From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Mathias Nyman, Kuen-Han Tsai, Greg Kroah-Hartman, Sasha Levin, mathias.nyman@intel.com, linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 6.7 04/39] xhci: fix possible null pointer deref during xhci urb enqueue
Date: Sun, 28 Jan 2024 11:10:24 -0500
Message-ID: <20240128161130.200783-4-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240128161130.200783-1-sashal@kernel.org>
References: <20240128161130.200783-1-sashal@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-stable: review
X-stable-base: Linux 6.7.2

From: Mathias Nyman

[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ]

There is a short gap between urb being submitted and actually added to the
endpoint queue (linked). If the device is disconnected during this time
then usb core is not yet aware of the pending urb, and device may be freed
just before xhci_urb_enqueue() continues, dereferencing the freed device.

Freeing the device is protected by the xhci spinlock, so make sure we take
and keep the lock while checking that device exists, dereference it, and
add the urb to the queue.

Remove the unnecessary URB check, usb core checks it before calling
xhci_urb_enqueue().

Suggested-by: Kuen-Han Tsai
Signed-off-by: Mathias Nyman
Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
---
 drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++-----------------
 1 file changed, 23 insertions(+), 17 deletions(-)

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 884b0898d9c9..ddb686301af5 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1522,24 +1522,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag struct urb_priv *urb_priv; int num_tds; - if (!urb) - return -EINVAL; - ret = xhci_check_args(hcd, urb->dev, urb->ep, - true, true, __func__); - if (ret <= 0) - return ret ? ret : -EINVAL; - - slot_id = urb->dev->slot_id; ep_index = xhci_get_endpoint_index(&urb->ep->desc); - ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; - - if (!HCD_HW_ACCESSIBLE(hcd)) - return -ESHUTDOWN; - - if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { - xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); - return -ENODEV; - } if (usb_endpoint_xfer_isoc(&urb->ep->desc)) num_tds = urb->number_of_packets; @@ -1578,12 +1561,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag spin_lock_irqsave(&xhci->lock, flags); + ret = xhci_check_args(hcd, urb->dev, urb->ep, + true, true, __func__); + if (ret <= 0) { + ret = ret ? ret : -EINVAL; + goto free_priv; + } + + slot_id = urb->dev->slot_id; + + if (!HCD_HW_ACCESSIBLE(hcd)) { + ret = -ESHUTDOWN; + goto free_priv; + } + + if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { + xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); + ret = -ENODEV; + goto free_priv; + } + if (xhci->xhc_state & XHCI_STATE_DYING) { xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n", urb->ep->desc.bEndpointAddress, urb); ret = -ESHUTDOWN; goto free_priv; } + + ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; + if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) { xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n", *ep_state); -- 2.43.0
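Review bot: in the first hunk (@@ -1522,24 +1522,7 @@) the kept line `ep_index = xhci_get_endpoint_index(&urb->ep->desc);` and the `usb_endpoint_xfer_isoc(&urb->ep->desc)` call after it now run before `xhci_check_args(hcd, urb->dev, urb->ep, ...)` has validated the endpoint, and outside `xhci->lock`. That is only safe because `urb->ep` belongs to the caller-held urb rather than to the virt device that can be freed under the lock; a short comment above `ep_index` saying so would keep a later cleanup from treating these two lines as a leftover that should move too. Dropping `if (!urb) return -EINVAL;` is consistent with the commit message's statement that usb core checks the urb before calling in.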
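Review bot: in the second hunk (@@ -1578,12 +1561,35 @@) the invariant that makes the move correct is not written down anywhere in the code: a one-line comment above the relocated `xhci_check_args()` call, stating that the device may be freed under `xhci->lock` and that the existence check, the `xhci->devs[slot_id]->flags & VDEV_PORT_ERROR` read and the later `ep_state` dereference must therefore all stay under the same lock hold, would document what the commit message relies on. The error handling itself looks consistent: every new failure path uses `goto free_priv`, the same label the existing `XHCI_STATE_DYING` case uses, so the `urb_priv` allocated before `spin_lock_irqsave(&xhci->lock, flags)` is released and the lock dropped on one path, and `ep_state` is now read only after `xhci_check_args()` has confirmed the slot is populated.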
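The check-then-use gap the commit message describes, as an added C model that is not part of the patch or of the xhci driver: a slot table whose teardown runs under a lock, the pre-patch enqueue that checks outside the lock, and the post-patch enqueue that checks and queues under it. `lock_held`, `disconnect_hook`, `VDEV_FREED` and the `enqueue_check_*` functions are assumed names for this model only, and the hook stands in for a disconnect landing in the window between the check and the use.

```c
#include <errno.h>
#include <stddef.h>
/* Constructed single-threaded model of the race; not kernel code. lock_held
 * stands in for xhci->lock, disconnect_hook for an unplug in the check/use gap. */
#define MAX_SLOTS 4
#define VDEV_FREED 0x80          /* poison flag: a later use becomes visible */
struct vdev { int flags; int queued; };
struct xhci_model {
    int lock_held;
    struct vdev *devs[MAX_SLOTS], storage[MAX_SLOTS];
    void (*disconnect_hook)(struct xhci_model *x, int slot);
};

void model_init(struct xhci_model *x, void (*hook)(struct xhci_model *, int)) {
    x->lock_held = 0;
    x->disconnect_hook = hook;
    for (int i = 0; i < MAX_SLOTS; i++) {
        x->storage[i] = (struct vdev){0};
        x->devs[i] = &x->storage[i];
    }
}

/* Teardown as the commit message describes it: slot cleared under the lock. */
void model_free_dev(struct xhci_model *x, int slot) {
    x->lock_held++;
    x->storage[slot].flags |= VDEV_FREED;
    x->devs[slot] = NULL;
    x->lock_held--;
}

/* Pre-patch shape: existence checked and pointer captured outside the lock. */
int enqueue_check_outside_lock(struct xhci_model *x, int slot) {
    struct vdev *dev = x->devs[slot];
    if (!dev) return -ENODEV;
    if (x->disconnect_hook) x->disconnect_hook(x, slot); /* race window */
    x->lock_held++;
    dev->queued++;                       /* write to an already freed device */
    x->lock_held--;
    return 0;
}

/* Post-patch shape: check, dereference and queue under one lock hold, so a
 * disconnect, which needs the same lock, cannot run in between. */
int enqueue_check_under_lock(struct xhci_model *x, int slot) {
    x->lock_held++;
    struct vdev *dev = x->devs[slot];
    if (dev) dev->queued++;
    x->lock_held--;
    return dev ? 0 : -ENODEV;
}
```

Feeding `model_free_dev` in as the hook makes the pre-patch path succeed while writing into a slot that has already been torn down, whereas the post-patch path either queues on a live device or returns -ENODEV.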