From: Thierry Reding <thierry.reding-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Greg Kroah-Hartman
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
Cc: Shailendra Verma
<shailendra.v-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>,
Mathias Nyman
<mathias.nyman-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
Stephen Warren <swarren-3lzwWm7+Weoh9ZMKESR00Q@public.gmane.org>,
Alexandre Courbot
<gnurou-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-tegra-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
p.shailesh-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org,
ashish.kalra-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org,
Shailendra Verma
<shailendra.capricorn-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: [PATCH] Usb: host - Fix possible NULL derefrence.
Date: Mon, 30 Jan 2017 08:03:23 +0100 [thread overview]
Message-ID: <20170130070323.GD3585@ulmo.ba.sec> (raw)
In-Reply-To: <20170130064521.GC4324-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
[-- Attachment #1: Type: text/plain, Size: 2058 bytes --]
On Mon, Jan 30, 2017 at 07:45:21AM +0100, Greg Kroah-Hartman wrote:
> On Mon, Jan 30, 2017 at 10:36:29AM +0530, Shailendra Verma wrote:
> > of_device_get_match_data could return NULL, and so can cause
> > a NULL pointer dereference later.
> >
> > Signed-off-by: Shailendra Verma <shailendra.v-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
> > ---
> > drivers/usb/host/xhci-tegra.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c
> > index a59fafb..890c778 100644
> > --- a/drivers/usb/host/xhci-tegra.c
> > +++ b/drivers/usb/host/xhci-tegra.c
> > @@ -903,6 +903,10 @@ static int tegra_xusb_probe(struct platform_device *pdev)
> > return -ENOMEM;
> >
> > tegra->soc = of_device_get_match_data(&pdev->dev);
> > + if (!tegra->soc) {
>
> How would the driver be loaded and the probe function called if this
> returns NULL?
>
> Is this ever possible?
No, it isn't. I've been NAK'ing this kind of patch for a while now.
There are two variants of this patch going about:
1) checking the return value of of_match_device()
2) checking the return value of of_device_get_match_data()
The same may also apply to of_match_node(), but I haven't seen that used
very much lately.
For of_match_device() the problem could technically occur if used in non
OF setups, because the device could be instantiated by hand in board
setup code. Tegra has been OF-only for a couple of years now, so there
is no way this can happen today.
of_device_get_match_data() is somewhat more complicated because it could
still return NULL if the OF table entry had its .data field set to NULL.
However in all drivers that I know that would be considered a bug, so
might as well let things crash at this point to make it immediately
obvious.
I had once been tempted to write a checkpatch rule for this, but I'm not
sure it's as easy as just warning if there's a check, because there are
some legitimate cases, even if they're very rare.
Thierry
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Thierry Reding <thierry.reding@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Shailendra Verma <shailendra.v@samsung.com>,
Mathias Nyman <mathias.nyman@intel.com>,
Stephen Warren <swarren@wwwdotorg.org>,
Alexandre Courbot <gnurou@gmail.com>,
linux-usb@vger.kernel.org, linux-tegra@vger.kernel.org,
linux-kernel@vger.kernel.org, p.shailesh@samsung.com,
ashish.kalra@samsung.com,
Shailendra Verma <shailendra.capricorn@gmail.com>
Subject: Re: [PATCH] Usb: host - Fix possible NULL derefrence.
Date: Mon, 30 Jan 2017 08:03:23 +0100 [thread overview]
Message-ID: <20170130070323.GD3585@ulmo.ba.sec> (raw)
In-Reply-To: <20170130064521.GC4324@kroah.com>
[-- Attachment #1: Type: text/plain, Size: 2030 bytes --]
On Mon, Jan 30, 2017 at 07:45:21AM +0100, Greg Kroah-Hartman wrote:
> On Mon, Jan 30, 2017 at 10:36:29AM +0530, Shailendra Verma wrote:
> > of_device_get_match_data could return NULL, and so can cause
> > a NULL pointer dereference later.
> >
> > Signed-off-by: Shailendra Verma <shailendra.v@samsung.com>
> > ---
> > drivers/usb/host/xhci-tegra.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c
> > index a59fafb..890c778 100644
> > --- a/drivers/usb/host/xhci-tegra.c
> > +++ b/drivers/usb/host/xhci-tegra.c
> > @@ -903,6 +903,10 @@ static int tegra_xusb_probe(struct platform_device *pdev)
> > return -ENOMEM;
> >
> > tegra->soc = of_device_get_match_data(&pdev->dev);
> > + if (!tegra->soc) {
>
> How would the driver be loaded and the probe function called if this
> returns NULL?
>
> Is this ever possible?
No, it isn't. I've been NAK'ing this kind of patch for a while now.
There are two variants of this patch going about:
1) checking the return value of of_match_device()
2) checking the return value of of_device_get_match_data()
The same may also apply to of_match_node(), but I haven't seen that used
very much lately.
For of_match_device() the problem could technically occur if used in non
OF setups, because the device could be instantiated by hand in board
setup code. Tegra has been OF-only for a couple of years now, so there
is no way this can happen today.
of_device_get_match_data() is somewhat more complicated because it could
still return NULL if the OF table entry had its .data field set to NULL.
However in all drivers that I know that would be considered a bug, so
might as well let things crash at this point to make it immediately
obvious.
I had once been tempted to write a checkpatch rule for this, but I'm not
sure it's as easy as just warning if there's a check, because there are
some legitimate cases, even if they're very rare.
Thierry
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2017-01-30 7:03 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20170130050640epcas2p1f856bc12df5d1ee6b9e0c66cf9dd6339@epcas2p1.samsung.com>
2017-01-30 5:06 ` [PATCH] Usb: host - Fix possible NULL derefrence Shailendra Verma
2017-01-30 5:06 ` Shailendra Verma
[not found] ` <1485752789-30374-1-git-send-email-shailendra.v-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2017-01-30 6:45 ` Greg Kroah-Hartman
2017-01-30 6:45 ` Greg Kroah-Hartman
[not found] ` <20170130064521.GC4324-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2017-01-30 7:03 ` Thierry Reding [this message]
2017-01-30 7:03 ` Thierry Reding
2017-01-30 19:37 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170130070323.GD3585@ulmo.ba.sec \
--to=thierry.reding-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=ashish.kalra-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org \
--cc=gnurou-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-tegra-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mathias.nyman-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=p.shailesh-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org \
--cc=shailendra.capricorn-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=shailendra.v-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org \
--cc=swarren-3lzwWm7+Weoh9ZMKESR00Q@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.