From nobody Mon Jun 15 21:40:14 2026 Received: from mail-ot1-f53.google.com (mail-ot1-f53.google.com [209.85.210.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 81FD6296BCB for ; Tue, 14 Apr 2026 01:01:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776128463; cv=none; b=BYiQLpTAtBzroHX/YhBOrGG0Tc/BFxZ92mDUYHBl6jWWIYLt2WxRA/GCNcsBJXC423z/K6ou8g5362o1eG3YC3pLu5tJjzZfWYj7QnnOt55i7ZgG/rhvx0zfL9eizMsN0MQSJMMwTpuTbxoCGX2llbK9sYosguBNDttnfl6CR9w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776128463; c=relaxed/simple; bh=MgxPj4jbaCxLE5wuCvLBNE8qYKkQXxzozDehyHqvTog=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PsRGJVlDJYrhMjrQ/S2WeIWfSlicPDqIwZNaD3RtysUtYwWLM+vn0Cqj+RzWstgxKoSzveiXerX/UPYa3Gp6uzq46wiaUQXqgOcFRPnmZQ5AuIa2aTfGyoLCqDiSR1YXEYWTgwqgt+n/0xtlXCpuy5euRALZOzHkkDCy9BXp08Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=adrianwowk.com; spf=pass smtp.mailfrom=adrianwowk.com; dkim=pass (2048-bit key) header.d=adrianwowk.com header.i=@adrianwowk.com header.b=f0RtSb1N; arc=none smtp.client-ip=209.85.210.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=adrianwowk.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=adrianwowk.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=adrianwowk.com header.i=@adrianwowk.com header.b="f0RtSb1N" Received: by mail-ot1-f53.google.com with SMTP id 46e09a7af769-7dbccb6ae20so2594332a34.3 for ; Mon, 13 Apr 2026 18:01:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adrianwowk.com; s=google; t=1776128460; x=1776733260; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=BiJj2U0dcApG4g4r33MMQF3Km4Fw6Tmwa9t2KLhofNk=; b=f0RtSb1N0L9+22g91GKBsSIzbYo48+SosaRqOc+6iCPMUEaKba1SYQQLLBjljFt5pT Pmgb+MLSgvPl+Sj6lL/8xtu7Oe0B9ceKAGfKGQRb9Cg4JzgmCbcgPoHih94b6HCVQUd0 JokmvBTI4d1/+YI9hqoiA11zppaQHK3yzUSJ8DWlROHWBmQl87oX/MZ5WD7r4L+HWAaM cjN+uYZLXjyGdYUgCfqqvnmkH+sHmw2voDSsEq+fveU4k01sDroICI5irE4lCx4DGGBT +PXtkkSARTvmoJHe7RnaK7eDH7CK9BYbUD2rJ505dEKEZxQJSTP4+CyJ+jLGNs31DVZD 6GfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776128460; x=1776733260; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=BiJj2U0dcApG4g4r33MMQF3Km4Fw6Tmwa9t2KLhofNk=; b=JFcay9Kh61nA7tJZly526CByyUN5djzEL9bHT9fG9TMlx0PvqI6Y/eW7fDpRvzpRfn RK+5ucNXa7gPeeXvNHcXvTATg4vnaS737KKicUZ1vKT5Vs3sstEbxLzb/V/K5rDY9sNr 2ckOD7IuW3IUkS774kG2O+Q2SNYAvyDInzY9hW4Hi9TG/pg2/zqHcUvVss5BelI3pMQc Jzw17J0abH/mGVs0XCyChHqzT1WoSVjk2nvUwmPgmHAH++xKA6iMlgv82mQOs2SiqD5M AJUvRi6MUMNH/uk4h3kTLpwwreb33BTNeRXYSK6DFAedzk7o8XjIuGhA/iMc5Rstg/NA EFew== X-Forwarded-Encrypted: i=1; AFNElJ8I3EW90KvzgzUoKoBhUwM46d9v8ZhvYQTdah95V+ZKF7m6UErGzQeIxnL41BGdflu9U4zebVeZdaLhWAY=@vger.kernel.org X-Gm-Message-State: AOJu0Yydk2shNl7UsbjeR06s2Sf531sT4ykzt/Na24CVd9KdldHYsWKo 6TWSTlSdAD1kCzKTwO3kpsVp81WsPbbz2oUEcoALwHhLj5fUDUmtfNgmdkNIev83Hbs= X-Gm-Gg: AeBDiet3YCRCaY67jvrReu3/lREOMUlKjUnXC6PsQ/RAQF+J4zbJM4UtngF6MOlafmM DIEJLSeDVWpTEllo84Dd65egkThUBrTGppG7LrQgioImcQPtBP0CeLW5Hwwigln+tglVrK1XPDF ci9emcM4L0X3mPBJaYr/3DVY67odi5plszWLT6Nd16va73YKEKEDd0Xl9QgO4BxpUKaxRthR2nR 0lumJ6YpqUoYuJQNT1uos6zt0lThJrto8qq0EqHJq6WW3Krz9K4ui/0ykV1ICmFYjLA7ZTkyDTZ IBhKbBStdsX8iZK2xE5rRfHuu6h4ScN8sNrSvxhqbU6gkPRkzUkcursAYManjnzYe/PrG70+qlJ XywFQV3aJ8jtQCdpnoSxQKEcLJVRhXYURlnK2FFKMiyaA5pNhXrLcADpZupmkEgC9ipoYKCAsCm iZQ6QVhUEgQPaDT2M4Upa+AQZHSkbFb/eW4hRelWCBSw== X-Received: by 2002:a05:6830:67cf:b0:7d9:ad90:573c with SMTP id 46e09a7af769-7dc27ed0496mr8826936a34.17.1776128460417; Mon, 13 Apr 2026 18:01:00 -0700 (PDT) Received: from linux-dev ([12.26.11.218]) by smtp.gmail.com with ESMTPSA id 46e09a7af769-7dc269d3255sm9964556a34.25.2026.04.13.18.00.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 18:00:59 -0700 (PDT) From: Adrian Wowk To: valentina.manea.m@gmail.com, shuah@kernel.org Cc: i@zenithal.me, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Adrian Wowk Subject: [PATCH 1/2] usbip: vhci_hcd: fix NULL deref in status_show_vhci Date: Mon, 13 Apr 2026 20:00:49 -0500 Message-ID: <20260414010050.158064-2-dev@adrianwowk.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260414010050.158064-1-dev@adrianwowk.com> References: <20260414010050.158064-1-dev@adrianwowk.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" platform_get_drvdata() can return NULL if a VHCI host controller's probe failed (e.g. due to USB bus number exhaustion). status_show_vhci() checked for a NULL pdev but not for a NULL hcd returned by platform_get_drvdata(). Passing NULL to hcd_to_vhci_hcd() does not return NULL - it returns a pointer offset of 0x260, causing a NULL pointer dereference when that value is subsequently dereferenced. Add a NULL check on hcd before calling hcd_to_vhci_hcd(). Move status_show_not_ready() above status_show_vhci() to make it callable from the new error path without a forward declaration. Signed-off-by: Adrian Wowk Reviewed-by: Shuah Khan --- drivers/usb/usbip/vhci_sysfs.c | 52 +++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 23 deletions(-) diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c index d5865460e82..336fb4d92c6 100644 --- a/drivers/usb/usbip/vhci_sysfs.c +++ b/drivers/usb/usbip/vhci_sysfs.c @@ -59,6 +59,29 @@ static void port_show_vhci(char **out, int hub, int port= , struct vhci_device *vd *out +=3D sprintf(*out, "\n"); } =20 +static ssize_t status_show_not_ready(int pdev_nr, char *out) +{ + char *s =3D out; + int i =3D 0; + + for (i =3D 0; i < VHCI_HC_PORTS; i++) { + out +=3D sprintf(out, "hs %04u %03u ", + (pdev_nr * VHCI_PORTS) + i, + VDEV_ST_NOTASSIGNED); + out +=3D sprintf(out, "000 00000000 0000000000000000 0-0"); + out +=3D sprintf(out, "\n"); + } + + for (i =3D 0; i < VHCI_HC_PORTS; i++) { + out +=3D sprintf(out, "ss %04u %03u ", + (pdev_nr * VHCI_PORTS) + VHCI_HC_PORTS + i, + VDEV_ST_NOTASSIGNED); + out +=3D sprintf(out, "000 00000000 0000000000000000 0-0"); + out +=3D sprintf(out, "\n"); + } + return out - s; +} + /* Sysfs entry to show port status */ static ssize_t status_show_vhci(int pdev_nr, char *out) { @@ -76,6 +99,12 @@ static ssize_t status_show_vhci(int pdev_nr, char *out) } =20 hcd =3D platform_get_drvdata(pdev); + + if (!hcd) { + usbip_dbg_vhci_sysfs("show status error (hcd is NULL)\n"); + return status_show_not_ready(pdev_nr, out); + } + vhci_hcd =3D hcd_to_vhci_hcd(hcd); vhci =3D vhci_hcd->vhci; =20 @@ -104,29 +133,6 @@ static ssize_t status_show_vhci(int pdev_nr, char *out) return out - s; } =20 -static ssize_t status_show_not_ready(int pdev_nr, char *out) -{ - char *s =3D out; - int i =3D 0; - - for (i =3D 0; i < VHCI_HC_PORTS; i++) { - out +=3D sprintf(out, "hs %04u %03u ", - (pdev_nr * VHCI_PORTS) + i, - VDEV_ST_NOTASSIGNED); - out +=3D sprintf(out, "000 00000000 0000000000000000 0-0"); - out +=3D sprintf(out, "\n"); - } - - for (i =3D 0; i < VHCI_HC_PORTS; i++) { - out +=3D sprintf(out, "ss %04u %03u ", - (pdev_nr * VHCI_PORTS) + VHCI_HC_PORTS + i, - VDEV_ST_NOTASSIGNED); - out +=3D sprintf(out, "000 00000000 0000000000000000 0-0"); - out +=3D sprintf(out, "\n"); - } - return out - s; -} - static int status_name_to_id(const char *name) { char *c; --=20 2.53.0 From nobody Mon Jun 15 21:40:14 2026 Received: from mail-ot1-f48.google.com (mail-ot1-f48.google.com [209.85.210.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D961B28136F for ; Tue, 14 Apr 2026 01:01:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776128465; cv=none; b=Bp8b91Q98IOcLqg/K5wUOepp7TZMbphbPR5MwQrAAVURFMt8oIQFkIpioycn9FqUxyxzIiZ/+rr0lV/OKprMPtLc+ID7aJV4z827y8YtaIWKWnA2FfV2f8buLvR+dZSwdaIhkHZHDTIiXWPoS4ZC/t0QEjLZjRoGfz/fRYXD6tY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776128465; c=relaxed/simple; bh=Jgh8JGtMuLPuc0fjWZmvaREZhlmPxFCuZkpbNI589XE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=FgJjOyxMvJClV2SsppTtuyLbCGraEP+nyluW4AaJcqNp7VDZxqSErpE9gQgMd59ywPbrsTI7d5NnTAux2jLXbPdKnJU8tIMl55rl18Aw8MOEwKv+oZqJ/8bx5euTPXPM42cr/bGNOw87SlnI1CDj+YW21K4CAleNVFk3pMe2XMo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=adrianwowk.com; spf=pass smtp.mailfrom=adrianwowk.com; dkim=pass (2048-bit key) header.d=adrianwowk.com header.i=@adrianwowk.com header.b=egesS+I3; arc=none smtp.client-ip=209.85.210.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=adrianwowk.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=adrianwowk.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=adrianwowk.com header.i=@adrianwowk.com header.b="egesS+I3" Received: by mail-ot1-f48.google.com with SMTP id 46e09a7af769-7d556c1a79eso6866186a34.3 for ; Mon, 13 Apr 2026 18:01:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adrianwowk.com; s=google; t=1776128463; x=1776733263; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=dWl3rPpOGMjT1OIH94kOV5+0jR8Ovo4+agJ500Odb3k=; b=egesS+I3CRbcvFN2B+fJ1ROHFXKWdGS10QzjZPc2eeHaTfrH3X7/+khgXd5XCgYC3d veioIRkcd0gXntW7pOI7Qr4/Nn8uP0ZuXMkeGm7IG8EdsGTQhNbOSHytJVpGjWQpxo/x F48NWGmBDUgMXQuXo8p9drPSHTXqsIvM2tAGhL4hORaS60gxeisV3wVGdF7riPncsIll xxnf+FoOkoDOl7MZ1Jt3r2MotlKRIWkTi2IA1SRJFPO1h+x5oXyUh1HTvfdpcf1aTSjZ QK/DLZxqwF8pQx3XZUgT5LPB7WByXztpiR3MN4ZtAOLoF7L89tG6PiYOci/dHWD+VD+J MrBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776128463; x=1776733263; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=dWl3rPpOGMjT1OIH94kOV5+0jR8Ovo4+agJ500Odb3k=; b=QcPD2DmzEb4bkC4Ytuj/xmKi89A+q8Swv/VEHs+MXVxRp+g63Rk41tmb6pYn5HO1LW X3DI2uqja1aKmQStcfi14XT5KQpCFSXJLXio+Er0NF5E/1aUSesbORbjEFaZLyhgr6Iv 2GxasCUPGGs8C5ZQgoezuXKFh02LWVw5+7U9LgVQvSU/ZyMf7i1GHLBl9Iar1qyKNvCj L1+kZoe7nv0Z6cFC4iLG5RhNHxBYLBZ2o+XimZqa1xI/0GqUeA9y6mFnCTsNuDusl1sf U3Sar+WWnKf0Q7PmcSCdMAkH+1nP/4pHmCd9IQXoRQjqj5XWXwMN01AvBP0hQlq/b/SW bX4g== X-Forwarded-Encrypted: i=1; AFNElJ8bSxNV7Li2e9QnFOsEHxIuaFxgMS17U8n4CWZnos+fFgXMXX8TtuzEW2gK3w9NECsPCWYaA+zjM3gCad8=@vger.kernel.org X-Gm-Message-State: AOJu0Yw5h2Cq9mjamDuL55Yk55JarWqHR+BCRSuzAGNVCUST3Kdkz/nx OIhBddH8ToZOX0mwpwkO56GHk+AdXlLxI5o/cJddYe5lUOBlYieu0q4wactKXK71A2M= X-Gm-Gg: AeBDiesIYX/I8r/kAoZmNpGBsgJb9AC9k9aHOvhLzQiBrFkPUQcwdGJjaCGDg5hkYW3 CLPs3ytDKmdJmTU7K5OmZnoUaEvDJTfqZyI0s+DwvR5t1cPAVEdYL11mnaZ4438AwuGeZZn9IHs o8FqhOAzL3NSGmaeymCMFM8NiapWF8dNMogxf4WkIhJPUcyEUbeBFgAriUTQvP3WrBv9N03SWaY POL/ODolGDgD9ho03ZpTF9ki46VeNlzmdzkLIFsyArVfUXDbru3BY8d/gdbmkLVMeNK4oLhJnos Gp49hVWUKiEHw6oTm44eN+NIC9aZpGwBd12W2MOw84ALW1ROtz4KHeh23s/mPr07SWMfFot9XFe Zn2492hp4d+HsHieVKT0i75bIzTmCcR+rUuMGhd+ROHjmfIZiZxJ5KpbnRWn/qLVzzvT9k+5CFh NzUkEdzZWgzc3hyEbyqD6LkTfa+h914nYgKsi+MVhWHA== X-Received: by 2002:a05:6830:411c:b0:7d7:ecf8:6b with SMTP id 46e09a7af769-7dc27c67914mr8164751a34.2.1776128462835; Mon, 13 Apr 2026 18:01:02 -0700 (PDT) Received: from linux-dev ([12.26.11.218]) by smtp.gmail.com with ESMTPSA id 46e09a7af769-7dc269d3255sm9964556a34.25.2026.04.13.18.01.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 18:01:02 -0700 (PDT) From: Adrian Wowk To: valentina.manea.m@gmail.com, shuah@kernel.org Cc: i@zenithal.me, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Adrian Wowk Subject: [PATCH 2/2] usbip: vhci_hcd: reduce CONFIG_USBIP_VHCI_NR_HCS upper bound to 32 Date: Mon, 13 Apr 2026 20:00:50 -0500 Message-ID: <20260414010050.158064-3-dev@adrianwowk.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260414010050.158064-1-dev@adrianwowk.com> References: <20260414010050.158064-1-dev@adrianwowk.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Each VHCI HC instance registers two USB buses (one HS, one SS). USB_MAXBUS in drivers/usb/core/hcd.c is hard-coded to 64, giving an effective maximum of 32 VHCI HC instances (32 * 2 =3D 64 buses). The Kconfig range for USBIP_VHCI_NR_HCS currently allows up to 128, which will cause probe failures for any HC instance beyond the 32nd. These probe failures trigger the NULL pointer dereference fixed in the previous commit. Reduce the upper bound to 32 to reflect the real maximum imposed by USB_MAXBUS. Note that probe failures can still occur below this limit if real hardware has already claimed enough USB bus numbers, making the NULL check fix necessary regardless. Signed-off-by: Adrian Wowk Reviewed-by: Shuah Khan --- drivers/usb/usbip/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/usbip/Kconfig b/drivers/usb/usbip/Kconfig index b9f94e2e278..50945b6fae1 100644 --- a/drivers/usb/usbip/Kconfig +++ b/drivers/usb/usbip/Kconfig @@ -40,7 +40,7 @@ config USBIP_VHCI_HC_PORTS =20 config USBIP_VHCI_NR_HCS int "Number of USB/IP virtual host controllers" - range 1 128 + range 1 32 default 1 depends on USBIP_VHCI_HCD help --=20 2.53.0