[2/4] usb: typec: hd3ss3220: Fix NULL pointer crash

The value returned by usb_role_switch_get() can be NULL and it leads
to NULL pointer crash. This patch fixes this issue by adding NULL
check for the role switch handle.

[   25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 (CAT874 + CAT875) (DT)
[   25.344991] Workqueue: events_unbound deferred_probe_work_func
[   25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
[   25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 [renesas_usb3]
[   25.370986] sp : ffff80000a4b3a40
[   25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: 0000000000000000
[   25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: ffff80000117f178
[   25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: 0000000000000000
[   25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: 0000000000000020
[   25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: 0000000000004000
[   25.410133] x14: 000000000000022b x13: 0000000000000001 x12: 0000000000000001
[   25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : ffff80000a4b3770
[   25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : ffff00000a8d8590
[   25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : ffff00000a8d84f4
[   25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : 0000000000000218
[   25.445942] Call trace:
[   25.448398]  renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
[   25.454613]  renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3]
[   25.460908]  usb_role_switch_set_role+0x44/0xa4
[   25.465468]  hd3ss3220_set_role+0xa0/0x100 [hd3ss3220]
[   25.470635]  hd3ss3220_probe+0x118/0x2fc [hd3ss3220]
[   25.475621]  i2c_device_probe+0x338/0x384

Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn: passing zero to 'PTR_ERR'")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
This issue triggered on RZ/G2E board, where there is no USB3 firmware and it
returned a null role switch handle.
---
 drivers/usb/typec/hd3ss3220.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

On Fri, Dec 09, 2022 at 03:56:21PM +0000, Biju Das wrote:
> The value returned by usb_role_switch_get() can be NULL and it leads
> to NULL pointer crash. This patch fixes this issue by adding NULL
> check for the role switch handle.

Why isn't this the first patch here, and cc: stable, or just as an
individual patch that has nothing to do with the other new feature
patches?

thanks,

greg k-h

Hi Greg,

Thanks for the feedback.

> Subject: Re: [PATCH 2/4] usb: typec: hd3ss3220: Fix NULL pointer crash
> 
> On Fri, Dec 09, 2022 at 03:56:21PM +0000, Biju Das wrote:
> > The value returned by usb_role_switch_get() can be NULL and it leads
> > to NULL pointer crash. This patch fixes this issue by adding NULL
> > check for the role switch handle.
> 
> Why isn't this the first patch here, and cc: stable, or just as an
> individual patch that has nothing to do with the other new feature
> patches?

OK, I will send this as standalone patch, cc to stable on next version.

Cheers,
Biju

Hello!

On 12/9/22 6:56 PM, Biju Das wrote:

> The value returned by usb_role_switch_get() can be NULL and it leads
> to NULL pointer crash. This patch fixes this issue by adding NULL
> check for the role switch handle.
> 
> [   25.336613] Hardware name: Silicon Linux RZ/G2E evaluation kit EK874 (CAT874 + CAT875) (DT)
> [   25.344991] Workqueue: events_unbound deferred_probe_work_func
> [   25.350869] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> [   25.357854] pc : renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> [   25.364428] lr : renesas_usb3_role_switch_get+0x24/0x80 [renesas_usb3]
> [   25.370986] sp : ffff80000a4b3a40
> [   25.374311] x29: ffff80000a4b3a40 x28: 0000000000000000 x27: 0000000000000000
> [   25.381476] x26: ffff80000a3ade78 x25: ffff00000a809005 x24: ffff80000117f178
> [   25.388641] x23: ffff00000a8d7810 x22: ffff00000a8d8410 x21: 0000000000000000
> [   25.395805] x20: ffff000011cd7080 x19: ffff000011cd7080 x18: 0000000000000020
> [   25.402969] x17: ffff800076196000 x16: ffff800008004000 x15: 0000000000004000
> [   25.410133] x14: 000000000000022b x13: 0000000000000001 x12: 0000000000000001
> [   25.417291] x11: 0000000000000000 x10: 0000000000000a40 x9 : ffff80000a4b3770
> [   25.424452] x8 : ffff00007fbc9000 x7 : 0040000000000008 x6 : ffff00000a8d8590
> [   25.431615] x5 : ffff80000a4b3960 x4 : 0000000000000000 x3 : ffff00000a8d84f4
> [   25.438776] x2 : 0000000000000218 x1 : ffff80000a715218 x0 : 0000000000000218
> [   25.445942] Call trace:
> [   25.448398]  renesas_usb3_role_switch_get+0x40/0x80 [renesas_usb3]
> [   25.454613]  renesas_usb3_role_switch_set+0x4c/0x440 [renesas_usb3]
> [   25.460908]  usb_role_switch_set_role+0x44/0xa4
> [   25.465468]  hd3ss3220_set_role+0xa0/0x100 [hd3ss3220]
> [   25.470635]  hd3ss3220_probe+0x118/0x2fc [hd3ss3220]
> [   25.475621]  i2c_device_probe+0x338/0x384
> 
> Fixes: 5a9a8a4c5058 ("usb: typec: hd3ss3220: hd3ss3220_probe() warn: passing zero to 'PTR_ERR'")
> Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> ---
> This issue triggered on RZ/G2E board, where there is no USB3 firmware and it
> returned a null role switch handle.
> ---
>  drivers/usb/typec/hd3ss3220.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/typec/hd3ss3220.c b/drivers/usb/typec/hd3ss3220.c
> index 2a58185fb14c..c24bbccd14f9 100644
> --- a/drivers/usb/typec/hd3ss3220.c
> +++ b/drivers/usb/typec/hd3ss3220.c
> @@ -186,7 +186,10 @@ static int hd3ss3220_probe(struct i2c_client *client,
>  		hd3ss3220->role_sw = usb_role_switch_get(hd3ss3220->dev);
>  	}
>  
> -	if (IS_ERR(hd3ss3220->role_sw)) {
> +	if (!hd3ss3220->role_sw) {
> +		ret = -ENODEV;
> +		goto err_put_fwnode;
> +	} else if (IS_ERR(hd3ss3220->role_sw)) {

   No need for *else* after *goto*.

[...]

MBR, Sergey