From: Peter Chen
To: Jisheng Zhang
CC: "gregkh@linuxfoundation.org", "linux-usb@vger.kernel.org", "linux-kernel@vger.kernel.org", "linux-arm-kernel@lists.infradead.org"
Subject: Re: [PATCH] usb: chipidea: udc: fix NULL pointer dereference if udc_start failed
Date: Tue, 25 Apr 2017 16:29:48 +0800
Message-ID: <20170425082948.GB873@b29397-desktop>
In-Reply-To: <20170424123551.2465-1-jszhang@marvell.com>

On Mon, Apr 24, 2017 at 12:35:51PM +0000, Jisheng Zhang wrote:
> Fix below NULL pointer dereference. We set ci->roles[CI_ROLE_GADGET]
> too early in ci_hdrc_gadget_init(), if udc_start() fails due to some
> reason, the ci->roles[CI_ROLE_GADGET] check in ci_hdrc_gadget_destroy
> can't protect us.
>
> We fix this issue by only setting ci->roles[CI_ROLE_GADGET] if
> udc_start() succeeds.
>
> [ 1.398550] Unable to handle kernel NULL pointer dereference at
> virtual address 00000000
> ...
> [ 1.448600] PC is at dma_pool_free+0xb8/0xf0 > [ 1.453012] LR is at dma_pool_free+0x28/0xf0 > [ 2.113369] [] dma_pool_free+0xb8/0xf0 > [ 2.118857] [] destroy_eps+0x4c/0x68 > [ 2.124165] [] ci_hdrc_gadget_destroy+0x28/0x50 > [ 2.130461] [] ci_hdrc_probe+0x588/0x7e8 > [ 2.136129] [] platform_drv_probe+0x50/0xb8 > [ 2.142066] [] driver_probe_device+0x1fc/0x2a8 > [ 2.148270] [] __device_attach_driver+0x9c/0xf8 > [ 2.154563] [] bus_for_each_drv+0x58/0x98 > [ 2.160317] [] __device_attach+0xc4/0x138 > [ 2.166072] [] device_initial_probe+0x10/0x18 > [ 2.172185] [] bus_probe_device+0x94/0xa0 > [ 2.177940] [] device_add+0x3f0/0x560 > [ 2.183337] [] platform_device_add+0x180/0x240 > [ 2.189541] [] ci_hdrc_add_device+0x440/0x4f8 > [ 2.195654] [] ci_hdrc_usb2_probe+0x13c/0x2d8 > [ 2.201769] [] platform_drv_probe+0x50/0xb8 > [ 2.207705] [] driver_probe_device+0x1fc/0x2a8 > [ 2.213910] [] __driver_attach+0xac/0xb0 > [ 2.219575] [] bus_for_each_dev+0x60/0xa0 > [ 2.225329] [] driver_attach+0x20/0x28 > [ 2.230816] [] bus_add_driver+0x1d0/0x238 > [ 2.236571] [] driver_register+0x60/0xf8 > [ 2.242237] [] __platform_driver_register+0x44/0x50 > [ 2.248891] [] ci_hdrc_usb2_driver_init+0x18/0x20 > [ 2.255365] [] do_one_initcall+0x38/0x128 > [ 2.261121] [] kernel_init_freeable+0x1ac/0x250 > [ 2.267414] [] kernel_init+0x10/0x100 > [ 2.272810] [] ret_from_fork+0x10/0x50 > > Signed-off-by: Jisheng Zhang > --- > drivers/usb/chipidea/udc.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c > index f88e9157fad0..60a786c87c06 100644 > --- a/drivers/usb/chipidea/udc.c > +++ b/drivers/usb/chipidea/udc.c > @@ -1984,6 +1984,7 @@ static void udc_id_switch_for_host(struct ci_hdrc *ci) > int ci_hdrc_gadget_init(struct ci_hdrc *ci) > { > struct ci_role_driver *rdrv; > + int ret; > > if (!hw_read(ci, CAP_DCCPARAMS, DCCPARAMS_DC)) > return -ENXIO; 
> @@ -1996,7 +1997,10 @@ int ci_hdrc_gadget_init(struct ci_hdrc *ci) > rdrv->stop = udc_id_switch_for_host; > rdrv->irq = udc_irq; > rdrv->name = "gadget"; > - ci->roles[CI_ROLE_GADGET] = rdrv; > > - return udc_start(ci); > + ret = udc_start(ci); > + if (!ret) > + ci->roles[CI_ROLE_GADGET] = rdrv; > + > + return ret; > } > -- Thanks for fixing it. In fact, we'd better return failure if ret && ret != -ENXIO at probe, it stands for initialization for host or gadget has failed. -- Best Regards, Peter Chen
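
Review bot: In the second hunk of ci_hdrc_gadget_init(), ci->roles[CI_ROLE_GADGET] is now assigned only after udc_start() has returned 0, so the role slot stays NULL for the whole duration of udc_start(). Please confirm that nothing reached from udc_start(), including the rdrv->irq handler set just above, looks up ci->roles[CI_ROLE_GADGET] before it returns, and state that in the commit message. A one-line comment above `if (!ret)` saying the slot is deliberately left NULL on failure so that ci_hdrc_gadget_destroy() skips teardown would stop a later cleanup from moving the assignment back. The message also has no Fixes: tag naming the commit that introduced the early assignment, which would help backporting a fix for a NULL dereference hit during probe.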