Message ID | 20221209170740.70539-1-biju.das.jz@bp.renesas.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [v2] usb: typec: hd3ss3220: Fix NULL pointer crash | expand |
Hi Biju, On Fri, Dec 09, 2022 at 05:07:40PM +0000, Biju Das wrote: > The value returned by usb_role_switch_get() can be NULL and it leads > to NULL pointer crash. This patch fixes this issue by adding NULL > check for the role switch handle. > > [ 25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 (CAT874 + CAT875) (DT) > [ 25.344991] Workqueue: events_unbound deferred_probe_work_func > [ 25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) > [ 25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3] > [ 25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 [renesas_usb3] > [ 25.370986] sp : ffff80000a4b3a40 > [ 25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: 0000000000000000 > [ 25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: ffff80000117f178 > [ 25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: 0000000000000000 > [ 25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: 0000000000000020 > [ 25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: 0000000000004000 > [ 25.410133] x14: 000000000000022b x13: 0000000000000001 x12: 0000000000000001 > [ 25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : ffff80000a4b3770 > [ 25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : ffff00000a8d8590 > [ 25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : ffff00000a8d84f4 > [ 25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : 0000000000000218 > [ 25.445942] Call trace: > [ 25.448398] renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3] > [ 25.454613] renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3] > [ 25.460908] usb_role_switch_set_role+0x44/0xa4 > [ 25.465468] hd3ss3220_set_role+0xa0/0x100 [hd3ss3220] > [ 25.470635] hd3ss3220_probe+0x118/0x2fc [hd3ss3220] > [ 25.475621] i2c_device_probe+0x338/0x384 Based on that backtrace, your role switch is not NULL. You can only end up calling renesas_usb3_role_switch_set() if your hd3ss3220->role_sw contains a handle to the renesas usb3 role switch. > Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn: passing zero to 'PTR_ERR'") > Cc: stable@vger.kernel.org > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> > --- > This issue triggered on RZ/G2E board, where there is no USB3 firmware and it > returned a null role switch handle. > > v1->v2: > * Make it as individual patch > * Added Cc tag > --- > drivers/usb/typec/hd3ss3220.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/typec/hd3ss3220.c b/drivers/usb/typec/hd3ss3220.c > index 2a58185fb14c..c24bbccd14f9 100644 > --- a/drivers/usb/typec/hd3ss3220.c > +++ b/drivers/usb/typec/hd3ss3220.c > @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client *client, > hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev); > } > > - if (IS_ERR(hd3ss3220->role_sw)) { > + if (!hd3ss3220->role_sw) { > + ret = -ENODEV; > + goto err_put_fwnode; > + } else if (IS_ERR(hd3ss3220->role_sw)) { > ret = PTR_ERR(hd3ss3220->role_sw); > goto err_put_fwnode; > } You should not do that. Either I'm missing something, or this patch is hiding some other issue. thanks,
Hi Heikki, Thanks for the feedback. > Subject: Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash > > Hi Biju, > > On Fri, Dec 09, 2022 at 05:07:40PM +0000, Biju Das wrote: > > The value returned by usb_role_switch_get() can be NULL and it leads > > to NULL pointer crash. This patch fixes this issue by adding NULL > > check for the role switch handle. > > > > [ 25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 > (CAT874 + CAT875) (DT) > > [ 25.344991] Workqueue: events_unbound deferred_probe_work_func > > [ 25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS > BTYPE=--) > > [ 25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 > [renesas_usb3] > > [ 25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 > [renesas_usb3] > > [ 25.370986] sp : ffff80000a4b3a40 > > [ 25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: > 0000000000000000 > > [ 25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: > ffff80000117f178 > > [ 25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: > 0000000000000000 > > [ 25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: > 0000000000000020 > > [ 25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: > 0000000000004000 > > [ 25.410133] x14: 000000000000022b x13: 0000000000000001 x12: > 0000000000000001 > > [ 25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : > ffff80000a4b3770 > > [ 25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : > ffff00000a8d8590 > > [ 25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : > ffff00000a8d84f4 > > [ 25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : > 0000000000000218 > > [ 25.445942] Call trace: > > [ 25.448398] renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3] > > [ 25.454613] renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3] > > [ 25.460908] usb_role_switch_set_role+0x44/0xa4 > > [ 25.465468] hd3ss3220_set_role+0xa0/0x100 [hd3ss3220] > > [ 25.470635] hd3ss3220_probe+0x118/0x2fc [hd3ss3220] > > [ 25.475621] i2c_device_probe+0x338/0x384 > > Based on that backtrace, your role switch is not NULL. I haven't provided the USB3 firmware, so companion device will fail. See [1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/drivers/usb/gadget/udc/renesas_usb3.c?h=next-20221208#n2917 Cheers, Biju > > You can only end up calling renesas_usb3_role_switch_set() if your > hd3ss3220->role_sw contains a handle to the renesas usb3 role switch. > > > Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn: > > passing zero to 'PTR_ERR'") > > Cc: stable@vger.kernel.org > > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> > > --- > > This issue triggered on RZ/G2E board, where there is no USB3 firmware > > and it returned a null role switch handle. > > > > v1->v2: > > * Make it as individual patch > > * Added Cc tag > > --- > > drivers/usb/typec/hd3ss3220.c | 5 ++++- > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/usb/typec/hd3ss3220.c > > b/drivers/usb/typec/hd3ss3220.c index 2a58185fb14c..c24bbccd14f9 > > 100644 > > --- a/drivers/usb/typec/hd3ss3220.c > > +++ b/drivers/usb/typec/hd3ss3220.c > > @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client > *client, > > hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev); > > } > > > > - if (IS_ERR(hd3ss3220->role_sw)) { > > + if (!hd3ss3220->role_sw) { > > + ret = -ENODEV; > > + goto err_put_fwnode; > > + } else if (IS_ERR(hd3ss3220->role_sw)) { > > ret = PTR_ERR(hd3ss3220->role_sw); > > goto err_put_fwnode; > > } > > You should not do that. > > Either I'm missing something, or this patch is hiding some other issue. > > thanks, > > -- > heikki
Hi Heikki, > Subject: Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash > > Hi Biju, > > On Fri, Dec 09, 2022 at 05:07:40PM +0000, Biju Das wrote: > > The value returned by usb_role_switch_get() can be NULL and it leads > > to NULL pointer crash. This patch fixes this issue by adding NULL > > check for the role switch handle. > > > > [ 25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 > (CAT874 + CAT875) (DT) > > [ 25.344991] Workqueue: events_unbound deferred_probe_work_func > > [ 25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS > BTYPE=--) > > [ 25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 > [renesas_usb3] > > [ 25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 > [renesas_usb3] > > [ 25.370986] sp : ffff80000a4b3a40 > > [ 25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: > 0000000000000000 > > [ 25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: > ffff80000117f178 > > [ 25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: > 0000000000000000 > > [ 25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: > 0000000000000020 > > [ 25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: > 0000000000004000 > > [ 25.410133] x14: 000000000000022b x13: 0000000000000001 x12: > 0000000000000001 > > [ 25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : > ffff80000a4b3770 > > [ 25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : > ffff00000a8d8590 > > [ 25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : > ffff00000a8d84f4 > > [ 25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : > 0000000000000218 > > [ 25.445942] Call trace: > > [ 25.448398] renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3] > > [ 25.454613] renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3] > > [ 25.460908] usb_role_switch_set_role+0x44/0xa4 > > [ 25.465468] hd3ss3220_set_role+0xa0/0x100 [hd3ss3220] > > [ 25.470635] hd3ss3220_probe+0x118/0x2fc [hd3ss3220] > > [ 25.475621] i2c_device_probe+0x338/0x384 > > Based on that backtrace, your role switch is not NULL. > > You can only end up calling renesas_usb3_role_switch_set() if your > hd3ss3220->role_sw contains a handle to the renesas usb3 role switch. Looks you are correct. > > > Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn: > > passing zero to 'PTR_ERR'") > > Cc: stable@vger.kernel.org > > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> > > --- > > This issue triggered on RZ/G2E board, where there is no USB3 firmware > > and it returned a null role switch handle. > > > > v1->v2: > > * Make it as individual patch > > * Added Cc tag > > --- > > drivers/usb/typec/hd3ss3220.c | 5 ++++- > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/usb/typec/hd3ss3220.c > > b/drivers/usb/typec/hd3ss3220.c index 2a58185fb14c..c24bbccd14f9 > > 100644 > > --- a/drivers/usb/typec/hd3ss3220.c > > +++ b/drivers/usb/typec/hd3ss3220.c > > @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client > *client, > > hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev); > > } > > > > - if (IS_ERR(hd3ss3220->role_sw)) { > > + if (!hd3ss3220->role_sw) { > > + ret = -ENODEV; > > + goto err_put_fwnode; > > + } else if (IS_ERR(hd3ss3220->role_sw)) { > > ret = PTR_ERR(hd3ss3220->role_sw); > > goto err_put_fwnode; > > } > > You should not do that. > > Either I'm missing something, or this patch is hiding some other issue. Looks It is a bug in renesas_usb3.c rather than this driver. But how we will prevent hd3ss3220_set_role being called after usb_role_switch_unregister(usb3->role_sw) from renesas_usb3.c driver?? Cheers, Biju
> Subject: RE: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash > > Hi Heikki, > > > Subject: Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash > > > > Hi Biju, > > > > On Fri, Dec 09, 2022 at 05:07:40PM +0000, Biju Das wrote: > > > The value returned by usb_role_switch_get() can be NULL and it leads > > > to NULL pointer crash. This patch fixes this issue by adding NULL > > > check for the role switch handle. > > > > > > [ 25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit > EK874 > > (CAT874 + CAT875) (DT) > > > [ 25.344991] Workqueue: events_unbound deferred_probe_work_func > > > [ 25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS > > BTYPE=--) > > > [ 25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 > > [renesas_usb3] > > > [ 25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 > > [renesas_usb3] > > > [ 25.370986] sp : ffff80000a4b3a40 > > > [ 25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: > > 0000000000000000 > > > [ 25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: > > ffff80000117f178 > > > [ 25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: > > 0000000000000000 > > > [ 25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: > > 0000000000000020 > > > [ 25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: > > 0000000000004000 > > > [ 25.410133] x14: 000000000000022b x13: 0000000000000001 x12: > > 0000000000000001 > > > [ 25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : > > ffff80000a4b3770 > > > [ 25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : > > ffff00000a8d8590 > > > [ 25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : > > ffff00000a8d84f4 > > > [ 25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : > > 0000000000000218 > > > [ 25.445942] Call trace: > > > [ 25.448398] renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3] > > > [ 25.454613] renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3] > > > [ 25.460908] usb_role_switch_set_role+0x44/0xa4 > > > [ 25.465468] hd3ss3220_set_role+0xa0/0x100 [hd3ss3220] > > > [ 25.470635] hd3ss3220_probe+0x118/0x2fc [hd3ss3220] > > > [ 25.475621] i2c_device_probe+0x338/0x384 > > > > Based on that backtrace, your role switch is not NULL. > > > > You can only end up calling renesas_usb3_role_switch_set() if your > > hd3ss3220->role_sw contains a handle to the renesas usb3 role switch. > > Looks you are correct. > > > > > > Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn: > > > passing zero to 'PTR_ERR'") > > > Cc: stable@vger.kernel.org > > > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> > > > --- > > > This issue triggered on RZ/G2E board, where there is no USB3 > > > firmware and it returned a null role switch handle. > > > > > > v1->v2: > > > * Make it as individual patch > > > * Added Cc tag > > > --- > > > drivers/usb/typec/hd3ss3220.c | 5 ++++- > > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > > > diff --git a/drivers/usb/typec/hd3ss3220.c > > > b/drivers/usb/typec/hd3ss3220.c index 2a58185fb14c..c24bbccd14f9 > > > 100644 > > > --- a/drivers/usb/typec/hd3ss3220.c > > > +++ b/drivers/usb/typec/hd3ss3220.c > > > @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client > > *client, > > > hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev); > > > } > > > > > > - if (IS_ERR(hd3ss3220->role_sw)) { > > > + if (!hd3ss3220->role_sw) { > > > + ret = -ENODEV; > > > + goto err_put_fwnode; > > > + } else if (IS_ERR(hd3ss3220->role_sw)) { > > > ret = PTR_ERR(hd3ss3220->role_sw); > > > goto err_put_fwnode; > > > } > > > > You should not do that. > > > > Either I'm missing something, or this patch is hiding some other issue. > > Looks It is a bug in renesas_usb3.c rather than this driver. > > But how we will prevent hd3ss3220_set_role being called after > usb_role_switch_unregister(usb3->role_sw) from renesas_usb3.c driver?? Do we need to add additional check for "fwnode_usb_role_switch_get" and "usb_role_switch_get" to return error if there is no registered role_switch device Like the scenario above?? Cheers, Biju
Hi, On Mon, Dec 12, 2022 at 10:54:25AM +0000, Biju Das wrote: > > Looks It is a bug in renesas_usb3.c rather than this driver. > > > > But how we will prevent hd3ss3220_set_role being called after > > usb_role_switch_unregister(usb3->role_sw) from renesas_usb3.c driver?? Normally that should not be a problem. When you get a reference to the role switch, also the reference count of the switch driver module (on top of the device) is incremented. From where is usb_role_switch_unregister() being called in this case - is it renesas_usb3_probe()? If it is, would something like this help: diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c index 615ba0a6fbee1..d2e01f7cfef11 100644 --- a/drivers/usb/gadget/udc/renesas_usb3.c +++ b/drivers/usb/gadget/udc/renesas_usb3.c @@ -2907,18 +2907,13 @@ static int renesas_usb3_probe(struct platform_device *pdev) renesas_usb3_role_switch_desc.driver_data = usb3; INIT_WORK(&usb3->role_work, renesas_usb3_role_work); - usb3->role_sw = usb_role_switch_register(&pdev->dev, - &renesas_usb3_role_switch_desc); - if (!IS_ERR(usb3->role_sw)) { - usb3->host_dev = usb_of_get_companion_dev(&pdev->dev); - if (!usb3->host_dev) { - /* If not found, this driver will not use a role sw */ - usb_role_switch_unregister(usb3->role_sw); - usb3->role_sw = NULL; - } - } else { + + usb3->host_dev = usb_of_get_companion_dev(&pdev->dev); + if (usb3->host_dev) + usb3->role_sw = usb_role_switch_register(&pdev->dev, + &renesas_usb3_role_switch_desc); + if (IS_ERR(usb3->role_sw)) usb3->role_sw = NULL; - } usb3->workaround_for_vbus = priv->workaround_for_vbus; > Do we need to add additional check for "fwnode_usb_role_switch_get" and > "usb_role_switch_get" to return error if there is no registered role_switch device > Like the scenario above?? No. The switch is always an optional resource. Error means that there is a switch that you can control, but you can't get a handle to it for some reason. NULL means you don't need to worry about it - there is no switch on your platform that you could control. thanks,
+ Shimoda-San > -----Original Message----- > From: Heikki Krogerus <heikki.krogerus@linux.intel.com> > Sent: 13 December 2022 08:37 > To: Biju Das <biju.das.jz@bp.renesas.com> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>; Biju Das > <biju.das@bp.renesas.com>; linux-usb@vger.kernel.org; Geert Uytterhoeven > <geert+renesas@glider.be>; Fabrizio Castro > <fabrizio.castro.jz@renesas.com>; linux-renesas-soc@vger.kernel.org; > stable@vger.kernel.org > Subject: Re: [PATCH v2] usb: typec: hd3ss3220: Fix NULL pointer crash > > Hi, > > On Mon, Dec 12, 2022 at 10:54:25AM +0000, Biju Das wrote: > > > Looks It is a bug in renesas_usb3.c rather than this driver. > > > > > > But how we will prevent hd3ss3220_set_role being called after > > > usb_role_switch_unregister(usb3->role_sw) from renesas_usb3.c driver?? > > Normally that should not be a problem. When you get a reference to the > role switch, also the reference count of the switch driver module (on top > of the device) is incremented. > > From where is usb_role_switch_unregister() being called in this case - is > it renesas_usb3_probe()? Yes, that os correct. > > If it is, would something like this help: Shimoda-San, What is your thoughts on Heikki's proposal as below? It looks good to me. > > diff --git a/drivers/usb/gadget/udc/renesas_usb3.c > b/drivers/usb/gadget/udc/renesas_usb3.c > index 615ba0a6fbee1..d2e01f7cfef11 100644 > --- a/drivers/usb/gadget/udc/renesas_usb3.c > +++ b/drivers/usb/gadget/udc/renesas_usb3.c > @@ -2907,18 +2907,13 @@ static int renesas_usb3_probe(struct > platform_device *pdev) > renesas_usb3_role_switch_desc.driver_data = usb3; > > INIT_WORK(&usb3->role_work, renesas_usb3_role_work); > - usb3->role_sw = usb_role_switch_register(&pdev->dev, > - &renesas_usb3_role_switch_desc); > - if (!IS_ERR(usb3->role_sw)) { > - usb3->host_dev = usb_of_get_companion_dev(&pdev->dev); > - if (!usb3->host_dev) { > - /* If not found, this driver will not use a role > sw */ > - usb_role_switch_unregister(usb3->role_sw); > - usb3->role_sw = NULL; > - } > - } else { > + > + usb3->host_dev = usb_of_get_companion_dev(&pdev->dev); > + if (usb3->host_dev) > + usb3->role_sw = usb_role_switch_register(&pdev->dev, > + > &renesas_usb3_role_switch_desc); > + if (IS_ERR(usb3->role_sw)) > usb3->role_sw = NULL; > - } > > usb3->workaround_for_vbus = priv->workaround_for_vbus; > > > > > Do we need to add additional check for "fwnode_usb_role_switch_get" > > and "usb_role_switch_get" to return error if there is no registered > > role_switch device Like the scenario above?? > > No. The switch is always an optional resource. > > Error means that there is a switch that you can control, but you can't get > a handle to it for some reason. > > NULL means you don't need to worry about it - there is no switch on your > platform that you could control. > > thanks, > > -- > heikki
diff --git a/drivers/usb/typec/hd3ss3220.c b/drivers/usb/typec/hd3ss3220.c index 2a58185fb14c..c24bbccd14f9 100644 --- a/drivers/usb/typec/hd3ss3220.c +++ b/drivers/usb/typec/hd3ss3220.c @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client *client, hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev); } - if (IS_ERR(hd3ss3220->role_sw)) { + if (!hd3ss3220->role_sw) { + ret = -ENODEV; + goto err_put_fwnode; + } else if (IS_ERR(hd3ss3220->role_sw)) { ret = PTR_ERR(hd3ss3220->role_sw); goto err_put_fwnode; }
The value returned by usb_role_switch_get() can be NULL and it leads to NULL pointer crash. This patch fixes this issue by adding NULL check for the role switch handle. [ 25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 (CAT874 + CAT875) (DT) [ 25.344991] Workqueue: events_unbound deferred_probe_work_func [ 25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3] [ 25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 [renesas_usb3] [ 25.370986] sp : ffff80000a4b3a40 [ 25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: 0000000000000000 [ 25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: ffff80000117f178 [ 25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: 0000000000000000 [ 25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: 0000000000000020 [ 25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: 0000000000004000 [ 25.410133] x14: 000000000000022b x13: 0000000000000001 x12: 0000000000000001 [ 25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : ffff80000a4b3770 [ 25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : ffff00000a8d8590 [ 25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : ffff00000a8d84f4 [ 25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : 0000000000000218 [ 25.445942] Call trace: [ 25.448398] renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3] [ 25.454613] renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3] [ 25.460908] usb_role_switch_set_role+0x44/0xa4 [ 25.465468] hd3ss3220_set_role+0xa0/0x100 [hd3ss3220] [ 25.470635] hd3ss3220_probe+0x118/0x2fc [hd3ss3220] [ 25.475621] i2c_device_probe+0x338/0x384 Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn: passing zero to 'PTR_ERR'") Cc: stable@vger.kernel.org Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> --- This issue triggered on RZ/G2E board, where there is no USB3 firmware and it returned a null role switch handle. v1->v2: * Make it as individual patch * Added Cc tag --- drivers/usb/typec/hd3ss3220.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)