[PATCH] usb: chipidea: udc: fix NULL pointer dereference if udc_start failed

All of lore.kernel.org
 help / color / mirror / Atom feed

From: jszhang@marvell.com (Jisheng Zhang)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] usb: chipidea: udc: fix NULL pointer dereference if udc_start failed
Date: Wed, 26 Apr 2017 16:25:26 +0800	[thread overview]
Message-ID: <20170426162526.7c8ef827@xhacker> (raw)
In-Reply-To: <0ac4bc53-dd26-0b90-c84e-a94d01a6d5e4@i2se.com>

On Tue, 25 Apr 2017 17:21:59 +0200
Stefan Wahren <stefan.wahren@i2se.com> wrote:

> Am 25.04.2017 um 11:20 schrieb Peter Chen:
> >    
> >>>> diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
> >>>> index f88e9157fad0..60a786c87c06 100644
> >>>> --- a/drivers/usb/chipidea/udc.c
> >>>> +++ b/drivers/usb/chipidea/udc.c
> >>>> @@ -1984,6 +1984,7 @@ static void udc_id_switch_for_host(struct
> >>>> ci_hdrc *ci)  int ci_hdrc_gadget_init(struct ci_hdrc *ci)  {
> >>>>  	struct ci_role_driver *rdrv;
> >>>> +	int ret;
> >>>>
> >>>>  	if (!hw_read(ci, CAP_DCCPARAMS, DCCPARAMS_DC))
> >>>>  		return -ENXIO;
> >>>> @@ -1996,7 +1997,10 @@ int ci_hdrc_gadget_init(struct ci_hdrc *ci)
> >>>>  	rdrv->stop	= udc_id_switch_for_host;
> >>>>  	rdrv->irq	= udc_irq;
> >>>>  	rdrv->name	= "gadget";
> >>>> -	ci->roles[CI_ROLE_GADGET] = rdrv;
> >>>>
> >>>> -	return udc_start(ci);
> >>>> +	ret = udc_start(ci);
> >>>> +	if (!ret)
> >>>> +		ci->roles[CI_ROLE_GADGET] = rdrv;
> >>>> +
> >>>> +	return ret;
> >>>>  }
> >>>> --  
> >>> Thanks for fixing it. In fact, we'd better return failure if ret &&
> >>> ret != -ENXIO at probe, it stands for initialization for host or
> >>> gadget has failed.
> >>>  
> >> I got your meaning. I'll cook v2. I don't have preference, since either one can fix the
> >> issue.
> >>  
> > Both are needed, you don't need to send this one again. Only a new one, thanks.  
> 
> I'm not sure how easy it is to reproduce the issue.

It's easy to reproduce it (100%) on arm64 platforms after commit
1dccb598df549 ("arm64: simplify dma_get_ops"). This commit could
make all dma related operations failed, then udc_start() would fail
with -ENOMEM.

On other platforms, it's not easy.

> 
> Shouldn't make a Fixes tag sense at least?

maybe 3f124d233e97 ("usb: chipidea: add role init and destroy APIs"

WARNING: multiple messages have this Message-ID (diff)

From: Jisheng Zhang <jszhang@marvell.com>
To: Stefan Wahren <stefan.wahren@i2se.com>
Cc: Peter Chen <peter.chen@nxp.com>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	"linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-arm-kernel@lists.infradead.org" 
	<linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH] usb: chipidea: udc: fix NULL pointer dereference if udc_start failed
Date: Wed, 26 Apr 2017 16:25:26 +0800	[thread overview]
Message-ID: <20170426162526.7c8ef827@xhacker> (raw)
In-Reply-To: <0ac4bc53-dd26-0b90-c84e-a94d01a6d5e4@i2se.com>

On Tue, 25 Apr 2017 17:21:59 +0200
Stefan Wahren <stefan.wahren@i2se.com> wrote:

> Am 25.04.2017 um 11:20 schrieb Peter Chen:
> >    
> >>>> diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
> >>>> index f88e9157fad0..60a786c87c06 100644
> >>>> --- a/drivers/usb/chipidea/udc.c
> >>>> +++ b/drivers/usb/chipidea/udc.c
> >>>> @@ -1984,6 +1984,7 @@ static void udc_id_switch_for_host(struct
> >>>> ci_hdrc *ci)  int ci_hdrc_gadget_init(struct ci_hdrc *ci)  {
> >>>>  	struct ci_role_driver *rdrv;
> >>>> +	int ret;
> >>>>
> >>>>  	if (!hw_read(ci, CAP_DCCPARAMS, DCCPARAMS_DC))
> >>>>  		return -ENXIO;
> >>>> @@ -1996,7 +1997,10 @@ int ci_hdrc_gadget_init(struct ci_hdrc *ci)
> >>>>  	rdrv->stop	= udc_id_switch_for_host;
> >>>>  	rdrv->irq	= udc_irq;
> >>>>  	rdrv->name	= "gadget";
> >>>> -	ci->roles[CI_ROLE_GADGET] = rdrv;
> >>>>
> >>>> -	return udc_start(ci);
> >>>> +	ret = udc_start(ci);
> >>>> +	if (!ret)
> >>>> +		ci->roles[CI_ROLE_GADGET] = rdrv;
> >>>> +
> >>>> +	return ret;
> >>>>  }
> >>>> --  
> >>> Thanks for fixing it. In fact, we'd better return failure if ret &&
> >>> ret != -ENXIO at probe, it stands for initialization for host or
> >>> gadget has failed.
> >>>  
> >> I got your meaning. I'll cook v2. I don't have preference, since either one can fix the
> >> issue.
> >>  
> > Both are needed, you don't need to send this one again. Only a new one, thanks.  
> 
> I'm not sure how easy it is to reproduce the issue.

It's easy to reproduce it (100%) on arm64 platforms after commit
1dccb598df549 ("arm64: simplify dma_get_ops"). This commit could
make all dma related operations failed, then udc_start() would fail
with -ENOMEM.

On other platforms, it's not easy.

> 
> Shouldn't make a Fixes tag sense at least?

maybe 3f124d233e97 ("usb: chipidea: add role init and destroy APIs"

next prev parent reply	other threads:[~2017-04-26  8:25 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-04-24 12:35 [PATCH] usb: chipidea: udc: fix NULL pointer dereference if udc_start failed Jisheng Zhang
2017-04-24 12:35 ` Jisheng Zhang
2017-04-25  8:29 ` Peter Chen
2017-04-25  8:29   ` Peter Chen
2017-04-25  9:11   ` Jisheng Zhang
2017-04-25  9:11     ` Jisheng Zhang
2017-04-25  9:20     ` Peter Chen
2017-04-25  9:20       ` Peter Chen
2017-04-25 15:21       ` Stefan Wahren
2017-04-25 15:21         ` Stefan Wahren
2017-04-26  8:25         ` Jisheng Zhang [this message]
2017-04-26  8:25           ` Jisheng Zhang
2017-04-26  9:05           ` Peter Chen
2017-04-26  9:05             ` Peter Chen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170426162526.7c8ef827@xhacker \
    --to=jszhang@marvell.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.