On Wed, Jan 22, 2025 at 12:58:57PM +0000, Qasim Ijaz wrote:
> If usb_add_hcd() fails in vhci_hcd_probe() (i.e., a probe failure),
> the error path calls usb_remove_hcd() and also sets
> pdev->dev.driver_data to NULL.
>
> Consequently, any subsequent call to platform_get_drvdata(pdev)
> (which returns pdev->dev.driver_data) may yield NULL, causing a
> crash if that pointer is dereferenced.

If usb_add_hcd() fails during probe then it should not be possible to
have any subsequent calls to platform_get_drvdata(pdev).

> Fix this by adding a sanity check to ensure "hcd" is non-NULL
> before proceeding with further operations.
>
> Reported-by: syzbot <syzbot+83976e47ec1ef91e66f1@xxxxxxxxxxxxxxxxxxxxxxxxx>
> Closes: https://syzkaller.appspot.com/bug?extid=83976e47ec1ef91e66f1
> Tested-by: syzbot <syzbot+83976e47ec1ef91e66f1@xxxxxxxxxxxxxxxxxxxxxxxxx>
> Fixes: 03cd00d538a6 ("usbip: vhci-hcd: Set the vhci structure up to work")
> Signed-off-by: Qasim Ijaz <qasdev00@xxxxxxxxx>
> ---
> v3:
> - Added this section to comply with patch format requirements
> - Removed the extra newline after `hcd = platform_get_drvdata(pdev);`
>
>  drivers/usb/usbip/vhci_sysfs.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
> index d5865460e82d..d4a1aa6d06b2 100644
> --- a/drivers/usb/usbip/vhci_sysfs.c
> +++ b/drivers/usb/usbip/vhci_sysfs.c
> @@ -76,6 +76,9 @@ static ssize_t status_show_vhci(int pdev_nr, char *out)
>  }
>
>  hcd = platform_get_drvdata(pdev);
> + if (!hcd)
> + return 0;

In this case, for example, the status sysfs attribute file should never
have been created in the first place if probing failed.

This seems more like a synchronization or logic error, not something to
be solved with a simple check for a NULL pointer.

Alan Stern

> +
>  vhci_hcd = hcd_to_vhci_hcd(hcd);
>  vhci = vhci_hcd->vhci;
>
> --
> 2.39.5
>
>
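Review bot: the `if (!hcd) return 0;` inserted after `hcd = platform_get_drvdata(pdev);` in status_show_vhci() treats the symptom rather than the cause. Per the commit message, driver_data is only NULL because vhci_hcd_probe() failed and cleared it, so the real defect is the ordering between the status sysfs attribute and the probe error path: the attribute is reachable from userspace while the device it describes was never fully set up. The fix belongs in the probe/remove sequence (expose the attribute only once usb_add_hcd() has succeeded, or tear it down on the failure path) rather than in the show callback. If a defensive check is kept at all, silently returning 0 bytes hides the failed state from the reader; returning an error such as -ENODEV, ideally with a WARN_ON_ONCE(), would make the inconsistent state visible in testing instead of masking it.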