linux-usb.vger.kernel.org archive mirror
From: Greg KH <gregkh@linuxfoundation.org>
To: rtm@csail.mit.edu
Cc: linux-usb@vger.kernel.org
Subject: Re: USB hub code can dereference NULL hub and hub->ports
Date: Tue, 21 Jan 2025 08:01:22 +0100
Message-ID: <2025012150-nervous-john-fb53@gregkh>
In-Reply-To: <95564.1737394039@localhost>

On Mon, Jan 20, 2025 at 12:27:19PM -0500, rtm@csail.mit.edu wrote:
> The attached program, which acts via usbip as a USB device or hub,
> causes my linux machines to dereference some NULL pointers in
> drivers/usb/core/hub.c. These are places where udev->maxchild > 0, but
> either usb_hub_to_struct_hub(udev) returns NULL, or the returned hub
> has hub->ports == NULL.
> 
> This is one such place:
> 
> static void recursively_mark_NOTATTACHED(struct usb_device *udev)
> {
>         struct usb_hub *hub = usb_hub_to_struct_hub(udev);
>         int i;
> 
>         for (i = 0; i < udev->maxchild; ++i) {
>                 if (hub->ports[i]->child)
> 
> And this:
> 
> static void hub_disconnect_children(struct usb_device *udev)
> {
>         struct usb_hub *hub = usb_hub_to_struct_hub(udev);
>         int i;
> 
>         /* Free up all the children before we remove this device */
>         for (i = 0; i < udev->maxchild; i++) {
>                 if (hub->ports[i]->child)
> 
> This can see NULL hub->ports:
> 
> void usb_hub_adjust_deviceremovable(struct usb_device *hdev,
>                 struct usb_hub_descriptor *desc)
> {
>         struct usb_hub *hub = usb_hub_to_struct_hub(hdev);
>         enum usb_port_connect_type connect_type;
>         int i;
> 
>         if (!hub)
>                 return;
> 
>         if (!hub_is_superspeed(hdev)) {
>                 for (i = 1; i <= hdev->maxchild; i++) {
>                         struct usb_port *port_dev = hub->ports[i - 1];
> 
> This can see a NULL hub:
> 
> static int hub_set_address(struct usb_device *udev, int devnum)
> {
>         int retval;
>         unsigned int timeout_ms = USB_CTRL_SET_TIMEOUT;
>         struct usb_hcd *hcd = bus_to_hcd(udev->bus);
>         struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
> 
>         if (hub->hdev->quirks & USB_QUIRK_SHORT_SET_ADDRESS_REQ_TIMEOUT)
> 
> I've attached a demo that runs into some of these NULL dereferences.
> It depends on being able to run usbip (and modprobe vhci-hcd).

Great, can you submit patches to fix these issues now that you have a
reliable test program to verify the problem?

thanks,

greg k-h
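
Added example, not part of the thread and not kernel code or any patch from it: a userspace model of the condition the report describes, where maxchild > 0 but the hub pointer or hub->ports is NULL, with the walk guarded so maxchild is only used as a bound once both exist. The struct layouts are simplified stand-ins, and `model_hub_of` and `model_mark_notattached` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumption): only the fields the report mentions. */
struct usb_device;
struct usb_port { struct usb_device *child; };
struct usb_hub { struct usb_port **ports; };
struct usb_device {
    int maxchild;         /* port count claimed by the device */
    struct usb_hub *hub;  /* may be NULL even when maxchild > 0 */
    int notattached;
};

/* Stand-in for usb_hub_to_struct_hub(), which can return NULL. */
static struct usb_hub *model_hub_of(struct usb_device *udev)
{
    return udev ? udev->hub : NULL;
}

/* Marks udev and every reachable child; returns how many were marked.
 * maxchild bounds the loop only after hub and hub->ports are checked. */
static int model_mark_notattached(struct usb_device *udev)
{
    struct usb_hub *hub = model_hub_of(udev);
    int marked = 1;
    if (!udev)
        return 0;
    if (hub && hub->ports) {
        for (int i = 0; i < udev->maxchild; ++i) {
            struct usb_port *port = hub->ports[i];
            if (port && port->child)
                marked += model_mark_notattached(port->child);
        }
    }
    udev->notattached = 1;
    return marked;
}

int main(void)
{
    /* Constructed cases: no hub, hub without ports, hub with one child. */
    struct usb_device leaf = { 0, NULL, 0 };
    struct usb_port p0 = { &leaf };
    struct usb_port *ports[2] = { &p0, NULL };
    struct usb_hub empty = { NULL }, full = { ports };
    struct usb_device a = { 2, NULL, 0 }, b = { 2, &empty, 0 }, c = { 2, &full, 0 };
    printf("%d %d %d\n", model_mark_notattached(&a),
           model_mark_notattached(&b), model_mark_notattached(&c));
    return 0;
}
```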

Thread overview: 8+ messages
2025-01-20 17:27 USB hub code can dereference NULL hub and hub->ports rtm
2025-01-21  7:01 ` Greg KH [this message]
2025-01-22 11:37   ` rtm
2025-01-22 15:55     ` Alan Stern
2025-01-22 19:21       ` rtm
2025-01-22 19:26         ` [PATCH] USB: hub: Ignore non-compliant devices with too many configs or interfaces Alan Stern
2025-02-03 15:35           ` Alan Stern
2025-02-03 15:49             ` Greg KH
