From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Greg Kroah-Hartman", "Mathias Nyman"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 081/254] xhci: Don't add a virt_dev to the devs array before it's fully allocated

3.16.55-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mathias Nyman

commit 5d9b70f7d52eb14bb37861c663bae44de9521c35 upstream.

Avoid null pointer dereference if some function is walking through the devs array accessing members of a new virt_dev that is mid allocation.

Add the virt_dev to xhci->devs[i] _after_ the virt_device and all its members are properly allocated.

issue found by KASAN: null-ptr-deref in xhci_find_slot_id_by_port

"Quick analysis suggests that xhci_alloc_virt_device() is not mutex protected. If so, there is a time frame where xhci->devs[slot_id] is set but not fully initialized. Specifically, xhci->devs[i]->udev can be NULL."

Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman
[bwh: Backported to 3.16: There is an extra failure path, so we may need to free dev->eps[0].ring]
Signed-off-by: Ben Hutchings
---
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1018,10 +1018,9 @@ int xhci_alloc_virt_device(struct xhci_h return 0; } - xhci->devs[slot_id] = kzalloc(sizeof(*xhci->devs[slot_id]), flags); - if (!xhci->devs[slot_id]) + dev = kzalloc(sizeof(*dev), flags); + if (!dev) return 0; - dev = xhci->devs[slot_id]; /* Allocate the (output) device context that will be used in the HC. */ dev->out_ctx = xhci_alloc_container_ctx(xhci, XHCI_CTX_TYPE_DEVICE, flags); @@ -1069,9 +1068,19 @@ int xhci_alloc_virt_device(struct xhci_h &xhci->dcbaa->dev_context_ptrs[slot_id], le64_to_cpu(xhci->dcbaa->dev_context_ptrs[slot_id])); + xhci->devs[slot_id] = dev; + return 1; fail: - xhci_free_virt_device(xhci, slot_id); + + if (dev->eps[0].ring) + xhci_ring_free(xhci, dev->eps[0].ring); + if (dev->in_ctx) + xhci_free_container_ctx(xhci, dev->in_ctx); + if (dev->out_ctx) + xhci_free_container_ctx(xhci, dev->out_ctx); + kfree(dev); + return 0; }
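Review bot: in the first hunk (@@ -1018), once `dev = kzalloc(sizeof(*dev), flags);` replaces the store into `xhci->devs[slot_id]`, that array entry stays NULL until the second hunk assigns it, so any remaining read of `xhci->devs[slot_id]` in the unchanged body of xhci_alloc_virt_device() between the two hunks (not visible here) would now dereference NULL; the removed `dev = xhci->devs[slot_id];` suggests the body only uses the local `dev`, but that is worth confirming against the full function before merging the backport.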
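Review bot: in the second hunk (@@ -1069), the open-coded cleanup after `fail:` must cover every allocation the function can fail after, because `xhci_free_virt_device(xhci, slot_id)` can no longer be used (the slot is not in xhci->devs yet); the three conditional frees plus `kfree(dev);` match out_ctx, in_ctx and eps[0].ring as the [bwh] note describes, and a one-line comment at `fail:` explaining why the helper is not called would stop a later backport from reintroducing it. The bare `+` line directly after `fail:` is stray whitespace. Also note that `xhci->devs[slot_id] = dev;` is a plain store with no locking added: it closes the half-initialised window the KASAN report describes, but walkers of xhci->devs still run concurrently with allocation, as the quoted analysis in the commit message observes.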
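Added example, not part of the patch or the xhci driver: a constructed C model of the race the commit message describes, with stand-ins for xhci->devs, the virt_device and a walker like xhci_find_slot_id_by_port(), showing what a concurrent walker observes under the pre-patch and patched publish order.

```c
#include <stdlib.h>
#define MAX_SLOTS 8

/* Constructed stand-ins for struct xhci_virt_device / struct xhci_hcd. */
struct virt_device {
	void *udev;   /* NULL until allocation finishes, like xhci->devs[i]->udev */
	int port;
};
struct host {
	struct virt_device *devs[MAX_SLOTS];   /* slot 0 unused, as in xHCI */
};

/* Models a walker such as xhci_find_slot_id_by_port(): it treats any non-NULL
 * devs[] entry as complete. Returns the matching slot, 0 for no match, or -1
 * where the real driver would hit the KASAN null-ptr-deref on ->udev. */
static int find_slot_by_port(struct host *h, int port)
{
	for (int i = 1; i < MAX_SLOTS; i++) {
		if (!h->devs[i])
			continue;
		if (!h->devs[i]->udev)
			return -1;
		if (h->devs[i]->port == port)
			return i;
	}
	return 0;
}

/* The walker runs at the exact point where the real allocator can be
 * preempted: after the slot pointer may exist, before udev is filled in.
 * publish_early = 1 is the pre-patch order (devs[slot] = kzalloc(), then
 * fill); 0 is the patched order (fill a private dev, then devs[slot] = dev).
 * Returns what the concurrent walker saw, or -2 on allocation failure. */
static int alloc_virt_device(struct host *h, int slot_id, int port,
			     void *udev, int publish_early, int walker_port)
{
	struct virt_device *dev = calloc(1, sizeof(*dev));
	int seen;

	if (!dev)
		return -2;
	if (publish_early)
		h->devs[slot_id] = dev;
	seen = find_slot_by_port(h, walker_port);   /* the racing walker */
	dev->port = port;
	dev->udev = udev;
	if (!publish_early)
		h->devs[slot_id] = dev;   /* publish only once fully built */
	return seen;
}
```

The defensive lesson for any other walker of xhci->devs is the same one the patch encodes: a pointer in the table must mean a fully built device, so publication has to be the last step.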