* [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
From: Sudip Mukherjee @ 2020-10-05 21:31 UTC
To: Alan Stern, Greg Kroah-Hartman
Cc: linux-kernel, linux-safety, linux-usb, Sudip Mukherjee
find_tt() can return NULL or the error value in ERR_PTR() and
dereferencing the return value without checking for the error can
lead to a possible dereference of NULL pointer or ERR_PTR().
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
---
drivers/usb/host/ehci-sched.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
index 6dfb242f9a4b..f3fd7e9fe6b2 100644
--- a/drivers/usb/host/ehci-sched.c
+++ b/drivers/usb/host/ehci-sched.c
@@ -245,6 +245,8 @@ static void reserve_release_intr_bandwidth(struct ehci_hcd *ehci,
/* FS/LS bus bandwidth */
if (tt_usecs) {
tt = find_tt(qh->ps.udev);
+ if (IS_ERR_OR_NULL(tt))
+ return;
if (sign > 0)
list_add_tail(&qh->ps.ps_list, &tt->ps_list);
else
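Review bot: the bare `return;` under `if (IS_ERR_OR_NULL(tt))` in reserve_release_intr_bandwidth() hides the failure from the caller. The function is `static void` and nothing is logged, so a caller cannot tell that the `tt->ps_list` update was skipped. If find_tt() can fail at this call site, report it (for example with WARN_ON_ONCE()) or change the function so the error can propagate. If it cannot fail here, a comment stating why would serve better than a branch that never runs.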
@@ -1338,6 +1340,8 @@ static void reserve_release_iso_bandwidth(struct ehci_hcd *ehci,
}
tt = find_tt(stream->ps.udev);
+ if (IS_ERR_OR_NULL(tt))
+ return;
if (sign > 0)
list_add_tail(&stream->ps.ps_list, &tt->ps_list);
else
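Review bot: `IS_ERR_OR_NULL(tt)` in reserve_release_iso_bandwidth() folds the NULL case and the ERR_PTR() case into one exit and discards the errno an ERR_PTR() would carry. Neither the hunk nor the commit message says which of the two find_tt() produces for `stream->ps.udev`, or under what condition. Please document that at the call site, and if both outcomes are possible, handle them separately so the error code is not lost.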
--
2.11.0
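The failure mode the commit message above describes, as an added example that is not part of the patch or the kernel source: a userspace model of the kernel's ERR_PTR() encoding, showing that a NULL-only test lets an error pointer through while IS_ERR_OR_NULL() catches both. `demo_lookup()`, `struct demo_tt` and the two callers are hypothetical stand-ins; the example does not model find_tt() or settle whether these call sites can see a failure.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace copies of the encoding in the kernel's include/linux/err.h:
 * errno values 1..MAX_ERRNO are stored as the top 4095 addresses. */
#define MAX_ERRNO 4095UL
#define IS_ERR_VALUE(x) ((unsigned long)(x) >= (unsigned long)-MAX_ERRNO)

static void *ERR_PTR(long error) { return (void *)error; }
static long PTR_ERR(const void *ptr) { return (long)ptr; }
static int IS_ERR(const void *ptr) { return IS_ERR_VALUE((unsigned long)ptr); }
static int IS_ERR_OR_NULL(const void *ptr) { return !ptr || IS_ERR(ptr); }

struct demo_tt { int budget; };          /* hypothetical stand-in object */
static struct demo_tt demo_hub = { 125 };

/* Hypothetical lookup with the three outcomes the commit message names. */
static struct demo_tt *demo_lookup(int mode)
{
	if (mode == 0)
		return NULL;                 /* nothing found */
	if (mode == 1)
		return ERR_PTR(-ENOMEM);     /* errno encoded in the pointer */
	return &demo_hub;                    /* valid object */
}

/* Caller that tests only for NULL: returns 1 when it would dereference. */
static int null_check_only(int mode)
{
	return demo_lookup(mode) != NULL;
}

/* Caller that tests both: returns budget, or a negative errno (-ENOENT for NULL). */
static long checked_use(int mode)
{
	struct demo_tt *tt = demo_lookup(mode);

	if (IS_ERR_OR_NULL(tt))
		return tt ? PTR_ERR(tt) : -ENOENT;
	return tt->budget;
}

int main(void)
{
	for (int mode = 0; mode < 3; mode++)
		printf("mode %d: null-only check passes=%d, checked_use=%ld\n",
		       mode, null_check_only(mode), checked_use(mode));
	return 0;
}
```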
* Re: [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
From: Harley A.W. Lorenzo @ 2020-10-05 23:19 UTC
To: Sudip Mukherjee, gregkh; +Cc: linux-kernel, linux-safety, linux-usb, stern
On Monday, October 5, 2020 5:31 PM, Sudip Mukherjee <sudipm.mukherjee@gmail.com> wrote:
> find_tt() can return NULL or the error value in ERR_PTR() and
> dereferencing the return value without checking for the error can
> lead to a possible dereference of NULL pointer or ERR_PTR().
Looks fine to me. There are in fact no checks of the return value
before a dereference here, and this solves that.
Reviewed-by: Harley A.W. Lorenzo <hl1998@protonmail.com
* Re: [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
From: stern @ 2020-10-06 1:25 UTC
To: Harley A.W. Lorenzo
Cc: Sudip Mukherjee, gregkh, linux-kernel, linux-safety, linux-usb
On Mon, Oct 05, 2020 at 11:19:02PM +0000, Harley A.W. Lorenzo wrote:
> On Monday, October 5, 2020 5:31 PM, Sudip Mukherjee <sudipm.mukherjee@gmail.com> wrote:
>
> > find_tt() can return NULL or the error value in ERR_PTR() and
> > dereferencing the return value without checking for the error can
> > lead to a possible dereference of NULL pointer or ERR_PTR().
>
> Looks fine to me. There are in fact no checks of the return value
> before a dereference here, and this solves that.
>
> Reviewed-by: Harley A.W. Lorenzo <hl1998@protonmail.com
No, this patch is wrong. In fact, these calls to find_tt() cannot
return NULL or an ERR_PTR value.
Alan Stern
* Re: [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
From: gregkh @ 2020-10-06 7:19 UTC
To: Harley A.W. Lorenzo
Cc: Sudip Mukherjee, linux-kernel, linux-safety, linux-usb, stern
On Mon, Oct 05, 2020 at 11:19:02PM +0000, Harley A.W. Lorenzo wrote:
> On Monday, October 5, 2020 5:31 PM, Sudip Mukherjee <sudipm.mukherjee@gmail.com> wrote:
>
> > find_tt() can return NULL or the error value in ERR_PTR() and
> > dereferencing the return value without checking for the error can
> > lead to a possible dereference of NULL pointer or ERR_PTR().
>
> Looks fine to me. There are in fact no checks of the return value
> before a dereference here, and this solves that.
>
> Reviewed-by: Harley A.W. Lorenzo <hl1998@protonmail.com
Nit, in the future, you need the trailing '>' there.
thanks,
greg k-h
* Re: [linux-safety] [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
From: Sudip Mukherjee @ 2020-10-06 8:31 UTC
To: development-process, linux-safety
Hi All,
I sent out this patch yesterday which I think is an obvious safety issue
as the error was not handled. This is a change in code and the resultant
binary will not be the same. I know we are moving to pcie now, but have we
decided yet how to validate these kinds of changes?
--
Regards
Sudip
On 05/10/2020 22:31, Sudip Mukherjee wrote:
> find_tt() can return NULL or the error value in ERR_PTR() and
> dereferencing the return value without checking for the error can
> lead to a possible dereference of NULL pointer or ERR_PTR().
>
> Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> ---
> drivers/usb/host/ehci-sched.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
> index 6dfb242f9a4b..f3fd7e9fe6b2 100644
> --- a/drivers/usb/host/ehci-sched.c
> +++ b/drivers/usb/host/ehci-sched.c
> @@ -245,6 +245,8 @@ static void reserve_release_intr_bandwidth(struct ehci_hcd *ehci,
> /* FS/LS bus bandwidth */
> if (tt_usecs) {
> tt = find_tt(qh->ps.udev);
> + if (IS_ERR_OR_NULL(tt))
> + return;
> if (sign > 0)
> list_add_tail(&qh->ps.ps_list, &tt->ps_list);
> else
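Review bot: the new `return;` sits inside `if (tt_usecs) {`, so it leaves reserve_release_intr_bandwidth() entirely rather than only skipping the FS/LS block. Whatever the function did before the `/* FS/LS bus bandwidth */` comment stays applied and is not rolled back, and any code after the block is skipped as well. If only the tt accounting is meant to be skipped, guard the `if (sign > 0) ... else` on a valid `tt` instead of returning.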
> @@ -1338,6 +1340,8 @@ static void reserve_release_iso_bandwidth(struct ehci_hcd *ehci,
> }
>
> tt = find_tt(stream->ps.udev);
> + if (IS_ERR_OR_NULL(tt))
> + return;
> if (sign > 0)
> list_add_tail(&stream->ps.ps_list, &tt->ps_list);
> else
>
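Review bot: the early return in reserve_release_iso_bandwidth() applies to both directions of `sign`. It skips the `list_add_tail(&stream->ps.ps_list, &tt->ps_list)` on reserve and equally skips the `else` branch when `sign` is not positive, so a release call would leave without touching `stream->ps.ps_list`. The two directions deserve separate consideration, with a comment on what state a release is expected to leave behind when `tt` is unusable.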
* Re: [PATCH] usb: host: ehci-sched: avoid possible NULL dereference
From: Alan Stern @ 2020-10-06 17:58 UTC
To: Sudip Mukherjee
Cc: Harley A.W. Lorenzo, gregkh, linux-kernel, linux-safety, linux-usb
On Mon, Oct 05, 2020 at 09:25:44PM -0400, stern@rowland.harvard.edu wrote:
> On Mon, Oct 05, 2020 at 11:19:02PM +0000, Harley A.W. Lorenzo wrote:
> > On Monday, October 5, 2020 5:31 PM, Sudip Mukherjee <sudipm.mukherjee@gmail.com> wrote:
> >
> > > find_tt() can return NULL or the error value in ERR_PTR() and
> > > dereferencing the return value without checking for the error can
> > > lead to a possible dereference of NULL pointer or ERR_PTR().
> >
> > Looks fine to me. There are in fact no checks of the return value
> > before a dereference here, and this solves that.
> >
> > Reviewed-by: Harley A.W. Lorenzo <hl1998@protonmail.com
>
> No, this patch is wrong. In fact, these calls to find_tt() cannot
> return NULL or an ERR_PTR value.
Sudip, if you would prefer to submit a patch that adds comments to those
call sites explaining that find_tt() will not return NULL or an error,
that would be okay.
Alan Stern