RE: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash

> Subject: RE: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash
> 
> Hi Heikki,
> 
> > Subject: Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash
> >
> > Hi Biju,
> >
> > On Fri, Dec 09, 2022 at 05:07:40PM +0000, Biju Das wrote:
> > > The value returned by usb_role_switch_get() can be NULL and it leads
> > > to NULL pointer crash. This patch fixes this issue by adding NULL
> > > check for the role switch handle.
> > >
> > > [   25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 (CAT874 + CAT875) (DT)
> > > [   25.344991] Workqueue: events_unbound deferred_probe_work_func
> > > [   25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> > > [   25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> > > [   25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 [renesas_usb3]
> > > [   25.370986] sp : ffff80000a4b3a40
> > > [   25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: 0000000000000000
> > > [   25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: ffff80000117f178
> > > [   25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: 0000000000000000
> > > [   25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: 0000000000000020
> > > [   25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: 0000000000004000
> > > [   25.410133] x14: 000000000000022b x13: 0000000000000001 x12: 0000000000000001
> > > [   25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : ffff80000a4b3770
> > > [   25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : ffff00000a8d8590
> > > [   25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : ffff00000a8d84f4
> > > [   25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : 0000000000000218
> > > [   25.445942] Call trace:
> > > [   25.448398]  renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> > > [   25.454613]  renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3]
> > > [   25.460908]  usb_role_switch_set_role+0x44/0xa4
> > > [   25.465468]  hd3ss3220_set_role+0xa0/0x100 [hd3ss3220]
> > > [   25.470635]  hd3ss3220_probe+0x118/0x2fc [hd3ss3220]
> > > [   25.475621]  i2c_device_probe+0x338/0x384
> >
> > Based on that backtrace, your role switch is not NULL.
> >
> > You can only end up calling renesas_usb3_role_switch_set() if your
> > hd3ss3220->role_sw contains a handle to the renesas usb3 role switch.
> 
> Looks like you are correct.
> 
> >
> > > Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn:
> > > passing zero to 'PTR_ERR'")
> > > Cc: stable@xxxxxxxxxxxxxxx
> > > Signed-off-by: Biju Das <biju.das.jz@xxxxxxxxxxxxxx>
> > > ---
> > > This issue triggered on RZ/G2E board, where there is no USB3
> > > firmware and it returned a null role switch handle.
> > >
> > > v1->v2:
> > >  * Make it as individual patch
> > >  * Added Cc tag
> > > ---
> > >  drivers/usb/typec/hd3ss3220.c | 5 ++++-
> > >  1 file changed, 4 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/usb/typec/hd3ss3220.c
> > > b/drivers/usb/typec/hd3ss3220.c index 2a58185fb14c..c24bbccd14f9
> > > 100644
> > > --- a/drivers/usb/typec/hd3ss3220.c
> > > +++ b/drivers/usb/typec/hd3ss3220.c
> > > @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client
> > *client,
> > >  		hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev);
> > >  	}
> > >
> > > -	if (IS_ERR(hd3ss3220->role_sw)) {
> > > +	if (!hd3ss3220->role_sw) {
> > > +		ret = -ENODEV;
> > > +		goto err_put_fwnode;
> > > +	} else if (IS_ERR(hd3ss3220->role_sw)) {
> > >  		ret = PTR_ERR(hd3ss3220->role_sw);
> > >  		goto err_put_fwnode;
> > >  	}
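
Review bot: The new `if (!hd3ss3220->role_sw)` branch does not match the crash in the changelog: the call trace goes hd3ss3220_set_role -> usb_role_switch_set_role -> renesas_usb3_role_switch_set, so the handle was already non-NULL and had reached the provider's callback when the oops happened at renesas_usb3_role_switch_get+0x40. A NULL test in hd3ss3220_probe() therefore cannot prevent this trace, and it also turns a missing role switch into a hard -ENODEV probe failure for every board using this driver. Either explain in the commit message how a NULL return from usb_role_switch_get() produces this exact trace, or drop the check and address the fault on the renesas_usb3 side. If the check stays, the `else` before `if (IS_ERR(...))` is unnecessary, since the first branch already leaves through `goto err_put_fwnode;`.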
> >
> > You should not do that.
> >
> > Either I'm missing something, or this patch is hiding some other issue.
> 
> Looks like it is a bug in renesas_usb3.c rather than this driver.
> 
> But how will we prevent hd3ss3220_set_role being called after
> usb_role_switch_unregister(usb3->role_sw) from the renesas_usb3.c driver?

Do we need to add an additional check for "fwnode_usb_role_switch_get" and
"usb_role_switch_get" to return an error if there is no registered role_switch device,
like the scenario above?

Cheers,
Biju



