From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zhengjun Xing, Mathias Nyman
Subject: [PATCH 4.15 37/45] xhci: Fix NULL pointer in xhci debugfs
Date: Fri, 23 Feb 2018 19:29:16 +0100
Message-Id: <20180223170721.223556618@linuxfoundation.org>
In-Reply-To: <20180223170715.197760019@linuxfoundation.org>
References: <20180223170715.197760019@linuxfoundation.org>

4.15-stable review patch. If anyone has any objections, please let me know.

------------------

From: Zhengjun Xing

commit fa2dfd0ec22e0069c84dfae162972cbbc7c75488 upstream.

Commit dde634057da7 ("xhci: Fix use-after-free in xhci debugfs") causes a null pointer dereference while fixing xhci-debugfs usage of ring pointers that were freed during hibernate.

The fix passed addresses to ring pointers instead, but forgot to do this change for the xhci_ring_trb_show function.

The address of the ring pointer passed to xhci-debugfs was of a temporary ring pointer "new_ring" instead of the actual ring "ring" pointer. The temporary new_ring pointer will be set to NULL later causing the NULL pointer dereference.

This issue was seen when reading xhci related files in debugfs:

cat /sys/kernel/debug/usb/xhci/*/devices/*/ep*/trbs

[ 184.604861] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 184.613776] IP: xhci_ring_trb_show+0x3a/0x890
[ 184.618733] PGD 264193067 P4D 264193067 PUD 263238067 PMD 0
[ 184.625184] Oops: 0000 [#1] SMP
[ 184.726410] RIP: 0010:xhci_ring_trb_show+0x3a/0x890
[ 184.731944] RSP: 0018:ffffba8243c0fd90 EFLAGS: 00010246
[ 184.737880] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000000295d6
[ 184.746020] RDX: 00000000000295d5 RSI: 0000000000000001 RDI: ffff971a6418d400
[ 184.754121] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 184.762222] R10: ffff971a64c98a80 R11: ffff971a62a00e40 R12: ffff971a62a85500
[ 184.770325] R13: 0000000000020000 R14: ffff971a6418d400 R15: ffff971a6418d400
[ 184.778448] FS: 00007fe725a79700(0000) GS:ffff971a6ec00000(0000) knlGS:0000000000000000
[ 184.787644] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 184.794168] CR2: 0000000000000000 CR3: 000000025f365005 CR4: 00000000003606f0
[ 184.802318] Call Trace:
[ 184.805094] ?
seq_read+0x281/0x3b0 [ 184.809068] seq_read+0xeb/0x3b0 [ 184.812735] full_proxy_read+0x4d/0x70 [ 184.817007] __vfs_read+0x23/0x120 [ 184.820870] vfs_read+0x91/0x130 [ 184.824538] SyS_read+0x42/0x90 [ 184.828106] entry_SYSCALL_64_fastpath+0x1a/0x7d Fixes: dde634057da7 ("xhci: Fix use-after-free in xhci debugfs") Cc: # v4.15 Signed-off-by: Zhengjun Xing Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/xhci-debugfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/usb/host/xhci-debugfs.c +++ b/drivers/usb/host/xhci-debugfs.c @@ -211,7 +211,7 @@ static void xhci_ring_dump_segment(struc static int xhci_ring_trb_show(struct seq_file *s, void *unused) { int i; - struct xhci_ring *ring = s->private; + struct xhci_ring *ring = *(struct xhci_ring **)s->private; struct xhci_segment *seg = ring->first_seg; for (i = 0; i < ring->num_segs; i++) { @@ -387,7 +387,7 @@ void xhci_debugfs_create_endpoint(struct snprintf(epriv->name, sizeof(epriv->name), "ep%02d", ep_index); epriv->root = xhci_debugfs_create_ring_dir(xhci, - &dev->eps[ep_index].new_ring, + &dev->eps[ep_index].ring, epriv->name, spriv->root); spriv->eps[ep_index] = epriv;
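
Review bot: In xhci_ring_trb_show, ring is now loaded by dereferencing the slot in s->private, and the very next declaration reads ring->first_seg with no NULL check, so a slot that happens to be NULL at read time (the condition the commit message describes for new_ring) would still oops at the same place. Consider moving the seg initialisation below a check such as "if (!ring) return 0;", or add a comment stating why the registered slot cannot be NULL while the debugfs file exists.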
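
Review bot: At the xhci_debugfs_create_ring_dir() call in xhci_debugfs_create_endpoint, nothing documents why &dev->eps[ep_index].ring is the right argument rather than .new_ring, and the two fields differ by one short prefix. A one-line comment above the argument saying that debugfs stores the address of the pointer slot, and that new_ring is set to NULL later, would make the requirement visible at the call site. It is also worth stating there that the stored address must stay valid for as long as the file exists, since every read now dereferences it.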
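
Added example, not part of the original mail or of the kernel source: a user-space C model of the slot-address scheme the commit message describes, showing what a reader sees when the file is registered on the new_ring slot versus the ring slot. The struct layouts, the helper names (dbg_file, dbg_show, ep_commit, demo), the move of new_ring into ring, and the NULL guard in the reader are assumptions made for the model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: only the field names ring/new_ring come from the patch. */
struct ring { int num_segs; };
struct ep { struct ring *ring; struct ring *new_ring; };

/* Private data of a debugfs-style file: the address of a pointer slot. */
struct dbg_file { struct ring **slot; };

/* Reader: load the current ring through the slot, as the patched show
 * function does. The NULL guard is an addition of this model so that it
 * reports -1 where the kernel code would dereference NULL. */
int dbg_show(const struct dbg_file *f)
{
    struct ring *r = *f->slot;
    return r ? r->num_segs : -1;
}

/* Assumed endpoint setup: build the ring in new_ring, move it to ring,
 * then set new_ring to NULL ("set to NULL later" in the commit message). */
void ep_commit(struct ep *e, int segs)
{
    e->new_ring = malloc(sizeof(*e->new_ring));
    if (!e->new_ring)
        abort();
    e->new_ring->num_segs = segs;
    free(e->ring);              /* old ring goes away, free(NULL) is a no-op */
    e->ring = e->new_ring;
    e->new_ring = NULL;
}

/* out[0]: value read after first setup; out[1]: after rings are rebuilt. */
void demo(int use_new_ring_slot, int out[2])
{
    struct ep e = { NULL, NULL };
    struct dbg_file f = { use_new_ring_slot ? &e.new_ring : &e.ring };

    ep_commit(&e, 2);
    out[0] = dbg_show(&f);
    ep_commit(&e, 4);           /* models free and re-allocation of rings */
    out[1] = dbg_show(&f);
    free(e.ring);
}

int main(void)
{
    int a[2], b[2];
    demo(1, a);
    demo(0, b);
    printf("new_ring slot: %d %d\nring slot: %d %d\n", a[0], a[1], b[0], b[1]);
    return 0;
}
```

Because the file holds the slot address rather than a ring value, the ring slot keeps tracking the live ring across re-allocation, while the new_ring slot reads NULL once setup has finished.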