Hi Heikki,

> Subject: Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash
>
> Hi Biju,
>
> On Fri, Dec 09, 2022 at 05:07:40PM +0000, Biju Das wrote:
> > The value returned by usb_role_switch_get() can be NULL and it leads
> > to NULL pointer crash. This patch fixes this issue by adding NULL
> > check for the role switch handle.
> >
> > [ 25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 (CAT874 + CAT875) (DT)
> > [ 25.344991] Workqueue: events_unbound deferred_probe_work_func
> > [ 25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> > [ 25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> > [ 25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 [renesas_usb3]
> > [ 25.370986] sp : ffff80000a4b3a40
> > [ 25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: 0000000000000000
> > [ 25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: ffff80000117f178
> > [ 25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: 0000000000000000
> > [ 25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: 0000000000000020
> > [ 25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: 0000000000004000
> > [ 25.410133] x14: 000000000000022b x13: 0000000000000001 x12: 0000000000000001
> > [ 25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : ffff80000a4b3770
> > [ 25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : ffff00000a8d8590
> > [ 25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : ffff00000a8d84f4
> > [ 25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : 0000000000000218
> > [ 25.445942] Call trace:
> > [ 25.448398] renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> > [ 25.454613] renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3]
> > [ 25.460908] usb_role_switch_set_role+0x44/0xa4
> > [ 25.465468] hd3ss3220_set_role+0xa0/0x100 [hd3ss3220]
> > [ 25.470635] hd3ss3220_probe+0x118/0x2fc [hd3ss3220]
> > [ 25.475621] i2c_device_probe+0x338/0x384
>
> Based on that backtrace, your role switch is not NULL.
>
> You can only end up calling renesas_usb3_role_switch_set() if your
> hd3ss3220->role_sw contains a handle to the renesas usb3 role switch.

Looks like you are correct.

>
> > Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn:
> > passing zero to 'PTR_ERR'")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Biju Das <biju.das.jz@xxxxxxxxxxxxxx>
> > ---
> > This issue triggered on RZ/G2E board, where there is no USB3 firmware
> > and it returned a null role switch handle.
> >
> > v1->v2:
> > * Make it as individual patch
> > * Added Cc tag
> > ---
> > drivers/usb/typec/hd3ss3220.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/usb/typec/hd3ss3220.c
> > b/drivers/usb/typec/hd3ss3220.c index 2a58185fb14c..c24bbccd14f9
> > 100644
> > --- a/drivers/usb/typec/hd3ss3220.c
> > +++ b/drivers/usb/typec/hd3ss3220.c
> > @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client
> *client,
> > hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev);
> > }
> >
> > - if (IS_ERR(hd3ss3220->role_sw)) {
> > + if (!hd3ss3220->role_sw) {
> > + ret = -ENODEV;
> > + goto err_put_fwnode;
> > + } else if (IS_ERR(hd3ss3220->role_sw)) {
> > ret = PTR_ERR(hd3ss3220->role_sw);
> > goto err_put_fwnode;
> > }
>
> You should not do that.
>
> Either I'm missing something, or this patch is hiding some other issue.

Looks like it is a bug in renesas_usb3.c rather than this driver. But how will we prevent hd3ss3220_set_role being called after usb_role_switch_unregister(usb3->role_sw) from the renesas_usb3.c driver?

Cheers,
Biju
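
Review bot: the added "if (!hd3ss3220->role_sw)" branch in hd3ss3220_probe() does not cover the crash quoted in the commit message. The call trace goes hd3ss3220_set_role -> usb_role_switch_set_role -> renesas_usb3_role_switch_set -> renesas_usb3_role_switch_get, a path that is only entered when hd3ss3220->role_sw already holds a handle to the renesas usb3 role switch, so the new check is never taken on the reported path and its only effect is to fail probe with -ENODEV whenever the handle is NULL. Suggest dropping this hunk and fixing the dereference at renesas_usb3_role_switch_get+0x40 in renesas_usb3.c, or stating in the commit message which call actually returned NULL. As a style point, the "} else if (IS_ERR(hd3ss3220->role_sw)) {" does not need the else, because the preceding branch ends in "goto err_put_fwnode;".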