From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Mathias Nyman, Kuen-Han Tsai, Greg Kroah-Hartman, Sasha Levin, mathias.nyman@intel.com, linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 04/31] xhci: fix possible null pointer deref during xhci urb enqueue
Date: Sun, 28 Jan 2024 11:12:34 -0500
Message-ID: <20240128161315.201999-4-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240128161315.201999-1-sashal@kernel.org>
References: <20240128161315.201999-1-sashal@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 6.6.14
Content-Transfer-Encoding: 8bit

From: Mathias Nyman

[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ]

There is a short gap between urb being submitted and actually added to
the endpoint queue (linked). If the device is disconnected during this
time then usb core is not yet aware of the pending urb, and device may
be freed just before xhci_urb_enqueue() continues, dereferencing the
freed device.

Freeing the device is protected by the xhci spinlock, so make sure we
take and keep the lock while checking that device exists, dereference
it, and add the urb to the queue.

Remove the unnecessary URB check; usb core checks it before calling
xhci_urb_enqueue().

Suggested-by: Kuen-Han Tsai
Signed-off-by: Mathias Nyman
Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
---
 drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++-----------------
 1 file changed, 23 insertions(+), 17 deletions(-)

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 132b76fa7ca6..e39c5ba9b7c7 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1498,24 +1498,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag struct urb_priv *urb_priv; int num_tds; - if (!urb) - return -EINVAL; - ret = xhci_check_args(hcd, urb->dev, urb->ep, - true, true, __func__); - if (ret <= 0) - return ret ? ret : -EINVAL; - - slot_id = urb->dev->slot_id; ep_index = xhci_get_endpoint_index(&urb->ep->desc); - ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; - - if (!HCD_HW_ACCESSIBLE(hcd)) - return -ESHUTDOWN; - - if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { - xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); - return -ENODEV; - } if (usb_endpoint_xfer_isoc(&urb->ep->desc)) num_tds = urb->number_of_packets; @@ -1554,12 +1537,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag spin_lock_irqsave(&xhci->lock, flags); + ret = xhci_check_args(hcd, urb->dev, urb->ep, + true, true, __func__); + if (ret <= 0) { + ret = ret ? ret : -EINVAL; + goto free_priv; + } + + slot_id = urb->dev->slot_id; + + if (!HCD_HW_ACCESSIBLE(hcd)) { + ret = -ESHUTDOWN; + goto free_priv; + } + + if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { + xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); + ret = -ENODEV; + goto free_priv; + } + if (xhci->xhc_state & XHCI_STATE_DYING) { xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n", urb->ep->desc.bEndpointAddress, urb); ret = -ESHUTDOWN; goto free_priv; } + + ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; + if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) { xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n", *ep_state); -- 2.43.0
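Review bot: In the first hunk (@@ -1498,24 +1498,7 @@), moving `xhci_check_args()` out of the early path leaves `ep_index = xhci_get_endpoint_index(&urb->ep->desc);` and the `usb_endpoint_xfer_isoc(&urb->ep->desc)` call right after it dereferencing `urb->ep` with no check in front of them, whereas before this change `xhci_check_args(hcd, urb->dev, urb->ep, true, true, __func__)` ran first and rejected a NULL endpoint. The commit message only states that the usb core validates `urb` itself before calling `xhci_urb_enqueue()`; a one-line comment at the top of the function saying that `urb->dev` and `urb->ep` are likewise guaranteed non-NULL by the caller (or keeping a cheap NULL check on `urb->ep` in the unlocked path) would make these unlocked dereferences obviously safe to the next reader.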
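Review bot: In the second hunk (@@ -1554,12 +1537,35 @@), the relocated checks carry no explanation of why they must sit after `spin_lock_irqsave(&xhci->lock, flags);`; the reasoning (the device can be freed between submission and linking, and freeing is serialised by the xhci lock, so `xhci->devs[slot_id]` may only be validated and dereferenced with the lock held) lives only in the commit message. A short comment above the moved `xhci_check_args()` call would stop a later cleanup from hoisting these checks back out of the locked region, since on their own they look like ordinary argument validation that belongs before the `urb_priv` allocation. Also note the ordering inside the block: `xhci->devs[slot_id]->flags` is read for the `VDEV_PORT_ERROR` test before the `XHCI_STATE_DYING` test and before `ep_state` is taken from `xhci->devs[slot_id]->eps[ep_index]`; that is only safe because `xhci_check_args()`, called with both boolean arguments `true`, has just confirmed the virtual device exists, which is exactly the invariant the comment should spell out.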