From: Douglas Anderson <dianders@chromium.org>
To: John Youn <John.Youn@synopsys.com>,
balbi@ti.com, kever.yang@rock-chips.com
Cc: william.wu@rock-chips.com, huangtao@rock-chips.com,
heiko@sntech.de, stefan.wahren@i2se.com,
linux-rockchip@lists.infradead.org,
linux-rpi-kernel@lists.infradead.org,
Julius Werner <jwerner@chromium.org>,
gregory.herrero@intel.com, yousaf.kaukab@intel.com,
dinguyen@opensource.altera.com, stern@rowland.harvard.edu,
ming.lei@canonical.com, Douglas Anderson <dianders@chromium.org>,
johnyoun@synopsys.com, gregkh@linuxfoundation.org,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v6 04/22] usb: dwc2: host: Avoid use of chan->qh after qh freed
Date: Thu, 28 Jan 2016 18:19:55 -0800 [thread overview]
Message-ID: <1454034013-24657-5-git-send-email-dianders@chromium.org> (raw)
In-Reply-To: <1454034013-24657-1-git-send-email-dianders@chromium.org>
When poking around with USB devices with slub_debug enabled, I found
another obvious use after free. Turns out that in dwc2_hc_n_intr() I
was in a state when the contents of chan->qh was filled with 0x6b,
indicating that chan->qh was freed but chan still had a reference to
it.
Let's make sure that whenever we free qh we also make sure we remove a
reference from its channel.
The bug fixed here doesn't appear to be new--I believe I just got lucky
and happened to see it while stress testing.
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
---
Changes in v6:
- Add one more instance of check; kept Reviewed-by / Tested-by (OK?).
- Add Kever's Reviewed-by.
- Add Heiko's Tested-by.
- Add Stefan's Tested-by.
Changes in v5: None
Changes in v4:
- Avoid use of chan->qh after qh freed new for v4.
Changes in v3: None
Changes in v2: None
drivers/usb/dwc2/hcd.c | 10 ++++++++++
drivers/usb/dwc2/hcd_intr.c | 10 ++++++++++
2 files changed, 20 insertions(+)
diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
index bc4bdbc1534e..e2d2e9be366e 100644
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -164,6 +164,9 @@ static void dwc2_qh_list_free(struct dwc2_hsotg *hsotg,
qtd_list_entry)
dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh);
+ if (qh->channel && qh->channel->qh == qh)
+ qh->channel->qh = NULL;
+
spin_unlock_irqrestore(&hsotg->lock, flags);
dwc2_hcd_qh_free(hsotg, qh);
spin_lock_irqsave(&hsotg->lock, flags);
@@ -554,7 +557,12 @@ static int dwc2_hcd_endpoint_disable(struct dwc2_hsotg *hsotg,
dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh);
ep->hcpriv = NULL;
+
+ if (qh->channel && qh->channel->qh == qh)
+ qh->channel->qh = NULL;
+
spin_unlock_irqrestore(&hsotg->lock, flags);
+
dwc2_hcd_qh_free(hsotg, qh);
return 0;
@@ -2782,6 +2790,8 @@ static int _dwc2_hcd_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
fail3:
dwc2_urb->priv = NULL;
usb_hcd_unlink_urb_from_ep(hcd, urb);
+ if (qh_allocated && qh->channel && qh->channel->qh == qh)
+ qh->channel->qh = NULL;
fail2:
spin_unlock_irqrestore(&hsotg->lock, flags);
urb->hcpriv = NULL;
diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c
index 352c98364317..99efc2bd1617 100644
--- a/drivers/usb/dwc2/hcd_intr.c
+++ b/drivers/usb/dwc2/hcd_intr.c
@@ -1935,6 +1935,16 @@ static void dwc2_hc_n_intr(struct dwc2_hsotg *hsotg, int chnum)
}
dwc2_writel(hcint, hsotg->regs + HCINT(chnum));
+
+ /*
+ * If we got an interrupt after someone called
+ * dwc2_hcd_endpoint_disable() we don't want to crash below
+ */
+ if (!chan->qh) {
+ dev_warn(hsotg->dev, "Interrupt on disabled channel\n");
+ return;
+ }
+
chan->hcint = hcint;
hcint &= hcintmsk;
--
2.7.0.rc3.207.g0ac5344
next prev parent reply other threads:[~2016-01-29 2:27 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-29 2:19 [PATCH v6 0/22] usb: dwc2: host: Fix and speed up all the stuff, especially with splits Douglas Anderson
2016-01-29 2:19 ` [PATCH v6 01/22] usb: dwc2: rockchip: Make the max_transfer_size automatic Douglas Anderson
2016-01-29 2:19 ` [PATCH v6 02/22] usb: dwc2: host: Get aligned DMA in a more supported way Douglas Anderson
2016-01-29 2:19 ` [PATCH v6 03/22] usb: dwc2: host: Set host_rx_fifo_size to 525 for rk3066 Douglas Anderson
2016-01-29 2:19 ` Douglas Anderson [this message]
2016-01-29 2:19 ` [PATCH v6 05/22] usb: dwc2: host: Always add to the tail of queues Douglas Anderson
2016-01-29 2:19 ` [PATCH v6 06/22] usb: dwc2: host: fix split transfer schedule sequence Douglas Anderson
2016-01-29 2:19 ` [PATCH v6 07/22] usb: dwc2: host: Add scheduler tracing Douglas Anderson
2016-01-29 2:19 ` [PATCH v6 08/22] usb: dwc2: host: Add a delay before releasing periodic bandwidth Douglas Anderson
2016-01-29 2:20 ` [PATCH v6 09/22] usb: dwc2: host: Giveback URB in tasklet context Douglas Anderson
2016-01-29 2:20 ` [PATCH v6 10/22] usb: dwc2: host: Properly set the HFIR Douglas Anderson
2016-01-31 9:23 ` Kever Yang
2016-01-31 22:19 ` Doug Anderson
2016-02-10 2:08 ` John Youn
2016-01-29 2:20 ` [PATCH v6 11/22] usb: dwc2: host: There's not really a TT for the root hub Douglas Anderson
2016-01-31 9:25 ` Kever Yang
2016-01-29 2:20 ` [PATCH v6 12/22] usb: dwc2: host: Use periodic interrupt even with DMA Douglas Anderson
2016-01-29 2:20 ` [PATCH v6 13/22] usb: dwc2: host: Rename some fields in struct dwc2_qh Douglas Anderson
2016-01-29 2:20 ` [PATCH v6 14/22] usb: dwc2: host: Reorder things in hcd_queue.c Douglas Anderson
2016-01-29 2:20 ` [PATCH v6 15/22] usb: dwc2: host: Split code out to make dwc2_do_reserve() Douglas Anderson
2016-01-29 2:20 ` [PATCH v6 16/22] usb: dwc2: host: Add scheduler logging for missed SOFs Douglas Anderson
2016-01-29 2:20 ` [PATCH v6 17/22] usb: dwc2: host: Manage frame nums better in scheduler Douglas Anderson
2016-02-03 20:29 ` Doug Anderson
2016-02-09 9:53 ` Herrero, Gregory
2016-01-29 2:20 ` [PATCH v6 18/22] usb: dwc2: host: Schedule periodic right away if it's time Douglas Anderson
2016-01-31 9:36 ` Kever Yang
2016-01-31 22:09 ` Doug Anderson
2016-02-01 3:32 ` Kever Yang
2016-02-01 4:36 ` Doug Anderson
2016-02-02 0:36 ` Doug Anderson
2016-02-02 7:04 ` Kever Yang
2016-02-02 23:28 ` Doug Anderson
2016-01-29 2:20 ` [PATCH v6 19/22] usb: dwc2: host: Add dwc2_hcd_get_future_frame_number() call Douglas Anderson
2016-01-29 2:20 ` [PATCH v6 20/22] usb: dwc2: host: Properly set even/odd frame Douglas Anderson
2016-02-02 7:46 ` Kever Yang
2016-02-02 22:47 ` Doug Anderson
2016-02-03 7:47 ` Kever Yang
2016-01-29 2:20 ` [PATCH v6 21/22] usb: dwc2: host: Totally redo the microframe scheduler Douglas Anderson
2016-01-29 2:20 ` [PATCH v6 22/22] usb: dwc2: host: If using uframe scheduler, end splits better Douglas Anderson
2016-02-02 23:57 ` [PATCH v6 0/22] usb: dwc2: host: Fix and speed up all the stuff, especially with splits John Youn
2016-02-03 18:23 ` Doug Anderson
2016-02-10 2:25 ` John Youn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1454034013-24657-5-git-send-email-dianders@chromium.org \
--to=dianders@chromium.org \
--cc=John.Youn@synopsys.com \
--cc=balbi@ti.com \
--cc=dinguyen@opensource.altera.com \
--cc=gregkh@linuxfoundation.org \
--cc=gregory.herrero@intel.com \
--cc=heiko@sntech.de \
--cc=huangtao@rock-chips.com \
--cc=johnyoun@synopsys.com \
--cc=jwerner@chromium.org \
--cc=kever.yang@rock-chips.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rockchip@lists.infradead.org \
--cc=linux-rpi-kernel@lists.infradead.org \
--cc=linux-usb@vger.kernel.org \
--cc=ming.lei@canonical.com \
--cc=stefan.wahren@i2se.com \
--cc=stern@rowland.harvard.edu \
--cc=william.wu@rock-chips.com \
--cc=yousaf.kaukab@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).