From: Greg KH <gregkh@linuxfoundation.org>
To: rtm@csail.mit.edu
Cc: linux-usb@vger.kernel.org
Subject: Re: USB hub code can dereference NULL hub and hub->ports
Date: Tue, 21 Jan 2025 08:01:22 +0100
Message-ID: <2025012150-nervous-john-fb53@gregkh>
In-Reply-To: <95564.1737394039@localhost>

On Mon, Jan 20, 2025 at 12:27:19PM -0500, rtm@csail.mit.edu wrote:
> The attached program, which acts via usbip as a USB device or hub,
> causes my linux machines to dereference some NULL pointers in
> drivers/usb/core/hub.c. These are places where udev->maxchild > 0, but
> either usb_hub_to_struct_hub(udev) returns NULL, or the returned hub
> has hub->ports == NULL.
> 
> This is one such place:
> 
> static void recursively_mark_NOTATTACHED(struct usb_device *udev)
> {
>         struct usb_hub *hub = usb_hub_to_struct_hub(udev);
>         int i;
> 
>         for (i = 0; i < udev->maxchild; ++i) {
>                 if (hub->ports[i]->child)
> 
> And this:
> 
> static void hub_disconnect_children(struct usb_device *udev)
> {
>         struct usb_hub *hub = usb_hub_to_struct_hub(udev);
>         int i;
> 
>         /* Free up all the children before we remove this device */
>         for (i = 0; i < udev->maxchild; i++) {
>                 if (hub->ports[i]->child)
> 
> This can see NULL hub->ports:
> 
> void usb_hub_adjust_deviceremovable(struct usb_device *hdev,
>                 struct usb_hub_descriptor *desc)
> {
>         struct usb_hub *hub = usb_hub_to_struct_hub(hdev);
>         enum usb_port_connect_type connect_type;
>         int i;
> 
>         if (!hub)
>                 return;
> 
>         if (!hub_is_superspeed(hdev)) {
>                 for (i = 1; i <= hdev->maxchild; i++) {
>                         struct usb_port *port_dev = hub->ports[i - 1];
> 
> This can see a NULL hub:
> 
> static int hub_set_address(struct usb_device *udev, int devnum)
> {
>         int retval;
>         unsigned int timeout_ms = USB_CTRL_SET_TIMEOUT;
>         struct usb_hcd *hcd = bus_to_hcd(udev->bus);
>         struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
> 
>         if (hub->hdev->quirks & USB_QUIRK_SHORT_SET_ADDRESS_REQ_TIMEOUT)
> 
> I've attached a demo that runs into some of these NULL dereferences.
> It depends on being able to run usbip (and modprobe vhci-hcd).

Great, can you submit patches to fix these issues now that you have a
reliable test program to verify the problem?

thanks,

greg k-h
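The defect the report describes is a loop that trusts udev->maxchild while the hub structure (or its ports table) that the loop indexes may not exist. As an added illustration, not code from this thread or from the kernel, the following user-space C model reproduces that pattern with a guarded walk over the port table. All struct layouts, the model_ prefixed names, the stand-in model_hub_to_struct_hub() lookup and the three sample scenarios are simplified constructions for this example only.

```c
/*
 * Added example (not kernel code): a user-space model of the hub.c
 * pattern quoted in the report. The structs and the model_* functions
 * are simplified constructions, not the kernel's own types or API.
 */
#include <stddef.h>
#include <stdio.h>

struct model_hub;
struct model_port;

struct model_device {
    int maxchild;                 /* ports the hub descriptor claims */
    struct model_hub *hub;        /* hub state, may be NULL */
};

struct model_port {
    struct model_device *child;   /* attached device, or NULL */
};

struct model_hub {
    struct model_port **ports;    /* may still be NULL during setup/teardown */
};

/* Stand-in for usb_hub_to_struct_hub(): NULL when no hub state is bound. */
static struct model_hub *model_hub_to_struct_hub(struct model_device *dev)
{
    if (!dev || dev->maxchild == 0)
        return NULL;
    return dev->hub;
}

/*
 * Guarded counterpart of the loops in recursively_mark_NOTATTACHED() and
 * hub_disconnect_children() quoted above. Returns the number of attached
 * children, or -1 when the hub or its port table is absent even though
 * maxchild > 0, which is the inconsistent state the report describes.
 */
int model_count_children(struct model_device *udev)
{
    struct model_hub *hub = model_hub_to_struct_hub(udev);
    int i, count = 0;

    /* maxchild > 0 is not proof that hub and hub->ports exist. */
    if (!hub || !hub->ports)
        return -1;

    for (i = 0; i < udev->maxchild; i++) {
        /* An individual port slot may be unpopulated too; skip, don't trust. */
        if (hub->ports[i] && hub->ports[i]->child)
            count++;
    }
    return count;
}

/* Constructed scenarios mirroring the cases named in the report. */
int model_scenario(int which)
{
    static struct model_device child_a, child_b;
    static struct model_port p0 = { &child_a }, p1 = { NULL }, p2 = { &child_b };
    static struct model_port *ports[3] = { &p0, &p1, &p2 };
    static struct model_hub good_hub = { ports };
    static struct model_hub empty_hub = { NULL };
    struct model_device dev = { 3, NULL };

    switch (which) {
    case 0: dev.hub = &good_hub;  break;  /* healthy hub: two children attached */
    case 1: dev.hub = NULL;       break;  /* maxchild > 0 but no hub struct */
    case 2: dev.hub = &empty_hub; break;  /* hub bound, ports table still NULL */
    default: return -2;                   /* unknown scenario */
    }
    return model_count_children(&dev);
}

int main(void)
{
    int i;

    for (i = 0; i < 3; i++)
        printf("scenario %d -> %d\n", i, model_scenario(i));
    return 0;
}
```

The point of the model is the single guard before the loop: once hub and hub->ports are verified, every indexed access inside the loop is safe regardless of what maxchild claims, which is the check the quoted hub.c paths lack.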


Thread overview: 8+ messages
2025-01-20 17:27 USB hub code can dereference NULL hub and hub->ports rtm
2025-01-21  7:01 ` Greg KH [this message]
2025-01-22 11:37   ` rtm
2025-01-22 15:55     ` Alan Stern
2025-01-22 19:21       ` rtm
2025-01-22 19:26         ` [PATCH] USB: hub: Ignore non-compliant devices with too many configs or interfaces Alan Stern
2025-02-03 15:35           ` Alan Stern
2025-02-03 15:49             ` Greg KH
