Bug 207125

Summary: Possible null pointer dereference in ohci_restart()
Product: Drivers Reporter: Dongyang Zhan (zhandy)
Component: USBAssignee: Default virtual assignee for Drivers/USB (drivers_usb)
Status: RESOLVED WILL_NOT_FIX    
Severity: normal CC: stern, zhandy
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: Linux 4.17 Subsystem:
Regression: No Bisected commit-id:

Description Dongyang Zhan 2020-04-05 17:31:15 UTC 
In Linux 4.17, ohci_restart() in /drivers/usb/host/ohci-hcd.c does not handle the failure of ohci_init(), causing ohci->hcca could be a null pointer. After that, writting to this ohci->hcca->int_table [i] field could cause a null pointer dereference bug.

Url of ohci_restart()
https://elixir.bootlin.com/linux/v4.10.17/source/drivers/usb/host/ohci-hcd.c#L1000

int ohci_restart(struct ohci_hcd *ohci)
{
	...
	ohci_init(ohci); //does not handle the failure
        ...
        for (i = 0; i < NUM_INTS; i++) ohci->hcca->int_table [i] = 0; //null pointer dereference
        ...
}

Url of ohci_init()
https://elixir.bootlin.com/linux/v4.10.17/source/drivers/usb/host/ohci-hcd.c#L441
static int ohci_init (struct ohci_hcd *ohci)
{
...
ohci->hcca = dma_alloc_coherent (hcd->self.controller,
			sizeof(*ohci->hcca), &ohci->hcca_dma, GFP_KERNEL);
	if (!ohci->hcca)
		return -ENOMEM; // ohci->hcca can be a null pointer
...
}
Comment 1 Alan Stern 2020-04-06 14:20:03 UTC 
This is not a bug.  When ohci_restart() calls ohci_init(), ohci->hcca
has already been initialized to a non-NULL value.  Therefore the
-ENOMEM return cannot happen.
Comment 2 Dongyang Zhan 2020-04-06 15:07:22 UTC 
(In reply to Alan Stern from comment #1)
> This is not a bug.  When ohci_restart() calls ohci_init(), ohci->hcca
> has already been initialized to a non-NULL value.  Therefore the
> -ENOMEM return cannot happen.

ohci->hcca will be allocated again in the ohci_init()
Could it fail in that function?
Comment 3 Dongyang Zhan 2020-04-06 15:41:05 UTC 
(In reply to Alan Stern from comment #1)
> This is not a bug.  When ohci_restart() calls ohci_init(), ohci->hcca
> has already been initialized to a non-NULL value.  Therefore the
> -ENOMEM return cannot happen.

I mean could you tell me where ohci->hcca is initialized before ohci_restart()?
Comment 4 Alan Stern 2020-04-06 16:12:45 UTC 
ohci->hcca is initialized when ohci_setup() calls ohci_init().  This happens long before ohci_restart() will ever get called.
Comment 5 Dongyang Zhan 2020-04-06 16:34:24 UTC 
(In reply to Alan Stern from comment #4)
> ohci->hcca is initialized when ohci_setup() calls ohci_init().  This happens
> long before ohci_restart() will ever get called.

Thank you so much.