CVE-2021-47413

In the Linux kernel, the following vulnerability has been resolved: usb:
chipidea: ci_hdrc_imx: Also search for ‘phys’ phandle When passing ‘phys’
in the devicetree to describe the USB PHY phandle (which is the recommended
way according to Documentation/devicetree/bindings/usb/ci-hdrc-usb2.txt)
the following NULL pointer dereference is observed on i.MX7 and i.MX8MM: [
1.489344] Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000098 [ 1.498170] Mem abort info: [ 1.500966] ESR =
0x96000044 [ 1.504030] EC = 0x25: DABT (current EL), IL = 32 bits [
1.509356] SET = 0, FnV = 0 [ 1.512416] EA = 0, S1PTW = 0 [ 1.515569] FSC =
0x04: level 0 translation fault [ 1.520458] Data abort info: [ 1.523349]
ISV = 0, ISS = 0x00000044 [ 1.527196] CM = 0, WnR = 1 [ 1.530176]
[0000000000000098] user address but active_mm is swapper [ 1.536544]
Internal error: Oops: 96000044 [#1] PREEMPT SMP [ 1.542125] Modules linked
in: [ 1.545190] CPU: 3 PID: 7 Comm: kworker/u8:0 Not tainted 5.14.0-dirty
#3 [ 1.551901] Hardware name: Kontron i.MX8MM N801X S (DT) [ 1.557133]
Workqueue: events_unbound deferred_probe_work_func [ 1.562984] pstate:
80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=–) [ 1.568998] pc :
imx7d_charger_detection+0x3f0/0x510 [ 1.573973] lr :
imx7d_charger_detection+0x22c/0x510 This happens because the charger
functions check for the phy presence inside the imx_usbmisc_data structure
(data->usb_phy), but the chipidea core populates the usb_phy passed via
‘phys’ inside ‘struct ci_hdrc’ (ci->usb_phy) instead. This causes the NULL
pointer dereference inside imx7d_charger_detection(). Fix it by also
searching for ‘phys’ in case ‘fsl,usbphy’ is not found. Tested on a
imx7s-warp board.