From nobody Tue Jun 30 06:34:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4737C433EF for ; Mon, 24 Jan 2022 12:15:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242716AbiAXMPp (ORCPT ); Mon, 24 Jan 2022 07:15:45 -0500 Received: from mta-p8.oit.umn.edu ([134.84.196.208]:39592 "EHLO mta-p8.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239342AbiAXMOR (ORCPT ); Mon, 24 Jan 2022 07:14:17 -0500 Received: from localhost (unknown [127.0.0.1]) by mta-p8.oit.umn.edu (Postfix) with ESMTP id 4Jj86b4RXcz9vC8s for ; Mon, 24 Jan 2022 12:14:15 +0000 (UTC) X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p8.oit.umn.edu ([127.0.0.1]) by localhost (mta-p8.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id omnldx4fKL66 for ; Mon, 24 Jan 2022 06:14:15 -0600 (CST) Received: from mail-pg1-f199.google.com (mail-pg1-f199.google.com [209.85.215.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p8.oit.umn.edu (Postfix) with ESMTPS id 4Jj86b2HTFz9vC8v for ; Mon, 24 Jan 2022 06:14:15 -0600 (CST) DMARC-Filter: OpenDMARC Filter v1.3.2 mta-p8.oit.umn.edu 4Jj86b2HTFz9vC8v DKIM-Filter: OpenDKIM Filter v2.11.0 mta-p8.oit.umn.edu 4Jj86b2HTFz9vC8v Received: by mail-pg1-f199.google.com with SMTP id c19-20020a637253000000b0035e0ba5a1bfso2760025pgn.13 for ; Mon, 24 Jan 2022 04:14:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=bcoDGYv5WbGoY7EVxjd/aG/krLpaD/QwL/X8pTR3VUk=; b=I9K1ey0NhGpNev5axEpQwfCr7zcPte2LN+htxeiycK6t56WT4om0xTQeVf5ij4PBd8 mcTOSD2Mkui15OuZYRuN2iDXVWOJ/2bsWFyJQs3u96aGJpBQqUIx9AXy67FKGAF9g9c8 tN6fzvCZuHeInuZKtq6p0rki6LhTW3I2o/prlUQQIlouqS4WRfBUhAC1MauNatB1WyhX 6eMHmcyiJqjHGZLa7+Rx0u+wUUQLjlZCx3gkxxMY7w29+LS+UfFwxdtOLMJ+3CfM42Ez K2AdD3u/IjP9llrpNtJalHxwk0TL4DN0f5MmwdHJf0SwUDlxneyUPsoOF60EGQSoBpHq ig4A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=bcoDGYv5WbGoY7EVxjd/aG/krLpaD/QwL/X8pTR3VUk=; b=uIbK6/j3YCXLDk+z/McbRcS7gHOLYgTPD17zMgxUrWf3t1rD08BMQnlBsfCLH/3F4p 1imvAvdaiDqROdnNQkFFe4SEkKJ7tcqN1iwa9eqIJNIYWeRzV39n9SE2sKk6ITatqcQx 4AGXuypEurClTNQWchgKZx4PZY9HHugsK6lmz7s/gkgyXXD9Y3Dz1yNiuqzfi+f0cK8B HuBwsvcxwaa5XObaYij1tzLeFnzYKLsPT53QFxMVmJThrUZ7MQcEsPs636xvouHTcRIn elBZCFaUOvS4X9GK0rM7he96T0P2DfHWgSbrmmbTDvNWjVAUbXHV/NRmvpv/XfxO7OlA dWhg== X-Gm-Message-State: AOAM531jNa133k7L3BiaURhiQubIkdwhrsjyxxCm+uo+5xBroZSqBnbB gpYeF8VcE1xNB4lCLBmFOpWMlk10odfMMgGIi6goB3jrQbq05Ebj3F5Z3RUfAcb59NULPysGgyv IFQrWSLZ5hOkAQFXFQyHhebXSNfFM X-Received: by 2002:a05:6a00:cc5:b0:4c3:832a:1180 with SMTP id b5-20020a056a000cc500b004c3832a1180mr14103252pfv.10.1643026454442; Mon, 24 Jan 2022 04:14:14 -0800 (PST) X-Google-Smtp-Source: ABdhPJzkPpY5o+pwP/MpYJFNoBFr9G8QoFt755MIYhSaRAtEQ74j4Dp4tq5YxTU7Ff5MZDdXIDiHSg== X-Received: by 2002:a05:6a00:cc5:b0:4c3:832a:1180 with SMTP id b5-20020a056a000cc500b004c3832a1180mr14103233pfv.10.1643026454188; Mon, 24 Jan 2022 04:14:14 -0800 (PST) Received: from zqy787-GE5S.lan ([36.4.61.248]) by smtp.gmail.com with ESMTPSA id b21sm11546359pgi.51.2022.01.24.04.14.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Jan 2022 04:14:13 -0800 (PST) From: Zhou Qingyang To: zhou1615@umn.edu Cc: kjlu@umn.edu, Felipe Balbi , Greg Kroah-Hartman , Johan Hovold , Nadezda Lutovinova , Yu Xu , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2] usb: gadget: mv_u3d: Fix a NULL pointer dereference in mv_u3d_req_to_trb() Date: Mon, 24 Jan 2022 20:12:33 +0800 Message-Id: <20220124121236.19761-1-zhou1615@umn.edu> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" In mv_u3d_req_to_trb(), mv_u3d_build_trb_one() is assigned to trb and there is a dereference of it in mv_u3d_req_to_trb(), which could lead to a NULL pointer dereference on failure of mv_u3d_build_trb_one(). Fix this bug by adding a check of trb. This bug was found by a static analyzer. Builds with CONFIG_USB_MV_U3D=3Dm show no new warnings, and our static analyzer no longer warns about this code. Fixes: 3d4eb9dfa3e8 ("usb: gadget: mv: Add USB 3.0 device driver for Marvel= l PXA2128 chip.") Signed-off-by: Zhou Qingyang --- The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths=20 and confirms that the inconsistent operations are not recovered in=20 the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Changes in v2: - Remove unnecessary error message drivers/usb/gadget/udc/mv_u3d_core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/gadget/udc/mv_u3d_core.c b/drivers/usb/gadget/udc/= mv_u3d_core.c index a1057ddfbda3..4573233f2835 100644 --- a/drivers/usb/gadget/udc/mv_u3d_core.c +++ b/drivers/usb/gadget/udc/mv_u3d_core.c @@ -417,6 +417,9 @@ static int mv_u3d_req_to_trb(struct mv_u3d_req *req) */ if (length <=3D (unsigned)MV_U3D_EP_MAX_LENGTH_TRANSFER) { trb =3D mv_u3d_build_trb_one(req, &count, &dma); + if (!trb) + return -ENOMEM; + list_add_tail(&trb->trb_list, &req->trb_list); req->trb_head =3D trb; req->trb_count =3D 1; --=20 2.25.1