From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
To: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: Julius Werner <jwerner@chromium.org>,
	linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Vincent Palatin <vpalatin@chromium.org>
Subject: Re: [PATCH] xhci: fix null-pointer dereference when destroying half-built segment rings
Date: Thu, 1 Nov 2012 13:15:52 -0700
Message-ID: <20121101201552.GA9472@xanatos>
In-Reply-To: <CAHp75VfqYNMxxDKKvHOVOdtf0+ZkC_N3Zfy0Ahb0nNdG4Xh9xA@mail.gmail.com>

On Thu, Nov 01, 2012 at 10:13:00PM +0200, Andy Shevchenko wrote:
> On Thu, Nov 1, 2012 at 9:47 PM, Julius Werner <jwerner@chromium.org> wrote:
> > xhci_alloc_segments_for_ring() builds a list of xhci_segments and links
> > the tail to head at the end (forming a ring). When it bails out for OOM
> > reasons half-way through, it tries to destroy its half-built list with
> > xhci_free_segments_for_ring(), even though it is not a ring yet. This
> > causes a null-pointer dereference upon hitting the last element.
> >
> > Furthermore, one of its callers (xhci_ring_alloc()) mistakenly believes
> > the output parameters to be valid upon this kind of OOM failure, and
> > calls xhci_ring_free() on them. Since the (incomplete) list/ring should
> > already be destroyed in that case, this would lead to a use after free.
> >
> > This patch fixes those issues by having xhci_alloc_segments_for_ring()
> > destroy its half-built, non-circular list manually and destroying the
> > invalid struct xhci_ring in xhci_ring_alloc() with a plain kfree().
> >
> > Signed-off-by: Julius Werner <jwerner@chromium.org>
> > ---
> >  drivers/usb/host/xhci-mem.c |    9 +++++++--
> >  1 files changed, 7 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
> > index 487bc08..fb51c70 100644
> > --- a/drivers/usb/host/xhci-mem.c
> > +++ b/drivers/usb/host/xhci-mem.c
> > @@ -205,7 +205,12 @@ static int xhci_alloc_segments_for_ring(struct xhci_hcd *xhci,
> >
> >                 next = xhci_segment_alloc(xhci, cycle_state, flags);
> >                 if (!next) {
> > -                       xhci_free_segments_for_ring(xhci, *first);
> > +                       prev = *first;
> > +                       while (prev) {
> > +                               next = prev->next;
> > +                               xhci_segment_free(xhci, prev);
> > +                               prev = next;
> > +                       }
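Review bot: once this loop finishes, *first (and any other output parameter this function fills in) still holds the address of a freed segment, and the cover letter says a caller did act on exactly that; set `*first = NULL` in this error path next to the loop so the freed list cannot be reached through the output parameters at all, instead of relying on xhci_ring_alloc() alone to remember that they are invalid. The `next = prev->next;` save before `xhci_segment_free(xhci, prev);` is what keeps the walk off freed memory, so any shorter form of this loop has to preserve that ordering; reusing `next` as the scratch pointer is fine here, since it is NULL again when the loop ends.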
> 
> Is it just
> for (prev = *first; prev; prev = prev->next)
>     xhci_segment_free(xhci, prev);
> 
> ?

Yeah, that seems cleaner.

Sarah Sharp
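The failure path the patch describes, reconstructed as an added example that is not code from the patch or from the xhci driver: a constructed allocator fails on the Nth segment, the half-built list (not yet a ring) is torn down by walking to NULL with the link read before each free, and the caller's output pointer is cleared so it has nothing to free. `struct seg`, `seg_alloc`, `seg_free`, `alloc_segments` and `probe` are hypothetical stand-ins for the driver's types and functions.

```c
#include <stdlib.h>

struct seg { struct seg *next; };   /* hypothetical stand-in for struct xhci_segment */
/* Constructed fault injection: the Nth allocation fails (0 = never fail). */
static int fail_at, alloc_count, freed_count;
static struct seg *seg_alloc(void) { return (fail_at && ++alloc_count == fail_at) ? NULL : calloc(1, sizeof(struct seg)); }
static void seg_free(struct seg *s) { freed_count++; free(s); }

/* Mirrors the patched error path: the list is not a ring yet, so walk it to
 * NULL, save ->next before each free, and clear the caller's pointer. */
static int alloc_segments(struct seg **first, int num)
{
	struct seg *prev, *next;
	*first = prev = seg_alloc();
	if (!prev)
		return -1;
	while (--num > 0) {
		next = seg_alloc();
		if (!next) {
			for (prev = *first; prev; prev = next) {
				next = prev->next;   /* read the link before freeing it */
				seg_free(prev);
			}
			*first = NULL;           /* hand the caller nothing dangling */
			return -1;
		}
		prev->next = next;
		prev = next;
	}
	prev->next = *first;                 /* close the ring only on success */
	return 0;
}

/* Constructed probe: build num segments with allocation fail_n failing. Returns
 * how many were freed: the partial list on failure (-1 if a stale pointer came
 * back), or the whole ring on success, torn down by walking back to the head. */
int probe(int num, int fail_n)
{
	struct seg *first = NULL, *s, *n;
	fail_at = fail_n; alloc_count = 0; freed_count = 0;
	if (alloc_segments(&first, num) < 0)
		return first ? -1 : freed_count;
	s = first;
	do {                         /* a ring never reaches NULL: stop at the head */
		n = s->next;
		seg_free(s);
	} while ((s = n) != first);
	return freed_count;
}
```

A ring-style teardown that stops only when it is back at the head would dereference the NULL tail of the partial list, which is the crash the patch fixes.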

Thread overview: 9+ messages
2012-10-29 17:00 [PATCH] xhci: fix null-pointer dereference when destroying half-built segment rings Julius Werner
2012-10-29 18:35 ` Sergei Shtylyov
2012-10-29 18:54   ` Julius Werner
2012-11-01 17:52   ` Sarah Sharp
2012-11-01 19:47     ` Julius Werner
2012-11-01 20:13       ` Andy Shevchenko
2012-11-01 20:15         ` Sarah Sharp [this message]
2012-11-01 20:28           ` Julius Werner
2012-11-12 18:03             ` Sarah Sharp