[PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash

[PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash

[Biju Das]

The value returned by usb_role_switch_get() can be NULL and it leads
to NULL pointer crash. This patch fixes this issue by adding NULL
check for the role switch handle.

[   25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 (CAT874 + CAT875) (DT)
[   25.344991] Workqueue: events_unbound deferred_probe_work_func
[   25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
[   25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 [renesas_usb3]
[   25.370986] sp : ffff80000a4b3a40
[   25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: 0000000000000000
[   25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: ffff80000117f178
[   25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: 0000000000000000
[   25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: 0000000000000020
[   25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: 0000000000004000
[   25.410133] x14: 000000000000022b x13: 0000000000000001 x12: 0000000000000001
[   25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : ffff80000a4b3770
[   25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : ffff00000a8d8590
[   25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : ffff00000a8d84f4
[   25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : 0000000000000218
[   25.445942] Call trace:
[   25.448398]  renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
[   25.454613]  renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3]
[   25.460908]  usb_role_switch_set_role+0x44/0xa4
[   25.465468]  hd3ss3220_set_role+0xa0/0x100 [hd3ss3220]
[   25.470635]  hd3ss3220_probe+0x118/0x2fc [hd3ss3220]
[   25.475621]  i2c_device_probe+0x338/0x384

Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn: passing zero to 'PTR_ERR'")
Cc: stable@vger.kernel.org
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
This issue triggered on RZ/G2E board, where there is no USB3 firmware and it
returned a null role switch handle.

v1->v2:
 * Make it as individual patch
 * Added Cc tag
---
 drivers/usb/typec/hd3ss3220.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/typec/hd3ss3220.c b/drivers/usb/typec/hd3ss3220.c
index 2a58185fb14c..c24bbccd14f9 100644
--- a/drivers/usb/typec/hd3ss3220.c
+++ b/drivers/usb/typec/hd3ss3220.c
@@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client *client,
 		hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev);
 	}
 
-	if (IS_ERR(hd3ss3220->role_sw)) {
+	if (!hd3ss3220->role_sw) {
+		ret = -ENODEV;
+		goto err_put_fwnode;
+	} else if (IS_ERR(hd3ss3220->role_sw)) {
 		ret = PTR_ERR(hd3ss3220->role_sw);
 		goto err_put_fwnode;
 	}
-- 
2.25.1

Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash

[Heikki Krogerus]

Hi Biju,

On Fri, Dec 09, 2022 at 05:07:40PM +0000, Biju Das wrote:
> The value returned by usb_role_switch_get() can be NULL and it leads
> to NULL pointer crash. This patch fixes this issue by adding NULL
> check for the role switch handle.
> 
> [   25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 (CAT874 + CAT875) (DT)
> [   25.344991] Workqueue: events_unbound deferred_probe_work_func
> [   25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> [   25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> [   25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 [renesas_usb3]
> [   25.370986] sp : ffff80000a4b3a40
> [   25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: 0000000000000000
> [   25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: ffff80000117f178
> [   25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: 0000000000000000
> [   25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: 0000000000000020
> [   25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: 0000000000004000
> [   25.410133] x14: 000000000000022b x13: 0000000000000001 x12: 0000000000000001
> [   25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : ffff80000a4b3770
> [   25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : ffff00000a8d8590
> [   25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : ffff00000a8d84f4
> [   25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : 0000000000000218
> [   25.445942] Call trace:
> [   25.448398]  renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> [   25.454613]  renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3]
> [   25.460908]  usb_role_switch_set_role+0x44/0xa4
> [   25.465468]  hd3ss3220_set_role+0xa0/0x100 [hd3ss3220]
> [   25.470635]  hd3ss3220_probe+0x118/0x2fc [hd3ss3220]
> [   25.475621]  i2c_device_probe+0x338/0x384

Based on that backtrace, your role switch is not NULL.

You can only end up calling renesas_usb3_role_switch_set() if your
hd3ss3220->role_sw contains a handle to the renesas usb3 role switch.

> Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn: passing zero to 'PTR_ERR'")
> Cc: stable@vger.kernel.org
> Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> ---
> This issue triggered on RZ/G2E board, where there is no USB3 firmware and it
> returned a null role switch handle.
> 
> v1->v2:
>  * Make it as individual patch
>  * Added Cc tag
> ---
>  drivers/usb/typec/hd3ss3220.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/typec/hd3ss3220.c b/drivers/usb/typec/hd3ss3220.c
> index 2a58185fb14c..c24bbccd14f9 100644
> --- a/drivers/usb/typec/hd3ss3220.c
> +++ b/drivers/usb/typec/hd3ss3220.c
> @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client *client,
>  		hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev);
>  	}
>  
> -	if (IS_ERR(hd3ss3220->role_sw)) {
> +	if (!hd3ss3220->role_sw) {
> +		ret = -ENODEV;
> +		goto err_put_fwnode;
> +	} else if (IS_ERR(hd3ss3220->role_sw)) {
>  		ret = PTR_ERR(hd3ss3220->role_sw);
>  		goto err_put_fwnode;
>  	}

You should not do that.

Either I'm missing something, or this patch is hiding some other
issue.

thanks,

-- 
heikki

RE: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash

[Biju Das]

Hi Heikki,

Thanks for the feedback.

> Subject: Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash
> 
> Hi Biju,
> 
> On Fri, Dec 09, 2022 at 05:07:40PM +0000, Biju Das wrote:
> > The value returned by usb_role_switch_get() can be NULL and it leads
> > to NULL pointer crash. This patch fixes this issue by adding NULL
> > check for the role switch handle.
> >
> > [   25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874
> (CAT874 + CAT875) (DT)
> > [   25.344991] Workqueue: events_unbound deferred_probe_work_func
> > [   25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS
> BTYPE=--)
> > [   25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80
> [renesas_usb3]
> > [   25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80
> [renesas_usb3]
> > [   25.370986] sp : ffff80000a4b3a40
> > [   25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27:
> 0000000000000000
> > [   25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24:
> ffff80000117f178
> > [   25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21:
> 0000000000000000
> > [   25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18:
> 0000000000000020
> > [   25.402969] x17: ffff800076196000 x16: ffff800008004000 x15:
> 0000000000004000
> > [   25.410133] x14: 000000000000022b x13: 0000000000000001 x12:
> 0000000000000001
> > [   25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 :
> ffff80000a4b3770
> > [   25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 :
> ffff00000a8d8590
> > [   25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 :
> ffff00000a8d84f4
> > [   25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 :
> 0000000000000218
> > [   25.445942] Call trace:
> > [   25.448398]  renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> > [   25.454613]  renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3]
> > [   25.460908]  usb_role_switch_set_role+0x44/0xa4
> > [   25.465468]  hd3ss3220_set_role+0xa0/0x100 [hd3ss3220]
> > [   25.470635]  hd3ss3220_probe+0x118/0x2fc [hd3ss3220]
> > [   25.475621]  i2c_device_probe+0x338/0x384
> 
> Based on that backtrace, your role switch is not NULL.

I haven't provided the USB3 firmware, so companion device will fail. See [1]
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/drivers/usb/gadget/udc/renesas_usb3.c?h=next-20221208#n2917


Cheers,
Biju

> 
> You can only end up calling renesas_usb3_role_switch_set() if your
> hd3ss3220->role_sw contains a handle to the renesas usb3 role switch.
> 
> > Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn:
> > passing zero to 'PTR_ERR'")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> > ---
> > This issue triggered on RZ/G2E board, where there is no USB3 firmware
> > and it returned a null role switch handle.
> >
> > v1->v2:
> >  * Make it as individual patch
> >  * Added Cc tag
> > ---
> >  drivers/usb/typec/hd3ss3220.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/usb/typec/hd3ss3220.c
> > b/drivers/usb/typec/hd3ss3220.c index 2a58185fb14c..c24bbccd14f9
> > 100644
> > --- a/drivers/usb/typec/hd3ss3220.c
> > +++ b/drivers/usb/typec/hd3ss3220.c
> > @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client
> *client,
> >  		hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev);
> >  	}
> >
> > -	if (IS_ERR(hd3ss3220->role_sw)) {
> > +	if (!hd3ss3220->role_sw) {
> > +		ret = -ENODEV;
> > +		goto err_put_fwnode;
> > +	} else if (IS_ERR(hd3ss3220->role_sw)) {
> >  		ret = PTR_ERR(hd3ss3220->role_sw);
> >  		goto err_put_fwnode;
> >  	}
> 
> You should not do that.
> 
> Either I'm missing something, or this patch is hiding some other issue.
> 
> thanks,
> 
> --
> heikki

RE: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash

[Biju Das]

Hi Heikki,

> Subject: Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash
> 
> Hi Biju,
> 
> On Fri, Dec 09, 2022 at 05:07:40PM +0000, Biju Das wrote:
> > The value returned by usb_role_switch_get() can be NULL and it leads
> > to NULL pointer crash. This patch fixes this issue by adding NULL
> > check for the role switch handle.
> >
> > [   25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874
> (CAT874 + CAT875) (DT)
> > [   25.344991] Workqueue: events_unbound deferred_probe_work_func
> > [   25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS
> BTYPE=--)
> > [   25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80
> [renesas_usb3]
> > [   25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80
> [renesas_usb3]
> > [   25.370986] sp : ffff80000a4b3a40
> > [   25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27:
> 0000000000000000
> > [   25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24:
> ffff80000117f178
> > [   25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21:
> 0000000000000000
> > [   25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18:
> 0000000000000020
> > [   25.402969] x17: ffff800076196000 x16: ffff800008004000 x15:
> 0000000000004000
> > [   25.410133] x14: 000000000000022b x13: 0000000000000001 x12:
> 0000000000000001
> > [   25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 :
> ffff80000a4b3770
> > [   25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 :
> ffff00000a8d8590
> > [   25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 :
> ffff00000a8d84f4
> > [   25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 :
> 0000000000000218
> > [   25.445942] Call trace:
> > [   25.448398]  renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> > [   25.454613]  renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3]
> > [   25.460908]  usb_role_switch_set_role+0x44/0xa4
> > [   25.465468]  hd3ss3220_set_role+0xa0/0x100 [hd3ss3220]
> > [   25.470635]  hd3ss3220_probe+0x118/0x2fc [hd3ss3220]
> > [   25.475621]  i2c_device_probe+0x338/0x384
> 
> Based on that backtrace, your role switch is not NULL.
> 
> You can only end up calling renesas_usb3_role_switch_set() if your
> hd3ss3220->role_sw contains a handle to the renesas usb3 role switch.

Looks you are correct.

> 
> > Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn:
> > passing zero to 'PTR_ERR'")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> > ---
> > This issue triggered on RZ/G2E board, where there is no USB3 firmware
> > and it returned a null role switch handle.
> >
> > v1->v2:
> >  * Make it as individual patch
> >  * Added Cc tag
> > ---
> >  drivers/usb/typec/hd3ss3220.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/usb/typec/hd3ss3220.c
> > b/drivers/usb/typec/hd3ss3220.c index 2a58185fb14c..c24bbccd14f9
> > 100644
> > --- a/drivers/usb/typec/hd3ss3220.c
> > +++ b/drivers/usb/typec/hd3ss3220.c
> > @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client
> *client,
> >  		hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev);
> >  	}
> >
> > -	if (IS_ERR(hd3ss3220->role_sw)) {
> > +	if (!hd3ss3220->role_sw) {
> > +		ret = -ENODEV;
> > +		goto err_put_fwnode;
> > +	} else if (IS_ERR(hd3ss3220->role_sw)) {
> >  		ret = PTR_ERR(hd3ss3220->role_sw);
> >  		goto err_put_fwnode;
> >  	}
> 
> You should not do that.
> 
> Either I'm missing something, or this patch is hiding some other issue.

Looks It is a bug in renesas_usb3.c rather than this driver.

But how we will prevent hd3ss3220_set_role being called after
usb_role_switch_unregister(usb3->role_sw) from renesas_usb3.c
driver??

Cheers,
Biju

RE: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash

[Biju Das]

> Subject: RE: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash
> 
> Hi Heikki,
> 
> > Subject: Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash
> >
> > Hi Biju,
> >
> > On Fri, Dec 09, 2022 at 05:07:40PM +0000, Biju Das wrote:
> > > The value returned by usb_role_switch_get() can be NULL and it leads
> > > to NULL pointer crash. This patch fixes this issue by adding NULL
> > > check for the role switch handle.
> > >
> > > [   25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit
> EK874
> > (CAT874 + CAT875) (DT)
> > > [   25.344991] Workqueue: events_unbound deferred_probe_work_func
> > > [   25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS
> > BTYPE=--)
> > > [   25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80
> > [renesas_usb3]
> > > [   25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80
> > [renesas_usb3]
> > > [   25.370986] sp : ffff80000a4b3a40
> > > [   25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27:
> > 0000000000000000
> > > [   25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24:
> > ffff80000117f178
> > > [   25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21:
> > 0000000000000000
> > > [   25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18:
> > 0000000000000020
> > > [   25.402969] x17: ffff800076196000 x16: ffff800008004000 x15:
> > 0000000000004000
> > > [   25.410133] x14: 000000000000022b x13: 0000000000000001 x12:
> > 0000000000000001
> > > [   25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 :
> > ffff80000a4b3770
> > > [   25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 :
> > ffff00000a8d8590
> > > [   25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 :
> > ffff00000a8d84f4
> > > [   25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 :
> > 0000000000000218
> > > [   25.445942] Call trace:
> > > [   25.448398]  renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> > > [   25.454613]  renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3]
> > > [   25.460908]  usb_role_switch_set_role+0x44/0xa4
> > > [   25.465468]  hd3ss3220_set_role+0xa0/0x100 [hd3ss3220]
> > > [   25.470635]  hd3ss3220_probe+0x118/0x2fc [hd3ss3220]
> > > [   25.475621]  i2c_device_probe+0x338/0x384
> >
> > Based on that backtrace, your role switch is not NULL.
> >
> > You can only end up calling renesas_usb3_role_switch_set() if your
> > hd3ss3220->role_sw contains a handle to the renesas usb3 role switch.
> 
> Looks you are correct.
> 
> >
> > > Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn:
> > > passing zero to 'PTR_ERR'")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> > > ---
> > > This issue triggered on RZ/G2E board, where there is no USB3
> > > firmware and it returned a null role switch handle.
> > >
> > > v1->v2:
> > >  * Make it as individual patch
> > >  * Added Cc tag
> > > ---
> > >  drivers/usb/typec/hd3ss3220.c | 5 ++++-
> > >  1 file changed, 4 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/usb/typec/hd3ss3220.c
> > > b/drivers/usb/typec/hd3ss3220.c index 2a58185fb14c..c24bbccd14f9
> > > 100644
> > > --- a/drivers/usb/typec/hd3ss3220.c
> > > +++ b/drivers/usb/typec/hd3ss3220.c
> > > @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client
> > *client,
> > >  		hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev);
> > >  	}
> > >
> > > -	if (IS_ERR(hd3ss3220->role_sw)) {
> > > +	if (!hd3ss3220->role_sw) {
> > > +		ret = -ENODEV;
> > > +		goto err_put_fwnode;
> > > +	} else if (IS_ERR(hd3ss3220->role_sw)) {
> > >  		ret = PTR_ERR(hd3ss3220->role_sw);
> > >  		goto err_put_fwnode;
> > >  	}
> >
> > You should not do that.
> >
> > Either I'm missing something, or this patch is hiding some other issue.
> 
> Looks It is a bug in renesas_usb3.c rather than this driver.
> 
> But how we will prevent hd3ss3220_set_role being called after
> usb_role_switch_unregister(usb3->role_sw) from renesas_usb3.c driver??

Do we need to add additional check for "fwnode_usb_role_switch_get" and
"usb_role_switch_get" to return error if there is no registered role_switch device
Like the scenario above??

Cheers,
Biju

Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash

[Heikki Krogerus]

Hi,

On Mon, Dec 12, 2022 at 10:54:25AM +0000, Biju Das wrote:
> > Looks It is a bug in renesas_usb3.c rather than this driver.
> > 
> > But how we will prevent hd3ss3220_set_role being called after
> > usb_role_switch_unregister(usb3->role_sw) from renesas_usb3.c driver??

Normally that should not be a problem. When you get a reference to the
role switch, also the reference count of the switch driver module (on
top of the device) is incremented.

From where is usb_role_switch_unregister() being called in this case -
is it renesas_usb3_probe()?

If it is, would something like this help:

diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c
index 615ba0a6fbee1..d2e01f7cfef11 100644
--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -2907,18 +2907,13 @@ static int renesas_usb3_probe(struct platform_device *pdev)
        renesas_usb3_role_switch_desc.driver_data = usb3;
 
        INIT_WORK(&usb3->role_work, renesas_usb3_role_work);
-       usb3->role_sw = usb_role_switch_register(&pdev->dev,
-                                       &renesas_usb3_role_switch_desc);
-       if (!IS_ERR(usb3->role_sw)) {
-               usb3->host_dev = usb_of_get_companion_dev(&pdev->dev);
-               if (!usb3->host_dev) {
-                       /* If not found, this driver will not use a role sw */
-                       usb_role_switch_unregister(usb3->role_sw);
-                       usb3->role_sw = NULL;
-               }
-       } else {
+
+       usb3->host_dev = usb_of_get_companion_dev(&pdev->dev);
+       if (usb3->host_dev)
+               usb3->role_sw = usb_role_switch_register(&pdev->dev,
+                                                        &renesas_usb3_role_switch_desc);
+       if (IS_ERR(usb3->role_sw))
                usb3->role_sw = NULL;
-       }
 
        usb3->workaround_for_vbus = priv->workaround_for_vbus;
 


> Do we need to add additional check for "fwnode_usb_role_switch_get" and
> "usb_role_switch_get" to return error if there is no registered role_switch device
> Like the scenario above??

No. The switch is always an optional resource.

Error means that there is a switch that you can control, but you can't
get a handle to it for some reason.

NULL means you don't need to worry about it - there is no switch on
your platform that you could control.

thanks,

-- 
heikki

RE: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash

[Biju Das]

+ Shimoda-San

> -----Original Message-----
> From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> Sent: 13 December 2022 08:37
> To: Biju Das <biju.das.jz@bp.renesas.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>; Biju Das
> <biju.das@bp.renesas.com>; linux-usb@vger.kernel.org; Geert Uytterhoeven
> <geert+renesas@glider.be>; Fabrizio Castro
> <fabrizio.castro.jz@renesas.com>; linux-renesas-soc@vger.kernel.org;
> stable@vger.kernel.org
> Subject: Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash
> 
> Hi,
> 
> On Mon, Dec 12, 2022 at 10:54:25AM +0000, Biju Das wrote:
> > > Looks It is a bug in renesas_usb3.c rather than this driver.
> > >
> > > But how we will prevent hd3ss3220_set_role being called after
> > > usb_role_switch_unregister(usb3->role_sw) from renesas_usb3.c driver??
> 
> Normally that should not be a problem. When you get a reference to the
> role switch, also the reference count of the switch driver module (on top
> of the device) is incremented.
> 
> From where is usb_role_switch_unregister() being called in this case - is
> it renesas_usb3_probe()?

Yes, that os correct.

> 
> If it is, would something like this help:

Shimoda-San,

What is your thoughts on Heikki's proposal as below? It looks good to me.

> 
> diff --git a/drivers/usb/gadget/udc/renesas_usb3.c
> b/drivers/usb/gadget/udc/renesas_usb3.c
> index 615ba0a6fbee1..d2e01f7cfef11 100644
> --- a/drivers/usb/gadget/udc/renesas_usb3.c
> +++ b/drivers/usb/gadget/udc/renesas_usb3.c
> @@ -2907,18 +2907,13 @@ static int renesas_usb3_probe(struct
> platform_device *pdev)
>         renesas_usb3_role_switch_desc.driver_data = usb3;
> 
>         INIT_WORK(&usb3->role_work, renesas_usb3_role_work);
> -       usb3->role_sw = usb_role_switch_register(&pdev->dev,
> -                                       &renesas_usb3_role_switch_desc);
> -       if (!IS_ERR(usb3->role_sw)) {
> -               usb3->host_dev = usb_of_get_companion_dev(&pdev->dev);
> -               if (!usb3->host_dev) {
> -                       /* If not found, this driver will not use a role
> sw */
> -                       usb_role_switch_unregister(usb3->role_sw);
> -                       usb3->role_sw = NULL;
> -               }
> -       } else {
> +
> +       usb3->host_dev = usb_of_get_companion_dev(&pdev->dev);
> +       if (usb3->host_dev)
> +               usb3->role_sw = usb_role_switch_register(&pdev->dev,
> +
> &renesas_usb3_role_switch_desc);
> +       if (IS_ERR(usb3->role_sw))
>                 usb3->role_sw = NULL;
> -       }
> 
>         usb3->workaround_for_vbus = priv->workaround_for_vbus;
> 
> 
> 
> > Do we need to add additional check for "fwnode_usb_role_switch_get"
> > and "usb_role_switch_get" to return error if there is no registered
> > role_switch device Like the scenario above??
> 
> No. The switch is always an optional resource.
> 
> Error means that there is a switch that you can control, but you can't get
> a handle to it for some reason.
> 
> NULL means you don't need to worry about it - there is no switch on your
> platform that you could control.
> 
> thanks,
> 
> --
> heikki