linux-safety.lists.elisa.tech archive mirror
* [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
@ 2020-10-05 21:31 Sudip Mukherjee
  2020-10-05 23:19 ` Harley A.W. Lorenzo
  2020-10-06  8:31 ` [linux-safety] " Sudip Mukherjee
  0 siblings, 2 replies; 6+ messages in thread
From: Sudip Mukherjee @ 2020-10-05 21:31 UTC (permalink / raw)
  To: Alan Stern, Greg Kroah-Hartman
  Cc: linux-kernel, linux-safety, linux-usb, Sudip Mukherjee

find_tt() can return NULL or the error value in ERR_PTR() and
dereferencing the return value without checking for the error can
lead to a possible dereference of NULL pointer or ERR_PTR().

Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
---
 drivers/usb/host/ehci-sched.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
index 6dfb242f9a4b..f3fd7e9fe6b2 100644
--- a/drivers/usb/host/ehci-sched.c
+++ b/drivers/usb/host/ehci-sched.c
@@ -245,6 +245,8 @@ static void reserve_release_intr_bandwidth(struct ehci_hcd *ehci,
 	/* FS/LS bus bandwidth */
 	if (tt_usecs) {
 		tt = find_tt(qh->ps.udev);
+		if (IS_ERR_OR_NULL(tt))
+			return;
 		if (sign > 0)
 			list_add_tail(&qh->ps.ps_list, &tt->ps_list);
 		else
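Review bot: the bare `return` added after `IS_ERR_OR_NULL(tt)` in reserve_release_intr_bandwidth() drops the failure silently, because the function is `static void` and has no way to report it. The caller carries on as if the FS/LS bandwidth had been reserved or released while `tt->ps_list` was never touched. Either make the failure visible (an error return or at least a warning), or, if this call site can never see a failed find_tt(), state that invariant in a comment instead of adding a branch that cannot be reached.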
@@ -1338,6 +1340,8 @@ static void reserve_release_iso_bandwidth(struct ehci_hcd *ehci,
 		}
 
 		tt = find_tt(stream->ps.udev);
+		if (IS_ERR_OR_NULL(tt))
+			return;
 		if (sign > 0)
 			list_add_tail(&stream->ps.ps_list, &tt->ps_list);
 		else
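Review bot: in reserve_release_iso_bandwidth() the new check sits after the block closed by the `}` just above, so an early `return` here leaves whatever that block already did in place and skips only the `tt->ps_list` update. If the check stays, it should run before any state is changed, or the error path should undo that state. The commit message should also name the path through find_tt() that can yield NULL or an ERR_PTR for `stream->ps.udev` at this point; without that the branch can be neither exercised nor reviewed.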
-- 
2.11.0


* Re: [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
  2020-10-05 21:31 [PATCH] usb: host: ehci-sched: avoid possible NULL dereference Sudip Mukherjee
@ 2020-10-05 23:19 ` Harley A.W. Lorenzo
  2020-10-06  1:25   ` stern
  2020-10-06  7:19   ` gregkh
  2020-10-06  8:31 ` [linux-safety] " Sudip Mukherjee
  1 sibling, 2 replies; 6+ messages in thread
From: Harley A.W. Lorenzo @ 2020-10-05 23:19 UTC (permalink / raw)
  To: Sudip Mukherjee, gregkh; +Cc: linux-kernel, linux-safety, linux-usb, stern

On Monday, October 5, 2020 5:31 PM, Sudip Mukherjee <sudipm.mukherjee@gmail.com> wrote:

> find_tt() can return NULL or the error value in ERR_PTR() and
> dereferencing the return value without checking for the error can
> lead to a possible dereference of NULL pointer or ERR_PTR().

Looks fine to me. There are in fact no checks of the return value
before a dereference here, and this solves that.

Reviewed-by: Harley A.W. Lorenzo <hl1998@protonmail.com


* Re: [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
  2020-10-05 23:19 ` Harley A.W. Lorenzo
@ 2020-10-06  1:25   ` stern
  2020-10-06 17:58     ` Alan Stern
  2020-10-06  7:19   ` gregkh
  1 sibling, 1 reply; 6+ messages in thread
From: stern @ 2020-10-06  1:25 UTC (permalink / raw)
  To: Harley A.W. Lorenzo
  Cc: Sudip Mukherjee, gregkh, linux-kernel, linux-safety, linux-usb

On Mon, Oct 05, 2020 at 11:19:02PM +0000, Harley A.W. Lorenzo wrote:
> On Monday, October 5, 2020 5:31 PM, Sudip Mukherjee <sudipm.mukherjee@gmail.com> wrote:
> 
> > find_tt() can return NULL or the error value in ERR_PTR() and
> > dereferencing the return value without checking for the error can
> > lead to a possible dereference of NULL pointer or ERR_PTR().
> 
> Looks fine to me. There are in fact no checks of the return value
> before a dereference here, and this solves that.
> 
> Reviewed-by: Harley A.W. Lorenzo <hl1998@protonmail.com

No, this patch is wrong.  In fact, these calls to find_tt() cannot 
return NULL or an ERR_PTR value.

Alan Stern


* Re: [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
  2020-10-05 23:19 ` Harley A.W. Lorenzo
  2020-10-06  1:25   ` stern
@ 2020-10-06  7:19   ` gregkh
  1 sibling, 0 replies; 6+ messages in thread
From: gregkh @ 2020-10-06  7:19 UTC (permalink / raw)
  To: Harley A.W. Lorenzo
  Cc: Sudip Mukherjee, linux-kernel, linux-safety, linux-usb, stern

On Mon, Oct 05, 2020 at 11:19:02PM +0000, Harley A.W. Lorenzo wrote:
> On Monday, October 5, 2020 5:31 PM, Sudip Mukherjee <sudipm.mukherjee@gmail.com> wrote:
> 
> > find_tt() can return NULL or the error value in ERR_PTR() and
> > dereferencing the return value without checking for the error can
> > lead to a possible dereference of NULL pointer or ERR_PTR().
> 
> Looks fine to me. There are in fact no checks of the return value
> before a dereference here, and this solves that.
> 
> Reviewed-by: Harley A.W. Lorenzo <hl1998@protonmail.com

Nit, in the future, you need the trailing '>' there.

thanks,

greg k-h


* Re: [linux-safety] [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
  2020-10-05 21:31 [PATCH] usb: host: ehci-sched: avoid possible NULL dereference Sudip Mukherjee
  2020-10-05 23:19 ` Harley A.W. Lorenzo
@ 2020-10-06  8:31 ` Sudip Mukherjee
  1 sibling, 0 replies; 6+ messages in thread
From: Sudip Mukherjee @ 2020-10-06  8:31 UTC (permalink / raw)
  To: development-process, linux-safety

Hi All,

I sent out this patch yesterday which I think is an obvious safety issue
as the error was not handled. This is a change in code and the resultant
binary will not be the same. I know we are moving to pcie now, but have we
decided yet how to validate these kinds of changes?


-- 
Regards
Sudip


On 05/10/2020 22:31, Sudip Mukherjee wrote:
> find_tt() can return NULL or the error value in ERR_PTR() and
> dereferencing the return value without checking for the error can
> lead to a possible dereference of NULL pointer or ERR_PTR().
> 
> Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> ---
>  drivers/usb/host/ehci-sched.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
> index 6dfb242f9a4b..f3fd7e9fe6b2 100644
> --- a/drivers/usb/host/ehci-sched.c
> +++ b/drivers/usb/host/ehci-sched.c
> @@ -245,6 +245,8 @@ static void reserve_release_intr_bandwidth(struct ehci_hcd *ehci,
>  	/* FS/LS bus bandwidth */
>  	if (tt_usecs) {
>  		tt = find_tt(qh->ps.udev);
> +		if (IS_ERR_OR_NULL(tt))
> +			return;
>  		if (sign > 0)
>  			list_add_tail(&qh->ps.ps_list, &tt->ps_list);
>  		else
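Review bot: `IS_ERR_OR_NULL(tt)` in this first hunk treats a NULL and an encoded errno as the same thing and then discards the value. If find_tt() can fail in both ways, as the commit message says, the two cases carry different information and the error code should be logged or propagated; if only one of them is possible here, test for that one (`IS_ERR(tt)` or `!tt`) so the check documents the actual contract.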
> @@ -1338,6 +1340,8 @@ static void reserve_release_iso_bandwidth(struct ehci_hcd *ehci,
>  		}
>  
>  		tt = find_tt(stream->ps.udev);
> +		if (IS_ERR_OR_NULL(tt))
> +			return;
>  		if (sign > 0)
>  			list_add_tail(&stream->ps.ps_list, &tt->ps_list);
>  		else
> 
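Review bot: the check in this second hunk is placed ahead of the `if (sign > 0) ... else` test, so it skips both branches, although only the `sign > 0` branch visibly dereferences `tt` (`&tt->ps_list`). Guarding both the same way means a call taking the `else` path returns without doing its work whenever the lookup fails. Narrow the check to the code that actually uses `tt`, or explain why skipping both directions is the intended behaviour.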


* Re: [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
  2020-10-06  1:25   ` stern
@ 2020-10-06 17:58     ` Alan Stern
  0 siblings, 0 replies; 6+ messages in thread
From: Alan Stern @ 2020-10-06 17:58 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Harley A.W. Lorenzo, gregkh, linux-kernel, linux-safety, linux-usb

On Mon, Oct 05, 2020 at 09:25:44PM -0400, stern@rowland.harvard.edu wrote:
> On Mon, Oct 05, 2020 at 11:19:02PM +0000, Harley A.W. Lorenzo wrote:
> > On Monday, October 5, 2020 5:31 PM, Sudip Mukherjee <sudipm.mukherjee@gmail.com> wrote:
> > 
> > > find_tt() can return NULL or the error value in ERR_PTR() and
> > > dereferencing the return value without checking for the error can
> > > lead to a possible dereference of NULL pointer or ERR_PTR().
> > 
> > Looks fine to me. There are in fact no checks of the return value
> > before a dereference here, and this solves that.
> > 
> > Reviewed-by: Harley A.W. Lorenzo <hl1998@protonmail.com
> 
> No, this patch is wrong.  In fact, these calls to find_tt() cannot 
> return NULL or an ERR_PTR value.

Sudip, if you would prefer to submit a patch that adds comments to those 
call sites explaining that find_tt() will not return NULL or an error, 
that would be okay.

Alan Stern

