Re: [PATCH 2/7] usb: xhci: Check endpoint is valid before dereferencing it

Linux USB
 help / color / mirror / Atom feed

From: Mathias Nyman <mathias.nyman@linux.intel.com>
To: Ladislav Michl <oss-lists@triops.cz>
Cc: gregkh@linuxfoundation.org, linux-usb@vger.kernel.org,
	Jimmy Hu <hhhuuu@google.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH 2/7] usb: xhci: Check endpoint is valid before dereferencing it
Date: Tue, 17 Jan 2023 12:02:59 +0200	[thread overview]
Message-ID: <bd5ba5bb-4f1c-1ed9-8bd1-46fcd2eeac52@linux.intel.com> (raw)
In-Reply-To: <Y8WCdG5YSpX/Seit@lenoch>

On 16.1.2023 18.59, Ladislav Michl wrote:
> Hi Mathias,
> 
> On Mon, Jan 16, 2023 at 04:22:11PM +0200, Mathias Nyman wrote:
>> From: Jimmy Hu <hhhuuu@google.com>
>>
>> When the host controller is not responding, all URBs queued to all
>> endpoints need to be killed. This can cause a kernel panic if we
>> dereference an invalid endpoint.
>>
>> Fix this by using xhci_get_virt_ep() helper to find the endpoint and
>> checking if the endpoint is valid before dereferencing it.
> 
> I'm a bit confused this goes in and even to stable. Let me quote your
> own analysis from
> Message-ID: <0fe978ed-8269-9774-1c40-f8a98c17e838@linux.intel.com>
> On Thu, Dec 22, 2022 at 03:18:53PM +0200, Mathias Nyman wrote:
>> I think root cause is that freeing xhci->devs[i] and including rings isn't
>> protected by the lock, this happens in xhci_free_virt_device() called by
>> xhci_free_dev(), which in turn may be called by usbcore at any time
>>
>> So xhci->devs[i] might just suddenly disappear
>>
>> Patch just checks more often if xhci->devs[i] is valid, between every endpoint.
>> So the race between xhci_free_virt_device() and xhci_kill_endpoint_urbs()
>> doesn't trigger null pointer deref as easily.> 
> I believe the above is correct and even Jimmy was unable to verify your
> later patch (3rd in this serie), which brings a question how could be this
> patch tested. It just burns a bug a bit deeper and I do not think it is the
> right approach.

As I said in a direct response to the original patch I think this is a valid fix
for older kernels where we used to unlock xhci->lock while giving back
URBs. Together with PATCH 3/7 the issue should be completely resolved.
For later kernels PATCH 3/7 should be enough by itself, but no harm in keeping this.

See Message-ID: <379b395f-b65c-96fe-7ecc-f18e3740b990@linux.intel.com>

Older kernels are all before v5.5 that lack commit
36dc01657b49 usb: host: xhci: Support running urb giveback in tasklet context.

I haven't been able to trigger this issue myself, but based on the report and finding in
the code I still think this the right approach. The internal testing this has been
through could only prove these patches (2/7 and 3/7) don't cause any additional issues.

If you think the analysis or solution is incorrect let me know, and we can come up with a
better one.

Thanks
Mathias

next prev parent reply	other threads:[~2023-01-17 10:02 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-01-16 14:22 [PATCH 0/7] usb and xhci fixes for usb-linus Mathias Nyman
2023-01-16 14:22 ` [PATCH 1/7] xhci-pci: set the dma max_seg_size Mathias Nyman
2023-01-16 14:22 ` [PATCH 2/7] usb: xhci: Check endpoint is valid before dereferencing it Mathias Nyman
2023-01-16 16:59   ` Ladislav Michl
2023-01-17 10:02     ` Mathias Nyman [this message]
2023-02-23 16:26   ` youling257
2023-02-24 10:29     ` Mathias Nyman
2023-02-24 15:58       ` youling 257
2023-02-24 16:03         ` youling 257
2023-01-16 14:22 ` [PATCH 3/7] xhci: Fix null pointer dereference when host dies Mathias Nyman
2023-01-16 14:22 ` [PATCH 4/7] xhci: Add update_hub_device override for PCI xHCI hosts Mathias Nyman
2023-01-16 14:22 ` [PATCH 5/7] xhci: Add a flag to disable USB3 lpm on a xhci root port level Mathias Nyman
2023-01-16 14:22 ` [PATCH 6/7] usb: acpi: add helper to check port lpm capability using acpi _DSM Mathias Nyman
2023-01-16 14:22 ` [PATCH 7/7] xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables Mathias Nyman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bd5ba5bb-4f1c-1ed9-8bd1-46fcd2eeac52@linux.intel.com \
    --to=mathias.nyman@linux.intel.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=hhhuuu@google.com \
    --cc=linux-usb@vger.kernel.org \
    --cc=oss-lists@triops.cz \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox