[PATCH 0/2] musb fixes for v5.5-rc2

[PATCH 0/2] musb fixes for v5.5-rc2

[Bin Liu]

Hi Greg,

Here are couple patches for musb fixes for v5.5 -rc. Please let me know
if any change is needed.

Regards,
-Bin.
---

Jia-Ju Bai (1):
  usb: musb: Fix a possible null-pointer dereference in
    musb_handle_intr_connect()

Mans Rullgard (1):
  usb: musb: sunxi: propagate devicetree node to glue pdev

 drivers/usb/musb/musb_core.c | 3 ++-
 drivers/usb/musb/sunxi.c     | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

-- 
2.17.1

[PATCH 1/2] usb: musb: sunxi: propagate devicetree node to glue pdev

[Bin Liu]

From: Mans Rullgard <mans@mansr.com>

In order for devicetree nodes to be correctly associated with attached
devices, the controller node needs to be propagated to the glue device.

Signed-off-by: Mans Rullgard <mans@mansr.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
---
 drivers/usb/musb/sunxi.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/musb/sunxi.c b/drivers/usb/musb/sunxi.c
index 832a41f9ee7d..a72665fbf111 100644
--- a/drivers/usb/musb/sunxi.c
+++ b/drivers/usb/musb/sunxi.c
@@ -781,6 +781,8 @@ static int sunxi_musb_probe(struct platform_device *pdev)
 	pinfo.name	 = "musb-hdrc";
 	pinfo.id	= PLATFORM_DEVID_AUTO;
 	pinfo.parent	= &pdev->dev;
+	pinfo.fwnode	= of_fwnode_handle(pdev->dev.of_node);
+	pinfo.of_node_reused = true;
 	pinfo.res	= pdev->resource;
 	pinfo.num_res	= pdev->num_resources;
 	pinfo.data	= &pdata;
-- 
2.17.1

[PATCH 2/2] usb: musb: Fix a possible null-pointer dereference in musb_handle_intr_connect()

[Bin Liu]

From: Jia-Ju Bai <baijiaju1990@gmail.com>

In musb_handle_intr_connect(), there is an if statement on line 783 to
check whether musb->hcd is NULL:
    if (musb->hcd)

When musb->hcd is NULL, it is used on line 797:
    musb_host_poke_root_hub(musb);
        if (musb->hcd->status_urb)

Thus, a possible null-pointer dereference may occur.

To fix this bug, musb->hcd is checked before calling
musb_host_poke_root_hub().

This bug is found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
---
 drivers/usb/musb/musb_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
index 15cca912c53e..5080fc6a0808 100644
--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -794,7 +794,8 @@ static void musb_handle_intr_connect(struct musb *musb, u8 devctl, u8 int_usb)
 		break;
 	}
 
-	musb_host_poke_root_hub(musb);
+	if (musb->hcd)
+		musb_host_poke_root_hub(musb);
 
 	musb_dbg(musb, "CONNECT (%s) devctl %02x",
 			usb_otg_state_string(musb->xceiv->otg->state), devctl);
-- 
2.17.1

Re: [PATCH 1/2] usb: musb: sunxi: propagate devicetree node to glue pdev

[Greg Kroah-Hartman]

On Tue, Dec 10, 2019 at 10:54:53AM -0600, Bin Liu wrote:
> From: Mans Rullgard <mans@mansr.com>
> 
> In order for devicetree nodes to be correctly associated with attached
> devices, the controller node needs to be propagated to the glue device.
> 
> Signed-off-by: Mans Rullgard <mans@mansr.com>
> Signed-off-by: Bin Liu <b-liu@ti.com>
> ---
>  drivers/usb/musb/sunxi.c | 2 ++
>  1 file changed, 2 insertions(+)

Does this need to go to stable kernel(s)?  If so, what commit does this
fix fix?

thanks,

greg k-h

Re: [PATCH 2/2] usb: musb: Fix a possible null-pointer dereference in musb_handle_intr_connect()

[Greg Kroah-Hartman]

On Tue, Dec 10, 2019 at 10:54:54AM -0600, Bin Liu wrote:
> From: Jia-Ju Bai <baijiaju1990@gmail.com>
> 
> In musb_handle_intr_connect(), there is an if statement on line 783 to
> check whether musb->hcd is NULL:
>     if (musb->hcd)
> 
> When musb->hcd is NULL, it is used on line 797:
>     musb_host_poke_root_hub(musb);
>         if (musb->hcd->status_urb)
> 
> Thus, a possible null-pointer dereference may occur.

Maybe, if musb->hcd really ever could be NULL.

In looking at the code, I don't see where that could happen, do you?
Why is that check there in the first place?

What sets musb->hcd to NULL in the first place?

thanks,

greg k-h

Re: [PATCH 1/2] usb: musb: sunxi: propagate devicetree node to glue pdev

[Johan Hovold]

On Wed, Dec 11, 2019 at 09:05:28AM +0100, Greg Kroah-Hartman wrote:
> On Tue, Dec 10, 2019 at 10:54:53AM -0600, Bin Liu wrote:
> > From: Mans Rullgard <mans@mansr.com>
> > 
> > In order for devicetree nodes to be correctly associated with attached
> > devices, the controller node needs to be propagated to the glue device.
> > 
> > Signed-off-by: Mans Rullgard <mans@mansr.com>
> > Signed-off-by: Bin Liu <b-liu@ti.com>
> > ---
> >  drivers/usb/musb/sunxi.c | 2 ++
> >  1 file changed, 2 insertions(+)
> 
> Does this need to go to stable kernel(s)?  If so, what commit does this
> fix fix?

No, I'd say it's a new feature.

Johan

Re: [PATCH 1/2] usb: musb: sunxi: propagate devicetree node to glue pdev

[Greg Kroah-Hartman]

On Wed, Dec 11, 2019 at 09:49:35AM +0100, Johan Hovold wrote:
> On Wed, Dec 11, 2019 at 09:05:28AM +0100, Greg Kroah-Hartman wrote:
> > On Tue, Dec 10, 2019 at 10:54:53AM -0600, Bin Liu wrote:
> > > From: Mans Rullgard <mans@mansr.com>
> > > 
> > > In order for devicetree nodes to be correctly associated with attached
> > > devices, the controller node needs to be propagated to the glue device.
> > > 
> > > Signed-off-by: Mans Rullgard <mans@mansr.com>
> > > Signed-off-by: Bin Liu <b-liu@ti.com>
> > > ---
> > >  drivers/usb/musb/sunxi.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > 
> > Does this need to go to stable kernel(s)?  If so, what commit does this
> > fix fix?
> 
> No, I'd say it's a new feature.

Then why is it needed for 5.5-final and not for 5.6-rc1?

thanks,

greg k-h

Re: [PATCH 1/2] usb: musb: sunxi: propagate devicetree node to glue pdev

[Johan Hovold]

On Wed, Dec 11, 2019 at 09:51:22AM +0100, Greg Kroah-Hartman wrote:
> On Wed, Dec 11, 2019 at 09:49:35AM +0100, Johan Hovold wrote:
> > On Wed, Dec 11, 2019 at 09:05:28AM +0100, Greg Kroah-Hartman wrote:
> > > On Tue, Dec 10, 2019 at 10:54:53AM -0600, Bin Liu wrote:
> > > > From: Mans Rullgard <mans@mansr.com>
> > > > 
> > > > In order for devicetree nodes to be correctly associated with attached
> > > > devices, the controller node needs to be propagated to the glue device.
> > > > 
> > > > Signed-off-by: Mans Rullgard <mans@mansr.com>
> > > > Signed-off-by: Bin Liu <b-liu@ti.com>
> > > > ---
> > > >  drivers/usb/musb/sunxi.c | 2 ++
> > > >  1 file changed, 2 insertions(+)
> > > 
> > > Does this need to go to stable kernel(s)?  If so, what commit does this
> > > fix fix?
> > 
> > No, I'd say it's a new feature.
> 
> Then why is it needed for 5.5-final and not for 5.6-rc1?

Right, it shouldn't be needed in 5.5.

Johan

Re: [PATCH 2/2] usb: musb: Fix a possible null-pointer dereference in musb_handle_intr_connect()

[Jia-Ju Bai]

On 2019/12/11 16:09, Greg Kroah-Hartman wrote:
> On Tue, Dec 10, 2019 at 10:54:54AM -0600, Bin Liu wrote:
>> From: Jia-Ju Bai <baijiaju1990@gmail.com>
>>
>> In musb_handle_intr_connect(), there is an if statement on line 783 to
>> check whether musb->hcd is NULL:
>>      if (musb->hcd)
>>
>> When musb->hcd is NULL, it is used on line 797:
>>      musb_host_poke_root_hub(musb);
>>          if (musb->hcd->status_urb)
>>
>> Thus, a possible null-pointer dereference may occur.
> Maybe, if musb->hcd really ever could be NULL.
>
> In looking at the code, I don't see where that could happen, do you?
> Why is that check there in the first place?
>
> What sets musb->hcd to NULL in the first place?

In fact, my static analysis tool identifies an if check about musb->hcd, 
so it infers that musb->hcd could be NULL here.
But it does not try to find any explicit place that set musb->hcd to NULL.

If musb->hcd is never NULL here, we can just delete the related if check.


Best wishes,
Jia-Ju Bai

Re: [PATCH 2/2] usb: musb: Fix a possible null-pointer dereference in musb_handle_intr_connect()

[Greg Kroah-Hartman]

On Wed, Dec 11, 2019 at 05:10:17PM +0800, Jia-Ju Bai wrote:
> 
> 
> On 2019/12/11 16:09, Greg Kroah-Hartman wrote:
> > On Tue, Dec 10, 2019 at 10:54:54AM -0600, Bin Liu wrote:
> > > From: Jia-Ju Bai <baijiaju1990@gmail.com>
> > > 
> > > In musb_handle_intr_connect(), there is an if statement on line 783 to
> > > check whether musb->hcd is NULL:
> > >      if (musb->hcd)
> > > 
> > > When musb->hcd is NULL, it is used on line 797:
> > >      musb_host_poke_root_hub(musb);
> > >          if (musb->hcd->status_urb)
> > > 
> > > Thus, a possible null-pointer dereference may occur.
> > Maybe, if musb->hcd really ever could be NULL.
> > 
> > In looking at the code, I don't see where that could happen, do you?
> > Why is that check there in the first place?
> > 
> > What sets musb->hcd to NULL in the first place?
> 
> In fact, my static analysis tool identifies an if check about musb->hcd, so
> it infers that musb->hcd could be NULL here.
> But it does not try to find any explicit place that set musb->hcd to NULL.

Can it do that?

> If musb->hcd is never NULL here, we can just delete the related if check.

I agree :)

thanks,

greg k-h

Re: [PATCH 2/2] usb: musb: Fix a possible null-pointer dereference in musb_handle_intr_connect()

[Jia-Ju Bai]

On 2019/12/11 17:20, Greg Kroah-Hartman wrote:
> On Wed, Dec 11, 2019 at 05:10:17PM +0800, Jia-Ju Bai wrote:
>>
>> On 2019/12/11 16:09, Greg Kroah-Hartman wrote:
>>> On Tue, Dec 10, 2019 at 10:54:54AM -0600, Bin Liu wrote:
>>>> From: Jia-Ju Bai <baijiaju1990@gmail.com>
>>>>
>>>> In musb_handle_intr_connect(), there is an if statement on line 783 to
>>>> check whether musb->hcd is NULL:
>>>>       if (musb->hcd)
>>>>
>>>> When musb->hcd is NULL, it is used on line 797:
>>>>       musb_host_poke_root_hub(musb);
>>>>           if (musb->hcd->status_urb)
>>>>
>>>> Thus, a possible null-pointer dereference may occur.
>>> Maybe, if musb->hcd really ever could be NULL.
>>>
>>> In looking at the code, I don't see where that could happen, do you?
>>> Why is that check there in the first place?
>>>
>>> What sets musb->hcd to NULL in the first place?
>> In fact, my static analysis tool identifies an if check about musb->hcd, so
>> it infers that musb->hcd could be NULL here.
>> But it does not try to find any explicit place that set musb->hcd to NULL.
> Can it do that?

Not yet...

>
>> If musb->hcd is never NULL here, we can just delete the related if check.
> I agree :)

Okay, I will send a new patch that delete the if check.


Best wishes,
Jia-Ju Bai