4363b0070b1c@gmail.com> Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 7bit X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nalasex01a.na.qualcomm.com (10.47.209.196) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-GUID: ngUbGCKc8h2k2BZeLif8b7s_wTo8zi-5 X-Proofpoint-ORIG-GUID: ngUbGCKc8h2k2BZeLif8b7s_wTo8zi-5 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-12-09_02,2023-12-07_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 mlxscore=0 spamscore=0 bulkscore=0 clxscore=1015 impostorscore=0 malwarescore=0 lowpriorityscore=0 priorityscore=1501 phishscore=0 suspectscore=0 mlxlogscore=604 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2311290000 definitions=main-2401100081 On 1/10/2024 2:52 PM, Sergei Shtylyov wrote: > On 1/10/24 12:14 PM, Udipto Goswami wrote: > >> Currently,the function update_port_device_state gets the usb_hub from > > Need space between comma and "the"... got it. > >> udev->parent by calling usb_hub_to_struct_hub. >> However, in case the actconfig or the maxchild is 0, the usb_hub would >> be NULL and upon further accessing to get port_dev would result in null >> pointer dereference. >> >> Fix this by introducing an if check after the usb_hub is populated. >> >> Fixes: 83cb2604f641 ("usb: core: add sysfs entry for usb device state") >> Cc: stable@vger.kernel.org >> Signed-off-by: Udipto Goswami > [...] > >> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c >> index ffd7c99e24a3..5ba1875e6bf4 100644 >> --- a/drivers/usb/core/hub.c >> +++ b/drivers/usb/core/hub.c >> @@ -2053,9 +2053,22 @@ static void update_port_device_state(struct usb_device *udev) >> >> if (udev->parent) { >> hub = usb_hub_to_struct_hub(udev->parent); >> - port_dev = hub->ports[udev->portnum - 1]; >> - WRITE_ONCE(port_dev->state, udev->state); >> - sysfs_notify_dirent(port_dev->state_kn); >> + >> + /* >> + * The Link Layer Validation System Driver (lvstest) >> + * has step to unbind the hub before running the rest >> + * of the procedure. This triggers hub_disconnect which >> + * will set the hub's maxchild to 0, further resulting > > Resulting in. got it. > >> + * usb_hub_to_struct_hub returning NULL. >> + * >> + * Add if check to avoid running into NULL pointer >> + * de-reference. > > This is obvious from the code below, I think... ok will remove this. Thanks, -Udipto