From patchwork Mon Nov  6 12:26:46 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrey Konovalov <andreyknvl@google.com>
X-Patchwork-Id: 834686
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=google.com header.i=@google.com
	header.b="XxyPMtvh"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3yVsJF6dznz9s7m
	for <patchwork-incoming@ozlabs.org>;
	Mon,  6 Nov 2017 23:27:09 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752741AbdKFM1A (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Mon, 6 Nov 2017 07:27:00 -0500
Received: from mail-wm0-f68.google.com ([74.125.82.68]:56814 "EHLO
	mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752658AbdKFM06 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Mon, 6 Nov 2017 07:26:58 -0500
Received: by mail-wm0-f68.google.com with SMTP id z3so13816972wme.5
	for <netdev@vger.kernel.org>; Mon, 06 Nov 2017 04:26:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=KhIq2zgmtI4Bwh1AvlVIrEB5hMCY72UNHRq1IDnIKhk=;
	b=XxyPMtvhPG0EAdGzeiSPNpVPxTagBEOFZmjG6wQlnJ7iO1tpYYN2a2ynUX/QktWxbC
	IYKX/HZtVsfINMvMprB+aMDSAVz71je5ph1yb7LZBbwHSduZmCK/m8Vc5j4Y7xKQFqMM
	kyeMLoiOVo+6WjPenk/rrQSK3bmCVj+grez5aGd1JLXMGEO1HBcQvIyVHYiBY7WEjXlU
	JJfIyuGocBt9TznY9RZx+A/xTfWYJODEfeC/Ia2UCCuesJhLEWz0r9RKlAjG3y+ot0Ft
	7vJx4qNx86vnTNmIGRByDpEHpvU4u/8yKqXF0bSZ3ZR5vp99VxYiVf45gytXRQpsOr8Q
	yXkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=KhIq2zgmtI4Bwh1AvlVIrEB5hMCY72UNHRq1IDnIKhk=;
	b=RY8EpKpEo3IpTI+Af4HPuoLm3sDdf9mfpeHQnTKiI8X2mI7uvRMbTVi0/peqgm2qX8
	KYlIu7GTIjmPVZ/EDHWHsUGsOcIFLJCA9KspcSxhmxRsrKu9uq/ePJvVUwvWuhE3U/jD
	NIFth+PP2JrkH2QRSQDGiY4BDhRG8bva3hoYfgJunZFQls7SRE9Fi6lhkPFMcvmDFVmx
	5dtoxS+Vmq62QQjiZUu44F+lzMMB8/iw1Vnwt3weouKCvmonTV7dRIZAMsjzcNwHv2bt
	vVvscSnxKsVFbiwbO9UvXcYe2clWo5iGa/RyfwunzLM7Kk6kcuYhupt3eezp9Em72cZk
	0qIQ==
X-Gm-Message-State: AJaThX6e0b3a6gDW8REJUXPLzd4Ge3T3fO3BGgZAp8DQsIai6QpZZ9Y+
	zaX4l/plMbVVMPfeG1co7vpzWw==
X-Google-Smtp-Source: 
 ABhQp+TYZHFWVhcCXTMhrp9jj6MqVIKofD0OMU+qEBMDwgsTPu9Fm27tY8f5YHShumDkoLB/mFakZg==
X-Received: by 10.28.100.212 with SMTP id y203mr5348579wmb.64.1509971216875;
	Mon, 06 Nov 2017 04:26:56 -0800 (PST)
Received: from andreyknvl0.muc.corp.google.com
	([2a00:79e0:15:10:4e5:dc7d:ddcf:4060])
	by smtp.gmail.com with ESMTPSA id
	5sm7470329wrj.22.2017.11.06.04.26.55
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Mon, 06 Nov 2017 04:26:56 -0800 (PST)
Received: by andreyknvl0.muc.corp.google.com (Postfix, from userid 206546)
	id 0AEEC180936; Mon,  6 Nov 2017 13:26:54 +0100 (CET)
From: Andrey Konovalov <andreyknvl@google.com>
To: "David S . Miller" <davem@davemloft.net>,
	Dean Jenkins <Dean_Jenkins@mentor.com>, allan <allan@asix.com.tw>,
	Andrey Konovalov <andreyknvl@google.com>,
	Peter Chen <peter.chen@nxp.com>, Philippe Reynes <tremyfr@gmail.com>,
	Greg Ungerer <gerg@linux-m68k.org>,
	Colin Ian King <colin.king@canonical.com>,
	linux-usb@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Dmitry Vyukov <dvyukov@google.com>, Kostya Serebryany <kcc@google.com>
Subject: [PATCH v2] net: usb: asix: fill null-ptr-deref in asix_suspend
Date: Mon,  6 Nov 2017 13:26:46 +0100
Message-Id: 
 <e413217cf7fd1c91c56a30cddf72e9cb80a77830.1509971128.git.andreyknvl@google.com>
X-Mailer: git-send-email 2.15.0.403.gc27cc4dac6-goog
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

When asix_suspend() is called dev->driver_priv might not have been
assigned a value, so we need to check that it's not NULL.

Similar issue is present in asix_resume(), this patch fixes it as well.

Found by syzkaller.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc4-43422-geccacdd69a8c #400
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: ffff88006bb36300 task.stack: ffff88006bba8000
RIP: 0010:asix_suspend+0x76/0xc0 drivers/net/usb/asix_devices.c:629
RSP: 0018:ffff88006bbae718 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff880061ba3b80 RCX: 1ffff1000c34d644
RDX: 0000000000000001 RSI: 0000000000000402 RDI: 0000000000000008
RBP: ffff88006bbae738 R08: 1ffff1000d775cad R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800630a8b40
R13: 0000000000000000 R14: 0000000000000402 R15: ffff880061ba3b80
FS:  0000000000000000(0000) GS:ffff88006c600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff33cf89000 CR3: 0000000061c0a000 CR4: 00000000000006f0
Call Trace:
 usb_suspend_interface drivers/usb/core/driver.c:1209
 usb_suspend_both+0x27f/0x7e0 drivers/usb/core/driver.c:1314
 usb_runtime_suspend+0x41/0x120 drivers/usb/core/driver.c:1852
 __rpm_callback+0x339/0xb60 drivers/base/power/runtime.c:334
 rpm_callback+0x106/0x220 drivers/base/power/runtime.c:461
 rpm_suspend+0x465/0x1980 drivers/base/power/runtime.c:596
 __pm_runtime_suspend+0x11e/0x230 drivers/base/power/runtime.c:1009
 pm_runtime_put_sync_autosuspend ./include/linux/pm_runtime.h:251
 usb_new_device+0xa37/0x1020 drivers/usb/core/hub.c:2487
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: 8d 7c 24 20 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5b 48 b8 00 00
00 00 00 fc ff df 4d 8b 6c 24 20 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80>
3c 02 00 75 34 4d 8b 6d 08 4d 85 ed 74 0b e8 26 2b 51 fd 4c
RIP: asix_suspend+0x76/0xc0 RSP: ffff88006bbae718
---[ end trace dfc4f5649284342c ]---

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---

Changes in v2:
- added asix_resume() fix

---
 drivers/net/usb/asix_devices.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
index b2ff88e69a81..3d4f7959dabb 100644
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -626,7 +626,7 @@ static int asix_suspend(struct usb_interface *intf, pm_message_t message)
 	struct usbnet *dev = usb_get_intfdata(intf);
 	struct asix_common_private *priv = dev->driver_priv;
 
-	if (priv->suspend)
+	if (priv && priv->suspend)
 		priv->suspend(dev);
 
 	return usbnet_suspend(intf, message);
@@ -678,7 +678,7 @@ static int asix_resume(struct usb_interface *intf)
 	struct usbnet *dev = usb_get_intfdata(intf);
 	struct asix_common_private *priv = dev->driver_priv;
 
-	if (priv->resume)
+	if (priv && priv->resume)
 		priv->resume(dev);
 
 	return usbnet_resume(intf);