diff mbox series

[2/2] usb: musb: Fix a possible null-pointer dereference in musb_handle_intr_connect()

Message ID 20191210165454.13772-3-b-liu@ti.com (mailing list archive)
State New, archived
Headers show
Series musb fixes for v5.5-rc2 | expand

Commit Message

Bin Liu Dec. 10, 2019, 4:54 p.m. UTC 
From: Jia-Ju Bai <baijiaju1990@gmail.com>

In musb_handle_intr_connect(), there is an if statement on line 783 to
check whether musb->hcd is NULL:
    if (musb->hcd)

When musb->hcd is NULL, it is used on line 797:
    musb_host_poke_root_hub(musb);
        if (musb->hcd->status_urb)

Thus, a possible null-pointer dereference may occur.

To fix this bug, musb->hcd is checked before calling
musb_host_poke_root_hub().

This bug is found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
---
 drivers/usb/musb/musb_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Greg KH Dec. 11, 2019, 8:09 a.m. UTC | #1 
On Tue, Dec 10, 2019 at 10:54:54AM -0600, Bin Liu wrote:
> From: Jia-Ju Bai <baijiaju1990@gmail.com>
> 
> In musb_handle_intr_connect(), there is an if statement on line 783 to
> check whether musb->hcd is NULL:
>     if (musb->hcd)
> 
> When musb->hcd is NULL, it is used on line 797:
>     musb_host_poke_root_hub(musb);
>         if (musb->hcd->status_urb)
> 
> Thus, a possible null-pointer dereference may occur.

Maybe, if musb->hcd really ever could be NULL.

In looking at the code, I don't see where that could happen, do you?
Why is that check there in the first place?

What sets musb->hcd to NULL in the first place?

thanks,

greg k-h
Jia-Ju Bai Dec. 11, 2019, 9:10 a.m. UTC | #2 
On 2019/12/11 16:09, Greg Kroah-Hartman wrote:
> On Tue, Dec 10, 2019 at 10:54:54AM -0600, Bin Liu wrote:
>> From: Jia-Ju Bai <baijiaju1990@gmail.com>
>>
>> In musb_handle_intr_connect(), there is an if statement on line 783 to
>> check whether musb->hcd is NULL:
>>      if (musb->hcd)
>>
>> When musb->hcd is NULL, it is used on line 797:
>>      musb_host_poke_root_hub(musb);
>>          if (musb->hcd->status_urb)
>>
>> Thus, a possible null-pointer dereference may occur.
> Maybe, if musb->hcd really ever could be NULL.
>
> In looking at the code, I don't see where that could happen, do you?
> Why is that check there in the first place?
>
> What sets musb->hcd to NULL in the first place?

In fact, my static analysis tool identifies an if check about musb->hcd, 
so it infers that musb->hcd could be NULL here.
But it does not try to find any explicit place that set musb->hcd to NULL.

If musb->hcd is never NULL here, we can just delete the related if check.


Best wishes,
Jia-Ju Bai
Greg KH Dec. 11, 2019, 9:20 a.m. UTC | #3 
On Wed, Dec 11, 2019 at 05:10:17PM +0800, Jia-Ju Bai wrote:
> 
> 
> On 2019/12/11 16:09, Greg Kroah-Hartman wrote:
> > On Tue, Dec 10, 2019 at 10:54:54AM -0600, Bin Liu wrote:
> > > From: Jia-Ju Bai <baijiaju1990@gmail.com>
> > > 
> > > In musb_handle_intr_connect(), there is an if statement on line 783 to
> > > check whether musb->hcd is NULL:
> > >      if (musb->hcd)
> > > 
> > > When musb->hcd is NULL, it is used on line 797:
> > >      musb_host_poke_root_hub(musb);
> > >          if (musb->hcd->status_urb)
> > > 
> > > Thus, a possible null-pointer dereference may occur.
> > Maybe, if musb->hcd really ever could be NULL.
> > 
> > In looking at the code, I don't see where that could happen, do you?
> > Why is that check there in the first place?
> > 
> > What sets musb->hcd to NULL in the first place?
> 
> In fact, my static analysis tool identifies an if check about musb->hcd, so
> it infers that musb->hcd could be NULL here.
> But it does not try to find any explicit place that set musb->hcd to NULL.

Can it do that?

> If musb->hcd is never NULL here, we can just delete the related if check.

I agree :)

thanks,

greg k-h
Jia-Ju Bai Dec. 17, 2019, 8:26 a.m. UTC | #4 
On 2019/12/11 17:20, Greg Kroah-Hartman wrote:
> On Wed, Dec 11, 2019 at 05:10:17PM +0800, Jia-Ju Bai wrote:
>>
>> On 2019/12/11 16:09, Greg Kroah-Hartman wrote:
>>> On Tue, Dec 10, 2019 at 10:54:54AM -0600, Bin Liu wrote:
>>>> From: Jia-Ju Bai <baijiaju1990@gmail.com>
>>>>
>>>> In musb_handle_intr_connect(), there is an if statement on line 783 to
>>>> check whether musb->hcd is NULL:
>>>>       if (musb->hcd)
>>>>
>>>> When musb->hcd is NULL, it is used on line 797:
>>>>       musb_host_poke_root_hub(musb);
>>>>           if (musb->hcd->status_urb)
>>>>
>>>> Thus, a possible null-pointer dereference may occur.
>>> Maybe, if musb->hcd really ever could be NULL.
>>>
>>> In looking at the code, I don't see where that could happen, do you?
>>> Why is that check there in the first place?
>>>
>>> What sets musb->hcd to NULL in the first place?
>> In fact, my static analysis tool identifies an if check about musb->hcd, so
>> it infers that musb->hcd could be NULL here.
>> But it does not try to find any explicit place that set musb->hcd to NULL.
> Can it do that?

Not yet...

>
>> If musb->hcd is never NULL here, we can just delete the related if check.
> I agree :)

Okay, I will send a new patch that delete the if check.


Best wishes,
Jia-Ju Bai
diff mbox series

Patch

diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
index 15cca912c53e..5080fc6a0808 100644
--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -794,7 +794,8 @@  static void musb_handle_intr_connect(struct musb *musb, u8 devctl, u8 int_usb)
 		break;
 	}
 
-	musb_host_poke_root_hub(musb);
+	if (musb->hcd)
+		musb_host_poke_root_hub(musb);
 
 	musb_dbg(musb, "CONNECT (%s) devctl %02x",
 			usb_otg_state_string(musb->xceiv->otg->state), devctl);