[PATCH 4.19 29/91] usb: typec: tcpm: Add NULL check before dereferencing config

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Douglas Gilbert <dgilbert@interlog.com>,
	Guenter Roeck <linux@roeck-us.net>, Jun Li <jun.li@nxp.com>,
	Heikki Krogerus <heikki.krogerus@linux.intel.com>
Subject: [PATCH 4.19 29/91] usb: typec: tcpm: Add NULL check before dereferencing config
Date: Wed, 14 Aug 2019 19:00:52 +0200	[thread overview]
Message-ID: <20190814165750.919436537@linuxfoundation.org> (raw)
In-Reply-To: <20190814165748.991235624@linuxfoundation.org>

From: Guenter Roeck <linux@roeck-us.net>

commit 1957de95d425d1c06560069dc7277a73a8b28683 upstream.

When instantiating tcpm on an NXP OM 13588 board with NXP PTN5110,
the following crash is seen when writing into the 'preferred_role'
sysfs attribute.

Unable to handle kernel NULL pointer dereference at virtual address 00000028
pgd = f69149ad
[00000028] *pgd=00000000
Internal error: Oops: 5 [#1] THUMB2
Modules linked in: tcpci tcpm
CPU: 0 PID: 1882 Comm: bash Not tainted 5.1.18-sama5-armv7-r2 #4
Hardware name: Atmel SAMA5
PC is at tcpm_try_role+0x3a/0x4c [tcpm]
LR is at tcpm_try_role+0x15/0x4c [tcpm]
pc : [<bf8000e2>]    lr : [<bf8000bd>]    psr: 60030033
sp : dc1a1e88  ip : c03fb47d  fp : 00000000
r10: dc216190  r9 : dc1a1f78  r8 : 00000001
r7 : df4ae044  r6 : dd032e90  r5 : dd1ce340  r4 : df4ae054
r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : df4ae044
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA Thumb  Segment none
Control: 50c53c7d  Table: 3efec059  DAC: 00000051
Process bash (pid: 1882, stack limit = 0x6a6d4aa5)
Stack: (0xdc1a1e88 to 0xdc1a2000)
1e80:                   dd05d808 dd1ce340 00000001 00000007 dd1ce340 c03fb4a7
1ea0: 00000007 00000007 dc216180 00000000 00000000 c01e1e03 00000000 00000000
1ec0: c0907008 dee98b40 c01e1d5d c06106c4 00000000 00000000 00000007 c0194e8b
1ee0: 0000000a 00000400 00000000 c01a97db dc22bf00 ffffe000 df4b6a00 df745900
1f00: 00000001 00000001 000000dd c01a9c2f 7aeab3be c0907008 00000000 dc22bf00
1f20: c0907008 00000000 00000000 00000000 00000000 7aeab3be 00000007 dee98b40
1f40: 005dc318 dc1a1f78 00000000 00000000 00000007 c01969f7 0000000a c01a20cb
1f60: dee98b40 c0907008 dee98b40 005dc318 00000000 c0196b9b 00000000 00000000
1f80: dee98b40 7aeab3be 00000074 005dc318 b6f3bdb0 00000004 c0101224 dc1a0000
1fa0: 00000004 c0101001 00000074 005dc318 00000001 005dc318 00000007 00000000
1fc0: 00000074 005dc318 b6f3bdb0 00000004 00000007 00000007 00000000 00000000
1fe0: 00000004 be800880 b6ed35b3 b6e5c746 60030030 00000001 00000000 00000000
[<bf8000e2>] (tcpm_try_role [tcpm]) from [<c03fb4a7>] (preferred_role_store+0x2b/0x5c)
[<c03fb4a7>] (preferred_role_store) from [<c01e1e03>] (kernfs_fop_write+0xa7/0x150)
[<c01e1e03>] (kernfs_fop_write) from [<c0194e8b>] (__vfs_write+0x1f/0x104)
[<c0194e8b>] (__vfs_write) from [<c01969f7>] (vfs_write+0x6b/0x104)
[<c01969f7>] (vfs_write) from [<c0196b9b>] (ksys_write+0x43/0x94)
[<c0196b9b>] (ksys_write) from [<c0101001>] (ret_fast_syscall+0x1/0x62)

Since commit 96232cbc6c994 ("usb: typec: tcpm: support get typec and pd
config from device properties"), the 'config' pointer in struct tcpc_dev
is optional when registering a Type-C port. Since it is optional, we have
to check if it is NULL before dereferencing it.

Reported-by: Douglas Gilbert <dgilbert@interlog.com>
Cc: Douglas Gilbert <dgilbert@interlog.com>
Fixes: 96232cbc6c994 ("usb: typec: tcpm: support get typec and pd config from device properties")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Jun Li <jun.li@nxp.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/1563979112-22483-1-git-send-email-linux@roeck-us.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/typec/tcpm.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/usb/typec/tcpm.c
+++ b/drivers/usb/typec/tcpm.c
@@ -378,7 +378,8 @@ static enum tcpm_state tcpm_default_stat
 			return SNK_UNATTACHED;
 		else if (port->try_role == TYPEC_SOURCE)
 			return SRC_UNATTACHED;
-		else if (port->tcpc->config->default_role == TYPEC_SINK)
+		else if (port->tcpc->config &&
+			 port->tcpc->config->default_role == TYPEC_SINK)
 			return SNK_UNATTACHED;
 		/* Fall through to return SRC_UNATTACHED */
 	} else if (port->port_type == TYPEC_PORT_SNK) {
@@ -4096,7 +4097,7 @@ static int tcpm_try_role(const struct ty
 	mutex_lock(&port->lock);
 	if (tcpc->try_role)
 		ret = tcpc->try_role(tcpc, role);
-	if (!ret && !tcpc->config->try_role_hw)
+	if (!ret && (!tcpc->config || !tcpc->config->try_role_hw))
 		port->try_role = role;
 	port->try_src_count = 0;
 	port->try_snk_count = 0;
@@ -4743,7 +4744,7 @@ static int tcpm_copy_caps(struct tcpm_po
 	port->typec_caps.prefer_role = tcfg->default_role;
 	port->typec_caps.type = tcfg->type;
 	port->typec_caps.data = tcfg->data;
-	port->self_powered = port->tcpc->config->self_powered;
+	port->self_powered = tcfg->self_powered;
 
 	return 0;
 }

next prev parent reply	other threads:[~2019-08-14 17:09 UTC|newest]

Thread overview: 109+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-14 17:00 [PATCH 4.19 00/91] 4.19.67-stable review Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 01/91] iio: cros_ec_accel_legacy: Fix incorrect channel setting Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 02/91] iio: adc: max9611: Fix misuse of GENMASK macro Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 03/91] staging: gasket: apex: fix copy-paste typo Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 04/91] staging: android: ion: Bail out upon SIGKILL when allocating memory Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 05/91] crypto: ccp - Fix oops by properly managing allocated structures Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 06/91] crypto: ccp - Add support for valid authsize values less than 16 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 07/91] crypto: ccp - Ignore tag length when decrypting GCM ciphertext Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 08/91] usb: usbfs: fix double-free of usb memory upon submiturb error Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 09/91] usb: iowarrior: fix deadlock on disconnect Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 10/91] sound: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 11/91] mmc: cavium: Set the correct dma max segment size for mmc_host Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 12/91] mmc: cavium: Add the missing dma unmap when the dma has finished Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 13/91] loop: set PF_MEMALLOC_NOIO for the worker thread Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 14/91] Input: usbtouchscreen - initialize PM mutex before using it Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 15/91] Input: elantech - enable SMBus on new (2018+) systems Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 16/91] Input: synaptics - enable RMI mode for HP Spectre X360 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 17/91] x86/mm: Check for pfn instead of page in vmalloc_sync_one() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 18/91] x86/mm: Sync also unmappings in vmalloc_sync_all() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 19/91] mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 20/91] perf annotate: Fix s390 gap between kernel end and module start Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 21/91] perf db-export: Fix thread__exec_comm() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 22/91] perf record: Fix module size on s390 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 23/91] x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 24/91] gfs2: gfs2_walk_metadata fix Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 25/91] usb: host: xhci-rcar: Fix timeout in xhci_suspend() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 26/91] usb: yurex: Fix use-after-free in yurex_delete Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 27/91] usb: typec: tcpm: free log buf memory when remove debug file Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 28/91] usb: typec: tcpm: remove tcpm dir if no children Greg Kroah-Hartman
2019-08-14 17:00 ` Greg Kroah-Hartman [this message]
2019-08-14 17:00 ` [PATCH 4.19 30/91] usb: typec: tcpm: Ignore unsupported/unknown alternate mode requests Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 31/91] can: rcar_canfd: fix possible IRQ storm on high load Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 32/91] can: peak_usb: fix potential double kfree_skb() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 33/91] netfilter: nfnetlink: avoid deadlock due to synchronous request_module Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 34/91] vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 35/91] netfilter: Fix rpfilter dropping vrf packets by mistake Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 36/91] netfilter: conntrack: always store window size un-scaled Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 37/91] netfilter: nft_hash: fix symhash with modulus one Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 38/91] scripts/sphinx-pre-install: fix script for RHEL/CentOS Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 39/91] drm/amd/display: Wait for backlight programming completion in set backlight level Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 40/91] drm/amd/display: use encoders engine id to find matched free audio device Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 41/91] drm/amd/display: Fix dc_create failure handling and 666 color depths Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 42/91] drm/amd/display: Only enable audio if speaker allocation exists Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 43/91] drm/amd/display: Increase size of audios array Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 44/91] iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 45/91] nl80211: fix NL80211_HE_MAX_CAPABILITY_LEN Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 46/91] mac80211: dont warn about CW params when not using them Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 47/91] allocate_flower_entry: should check for null deref Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 48/91] hwmon: (nct6775) Fix register address and added missed tolerance for nct6106 Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 49/91] drm: silence variable conn set but not used Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 50/91] cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 51/91] s390/qdio: add sanity checks to the fast-requeue path Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 52/91] ALSA: compress: Fix regression on compressed capture streams Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 53/91] ALSA: compress: Prevent bypasses of set_params Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 54/91] ALSA: compress: Dont allow paritial drain operations on capture streams Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 55/91] ALSA: compress: Be more restrictive about when a drain is allowed Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 56/91] perf tools: Fix proper buffer size for feature processing Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 57/91] perf probe: Avoid calling freeing routine multiple times for same pointer Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 58/91] drbd: dynamically allocate shash descriptor Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 59/91] ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 60/91] nvme: fix multipath crash when ANA is deactivated Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 61/91] ARM: davinci: fix sleep.S build error on ARMv4 Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 62/91] ARM: dts: bcm: bcm47094: add missing #cells for mdio-bus-mux Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 63/91] scsi: megaraid_sas: fix panic on loading firmware crashdump Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 64/91] scsi: ibmvfc: fix WARN_ON during event pool release Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 65/91] scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 66/91] test_firmware: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 67/91] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 68/91] perf/core: Fix creating kernel counters for PMUs that override event->cpu Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 69/91] s390/dma: provide proper ARCH_ZONE_DMA_BITS value Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 70/91] HID: sony: Fix race condition between rumble and device remove Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 71/91] x86/purgatory: Do not use __builtin_memcpy and __builtin_memset Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 72/91] ALSA: usb-audio: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 73/91] can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 74/91] can: peak_usb: pcan_usb_fd: " Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 75/91] hwmon: (nct7802) Fix wrong detection of in4 presence Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 76/91] drm/i915: Fix wrong escape clock divisor init for GLK Greg Kroah-Hartman
2019-08-14 17:01   ` Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 77/91] ALSA: firewire: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 78/91] ALSA: hiface: fix multiple memory leak bugs Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 79/91] ALSA: hda - Dont override global PCM hw info flag Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 80/91] ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457) Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 81/91] mac80211: dont WARN on short WMM parameters from AP Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 82/91] dax: dax_layout_busy_page() should not unmap cow pages Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 83/91] SMB3: Fix deadlock in validate negotiate hits reconnect Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 84/91] smb3: send CAP_DFS capability during session setup Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 85/91] NFSv4: Fix an Oops in nfs4_do_setattr Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 86/91] KVM: Fix leak vCPUs VMCS value into other pCPU Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 87/91] mwifiex: fix 802.11n/WPA detection Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 88/91] iwlwifi: dont unmap as page memory that was mapped as single Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 89/91] iwlwifi: mvm: fix an out-of-bound access Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 90/91] iwlwifi: mvm: dont send GEO_TX_POWER_LIMIT on version < 41 Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 91/91] iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support Greg Kroah-Hartman
2019-08-14 21:36 ` [PATCH 4.19 00/91] 4.19.67-stable review kernelci.org bot
2019-08-15  1:29 ` Naresh Kamboju
2019-08-15 13:29 ` Guenter Roeck
2019-08-15 13:58   ` Daniel Díaz
2019-08-15 14:05     ` Guenter Roeck
2019-08-15 19:37     ` Greg Kroah-Hartman
2019-08-15 20:20       ` Guenter Roeck
2019-08-15 20:42         ` Greg Kroah-Hartman
2019-08-15 21:32           ` Guenter Roeck
2019-08-15 22:06             ` Greg Kroah-Hartman
2019-08-15 15:17 ` Guenter Roeck
2019-08-16  2:09 ` shuah
2019-08-16  6:38 ` Kelsey Skunberg
2019-08-16  6:53 ` Jinpu Wang
2019-08-16  9:21 ` Thierry Reding
2019-08-16  9:21   ` Thierry Reding

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190814165750.919436537@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=dgilbert@interlog.com \
    --cc=heikki.krogerus@linux.intel.com \
    --cc=jun.li@nxp.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@roeck-us.net \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.