From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Douglas Gilbert <dgilbert@interlog.com>,
Guenter Roeck <linux@roeck-us.net>, Jun Li <jun.li@nxp.com>,
Heikki Krogerus <heikki.krogerus@linux.intel.com>
Subject: [PATCH 4.19 29/91] usb: typec: tcpm: Add NULL check before dereferencing config
Date: Wed, 14 Aug 2019 19:00:52 +0200 [thread overview]
Message-ID: <20190814165750.919436537@linuxfoundation.org> (raw)
In-Reply-To: <20190814165748.991235624@linuxfoundation.org>
From: Guenter Roeck <linux@roeck-us.net>
commit 1957de95d425d1c06560069dc7277a73a8b28683 upstream.
When instantiating tcpm on an NXP OM 13588 board with NXP PTN5110,
the following crash is seen when writing into the 'preferred_role'
sysfs attribute.
Unable to handle kernel NULL pointer dereference at virtual address 00000028
pgd = f69149ad
[00000028] *pgd=00000000
Internal error: Oops: 5 [#1] THUMB2
Modules linked in: tcpci tcpm
CPU: 0 PID: 1882 Comm: bash Not tainted 5.1.18-sama5-armv7-r2 #4
Hardware name: Atmel SAMA5
PC is at tcpm_try_role+0x3a/0x4c [tcpm]
LR is at tcpm_try_role+0x15/0x4c [tcpm]
pc : [<bf8000e2>] lr : [<bf8000bd>] psr: 60030033
sp : dc1a1e88 ip : c03fb47d fp : 00000000
r10: dc216190 r9 : dc1a1f78 r8 : 00000001
r7 : df4ae044 r6 : dd032e90 r5 : dd1ce340 r4 : df4ae054
r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : df4ae044
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment none
Control: 50c53c7d Table: 3efec059 DAC: 00000051
Process bash (pid: 1882, stack limit = 0x6a6d4aa5)
Stack: (0xdc1a1e88 to 0xdc1a2000)
1e80: dd05d808 dd1ce340 00000001 00000007 dd1ce340 c03fb4a7
1ea0: 00000007 00000007 dc216180 00000000 00000000 c01e1e03 00000000 00000000
1ec0: c0907008 dee98b40 c01e1d5d c06106c4 00000000 00000000 00000007 c0194e8b
1ee0: 0000000a 00000400 00000000 c01a97db dc22bf00 ffffe000 df4b6a00 df745900
1f00: 00000001 00000001 000000dd c01a9c2f 7aeab3be c0907008 00000000 dc22bf00
1f20: c0907008 00000000 00000000 00000000 00000000 7aeab3be 00000007 dee98b40
1f40: 005dc318 dc1a1f78 00000000 00000000 00000007 c01969f7 0000000a c01a20cb
1f60: dee98b40 c0907008 dee98b40 005dc318 00000000 c0196b9b 00000000 00000000
1f80: dee98b40 7aeab3be 00000074 005dc318 b6f3bdb0 00000004 c0101224 dc1a0000
1fa0: 00000004 c0101001 00000074 005dc318 00000001 005dc318 00000007 00000000
1fc0: 00000074 005dc318 b6f3bdb0 00000004 00000007 00000007 00000000 00000000
1fe0: 00000004 be800880 b6ed35b3 b6e5c746 60030030 00000001 00000000 00000000
[<bf8000e2>] (tcpm_try_role [tcpm]) from [<c03fb4a7>] (preferred_role_store+0x2b/0x5c)
[<c03fb4a7>] (preferred_role_store) from [<c01e1e03>] (kernfs_fop_write+0xa7/0x150)
[<c01e1e03>] (kernfs_fop_write) from [<c0194e8b>] (__vfs_write+0x1f/0x104)
[<c0194e8b>] (__vfs_write) from [<c01969f7>] (vfs_write+0x6b/0x104)
[<c01969f7>] (vfs_write) from [<c0196b9b>] (ksys_write+0x43/0x94)
[<c0196b9b>] (ksys_write) from [<c0101001>] (ret_fast_syscall+0x1/0x62)
Since commit 96232cbc6c994 ("usb: typec: tcpm: support get typec and pd
config from device properties"), the 'config' pointer in struct tcpc_dev
is optional when registering a Type-C port. Since it is optional, we have
to check if it is NULL before dereferencing it.
Reported-by: Douglas Gilbert <dgilbert@interlog.com>
Cc: Douglas Gilbert <dgilbert@interlog.com>
Fixes: 96232cbc6c994 ("usb: typec: tcpm: support get typec and pd config from device properties")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Jun Li <jun.li@nxp.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/1563979112-22483-1-git-send-email-linux@roeck-us.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/usb/typec/tcpm.c
+++ b/drivers/usb/typec/tcpm.c
@@ -378,7 +378,8 @@ static enum tcpm_state tcpm_default_stat
return SNK_UNATTACHED;
else if (port->try_role == TYPEC_SOURCE)
return SRC_UNATTACHED;
- else if (port->tcpc->config->default_role == TYPEC_SINK)
+ else if (port->tcpc->config &&
+ port->tcpc->config->default_role == TYPEC_SINK)
return SNK_UNATTACHED;
/* Fall through to return SRC_UNATTACHED */
} else if (port->port_type == TYPEC_PORT_SNK) {
@@ -4096,7 +4097,7 @@ static int tcpm_try_role(const struct ty
mutex_lock(&port->lock);
if (tcpc->try_role)
ret = tcpc->try_role(tcpc, role);
- if (!ret && !tcpc->config->try_role_hw)
+ if (!ret && (!tcpc->config || !tcpc->config->try_role_hw))
port->try_role = role;
port->try_src_count = 0;
port->try_snk_count = 0;
@@ -4743,7 +4744,7 @@ static int tcpm_copy_caps(struct tcpm_po
port->typec_caps.prefer_role = tcfg->default_role;
port->typec_caps.type = tcfg->type;
port->typec_caps.data = tcfg->data;
- port->self_powered = port->tcpc->config->self_powered;
+ port->self_powered = tcfg->self_powered;
return 0;
}
next prev parent reply other threads:[~2019-08-14 17:09 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-14 17:00 [PATCH 4.19 00/91] 4.19.67-stable review Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 01/91] iio: cros_ec_accel_legacy: Fix incorrect channel setting Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 02/91] iio: adc: max9611: Fix misuse of GENMASK macro Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 03/91] staging: gasket: apex: fix copy-paste typo Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 04/91] staging: android: ion: Bail out upon SIGKILL when allocating memory Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 05/91] crypto: ccp - Fix oops by properly managing allocated structures Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 06/91] crypto: ccp - Add support for valid authsize values less than 16 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 07/91] crypto: ccp - Ignore tag length when decrypting GCM ciphertext Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 08/91] usb: usbfs: fix double-free of usb memory upon submiturb error Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 09/91] usb: iowarrior: fix deadlock on disconnect Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 10/91] sound: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 11/91] mmc: cavium: Set the correct dma max segment size for mmc_host Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 12/91] mmc: cavium: Add the missing dma unmap when the dma has finished Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 13/91] loop: set PF_MEMALLOC_NOIO for the worker thread Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 14/91] Input: usbtouchscreen - initialize PM mutex before using it Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 15/91] Input: elantech - enable SMBus on new (2018+) systems Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 16/91] Input: synaptics - enable RMI mode for HP Spectre X360 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 17/91] x86/mm: Check for pfn instead of page in vmalloc_sync_one() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 18/91] x86/mm: Sync also unmappings in vmalloc_sync_all() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 19/91] mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 20/91] perf annotate: Fix s390 gap between kernel end and module start Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 21/91] perf db-export: Fix thread__exec_comm() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 22/91] perf record: Fix module size on s390 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 23/91] x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 24/91] gfs2: gfs2_walk_metadata fix Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 25/91] usb: host: xhci-rcar: Fix timeout in xhci_suspend() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 26/91] usb: yurex: Fix use-after-free in yurex_delete Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 27/91] usb: typec: tcpm: free log buf memory when remove debug file Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 28/91] usb: typec: tcpm: remove tcpm dir if no children Greg Kroah-Hartman
2019-08-14 17:00 ` Greg Kroah-Hartman [this message]
2019-08-14 17:00 ` [PATCH 4.19 30/91] usb: typec: tcpm: Ignore unsupported/unknown alternate mode requests Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 31/91] can: rcar_canfd: fix possible IRQ storm on high load Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 32/91] can: peak_usb: fix potential double kfree_skb() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 33/91] netfilter: nfnetlink: avoid deadlock due to synchronous request_module Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 34/91] vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 35/91] netfilter: Fix rpfilter dropping vrf packets by mistake Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 4.19 36/91] netfilter: conntrack: always store window size un-scaled Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 37/91] netfilter: nft_hash: fix symhash with modulus one Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 38/91] scripts/sphinx-pre-install: fix script for RHEL/CentOS Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 39/91] drm/amd/display: Wait for backlight programming completion in set backlight level Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 40/91] drm/amd/display: use encoders engine id to find matched free audio device Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 41/91] drm/amd/display: Fix dc_create failure handling and 666 color depths Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 42/91] drm/amd/display: Only enable audio if speaker allocation exists Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 43/91] drm/amd/display: Increase size of audios array Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 44/91] iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 45/91] nl80211: fix NL80211_HE_MAX_CAPABILITY_LEN Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 46/91] mac80211: dont warn about CW params when not using them Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 47/91] allocate_flower_entry: should check for null deref Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 48/91] hwmon: (nct6775) Fix register address and added missed tolerance for nct6106 Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 49/91] drm: silence variable conn set but not used Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 50/91] cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 51/91] s390/qdio: add sanity checks to the fast-requeue path Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 52/91] ALSA: compress: Fix regression on compressed capture streams Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 53/91] ALSA: compress: Prevent bypasses of set_params Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 54/91] ALSA: compress: Dont allow paritial drain operations on capture streams Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 55/91] ALSA: compress: Be more restrictive about when a drain is allowed Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 56/91] perf tools: Fix proper buffer size for feature processing Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 57/91] perf probe: Avoid calling freeing routine multiple times for same pointer Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 58/91] drbd: dynamically allocate shash descriptor Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 59/91] ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 60/91] nvme: fix multipath crash when ANA is deactivated Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 61/91] ARM: davinci: fix sleep.S build error on ARMv4 Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 62/91] ARM: dts: bcm: bcm47094: add missing #cells for mdio-bus-mux Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 63/91] scsi: megaraid_sas: fix panic on loading firmware crashdump Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 64/91] scsi: ibmvfc: fix WARN_ON during event pool release Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 65/91] scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 66/91] test_firmware: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 67/91] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 68/91] perf/core: Fix creating kernel counters for PMUs that override event->cpu Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 69/91] s390/dma: provide proper ARCH_ZONE_DMA_BITS value Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 70/91] HID: sony: Fix race condition between rumble and device remove Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 71/91] x86/purgatory: Do not use __builtin_memcpy and __builtin_memset Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 72/91] ALSA: usb-audio: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 73/91] can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 74/91] can: peak_usb: pcan_usb_fd: " Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 75/91] hwmon: (nct7802) Fix wrong detection of in4 presence Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 76/91] drm/i915: Fix wrong escape clock divisor init for GLK Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 77/91] ALSA: firewire: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 78/91] ALSA: hiface: fix multiple memory leak bugs Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 79/91] ALSA: hda - Dont override global PCM hw info flag Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 80/91] ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457) Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 81/91] mac80211: dont WARN on short WMM parameters from AP Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 82/91] dax: dax_layout_busy_page() should not unmap cow pages Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 83/91] SMB3: Fix deadlock in validate negotiate hits reconnect Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 84/91] smb3: send CAP_DFS capability during session setup Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 85/91] NFSv4: Fix an Oops in nfs4_do_setattr Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 86/91] KVM: Fix leak vCPUs VMCS value into other pCPU Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 87/91] mwifiex: fix 802.11n/WPA detection Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 88/91] iwlwifi: dont unmap as page memory that was mapped as single Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 89/91] iwlwifi: mvm: fix an out-of-bound access Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 90/91] iwlwifi: mvm: dont send GEO_TX_POWER_LIMIT on version < 41 Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 4.19 91/91] iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support Greg Kroah-Hartman
2019-08-14 21:36 ` [PATCH 4.19 00/91] 4.19.67-stable review kernelci.org bot
2019-08-15 1:29 ` Naresh Kamboju
2019-08-15 13:29 ` Guenter Roeck
2019-08-15 13:58 ` Daniel Díaz
2019-08-15 14:05 ` Guenter Roeck
2019-08-15 19:37 ` Greg Kroah-Hartman
2019-08-15 20:20 ` Guenter Roeck
2019-08-15 20:42 ` Greg Kroah-Hartman
2019-08-15 21:32 ` Guenter Roeck
2019-08-15 22:06 ` Greg Kroah-Hartman
2019-08-15 15:17 ` Guenter Roeck
2019-08-16 2:09 ` shuah
2019-08-16 6:38 ` Kelsey Skunberg
2019-08-16 6:53 ` Jinpu Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190814165750.919436537@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dgilbert@interlog.com \
--cc=heikki.krogerus@linux.intel.com \
--cc=jun.li@nxp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).