Linux-USB Archive on lore.kernel.org
* [PATCH] USB: core: Fix potential Null Pointer dereference
From: Yizhuo @ 2019-10-10  1:02 UTC
  To: unlisted-recipients:; (no To-header on input)
  Cc: Yizhuo, Greg Kroah-Hartman, Alan Stern, Kai-Heng Feng,
	Mathias Nyman, Thinh Nguyen, Douglas Anderson,
	Nicolas Saenz Julienne, Jan-Marek Glogowski, Mathieu Malaterre,
	linux-usb, linux-kernel

Inside function usb_device_is_owned(), usb_hub_to_struct_hub()
could return NULL but there's no check before its dereference,
which is potentially unsafe.

Signed-off-by: Yizhuo <yzhai003@ucr.edu>
---
 drivers/usb/core/hub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 236313f41f4a..8d628c8e0c1b 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1977,7 +1977,7 @@ bool usb_device_is_owned(struct usb_device *udev)
 	if (udev->state == USB_STATE_NOTATTACHED || !udev->parent)
 		return false;
 	hub = usb_hub_to_struct_hub(udev->parent);
-	return !!hub->ports[udev->portnum - 1]->port_owner;
+	return hub && !!hub->ports[udev->portnum - 1]->port_owner;
 }
 
 static void recursively_mark_NOTATTACHED(struct usb_device *udev)
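
Review bot: the changelog does not say on which path usb_hub_to_struct_hub(udev->parent) returns NULL at this call site, even though the two context lines above the call already return false for USB_STATE_NOTATTACHED and for a NULL udev->parent. Please describe the sequence (or the analysis tool report) that reaches the return statement with hub == NULL, so the check can be judged as a fix for a reachable case and not only a defensive one. Style point on the added line: with `hub &&` in front, the `!!` is redundant, because && already yields 0 or 1.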
-- 
2.17.1



* Re: [PATCH] USB: core: Fix potential Null Pointer dereference
From: Greg Kroah-Hartman @ 2019-10-10  5:20 UTC
  To: Yizhuo
  Cc: Alan Stern, Kai-Heng Feng, Mathias Nyman, Thinh Nguyen,
	Douglas Anderson, Nicolas Saenz Julienne, Jan-Marek Glogowski,
	Mathieu Malaterre, linux-usb, linux-kernel

On Wed, Oct 09, 2019 at 06:02:02PM -0700, Yizhuo wrote:
> Inside function usb_device_is_owned(), usb_hub_to_struct_hub()
> could return NULL but there's no check before its dereference,
> which is potentially unsafe.
> 
> Signed-off-by: Yizhuo <yzhai003@ucr.edu>
> ---
>  drivers/usb/core/hub.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
> index 236313f41f4a..8d628c8e0c1b 100644
> --- a/drivers/usb/core/hub.c
> +++ b/drivers/usb/core/hub.c
> @@ -1977,7 +1977,7 @@ bool usb_device_is_owned(struct usb_device *udev)
>  	if (udev->state == USB_STATE_NOTATTACHED || !udev->parent)
>  		return false;
>  	hub = usb_hub_to_struct_hub(udev->parent);
> -	return !!hub->ports[udev->portnum - 1]->port_owner;
> +	return hub && !!hub->ports[udev->portnum - 1]->port_owner;
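
Review bot: the added return line tests only hub; in the same expression the index udev->portnum - 1 and the hub->ports[] entry are still used unchecked before ->port_owner is read, so the line guards one of three dereferences. If a NULL hub is really possible here, a separate `if (!hub) return false;` ahead of the return would match the early return two lines above and keep the ownership test readable.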

How can hub ever not be valid?

thanks,

greg k-h
