In Linux 4.17, ohci_restart() in /drivers/usb/host/ohci-hcd.c does not handle the failure of ohci_init(), causing ohci->hcca could be a null pointer. After that, writting to this ohci->hcca->int_table [i] field could cause a null pointer dereference bug. Url of ohci_restart() https://elixir.bootlin.com/linux/v4.10.17/source/drivers/usb/host/ohci-hcd.c#L1000 int ohci_restart(struct ohci_hcd *ohci) { ... ohci_init(ohci); //does not handle the failure ... for (i = 0; i < NUM_INTS; i++) ohci->hcca->int_table [i] = 0; //null pointer dereference ... } Url of ohci_init() https://elixir.bootlin.com/linux/v4.10.17/source/drivers/usb/host/ohci-hcd.c#L441 static int ohci_init (struct ohci_hcd *ohci) { ... ohci->hcca = dma_alloc_coherent (hcd->self.controller, sizeof(*ohci->hcca), &ohci->hcca_dma, GFP_KERNEL); if (!ohci->hcca) return -ENOMEM; // ohci->hcca can be a null pointer ... }
This is not a bug. When ohci_restart() calls ohci_init(), ohci->hcca has already been initialized to a non-NULL value. Therefore the -ENOMEM return cannot happen.
(In reply to Alan Stern from comment #1) > This is not a bug. When ohci_restart() calls ohci_init(), ohci->hcca > has already been initialized to a non-NULL value. Therefore the > -ENOMEM return cannot happen. ohci->hcca will be allocated again in the ohci_init() Could it fail in that function?
(In reply to Alan Stern from comment #1) > This is not a bug. When ohci_restart() calls ohci_init(), ohci->hcca > has already been initialized to a non-NULL value. Therefore the > -ENOMEM return cannot happen. I mean could you tell me where ohci->hcca is initialized before ohci_restart()?
ohci->hcca is initialized when ohci_setup() calls ohci_init(). This happens long before ohci_restart() will ever get called.
(In reply to Alan Stern from comment #4) > ohci->hcca is initialized when ohci_setup() calls ohci_init(). This happens > long before ohci_restart() will ever get called. Thank you so much.