From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sudip Mukherjee, Mathias Nyman
Subject: [PATCH 4.18 113/235] xhci: Fix use after free for URB cancellation on a reallocated endpoint
Date: Mon, 24 Sep 2018 13:51:39 +0200
Message-Id: <20180924113117.174484233@linuxfoundation.org>
In-Reply-To: <20180924113103.999624566@linuxfoundation.org>
References: <20180924113103.999624566@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
User-Agent: quilt/0.65
X-stable: review

4.18-stable review patch. If anyone has any objections, please let me know.

------------------
From: Mathias Nyman

commit 4937213ba7fafa13f30496b3965ffe93970d8b53 upstream.

Make sure the cancelled URB is on the current endpoint ring. If the endpoint ring has been reallocated since the URB was enqueued then the URB may contain TD and TRB pointers to an already freed ring. In this case return the URB without touching any of the freed ring structure data. Don't try to stop the ring. It would be useless.

This can occur if the endpoint is not flushed before it is dropped and re-added, which is the case in usb_set_interface() as xhci does things in an odd order.

Cc:
Tested-by: Sudip Mukherjee
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/host/xhci.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -37,6 +37,21 @@ static unsigned long long quirks;
 module_param(quirks, ullong, S_IRUGO);
 MODULE_PARM_DESC(quirks, "Bit flags for quirks to be enabled as default");
 
+static bool td_on_ring(struct xhci_td *td, struct xhci_ring *ring)
+{
+	struct xhci_segment *seg = ring->first_seg;
+
+	if (!td || !td->start_seg)
+		return false;
+	do {
+		if (seg == td->start_seg)
+			return true;
+		seg = seg->next;
+	} while (seg && seg != ring->first_seg);
+
+	return false;
+}
+
 /* TODO: copied from ehci-hcd.c - can this be refactored? */
 /*
  * xhci_handshake - spin reading hc until handshake completes or fails
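Review bot: `td_on_ring()` dereferences `ring->first_seg` on its first line, before the `if (!td || !td->start_seg)` guard, so a NULL `ring` faults instead of returning false; either add `if (!ring) return false;` alongside the TD check or state in a comment that callers must pass a valid ring. A one-line comment on the helper would also help readers: it only verifies that the TD's `start_seg` is one of the ring's segments (walking `seg->next` until it wraps to `first_seg` or hits NULL), which is exactly the property the dequeue path needs but is not obvious from the name alone.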
@@ -1571,6 +1586,21 @@ static int xhci_urb_dequeue(struct usb_h
 		goto done;
 	}
 
+	/*
+	 * check ring is not re-allocated since URB was enqueued. If it is, then
+	 * make sure none of the ring related pointers in this URB private data
+	 * are touched, such as td_list, otherwise we overwrite freed data
+	 */
+	if (!td_on_ring(&urb_priv->td[0], ep_ring)) {
+		xhci_err(xhci, "Canceled URB td not found on endpoint ring");
+		for (i = urb_priv->num_tds_done; i < urb_priv->num_tds; i++) {
+			td = &urb_priv->td[i];
+			if (!list_empty(&td->cancelled_td_list))
+				list_del_init(&td->cancelled_td_list);
+		}
+		goto err_giveback;
+	}
+
 	if (xhci->xhc_state & XHCI_STATE_HALTED) {
 		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
 				"HC halted, freeing TD manually.");
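Review bot: the `xhci_err()` in the new `!td_on_ring()` branch fires on a path the commit message describes as reachable through ordinary `usb_set_interface()` ordering, so it will log at error level during normal operation; `xhci_warn()` or `xhci_dbg_trace()` would be more appropriate unless the intent is to surface every occurrence. Two smaller points: the `if (!list_empty(...))` guard around `list_del_init()` is redundant, since `list_del_init()` is already safe on an initialised empty node, and the branch relies on `i` and `td` being existing locals of `xhci_urb_dequeue()` that are not visible in this hunk. The comment could also say why checking only `td[0]` is sufficient (all TDs of one URB live on the same ring), and its wording would read better as "check the ring has not been reallocated since the URB was enqueued".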