From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Carsten Schmid, Mathias Nyman
Subject: [PATCH 4.14 26/69] usb: xhci: avoid null pointer deref when bos field is NULL
Date: Fri, 7 Jun 2019 17:39:07 +0200
Message-Id: <20190607153851.613841948@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190607153848.271562617@linuxfoundation.org>
References: <20190607153848.271562617@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Carsten Schmid

commit 7aa1bb2ffd84d6b9b5f546b079bb15cd0ab6e76e upstream.

With defective USB sticks we see the following error happen:

usb 1-3: new high-speed USB device number 6 using xhci_hcd
usb 1-3: device descriptor read/64, error -71
usb 1-3: device descriptor read/64, error -71
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: device descriptor read/64, error -71
usb 1-3: unable to get BOS descriptor set
usb 1-3: New USB device found, idVendor=0781, idProduct=5581
usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
...
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008

This comes from the following place:

[ 1660.215380] IP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
[ 1660.222092] PGD 0 P4D 0
[ 1660.224918] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 1660.425520] CPU: 1 PID: 38 Comm: kworker/1:1 Tainted: P U W O 4.14.67-apl #1
[ 1660.434277] Workqueue: usb_hub_wq hub_event [usbcore]
[ 1660.439918] task: ffffa295b6ae4c80 task.stack: ffffad4580150000
[ 1660.446532] RIP: 0010:xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
[ 1660.453821] RSP: 0018:ffffad4580153c70 EFLAGS: 00010046
[ 1660.459655] RAX: 0000000000000000 RBX: ffffa295b4d7c000 RCX: 0000000000000002
[ 1660.467625] RDX: 0000000000000002 RSI: ffffffff984a55b2 RDI: ffffffff984a55b2
[ 1660.475586] RBP: ffffad4580153cc8 R08: 0000000000d6520a R09: 0000000000000001
[ 1660.483556] R10: ffffad4580a004a0 R11: 0000000000000286 R12: ffffa295b4d7c000
[ 1660.491525] R13: 0000000000010648 R14: ffffa295a84e1800 R15: 0000000000000000
[ 1660.499494] FS:  0000000000000000(0000) GS:ffffa295bfc80000(0000) knlGS:0000000000000000
[ 1660.508530] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1660.514947] CR2: 0000000000000008 CR3: 000000025a114000 CR4: 00000000003406a0
[ 1660.522917] Call Trace:
[ 1660.525657]  usb_set_usb2_hardware_lpm+0x3d/0x70 [usbcore]
[ 1660.531792]  usb_disable_device+0x242/0x260 [usbcore]
[ 1660.537439]  usb_disconnect+0xc1/0x2b0 [usbcore]
[ 1660.542600]  hub_event+0x596/0x18f0 [usbcore]
[ 1660.547467]  ? trace_preempt_on+0xdf/0x100
[ 1660.552040]  ? process_one_work+0x1c1/0x410
[ 1660.556708]  process_one_work+0x1d2/0x410
[ 1660.561184]  ? preempt_count_add.part.3+0x21/0x60
[ 1660.566436]  worker_thread+0x2d/0x3f0
[ 1660.570522]  kthread+0x122/0x140
[ 1660.574123]  ? process_one_work+0x410/0x410
[ 1660.578792]  ? kthread_create_on_node+0x60/0x60
[ 1660.583849]  ret_from_fork+0x3a/0x50
[ 1660.587839] Code: 00 49 89 c3 49 8b 84 24 50 16 00 00 8d 4a ff 48 8d 04 c8 48 89 ca 4c 8b 10 45 8b 6a 04 48 8b 00 48 89 45 c0 49 8b 86 80 03 00 00 <48> 8b 40 08 8b 40 03 0f 1f 44 00 00 45 85 ff 0f 84 81 01 00 00
[ 1660.608980] RIP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] RSP: ffffad4580153c70
[ 1660.617921] CR2: 0000000000000008

Tracking this down shows that udev->bos is NULL in the following code:
(xhci.c, in xhci_set_usb2_hardware_lpm)

	field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); <<<<<<< here

	xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n",
			enable ? "enable" : "disable", port_num + 1);

	if (enable) {
		/* Host supports BESL timeout instead of HIRD */
		if (udev->usb2_hw_lpm_besl_capable) {
			/* if device doesn't have a preferred BESL value use a
			 * default one which works with mixed HIRD and BESL
			 * systems. See XHCI_DEFAULT_BESL definition in xhci.h
			 */
			if ((field & USB_BESL_SUPPORT) &&
			    (field & USB_BESL_BASELINE_VALID))
				hird = USB_GET_BESL_BASELINE(field);
			else
				hird = udev->l1_params.besl;

The failing case is when disabling LPM. So it is sufficient to avoid
access to udev->bos by moving the instruction into the "enable" clause.

Cc: Stable
Signed-off-by: Carsten Schmid
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman

---
 drivers/usb/host/xhci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4153,7 +4153,6 @@ static int xhci_set_usb2_hardware_lpm(st pm_addr = port_array[port_num] + PORTPMSC; pm_val = readl(pm_addr); hlpm_addr = port_array[port_num] + PORTHLPMC; - field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n", enable ? "enable" : "disable", port_num + 1); @@ -4165,6 +4164,7 @@ static int xhci_set_usb2_hardware_lpm(st * default one which works with mixed HIRD and BESL * systems. See XHCI_DEFAULT_BESL definition in xhci.h */ + field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); if ((field & USB_BESL_SUPPORT) && (field & USB_BESL_BASELINE_VALID)) hird = USB_GET_BESL_BASELINE(field);
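Review bot: in the second hunk the moved read `field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);` now runs only inside `if (udev->usb2_hw_lpm_besl_capable)`, which removes the dereference from the disable path in the report, but the enable path is safe only if usb2_hw_lpm_besl_capable is never set for a device whose BOS read failed ("unable to get BOS descriptor set" in the log), and nothing in the visible lines of this function records that invariant. Suggest a one-line comment at the moved read stating that besl_capable implies a parsed bos->ext_cap, or a defensive `if (!udev->bos || !udev->bos->ext_cap)` bail-out just before it, so a later change to how that flag is set cannot silently bring the NULL dereference back on the enable path. The first hunk is fine on its own: as the snippet in the commit message shows, `field` has no consumer between its old position and the BESL block, so moving it changes nothing else.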
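The NULL dereference and the patch's fix, as an added stand-alone C model of the function (this is example code written for this page, not the kernel's or the patch author's; the trimmed struct usb_device and struct usb_host_bos, MODEL_DEFAULT_HIRD, the scenario functions and the sample descriptor values are constructed, and the NULL guard in lpm_after_fix goes beyond what the patch does):

```c
/* Added example, not kernel code: a user-space model of the
 * xhci_set_usb2_hardware_lpm() NULL dereference and of the patch's fix
 * (move the bmAttributes read into the branch that needs it). Field and
 * macro names mirror the kernel's; the structs are constructed here and
 * hold only what the example needs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* bmAttributes bits of the USB 2.0 Extension descriptor, as defined in
 * include/uapi/linux/usb/ch9.h. */
#define USB_BESL_SUPPORT         (1 << 2)
#define USB_BESL_BASELINE_VALID  (1 << 3)
#define USB_GET_BESL_BASELINE(p) (((p) & (0xf << 8)) >> 8)

/* Constructed stand-in for the value xhci_calculate_hird_besl() computes. */
#define MODEL_DEFAULT_HIRD 4

struct usb_ext_cap_descriptor { uint32_t bmAttributes; };
/* desc comes first, as in the kernel, so ext_cap sits at offset 8 on a
 * 64-bit build: that is the "at 0000000000000008" address in the Oops. */
struct usb_host_bos { void *desc; struct usb_ext_cap_descriptor *ext_cap; };
struct usb_device {
	struct usb_host_bos *bos;       /* NULL after "unable to get BOS descriptor set" */
	bool usb2_hw_lpm_besl_capable;
	int l1_params_besl;             /* models udev->l1_params.besl */
};

/* Shape of the code before the patch: the descriptor is dereferenced
 * unconditionally, before the function knows whether it is needed.
 * With bos == NULL this is the kernel Oops (a segfault here), so the
 * scenarios below only call it with a descriptor present. */
int lpm_before_fix(struct usb_device *udev, bool enable)
{
	uint32_t field = udev->bos->ext_cap->bmAttributes;  /* unconditional read */

	if (!enable)
		return 0;
	if (!udev->usb2_hw_lpm_besl_capable)
		return MODEL_DEFAULT_HIRD;
	if ((field & USB_BESL_SUPPORT) && (field & USB_BESL_BASELINE_VALID))
		return USB_GET_BESL_BASELINE(field);
	return udev->l1_params_besl;
}

/* Shape after the patch: the read sits inside the branch that consumes it,
 * so the disable path never touches udev->bos. The NULL guard is an
 * addition of this example, not part of the kernel patch. */
int lpm_after_fix(struct usb_device *udev, bool enable)
{
	uint32_t field;

	if (!enable)
		return 0;                       /* disable: no descriptor needed */
	if (!udev->usb2_hw_lpm_besl_capable)
		return MODEL_DEFAULT_HIRD;
	if (!udev->bos || !udev->bos->ext_cap)
		return -1;                      /* refuse instead of oops */
	field = udev->bos->ext_cap->bmAttributes;   /* the moved read */
	if ((field & USB_BESL_SUPPORT) && (field & USB_BESL_BASELINE_VALID))
		return USB_GET_BESL_BASELINE(field);
	return udev->l1_params_besl;
}

/* Constructed sample descriptor: BESL supported, baseline valid, baseline 5. */
static struct usb_ext_cap_descriptor sample_cap = {
	.bmAttributes = USB_BESL_SUPPORT | USB_BESL_BASELINE_VALID | (5u << 8),
};
static struct usb_host_bos sample_bos = { .desc = NULL, .ext_cap = &sample_cap };

/* The reported case: BOS read failed, LPM being disabled on disconnect. */
int scenario_disable_without_bos(void)
{
	struct usb_device udev = { .bos = NULL, .usb2_hw_lpm_besl_capable = false };
	return lpm_after_fix(&udev, false);          /* 0 */
}

/* Healthy device: the baseline BESL comes out of bmAttributes. */
int scenario_enable_with_baseline(void)
{
	struct usb_device udev = { .bos = &sample_bos, .usb2_hw_lpm_besl_capable = true,
				   .l1_params_besl = 9 };
	return lpm_after_fix(&udev, true);           /* 5 */
}

/* Descriptor present but no valid baseline: l1_params.besl is used. */
int scenario_enable_with_fallback(void)
{
	struct usb_ext_cap_descriptor cap = { .bmAttributes = USB_BESL_SUPPORT };
	struct usb_host_bos bos = { .desc = NULL, .ext_cap = &cap };
	struct usb_device udev = { .bos = &bos, .usb2_hw_lpm_besl_capable = true,
				   .l1_params_besl = 9 };
	return lpm_after_fix(&udev, true);           /* 9 */
}

/* State the kernel should never reach (besl_capable without a BOS): the
 * added guard returns an error instead of dereferencing NULL. */
int scenario_enable_without_bos(void)
{
	struct usb_device udev = { .bos = NULL, .usb2_hw_lpm_besl_capable = true };
	return lpm_after_fix(&udev, true);           /* -1 */
}

/* Both versions agree whenever the descriptor is present. */
int scenario_before_fix_with_bos(void)
{
	struct usb_device udev = { .bos = &sample_bos, .usb2_hw_lpm_besl_capable = true };
	return lpm_before_fix(&udev, true);          /* 5 */
}

int main(void)
{
	printf("disable, no BOS:  %d\n", scenario_disable_without_bos());
	printf("enable, baseline: %d\n", scenario_enable_with_baseline());
	printf("enable, fallback: %d\n", scenario_enable_with_fallback());
	printf("enable, no BOS:   %d\n", scenario_enable_without_bos());
	printf("before fix, BOS:  %d\n", scenario_before_fix_with_bos());
	return 0;
}
```

Build with `cc -std=c99 -Wall lpm_model.c` and run it. The disable path is the one usb_disable_device() takes during disconnect, which is why the report always hits it; after the reordering that path has no dependency on the descriptor at all, and the extra guard in lpm_after_fix turns the remaining inconsistent state (flag set, descriptor missing) into a clean error return rather than a crash.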