From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johan Hovold, Mathias Nyman
Subject: [PATCH 5.3 014/112] xhci: Fix NULL pointer dereference in xhci_clear_tt_buffer_complete()
Date: Wed, 16 Oct 2019 14:50:06 -0700
Message-Id: <20191016214847.698593207@linuxfoundation.org>
In-Reply-To: <20191016214844.038848564@linuxfoundation.org>
References: <20191016214844.038848564@linuxfoundation.org>

From: Mathias Nyman

commit cfbb8a84c2d2ef49bccacb511002bca4f6053555 upstream.

udev stored in ep->hcpriv might be NULL if tt buffer is cleared due to a halted control endpoint during device enumeration

xhci_clear_tt_buffer_complete is called by hub_tt_work() once it's scheduled, and by then usb core might have freed and allocated a new udev for the next enumeration attempt.

Fixes: ef513be0a905 ("usb: xhci: Add Clear_TT_Buffer")
Cc: # v5.3
Reported-by: Johan Hovold
Signed-off-by: Mathias Nyman
Link: https://lore.kernel.org/r/1570190373-30684-9-git-send-email-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman

--- drivers/usb/host/xhci.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -5237,8 +5237,16 @@ static void xhci_clear_tt_buffer_complet unsigned int ep_index; unsigned long flags; + /* + * udev might be NULL if tt buffer is cleared during a failed device + * enumeration due to a halted control endpoint. Usb core might + * have allocated a new udev for the next enumeration attempt. + */ + xhci = hcd_to_xhci(hcd); udev = (struct usb_device *)ep->hcpriv; + if (!udev) + return; slot_id = udev->slot_id; ep_index = xhci_get_endpoint_index(&ep->desc);
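
Review bot: the `if (!udev) return;` check after `udev = (struct usb_device *)ep->hcpriv;` only covers the case where hcpriv has already been cleared, while the commit message also says usb core might have freed the old udev by the time hub_tt_work() runs this callback. The new comment should state what guarantees ep->hcpriv is NULL before that free happens; if nothing does, `slot_id = udev->slot_id;` on the following line can still read a stale pointer. A smaller style point: the comment block sits above `xhci = hcd_to_xhci(hcd);` but describes the udev check, so it would read better placed directly above the `udev` assignment.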