From: Alan Stern <stern@rowland.harvard.edu>
To: Yuran Pereira <yuran.pereira@hotmail.com>
Cc: gregkh@linuxfoundation.org, royluo@google.com,
christophe.jaillet@wanadoo.fr, raychi@google.com,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot+c063a4e176681d2e0380@syzkaller.appspotmail.com
Subject: Re: [PATCH] USB: core: Fix a NULL pointer dereference
Date: Fri, 8 Sep 2023 12:42:16 -0400 [thread overview]
Message-ID: <d3ffde1a-e0da-4f3f-ac34-659cbcf41258@rowland.harvard.edu> (raw)
In-Reply-To: <AS8P192MB12697886EC8DF1650AD56A57E8EDA@AS8P192MB1269.EURP192.PROD.OUTLOOK.COM>
On Fri, Sep 08, 2023 at 09:09:37PM +0530, Yuran Pereira wrote:
>
> When the call to dev_set_name() in the usb_hub_create_port_device
> function fails to set the device's kobject's name field,
> the subsequent call to device_register() is bound to fail and cause
> a NULL pointer derefference, because kobject_add(), which is in the
> call sequence, expects the name field to be set before it is called
>
>
> This patch adds code to perform error checking for dev_set_name()'s
> return value. If the call to dev_set_name() was unsuccessful,
> usb_hub_create_port_device() returns with an error.
>
>
> PS: The patch also frees port_dev->req and port_dev before returning.
> However, I am not sure if that is necessary, because port_dev->req
> and port_dev are not freed when device_register() fails. Would be
> happy if someone could help me understand why that is, and whether I
> should keep those kfree calls in my patch.
>
> dashboard link: https://syzkaller.appspot.com/bug?extid=c063a4e176681d2e0380
>
> Reported-by: syzbot+c063a4e176681d2e0380@syzkaller.appspotmail.com
It shouldn't be necessary to check the return value from dev_set_name().
Most of its other call sites ignore the return value. In fact, only one
of the call sites in drivers/base/core.c does check the return value!
Furthermore, device_add() includes the following test for whether the
device's name has been set:
if (!dev_name(dev)) {
error = -EINVAL;
goto name_error;
}
The real question is why this test did not prevent the bug from
occurring. Until you can answer that question, any fix you propose is
highly questionable.
Alan Stern
next prev parent reply other threads:[~2023-09-08 16:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-08 15:39 [PATCH] USB: core: Fix a NULL pointer dereference Yuran Pereira
2023-09-08 16:42 ` Alan Stern [this message]
[not found] ` <AM9P192MB12670D185D208AFA51B8348EE8ECA@AM9P192MB1267.EURP192.PROD.OUTLOOK.COM>
2023-09-09 14:36 ` Alan Stern
2023-09-09 15:35 ` gregkh
[not found] ` <AS8P192MB1269A9732001D142F3272ACDE8F6A@AS8P192MB1269.EURP192.PROD.OUTLOOK.COM>
2023-09-15 1:42 ` Alan Stern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d3ffde1a-e0da-4f3f-ac34-659cbcf41258@rowland.harvard.edu \
--to=stern@rowland.harvard.edu \
--cc=christophe.jaillet@wanadoo.fr \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=raychi@google.com \
--cc=royluo@google.com \
--cc=syzbot+c063a4e176681d2e0380@syzkaller.appspotmail.com \
--cc=yuran.pereira@hotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox