* [U-Boot] [PATCH] usb: xhci: Fix a potential NULL pointer dereference
@ 2015-08-14 12:13 Sergey Temerkhanov
2015-08-14 12:15 ` Marek Vasut
0 siblings, 1 reply; 7+ messages in thread
From: Sergey Temerkhanov @ 2015-08-14 12:13 UTC (permalink / raw)
To: u-boot
This patch fixes a potential NULL pointer dereference arising on
non-present/non-initialized xHCI controllers
Signed-off-by: Sergey Temerkhanov <s.temerkhanov@gmail.com>
Signed-off-by: Radha Mohan Chintakuntla <rchintakuntla@cavium.com>
---
drivers/usb/host/xhci.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 0b09643..a6c6659 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -199,7 +199,7 @@ int xhci_reset(struct xhci_hcor *hcor)
int ret;
/* Halting the Host first */
- debug("// Halt the HC\n");
+ debug("// Halt the HC: %p\n", hcor);
state = xhci_readl(&hcor->or_usbsts) & STS_HALT;
if (!state) {
cmd = xhci_readl(&hcor->or_usbcmd);
@@ -1093,9 +1093,11 @@ int usb_lowlevel_stop(int index)
{
struct xhci_ctrl *ctrl = (xhcic + index);
- xhci_lowlevel_stop(ctrl);
- xhci_hcd_stop(index);
- xhci_cleanup(ctrl);
+ if (ctrl->hcor) {
+ xhci_lowlevel_stop(ctrl);
+ xhci_hcd_stop(index);
+ xhci_cleanup(ctrl);
+ }
return 0;
}
--
2.2.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [U-Boot] [PATCH] usb: xhci: Fix a potential NULL pointer dereference
2015-08-14 12:13 [U-Boot] [PATCH] usb: xhci: Fix a potential NULL pointer dereference Sergey Temerkhanov
@ 2015-08-14 12:15 ` Marek Vasut
2015-08-14 13:00 ` Sergei Temerkhanov
0 siblings, 1 reply; 7+ messages in thread
From: Marek Vasut @ 2015-08-14 12:15 UTC (permalink / raw)
To: u-boot
On Friday, August 14, 2015 at 02:13:06 PM, Sergey Temerkhanov wrote:
> This patch fixes a potential NULL pointer dereference arising on
> non-present/non-initialized xHCI controllers
Hi,
can you please explain how can such a condition even happen ?
I believe the hcor must always be inited at that point. What
is the condition which triggers this ?
> Signed-off-by: Sergey Temerkhanov <s.temerkhanov@gmail.com>
> Signed-off-by: Radha Mohan Chintakuntla <rchintakuntla@cavium.com>
> ---
>
> drivers/usb/host/xhci.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
> index 0b09643..a6c6659 100644
> --- a/drivers/usb/host/xhci.c
> +++ b/drivers/usb/host/xhci.c
> @@ -199,7 +199,7 @@ int xhci_reset(struct xhci_hcor *hcor)
> int ret;
>
> /* Halting the Host first */
> - debug("// Halt the HC\n");
> + debug("// Halt the HC: %p\n", hcor);
> state = xhci_readl(&hcor->or_usbsts) & STS_HALT;
> if (!state) {
> cmd = xhci_readl(&hcor->or_usbcmd);
> @@ -1093,9 +1093,11 @@ int usb_lowlevel_stop(int index)
> {
> struct xhci_ctrl *ctrl = (xhcic + index);
>
> - xhci_lowlevel_stop(ctrl);
> - xhci_hcd_stop(index);
> - xhci_cleanup(ctrl);
> + if (ctrl->hcor) {
> + xhci_lowlevel_stop(ctrl);
> + xhci_hcd_stop(index);
> + xhci_cleanup(ctrl);
> + }
>
> return 0;
> }
Best regards,
Marek Vasut
^ permalink raw reply [flat|nested] 7+ messages in thread
* [U-Boot] [PATCH] usb: xhci: Fix a potential NULL pointer dereference
2015-08-14 12:15 ` Marek Vasut
@ 2015-08-14 13:00 ` Sergei Temerkhanov
2015-08-14 13:44 ` Marek Vasut
0 siblings, 1 reply; 7+ messages in thread
From: Sergei Temerkhanov @ 2015-08-14 13:00 UTC (permalink / raw)
To: u-boot
This may happen when, for example, one tries to get a single binary for
similar systems where those controllers may or may not present.
Regards,
Sergey
On Fri, Aug 14, 2015 at 3:15 PM, Marek Vasut <marex@denx.de> wrote:
> On Friday, August 14, 2015 at 02:13:06 PM, Sergey Temerkhanov wrote:
> > This patch fixes a potential NULL pointer dereference arising on
> > non-present/non-initialized xHCI controllers
>
> Hi,
>
> can you please explain how can such a condition even happen ?
> I believe the hcor must always be inited at that point. What
> is the condition which triggers this ?
>
> > Signed-off-by: Sergey Temerkhanov <s.temerkhanov@gmail.com>
> > Signed-off-by: Radha Mohan Chintakuntla <rchintakuntla@cavium.com>
> > ---
> >
> > drivers/usb/host/xhci.c | 10 ++++++----
> > 1 file changed, 6 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
> > index 0b09643..a6c6659 100644
> > --- a/drivers/usb/host/xhci.c
> > +++ b/drivers/usb/host/xhci.c
> > @@ -199,7 +199,7 @@ int xhci_reset(struct xhci_hcor *hcor)
> > int ret;
> >
> > /* Halting the Host first */
> > - debug("// Halt the HC\n");
> > + debug("// Halt the HC: %p\n", hcor);
> > state = xhci_readl(&hcor->or_usbsts) & STS_HALT;
> > if (!state) {
> > cmd = xhci_readl(&hcor->or_usbcmd);
> > @@ -1093,9 +1093,11 @@ int usb_lowlevel_stop(int index)
> > {
> > struct xhci_ctrl *ctrl = (xhcic + index);
> >
> > - xhci_lowlevel_stop(ctrl);
> > - xhci_hcd_stop(index);
> > - xhci_cleanup(ctrl);
> > + if (ctrl->hcor) {
> > + xhci_lowlevel_stop(ctrl);
> > + xhci_hcd_stop(index);
> > + xhci_cleanup(ctrl);
> > + }
> >
> > return 0;
> > }
>
> Best regards,
> Marek Vasut
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* [U-Boot] [PATCH] usb: xhci: Fix a potential NULL pointer dereference
2015-08-14 13:00 ` Sergei Temerkhanov
@ 2015-08-14 13:44 ` Marek Vasut
2015-08-14 14:29 ` Sergei Temerkhanov
0 siblings, 1 reply; 7+ messages in thread
From: Marek Vasut @ 2015-08-14 13:44 UTC (permalink / raw)
To: u-boot
On Friday, August 14, 2015 at 03:00:31 PM, Sergei Temerkhanov wrote:
> This may happen when, for example, one tries to get a single binary for
> similar systems where those controllers may or may not present.
Please DO STOP TOP-POSTING, I mentioned it already, it is really not helpful.
I think your patch is missing one small bit in usb_lowlevel_init() in xhci.c
In case xhci_lowlevel_init() fails and thus the controller is NOT inited, the
usb_lowlevel_stop() will still try to unregister such controller, which will
likely fail.
You might want to add a check which sets the HCOR and HCCR to NULL if the
xhci_lowlevel_init() fails. What do you think ?
> Regards,
> Sergey
>
> On Fri, Aug 14, 2015 at 3:15 PM, Marek Vasut <marex@denx.de> wrote:
> > On Friday, August 14, 2015 at 02:13:06 PM, Sergey Temerkhanov wrote:
> > > This patch fixes a potential NULL pointer dereference arising on
> > > non-present/non-initialized xHCI controllers
> >
> > Hi,
> >
> > can you please explain how can such a condition even happen ?
> > I believe the hcor must always be inited at that point. What
> > is the condition which triggers this ?
> >
> > > Signed-off-by: Sergey Temerkhanov <s.temerkhanov@gmail.com>
> > > Signed-off-by: Radha Mohan Chintakuntla <rchintakuntla@cavium.com>
> > > ---
> > >
> > > drivers/usb/host/xhci.c | 10 ++++++----
> > > 1 file changed, 6 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
> > > index 0b09643..a6c6659 100644
> > > --- a/drivers/usb/host/xhci.c
> > > +++ b/drivers/usb/host/xhci.c
> > > @@ -199,7 +199,7 @@ int xhci_reset(struct xhci_hcor *hcor)
> > >
> > > int ret;
> > >
> > > /* Halting the Host first */
> > >
> > > - debug("// Halt the HC\n");
> > > + debug("// Halt the HC: %p\n", hcor);
> > >
> > > state = xhci_readl(&hcor->or_usbsts) & STS_HALT;
> > > if (!state) {
> > >
> > > cmd = xhci_readl(&hcor->or_usbcmd);
> > >
> > > @@ -1093,9 +1093,11 @@ int usb_lowlevel_stop(int index)
> > >
> > > {
> > >
> > > struct xhci_ctrl *ctrl = (xhcic + index);
> > >
> > > - xhci_lowlevel_stop(ctrl);
> > > - xhci_hcd_stop(index);
> > > - xhci_cleanup(ctrl);
> > > + if (ctrl->hcor) {
> > > + xhci_lowlevel_stop(ctrl);
> > > + xhci_hcd_stop(index);
> > > + xhci_cleanup(ctrl);
> > > + }
> > >
> > > return 0;
> > >
> > > }
> >
> > Best regards,
> > Marek Vasut
Best regards,
Marek Vasut
^ permalink raw reply [flat|nested] 7+ messages in thread
* [U-Boot] [PATCH] usb: xhci: Fix a potential NULL pointer dereference
2015-08-14 13:44 ` Marek Vasut
@ 2015-08-14 14:29 ` Sergei Temerkhanov
2015-08-14 14:45 ` Marek Vasut
0 siblings, 1 reply; 7+ messages in thread
From: Sergei Temerkhanov @ 2015-08-14 14:29 UTC (permalink / raw)
To: u-boot
On Fri, Aug 14, 2015 at 4:44 PM, Marek Vasut <marex@denx.de> wrote:
> On Friday, August 14, 2015 at 03:00:31 PM, Sergei Temerkhanov wrote:
>> This may happen when, for example, one tries to get a single binary for
>> similar systems where those controllers may or may not present.
>
> Please DO STOP TOP-POSTING, I mentioned it already, it is really not helpful.
>
Sorry about that, had to struggle with Gmail on my tablet.
> I think your patch is missing one small bit in usb_lowlevel_init() in xhci.c
> In case xhci_lowlevel_init() fails and thus the controller is NOT inited, the
> usb_lowlevel_stop() will still try to unregister such controller, which will
> likely fail.
>
> You might want to add a check which sets the HCOR and HCCR to NULL if the
> xhci_lowlevel_init() fails. What do you think ?
Might be useful - it's more about error handling rather then core
configurations.
For the latter xhci_hcd_init() seems to be an appropriate place to set
hccr and hcor
to NULL.
For error handling, it might be useful to modify usb_low_level_init like this:
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index a6c6659..f8e2d70 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1079,6 +1079,11 @@ int usb_lowlevel_init(int index, enum
usb_init_type init, void **controller)
*controller = &xhcic[index];
+ if (ret) {
+ ctrl->hccr = NULL;
+ ctrl->hcor = NULL;
+ }
+
return ret;
}
>
>> Regards,
>> Sergey
>>
>> On Fri, Aug 14, 2015 at 3:15 PM, Marek Vasut <marex@denx.de> wrote:
>> > On Friday, August 14, 2015 at 02:13:06 PM, Sergey Temerkhanov wrote:
>> > > This patch fixes a potential NULL pointer dereference arising on
>> > > non-present/non-initialized xHCI controllers
>> >
>> > Hi,
>> >
>> > can you please explain how can such a condition even happen ?
>> > I believe the hcor must always be inited at that point. What
>> > is the condition which triggers this ?
>> >
>> > > Signed-off-by: Sergey Temerkhanov <s.temerkhanov@gmail.com>
>> > > Signed-off-by: Radha Mohan Chintakuntla <rchintakuntla@cavium.com>
>> > > ---
>> > >
>> > > drivers/usb/host/xhci.c | 10 ++++++----
>> > > 1 file changed, 6 insertions(+), 4 deletions(-)
>> > >
>> > > diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
>> > > index 0b09643..a6c6659 100644
>> > > --- a/drivers/usb/host/xhci.c
>> > > +++ b/drivers/usb/host/xhci.c
>> > > @@ -199,7 +199,7 @@ int xhci_reset(struct xhci_hcor *hcor)
>> > >
>> > > int ret;
>> > >
>> > > /* Halting the Host first */
>> > >
>> > > - debug("// Halt the HC\n");
>> > > + debug("// Halt the HC: %p\n", hcor);
>> > >
>> > > state = xhci_readl(&hcor->or_usbsts) & STS_HALT;
>> > > if (!state) {
>> > >
>> > > cmd = xhci_readl(&hcor->or_usbcmd);
>> > >
>> > > @@ -1093,9 +1093,11 @@ int usb_lowlevel_stop(int index)
>> > >
>> > > {
>> > >
>> > > struct xhci_ctrl *ctrl = (xhcic + index);
>> > >
>> > > - xhci_lowlevel_stop(ctrl);
>> > > - xhci_hcd_stop(index);
>> > > - xhci_cleanup(ctrl);
>> > > + if (ctrl->hcor) {
>> > > + xhci_lowlevel_stop(ctrl);
>> > > + xhci_hcd_stop(index);
>> > > + xhci_cleanup(ctrl);
>> > > + }
>> > >
>> > > return 0;
>> > >
>> > > }
>> >
>> > Best regards,
>> > Marek Vasut
>
> Best regards,
> Marek Vasut
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [U-Boot] [PATCH] usb: xhci: Fix a potential NULL pointer dereference
2015-08-14 14:29 ` Sergei Temerkhanov
@ 2015-08-14 14:45 ` Marek Vasut
2015-08-14 14:52 ` Sergei Temerkhanov
0 siblings, 1 reply; 7+ messages in thread
From: Marek Vasut @ 2015-08-14 14:45 UTC (permalink / raw)
To: u-boot
On Friday, August 14, 2015 at 04:29:43 PM, Sergei Temerkhanov wrote:
> On Fri, Aug 14, 2015 at 4:44 PM, Marek Vasut <marex@denx.de> wrote:
> > On Friday, August 14, 2015 at 03:00:31 PM, Sergei Temerkhanov wrote:
> >> This may happen when, for example, one tries to get a single binary for
> >> similar systems where those controllers may or may not present.
> >
> > Please DO STOP TOP-POSTING, I mentioned it already, it is really not
> > helpful.
>
> Sorry about that, had to struggle with Gmail on my tablet.
Thanks :)
> > I think your patch is missing one small bit in usb_lowlevel_init() in
> > xhci.c In case xhci_lowlevel_init() fails and thus the controller is NOT
> > inited, the usb_lowlevel_stop() will still try to unregister such
> > controller, which will likely fail.
> >
> > You might want to add a check which sets the HCOR and HCCR to NULL if the
> > xhci_lowlevel_init() fails. What do you think ?
>
> Might be useful - it's more about error handling rather then core
> configurations.
> For the latter xhci_hcd_init() seems to be an appropriate place to set
> hccr and hcor
> to NULL.
>
> For error handling, it might be useful to modify usb_low_level_init like
> this:
>
> diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
> index a6c6659..f8e2d70 100644
> --- a/drivers/usb/host/xhci.c
> +++ b/drivers/usb/host/xhci.c
> @@ -1079,6 +1079,11 @@ int usb_lowlevel_init(int index, enum
> usb_init_type init, void **controller)
>
> *controller = &xhcic[index];
>
> + if (ret) {
> + ctrl->hccr = NULL;
> + ctrl->hcor = NULL;
> + }
> +
> return ret;
> }
You might also want to set *controller to NULL, just to be explicitly correct.
Can you please send a V2 patch ?
^ permalink raw reply [flat|nested] 7+ messages in thread
* [U-Boot] [PATCH] usb: xhci: Fix a potential NULL pointer dereference
2015-08-14 14:45 ` Marek Vasut
@ 2015-08-14 14:52 ` Sergei Temerkhanov
0 siblings, 0 replies; 7+ messages in thread
From: Sergei Temerkhanov @ 2015-08-14 14:52 UTC (permalink / raw)
To: u-boot
On Fri, Aug 14, 2015 at 5:45 PM, Marek Vasut <marex@denx.de> wrote:
> On Friday, August 14, 2015 at 04:29:43 PM, Sergei Temerkhanov wrote:
>> On Fri, Aug 14, 2015 at 4:44 PM, Marek Vasut <marex@denx.de> wrote:
>> > On Friday, August 14, 2015 at 03:00:31 PM, Sergei Temerkhanov wrote:
>> >> This may happen when, for example, one tries to get a single binary for
>> >> similar systems where those controllers may or may not present.
>> >
>> > Please DO STOP TOP-POSTING, I mentioned it already, it is really not
>> > helpful.
>>
>> Sorry about that, had to struggle with Gmail on my tablet.
>
> Thanks :)
>
>> > I think your patch is missing one small bit in usb_lowlevel_init() in
>> > xhci.c In case xhci_lowlevel_init() fails and thus the controller is NOT
>> > inited, the usb_lowlevel_stop() will still try to unregister such
>> > controller, which will likely fail.
>> >
>> > You might want to add a check which sets the HCOR and HCCR to NULL if the
>> > xhci_lowlevel_init() fails. What do you think ?
>>
>> Might be useful - it's more about error handling rather then core
>> configurations.
>> For the latter xhci_hcd_init() seems to be an appropriate place to set
>> hccr and hcor
>> to NULL.
>>
>> For error handling, it might be useful to modify usb_low_level_init like
>> this:
>>
>> diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
>> index a6c6659..f8e2d70 100644
>> --- a/drivers/usb/host/xhci.c
>> +++ b/drivers/usb/host/xhci.c
>> @@ -1079,6 +1079,11 @@ int usb_lowlevel_init(int index, enum
>> usb_init_type init, void **controller)
>>
>> *controller = &xhcic[index];
>>
>> + if (ret) {
>> + ctrl->hccr = NULL;
>> + ctrl->hcor = NULL;
>> + }
>> +
>> return ret;
>> }
>
> You might also want to set *controller to NULL, just to be explicitly correct.
> Can you please send a V2 patch ?
OK, in a few minutes.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-08-14 14:52 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-08-14 12:13 [U-Boot] [PATCH] usb: xhci: Fix a potential NULL pointer dereference Sergey Temerkhanov
2015-08-14 12:15 ` Marek Vasut
2015-08-14 13:00 ` Sergei Temerkhanov
2015-08-14 13:44 ` Marek Vasut
2015-08-14 14:29 ` Sergei Temerkhanov
2015-08-14 14:45 ` Marek Vasut
2015-08-14 14:52 ` Sergei Temerkhanov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox