lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAJh=zjJBUb2JpEh4Tf6z0V9KTy2jufRQktuJt2oMYbeu52PXzg@mail.gmail.com>
Date:   Tue, 1 Aug 2023 11:21:36 +0800
From:   Jimmy Hu <hhhuuu@...gle.com>
To:     Heikki Krogerus <heikki.krogerus@...ux.intel.com>
Cc:     linux@...ck-us.net, gregkh@...uxfoundation.org, kyletso@...gle.com,
        linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: typec: tcpm: Add IS_ERR_OR_NULL check for port->partner

On Mon, Jul 31, 2023 at 7:06 PM Heikki Krogerus
<heikki.krogerus@...ux.intel.com> wrote:
>
> Hi,
>
> I'm sorry to keep you waiting.
>
> On Fri, Jun 30, 2023 at 06:57:11AM +0000, Jimmy Hu wrote:
> > port->partner may be an error or NULL, so we must check it with
> > IS_ERR_OR_NULL() before dereferencing it.
>
> Have you seen this happening? Maybe the partner check should happen
> earlier, before tcpm_pd_svdm() is even called?
>
> > Fixes: 5e1d4c49fbc8 ("usb: typec: tcpm: Determine common SVDM Version")
> > Signed-off-by: Jimmy Hu <hhhuuu@...gle.com>
> > ---
> >  drivers/usb/typec/tcpm/tcpm.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
> > index 829d75ebab42..cd2590eead04 100644
> > --- a/drivers/usb/typec/tcpm/tcpm.c
> > +++ b/drivers/usb/typec/tcpm/tcpm.c
> > @@ -1626,6 +1626,8 @@ static int tcpm_pd_svdm(struct tcpm_port *port, struct typec_altmode *adev,
> >                               break;
> >
> >                       if (PD_VDO_SVDM_VER(p[0]) < svdm_version) {
> > +                             if (IS_ERR_OR_NULL(port->partner))
> > +                                     break;
> >                               typec_partner_set_svdm_version(port->partner,
> >                                                              PD_VDO_SVDM_VER(p[0]));
> >                               svdm_version = PD_VDO_SVDM_VER(p[0]);
>
> Now you will still build a response? I'm pretty sure you don't want
> that.
>
> Do we need to do anything in this function if the partner is lost? If
> not, then why not just check the partner in the beginning of the
> function. Or just make sure we don't even call tcpm_pd_svdm() if
> there's no partner.
>
> thanks,
>
> --
> heikki

Yes, we've seen this. Here is part of the last kmsg.

[978098.478754][  T319] typec port0: failed to register partner (-17)
...
[978101.505668][  T319] Unable to handle kernel NULL pointer
dereference at virtual address 000000000000039f
[978101.864439][  T319] CPU: 5 PID: 319 Comm: i2c-max77759tcp Tainted:
G        W  O      5.10.66-android12-9-00229-gd736cbf8d9ac-ab7921439
#1
[978101.866919][ T1176] [07:31:46.926532][dhd][wlan]
[978101.876939][  T319] Hardware name: Raven DVT (DT)
[978101.876949][  T319] pstate: 80c00005 (Nzcv daif +PAN +UAO -TCO BTYPE=--)
[978101.876982][  T319] pc : tcpm_pd_data_request+0x310/0x13fc
[978101.876987][  T319] lr : tcpm_pd_data_request+0x298/0x13fc
...
978101.886481][  T319] Call trace:
[978101.886492][  T319]  tcpm_pd_data_request+0x310/0x13fc
[978101.886506][  T319]  tcpm_pd_rx_handler+0x100/0x9e8
[978101.898747][  T319]  kthread_worker_fn+0x178/0x58c
[978101.898756][  T319]  kthread+0x150/0x200
[978101.898769][  T319]  ret_from_fork+0x10/0x30

Since this happens when PD_VDO_SVDM_VER(p[0]) < svdm_version, I think
we can check the partner after the condition is met.
Or check it when entering CMD_DISCOVER_IDENT case. Just like:
case CMDT_RSP_ACK:
/* silently drop message if we are not connected */
if (IS_ERR_OR_NULL(port->partner))
break;

Thanks,
Jimmy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ