From: "Schmid, Carsten" <Carsten_Schmid@mentor.com>
To: Sasha Levin <sashal@kernel.org>,
Mathias Nyman <mathias.nyman@linux.intel.com>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Cc: "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
Stable <stable@vger.kernel.org>, Stable <stable@vger.kernel.org>
Subject: AW: [PATCH 3/5] usb: xhci: avoid null pointer deref when bos field is NULL
Date: Mon, 3 Jun 2019 15:00:03 +0000 [thread overview]
Message-ID: <1559574003412.30745@mentor.com> (raw)
In-Reply-To: <20190529131455.C7A8C217D4@mail.kernel.org>
[-- Attachment #1: Type: text/plain, Size: 5154 bytes --]
Hi Sasha,
i have (back)ported the patch to the older kernels mentioned below
where the original patch failed.
The patch appended to this mail applies to v4.14.121, v4.9.178, v4.4.180 and v3.18.140.
Some changes within the xhci driver prevented git from finding the correct position.
Hope this helps :-)
Best regards
Carsten
________________________________________
Von: Sasha Levin <sashal@kernel.org>
Gesendet: Mittwoch, 29. Mai 2019 15:14
An: Sasha Levin; Mathias Nyman; Schmid, Carsten; gregkh@linuxfoundation.org
Cc: linux-usb@vger.kernel.org; Stable; stable@vger.kernel.org
Betreff: Re: [PATCH 3/5] usb: xhci: avoid null pointer deref when bos field is NULL
Hi,
[This is an automated email]
This commit has been processed because it contains a -stable tag.
The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.1.4, v5.0.18, v4.19.45, v4.14.121, v4.9.178, v4.4.180, v3.18.140.
v5.1.4: Build OK!
v5.0.18: Build OK!
v4.19.45: Build OK!
v4.14.121: Failed to apply! Possible dependencies:
01451ad47e272 ("powerpc/powermac: Use setup_timer() helper")
38986ffa6a748 ("xhci: use port structures instead of port arrays in xhci.c functions")
83ad1e6a1dc04 ("powerpc/oprofile: Use setup_timer() helper")
8d6b1bf20f61c ("powerpc/6xx: Use setup_timer() helper")
b1fc2839d2f92 ("drm/msm: Implement preemption for A5XX targets")
b9eaf18722221 ("treewide: init_timer() -> setup_timer()")
cd414f3d93168 ("drm/msm: Move memptrs to msm_gpu")
e629cfa36ea08 ("MIPS: Lasat: Use setup_timer() helper")
e99e88a9d2b06 ("treewide: setup_timer() -> timer_setup()")
eec874ce5ff1f ("drm/msm/adreno: load gpu at probe/bind time")
f7de15450e906 ("drm/msm: Add per-instance submit queues")
f97decac5f4c2 ("drm/msm: Support multiple ringbuffers")
v4.9.178: Failed to apply! Possible dependencies:
01451ad47e272 ("powerpc/powermac: Use setup_timer() helper")
38986ffa6a748 ("xhci: use port structures instead of port arrays in xhci.c functions")
53460c53b7619 ("[media] au0828: Add timer to restart TS stream if no data arrives on bulk endpoint")
7c96f59e0cafe ("[media] s5p-mfc: Fix initialization of internal structures")
83ad1e6a1dc04 ("powerpc/oprofile: Use setup_timer() helper")
8d6b1bf20f61c ("powerpc/6xx: Use setup_timer() helper")
b9eaf18722221 ("treewide: init_timer() -> setup_timer()")
cf43e6be865a5 ("block: add scalable completion tracking of requests")
e629cfa36ea08 ("MIPS: Lasat: Use setup_timer() helper")
e806402130c9c ("block: split out request-only flags into a new namespace")
e99e88a9d2b06 ("treewide: setup_timer() -> timer_setup()")
v4.4.180: Failed to apply! Possible dependencies:
01451ad47e272 ("powerpc/powermac: Use setup_timer() helper")
37f895d7e85e7 ("NFC: pn533: Fix socket deadlock")
38986ffa6a748 ("xhci: use port structures instead of port arrays in xhci.c functions")
53460c53b7619 ("[media] au0828: Add timer to restart TS stream if no data arrives on bulk endpoint")
7c96f59e0cafe ("[media] s5p-mfc: Fix initialization of internal structures")
80c1bce9aa315 ("[media] au0828: Refactoring for start_urb_transfer()")
83ad1e6a1dc04 ("powerpc/oprofile: Use setup_timer() helper")
8d6b1bf20f61c ("powerpc/6xx: Use setup_timer() helper")
9815c7cf22dac ("NFC: pn533: Separate physical layer from the core implementation")
b9eaf18722221 ("treewide: init_timer() -> setup_timer()")
e629cfa36ea08 ("MIPS: Lasat: Use setup_timer() helper")
e997ebbe46fe4 ("NFC: pn533: Send ATR_REQ only if NFC_PROTO_NFC_DEP bit is set")
e99e88a9d2b06 ("treewide: setup_timer() -> timer_setup()")
v3.18.140: Failed to apply! Possible dependencies:
0a5942c8e1480 ("NFC: Add ACPI support for NXP PN544")
34ac49664149d ("NFC: nci: remove current SLEEP mode management")
3590ebc040c9e ("NFC: logging neatening")
3682f49f32051 ("NFC: netlink: Add new netlink command NFC_CMD_ACTIVATE_TARGET")
37f895d7e85e7 ("NFC: pn533: Fix socket deadlock")
38986ffa6a748 ("xhci: use port structures instead of port arrays in xhci.c functions")
53460c53b7619 ("[media] au0828: Add timer to restart TS stream if no data arrives on bulk endpoint")
5df848f37b1d2 ("NFC: pn533: fix error return code")
7c96f59e0cafe ("[media] s5p-mfc: Fix initialization of internal structures")
80c1bce9aa315 ("[media] au0828: Refactoring for start_urb_transfer()")
9295b5b569fc4 ("NFC: nci: Add support for different NCI_DEACTIVATE_TYPE")
96d4581f0b371 ("NFC: netlink: Add mode parameter to deactivate_target functions")
9815c7cf22dac ("NFC: pn533: Separate physical layer from the core implementation")
b9eaf18722221 ("treewide: init_timer() -> setup_timer()")
d7979e130ebb0 ("NFC: NCI: Signal deactivation in Target mode")
e997ebbe46fe4 ("NFC: pn533: Send ATR_REQ only if NFC_PROTO_NFC_DEP bit is set")
e99e88a9d2b06 ("treewide: setup_timer() -> timer_setup()")
How should we proceed with this patch?
--
Thanks,
Sasha
[-- Attachment #2: 0001-usb-xhci-avoid-null-pointer-deref-when-bos-field-is-.patch.4.14 --]
[-- Type: application/octet-stream, Size: 4900 bytes --]
From b1ceb3787bcd6f3ae775eebead9a66b80a2b4314 Mon Sep 17 00:00:00 2001
From: Carsten Schmid <carsten_schmid@mentor.com>
Date: Fri, 8 Mar 2019 15:15:52 +0100
Subject: [PATCH] usb: xhci: avoid null pointer deref when bos field is NULL
With defective USB sticks we see the following error happen:
usb 1-3: new high-speed USB device number 6 using xhci_hcd
usb 1-3: device descriptor read/64, error -71
usb 1-3: device descriptor read/64, error -71
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: device descriptor read/64, error -71
usb 1-3: unable to get BOS descriptor set
usb 1-3: New USB device found, idVendor=0781, idProduct=5581
usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
...
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
This comes from the following place:
[ 1660.215380] IP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
[ 1660.222092] PGD 0 P4D 0
[ 1660.224918] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 1660.425520] CPU: 1 PID: 38 Comm: kworker/1:1 Tainted: P U W O 4.14.67-apl #1
[ 1660.434277] Workqueue: usb_hub_wq hub_event [usbcore]
[ 1660.439918] task: ffffa295b6ae4c80 task.stack: ffffad4580150000
[ 1660.446532] RIP: 0010:xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
[ 1660.453821] RSP: 0018:ffffad4580153c70 EFLAGS: 00010046
[ 1660.459655] RAX: 0000000000000000 RBX: ffffa295b4d7c000 RCX: 0000000000000002
[ 1660.467625] RDX: 0000000000000002 RSI: ffffffff984a55b2 RDI: ffffffff984a55b2
[ 1660.475586] RBP: ffffad4580153cc8 R08: 0000000000d6520a R09: 0000000000000001
[ 1660.483556] R10: ffffad4580a004a0 R11: 0000000000000286 R12: ffffa295b4d7c000
[ 1660.491525] R13: 0000000000010648 R14: ffffa295a84e1800 R15: 0000000000000000
[ 1660.499494] FS: 0000000000000000(0000) GS:ffffa295bfc80000(0000) knlGS:0000000000000000
[ 1660.508530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1660.514947] CR2: 0000000000000008 CR3: 000000025a114000 CR4: 00000000003406a0
[ 1660.522917] Call Trace:
[ 1660.525657] usb_set_usb2_hardware_lpm+0x3d/0x70 [usbcore]
[ 1660.531792] usb_disable_device+0x242/0x260 [usbcore]
[ 1660.537439] usb_disconnect+0xc1/0x2b0 [usbcore]
[ 1660.542600] hub_event+0x596/0x18f0 [usbcore]
[ 1660.547467] ? trace_preempt_on+0xdf/0x100
[ 1660.552040] ? process_one_work+0x1c1/0x410
[ 1660.556708] process_one_work+0x1d2/0x410
[ 1660.561184] ? preempt_count_add.part.3+0x21/0x60
[ 1660.566436] worker_thread+0x2d/0x3f0
[ 1660.570522] kthread+0x122/0x140
[ 1660.574123] ? process_one_work+0x410/0x410
[ 1660.578792] ? kthread_create_on_node+0x60/0x60
[ 1660.583849] ret_from_fork+0x3a/0x50
[ 1660.587839] Code: 00 49 89 c3 49 8b 84 24 50 16 00 00 8d 4a ff 48 8d 04 c8 48 89 ca 4c 8b 10 45 8b 6a 04 48 8b 00 48 89 45 c0 49 8b 86 80 03 00 00 <48> 8b 40 08 8b 40 03 0f 1f 44 00 00 45 85 ff 0f 84 81 01 00 00
[ 1660.608980] RIP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] RSP: ffffad4580153c70
[ 1660.617921] CR2: 0000000000000008
Tracking this down shows that udev->bos is NULL in the following code:
(xhci.c, in xhci_set_usb2_hardware_lpm)
field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); <<<<<<< here
xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n",
enable ? "enable" : "disable", port_num + 1);
if (enable) {
/* Host supports BESL timeout instead of HIRD */
if (udev->usb2_hw_lpm_besl_capable) {
/* if device doesn't have a preferred BESL value use a
* default one which works with mixed HIRD and BESL
* systems. See XHCI_DEFAULT_BESL definition in xhci.h
*/
if ((field & USB_BESL_SUPPORT) &&
(field & USB_BESL_BASELINE_VALID))
hird = USB_GET_BESL_BASELINE(field);
else
hird = udev->l1_params.besl;
The failing case is when disabling LPM. So it is sufficient to avoid
access to udev->bos by moving the instruction into the "enable" clause.
Signed-off-by: Carsten Schmid <carsten_schmid@mentor.com>
---
drivers/usb/host/xhci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index c78de07c4d00..6001c3cefab3 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4155,7 +4155,6 @@ static int xhci_set_usb2_hardware_lpm(struct usb_hcd *hcd,
pm_addr = port_array[port_num] + PORTPMSC;
pm_val = readl(pm_addr);
hlpm_addr = port_array[port_num] + PORTHLPMC;
- field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);
xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n",
enable ? "enable" : "disable", port_num + 1);
@@ -4167,6 +4166,7 @@ static int xhci_set_usb2_hardware_lpm(struct usb_hcd *hcd,
* default one which works with mixed HIRD and BESL
* systems. See XHCI_DEFAULT_BESL definition in xhci.h
*/
+ field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);
if ((field & USB_BESL_SUPPORT) &&
(field & USB_BESL_BASELINE_VALID))
hird = USB_GET_BESL_BASELINE(field);
--
2.17.1
next prev parent reply other threads:[~2019-06-03 15:00 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-22 11:33 [PATCH 0/5] xhci fixes for usb-linus Mathias Nyman
2019-05-22 11:33 ` [PATCH 1/5] xhci: update bounce buffer with correct sg num Mathias Nyman
2019-05-22 11:33 ` [PATCH 2/5] usb: xhci: Fix a potential null pointer dereference in xhci_debugfs_create_endpoint() Mathias Nyman
2019-05-22 11:33 ` [PATCH 3/5] usb: xhci: avoid null pointer deref when bos field is NULL Mathias Nyman
[not found] ` <20190529131455.C7A8C217D4@mail.kernel.org>
2019-06-03 7:12 ` AW: " Schmid, Carsten
2019-06-03 15:00 ` Schmid, Carsten [this message]
2019-06-04 6:52 ` Schmid, Carsten
2019-05-22 11:34 ` [PATCH 4/5] xhci: Fix immediate data transfer if buffer is already DMA mapped Mathias Nyman
2019-05-22 11:34 ` [PATCH 5/5] xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic() Mathias Nyman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1559574003412.30745@mentor.com \
--to=carsten_schmid@mentor.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-usb@vger.kernel.org \
--cc=mathias.nyman@linux.intel.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).