From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Greg Kroah-Hartman", "Mathias Nyman", "Sudip Mukherjee", "Alan Stern"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 207/328] usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman

commit f9a5b4f58b280c1d26255376713c132f93837621 upstream.

The steps taken by usb core to set a new interface are very different
from what is done on the xHC host side.

xHC hardware will do everything in one go. One command is used to
set up new endpoints, free old endpoints, check bandwidth, and run the
new endpoints.

All this is done by xHC when usb core asks the hcd to check for
available bandwidth. At this point usb core has not yet flushed the old
endpoints, which will cause use-after-free issues in the xhci driver as
queued URBs are cancelled on a re-allocated endpoint.

To resolve this, add a call to usb_disable_interface() which will flush
the endpoints before calling usb_hcd_alloc_bandwidth().

Additional checks in the xhci driver will also be implemented to
gracefully handle stale URB cancel on freed and re-allocated endpoints.

Reported-by: Sudip Mukherjee
Signed-off-by: Mathias Nyman
Acked-by: Alan Stern
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
 drivers/usb/core/message.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1284,6 +1284,11 @@ void usb_enable_interface(struct usb_dev * is submitted that needs that bandwidth. Some other operating systems * allocate bandwidth early, when a configuration is chosen. * + * xHCI reserves bandwidth and configures the alternate setting in + * usb_hcd_alloc_bandwidth(). If it fails the original interface altsetting + * may be disabled. Drivers cannot rely on any particular alternate + * setting being in effect after a failure. + * * This call is synchronous, and may not be used in an interrupt context. * Also, drivers must not change altsettings while urbs are scheduled for * endpoints in that interface; all such urbs must first be completed @@ -1319,6 +1324,12 @@ int usb_set_interface(struct usb_device alternate); return -EINVAL; } + /* + * usb3 hosts configure the interface in usb_hcd_alloc_bandwidth, + * including freeing dropped endpoint ring buffers. + * Make sure the interface endpoints are flushed before that + */ + usb_disable_interface(dev, iface, false); /* Make sure we have enough bandwidth for this alternate interface. * Remove the current alt setting and add the new alt setting.
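Review bot: the new kerneldoc paragraph in the first hunk (the `+ * xHCI reserves bandwidth and configures the alternate setting in` lines) documents the consequence of a failed usb_hcd_alloc_bandwidth() but not its cause, which is the point of this patch: the original altsetting may be disabled because its endpoints are now flushed before the bandwidth call is made. Say so in the comment, e.g. `+ * usb_hcd_alloc_bandwidth(), after the current altsetting's endpoints` / `+ * have been flushed.  If it fails, the original interface altsetting`, so a driver author reading only the kerneldoc learns that queued URBs are unlinked even on the failure path. "If it fails the original" also wants a comma after "fails".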
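Review bot: in the second hunk, the comment above the new `usb_disable_interface(dev, iface, false);` call says "usb3 hosts", while the commit message ("xHC host side", "xhci driver") and the kerneldoc hunk both name xHCI; the behaviour described is the xHCI host controller driver's, not a property of the device's speed, so use "xHCI" here as well. The call is unconditional and precedes the bandwidth check, so the old altsetting's URBs are flushed even when usb_hcd_alloc_bandwidth() later fails; the comment should state that, since it is the caller-visible change, and the bare `false` argument deserves a word on what is being skipped, e.g. `+	 * usb_disable_interface(dev, iface, false);	/* flush only, keep ep tables */` in the project's comment style. "Make sure the interface endpoints are flushed before that" also lacks a terminating period.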
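The ordering problem the commit message describes, as an added example in plain C. This is not kernel code and not part of Mathias Nyman's patch: the `ring`, `urb`, `endpoint` structs and the `hcd_alloc_bandwidth()`, `endpoint_flush()`, `set_interface_old()` and `set_interface_fixed()` functions are hypothetical stand-ins for the xHCI transfer ring, the queued-URB list, the "configure endpoint" step and the two call orders in usb_set_interface(). Rings come from a static pool and are poisoned rather than released, so the stale access that would be a use-after-free in the driver is counted deterministically instead of being undefined behaviour.

```c
/*
 * Added example (not kernel code): why the order of "cancel queued URBs"
 * versus "drop and reallocate the endpoint ring" matters.
 *
 * Hypothetical model of the xHCI side. Rings live in a static pool and are
 * only marked freed, so a stale dereference is a counted event here rather
 * than the real use-after-free it would be in the driver.
 */
#include <stdio.h>
#include <stdlib.h>

#define MAX_URBS  4
#define MAX_RINGS 16

/* A transfer ring as the host controller driver would own it. */
struct ring {
	unsigned int id;   /* allocation generation */
	int freed;         /* 1 once the ring was released */
};

/* A queued URB keeps a raw pointer to the ring it was enqueued on. */
struct urb {
	struct ring *ring;
	int cancelled;
};

struct endpoint {
	struct ring *ring;
	struct urb *queue[MAX_URBS];
	int nqueued;
};

static struct ring ring_pool[MAX_RINGS];
static unsigned int rings_used;

static struct ring *ring_alloc(void)
{
	if (rings_used >= MAX_RINGS)
		abort();
	struct ring *r = &ring_pool[rings_used++];
	r->id = rings_used;
	r->freed = 0;
	return r;
}

/* "Free" by poisoning: the memory stays so stale use can be detected. */
static void ring_free(struct ring *r)
{
	r->freed = 1;
}

/* Queue an URB on the endpoint's current ring. */
static int urb_submit(struct endpoint *ep, struct urb *u)
{
	if (ep->nqueued >= MAX_URBS)
		return -1;
	u->ring = ep->ring;
	u->cancelled = 0;
	ep->queue[ep->nqueued++] = u;
	return 0;
}

/*
 * Cancel every queued URB (what usb_disable_interface() leads to).
 * Returns how many cancellations touched a ring that was already
 * released: each one is the use-after-free in the real driver.
 */
static int endpoint_flush(struct endpoint *ep)
{
	int stale = 0;

	for (int i = 0; i < ep->nqueued; i++) {
		struct urb *u = ep->queue[i];
		if (u->ring->freed)
			stale++;
		u->cancelled = 1;
	}
	ep->nqueued = 0;
	return stale;
}

/* The xHC "configure endpoint" step: old ring dropped, new ring installed. */
static void hcd_alloc_bandwidth(struct endpoint *ep)
{
	ring_free(ep->ring);
	ep->ring = ring_alloc();
}

/* Pre-fix order: reallocate first, cancel queued URBs afterwards. */
static int set_interface_old(struct endpoint *ep)
{
	hcd_alloc_bandwidth(ep);
	return endpoint_flush(ep);   /* cancels on a ring that is gone */
}

/* Fixed order: flush the endpoints, then let the hcd reconfigure. */
static int set_interface_fixed(struct endpoint *ep)
{
	int stale = endpoint_flush(ep);

	hcd_alloc_bandwidth(ep);
	return stale;
}

/*
 * Queue n URBs on a fresh endpoint, run one of the two orderings and
 * return the number of stale-ring cancellations it produced.
 */
static int run_scenario(int (*set_interface)(struct endpoint *), int n)
{
	struct urb urbs[MAX_URBS];
	struct endpoint ep;

	rings_used = 0;
	ep.ring = ring_alloc();
	ep.nqueued = 0;
	for (int i = 0; i < n && i < MAX_URBS; i++)
		urb_submit(&ep, &urbs[i]);
	return set_interface(&ep);
}

int main(void)
{
	printf("old order, 2 URBs queued: %d stale cancels\n",
	       run_scenario(set_interface_old, 2));
	printf("fixed order, 2 URBs queued: %d stale cancels\n",
	       run_scenario(set_interface_fixed, 2));
	return 0;
}
```

With two URBs queued the pre-fix order reports two stale cancellations and the fixed order none; with nothing queued both orders are harmless, which is why the bug only shows up when a driver changes altsettings while transfers are still in flight.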