lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241115091545.2358156-1-quic_kriskura@quicinc.com>
Date: Fri, 15 Nov 2024 14:45:45 +0530
From: Krishna Kurapati <quic_kriskura@...cinc.com>
To: Vinod Koul <vkoul@...nel.org>, Kishon Vijay Abraham I <kishon@...nel.org>,
        Bjorn Andersson <quic_bjorande@...cinc.com>,
        Konrad Dybcio
	<konradybcio@...nel.org>,
        Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
        Andy Gross <agross@...nel.org>, Stephen Boyd <swboyd@...omium.org>
CC: <linux-kernel@...r.kernel.org>, <linux-arm-msm@...r.kernel.org>,
        <linux-phy@...ts.infradead.org>, <quic_ppratap@...cinc.com>,
        <quic_jackp@...cinc.com>, Krishna Kurapati <quic_kriskura@...cinc.com>,
        <stable@...r.kernel.org>
Subject: [PATCH 5.15.y] phy: qcom: qmp: Fix NULL pointer dereference for USB Uni PHYs

Commit [1] introduced DP support to QMP driver. While doing so, the
dp and usb configuration structures were added to a combo_phy_cfg
structure. During probe, the match data is used to parse and identify the
dp and usb configs separately. While doing so, the usb_cfg variable
represents the configuration parameters for USB part of the phy (whether
it is DP-Cobo or Uni). during probe, one corner case of parsing usb_cfg
for Uni PHYs is left incomplete and it is left as NULL. This NULL variable
further percolates down to qmp_phy_create() call essentially getting
de-referenced and causing a crash.

Subsequently, commit [2] split the driver into multiple files, each
handling a specific PHY type (USB, DP-Combo, UFS, PCIe). During this
refactoring, the probing process was modified, and the NULL pointer
dereference issue no longer showed up.

[1]: https://lore.kernel.org/all/20200916231202.3637932-8-swboyd@chromium.org/
[2]: https://lore.kernel.org/all/20220607213203.2819885-1-dmitry.baryshkov@linaro.org/

Fixes: 52e013d0bffa ("phy: qcom-qmp: Add support for DP in USB3+DP combo phy")
Cc: stable@...r.kernel.org # 5.15.y
Signed-off-by: Krishna Kurapati <quic_kriskura@...cinc.com>
---
 drivers/phy/qualcomm/phy-qcom-qmp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/phy/qualcomm/phy-qcom-qmp.c b/drivers/phy/qualcomm/phy-qcom-qmp.c
index eef863108bfe..e22ee71aa060 100644
--- a/drivers/phy/qualcomm/phy-qcom-qmp.c
+++ b/drivers/phy/qualcomm/phy-qcom-qmp.c
@@ -5714,6 +5714,8 @@ static int qcom_qmp_phy_probe(struct platform_device *pdev)
 
 		usb_cfg = combo_cfg->usb_cfg;
 		cfg = usb_cfg; /* Setup clks and regulators */
+	} else {
+		usb_cfg = cfg;
 	}
 
 	/* per PHY serdes; usually located at base address */
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ