Re: [PATCH] thunderbolt: Fix NULL pointer dereference in tb_port_update_credits()

Olliver Schinagl <oliver@xxxxxxxxxxx> · Mon, 12 Feb 2024 13:15:18 +0100

Hey Mika,

On 12-02-2024 12:51, Mika Westerberg wrote:
Olliver reported that his system crashes when plugging in Thunderbolt 1
device:

  BUG: kernel NULL pointer dereference, address: 0000000000000020
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  RIP: 0010:tb_port_do_update_credits+0x1b/0x130 [thunderbolt]
  Call Trace:
   <TASK>
   ? __die+0x23/0x70
   ? page_fault_oops+0x171/0x4e0
   ? exc_page_fault+0x7f/0x180
   ? asm_exc_page_fault+0x26/0x30
   ? tb_port_do_update_credits+0x1b/0x130
   ? tb_switch_update_link_attributes+0x83/0xd0
   tb_switch_add+0x7a2/0xfe0
   tb_scan_port+0x236/0x6f0
   tb_handle_hotplug+0x6db/0x900
   process_one_work+0x171/0x340
   worker_thread+0x27b/0x3a0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0xe5/0x120
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x31/0x50
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1b/0x30
   </TASK>

This is due the fact that some Thunderbolt 1 devices only have one lane
adapter. Fix this by checking for the lane 1 before we read its credits.

Reported-by: Olliver Schinagl <oliver@xxxxxxxxxxx>
Closes: https://lore.kernel.org/linux-usb/c24c7882-6254-4e68-8f22-f3e8f65dc84f@xxxxxxxxxxx/
Fixes: 81af2952e606 ("thunderbolt: Add support for asymmetric link")
Cc: stable@xxxxxxxxxxxxxxx
Cc: Gil Fine <gil.fine@xxxxxxxxxxxxxxx>
Signed-off-by: Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx>
---
Hi Olliver,

I managed to reproduce this with a Thunderbolt 1 device. I wonder if you
can try this patch and see if it fixes your issue too?

That sounds reasonable, as it's an old Macbook (Should be TB2) with an 
old ethernet dongle (probably TB1?) or simply because it doesn't need 
that much speed (gbit adapter only). Sadly patching my kernel is not 
something I can do at the moment.

Olliver


  drivers/thunderbolt/switch.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c
index bca6f28c553b..72ebde0e34d7 100644
--- a/drivers/thunderbolt/switch.c
+++ b/drivers/thunderbolt/switch.c
@@ -1256,6 +1256,9 @@ int tb_port_update_credits(struct tb_port *port)
  	ret = tb_port_do_update_credits(port);
  	if (ret)
  		return ret;
+
+	if (!port->dual_link_port)
+		return 0;
  	return tb_port_do_update_credits(port->dual_link_port);
  }
  







