Date: Thu, 8 Jun 2023 18:19:00 +0530
From: Manivannan Sadhasivam
To: Johan Hovold
Cc: Thinh Nguyen, Greg Kroah-Hartman, Andy Gross, Bjorn Andersson, Konrad Dybcio, Krishna Kurapati, linux-usb@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sandeep Maheswaram
Subject: Re: [PATCH 1/2] USB: dwc3: qcom: fix NULL-deref on suspend
Message-ID: <20230608124900.GE5672@thinkpad>
References: <20230607100540.31045-1-johan+linaro@kernel.org> <20230607100540.31045-2-johan+linaro@kernel.org>
In-Reply-To: <20230607100540.31045-2-johan+linaro@kernel.org>

On Wed, Jun 07, 2023 at 12:05:39PM +0200, Johan Hovold wrote:
> The Qualcomm dwc3 glue driver is currently accessing the driver data of
> the child core device during suspend and on wakeup interrupts. This is
> clearly a bad idea as the child may not have probed yet or could have
> been unbound from its driver.
>
> The first such layering violation was part of the initial version of the
> driver, but this was later made worse when the hack that accesses the
> driver data of the grand child xhci device to configure the wakeup
> interrupts was added.
>
> Fixing this properly is not that easily done, so add a sanity check to
> make sure that the child driver data is non-NULL before dereferencing it
> for now.
>
> Note that this relies on subtleties like the fact that driver core is
> making sure that the parent is not suspended while the child is probing.
> > Reported-by: Manivannan Sadhasivam > Link: https://lore.kernel.org/all/20230325165217.31069-4-manivannan.sadhasivam@linaro.org/ > Fixes: d9152161b4bf ("usb: dwc3: Add Qualcomm DWC3 glue layer driver") > Fixes: 6895ea55c385 ("usb: dwc3: qcom: Configure wakeup interrupts during suspend") > Cc: stable@vger.kernel.org # 3.18: a872ab303d5d: "usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup" > Cc: Sandeep Maheswaram > Cc: Krishna Kurapati > Signed-off-by: Johan Hovold Reviewed-by: Manivannan Sadhasivam - Mani > --- > drivers/usb/dwc3/dwc3-qcom.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c > index 959fc925ca7c..79b22abf9727 100644 > --- a/drivers/usb/dwc3/dwc3-qcom.c > +++ b/drivers/usb/dwc3/dwc3-qcom.c > @@ -308,7 +308,16 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) > /* Only usable in contexts where the role can not change. */ > static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) > { > - struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); > + struct dwc3 *dwc; > + > + /* > + * FIXME: Fix this layering violation. > + */ > + dwc = platform_get_drvdata(qcom->dwc3); > + > + /* Core driver may not have probed yet. */ > + if (!dwc) > + return false; > > return dwc->xhci; > } > -- > 2.39.3 > -- மணிவண்ணன் சதாசிவம்
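Review bot: The `if (!dwc) return false;` fallback in dwc3_qcom_is_host() makes an unprobed or unbound core indistinguishable from a controller that is not in host mode, and the comment above it names only the "may not have probed yet" case although the commit message also cites the child having been unbound. Consider extending the function's header comment ("Only usable in contexts where the role can not change.") to say that false is also returned when the core has no driver data, and mention unbind alongside probe in the inline comment. The FIXME text "Fix this layering violation." does not say what the violation is; a short statement that the glue driver must not read the child core's driver data would make it actionable. The NULL check is a plain read with no serialization visible in this hunk, and the commit message says correctness relies on driver-core ordering between parent suspend and child probe; recording that assumption in the FIXME comment would keep it visible in the code rather than only in the changelog.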