[PATCH] usb: typec: mux: fix NULL pointer dereference in {typec_switch,mux}_put

[齐柯宇]

This fix was discovered through static code analysis.

In typec_switch_put() and typec_mux_put(), the code directly dereferences
sw_dev->dev.parent->driver->owner without checking if 'driver' is NULL.
This can lead to a NULL pointer dereference kernel crash.

[Call Chain Analysis]
The vulnerable functions are called through the following paths:

  Acquisition path (fwnode_typec_switch_get):
    typec_port_register()           [class.c]
      -> typec_switch_get()         [typec_mux.h]
        -> fwnode_typec_switch_get() [mux.c]
          -> class_find_device()    (gets device reference)
          -> try_module_get(sw_devs[i]->dev.parent->driver->owner)
          -> stores to sw->sw_devs[i]

  Release path (typec_switch_put):
    typec_release()                 [class.c]
      -> typec_switch_put()         [mux.c]
        -> module_put(sw_dev->dev.parent->driver->owner)  <- BUG!
        -> put_device(&sw_dev->dev)

  Registration path (typec_switch_register):
    I2C/Platform driver probe()
      -> typec_switch_register(dev, &sw_desc) [mux.c]
        -> sw_dev->dev.parent = parent  (sets parent device)
        -> device_add(&sw_dev->dev)

[Data Flow Analysis]
The critical data flow is:

  sw_dev->dev.parent:
    - Set by typec_switch_register() from the 'parent' parameter
    - Typically an I2C or Platform device (e.g., &client->dev)

  sw_dev->dev.parent->driver:
    - Managed by kernel driver model (drivers/base/dd.c)
    - Set to driver pointer when driver binds (really_probe)
    - Set to NULL when driver unbinds (__device_release_driver)

[Race Condition Scenario]
The vulnerability can be triggered by the following race condition:

  Thread A (normal operation)        Thread B (attacker/event)
  ----------------------------       -------------------------
  T1: typec_port_register()
  T2: fwnode_typec_switch_get()
  T3: try_module_get(parent->driver->owner)
  T4: store sw_devs[i]
      ...
                                     T5: echo <dev> > unbind
                                     T6: device_driver_detach()
                                     T7: parent->driver = NULL
  T8: typec_switch_put(sw)
  T9: module_put(parent->driver->owner)
      -> NULL pointer dereference!

[User-Triggerable Paths]
Users can trigger this vulnerability through:

  1. sysfs unbind interface (requires root):
     # echo "<device>" > /sys/bus/i2c/drivers/<driver>/unbind

  2. Module unloading (requires root):
     # rmmod <switch_driver_module>

  3. USB Type-C hot-unplug (physical access):
     Physically removing the USB-C device or its parent device

How to fix:
Add NULL checks for both 'parent' and 'parent->driver' before calling
module_put() in typec_switch_put() and typec_mux_put().

Fixes: 71793b579ba68 ("usb: typec: mux: Allow multiple mux_devs per mux")
Signed-off-by: Kery Qi <qikeyu2017@xxxxxxxxx>
---
 drivers/usb/typec/mux.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/typec/mux.c b/drivers/usb/typec/mux.c
index 182c902c42f6..6ed8bb999ee0 100644
--- a/drivers/usb/typec/mux.c
+++ b/drivers/usb/typec/mux.c
@@ -134,7 +134,8 @@ void typec_switch_put(struct typec_switch *sw)
  for (i = 0; i < sw->num_sw_devs; i++) {
    sw_dev = sw->sw_devs[i];

-   module_put(sw_dev->dev.parent->driver->owner);
+   if (sw_dev->dev.parent && sw_dev->dev.parent->driver)
+     module_put(sw_dev->dev.parent->driver->owner);
    put_device(&sw_dev->dev);
  }
  kfree(sw);
@@ -358,7 +359,8 @@ void typec_mux_put(struct typec_mux *mux)

  for (i = 0; i < mux->num_mux_devs; i++) {
    mux_dev = mux->mux_devs[i];
-   module_put(mux_dev->dev.parent->driver->owner);
+   if (mux_dev->dev.parent && mux_dev->dev.parent->driver)
+     module_put(mux_dev->dev.parent->driver->owner);
    put_device(&mux_dev->dev);
  }
  kfree(mux);
-- 
2.34.1