From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Sriharsha Allenki <sallenki@codeaurora.org>,
Mathias Nyman <mathias.nyman@linux.intel.com>
Subject: [PATCH 4.9 78/90] usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list
Date: Mon, 18 May 2020 19:36:56 +0200 [thread overview]
Message-ID: <20200518173507.126798691@linuxfoundation.org> (raw)
In-Reply-To: <20200518173450.930655662@linuxfoundation.org>
From: Sriharsha Allenki <sallenki@codeaurora.org>
commit 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a upstream.
On platforms with IOMMU enabled, multiple SGs can be coalesced into one
by the IOMMU driver. In that case the SG list processing as part of the
completion of a urb on a bulk endpoint can result into a NULL pointer
dereference with the below stack dump.
<6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c
<6> pgd = c0004000
<6> [0000000c] *pgd=00000000
<6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
<2> PC is at xhci_queue_bulk_tx+0x454/0x80c
<2> LR is at xhci_queue_bulk_tx+0x44c/0x80c
<2> pc : [<c08907c4>] lr : [<c08907bc>] psr: 000000d3
<2> sp : ca337c80 ip : 00000000 fp : ffffffff
<2> r10: 00000000 r9 : 50037000 r8 : 00004000
<2> r7 : 00000000 r6 : 00004000 r5 : 00000000 r4 : 00000000
<2> r3 : 00000000 r2 : 00000082 r1 : c2c1a200 r0 : 00000000
<2> Flags: nzcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none
<2> Control: 10c0383d Table: b412c06a DAC: 00000051
<6> Process usb-storage (pid: 5961, stack limit = 0xca336210)
<snip>
<2> [<c08907c4>] (xhci_queue_bulk_tx)
<2> [<c0881b3c>] (xhci_urb_enqueue)
<2> [<c0831068>] (usb_hcd_submit_urb)
<2> [<c08350b4>] (usb_sg_wait)
<2> [<c089f384>] (usb_stor_bulk_transfer_sglist)
<2> [<c089f2c0>] (usb_stor_bulk_srb)
<2> [<c089fe38>] (usb_stor_Bulk_transport)
<2> [<c089f468>] (usb_stor_invoke_transport)
<2> [<c08a11b4>] (usb_stor_control_thread)
<2> [<c014a534>] (kthread)
The above NULL pointer dereference is the result of block_len and the
sent_len set to zero after the first SG of the list when IOMMU driver
is enabled. Because of this the loop of processing the SGs has run
more than num_sgs which resulted in a sg_next on the last SG of the
list which has SG_END set.
Fix this by check for the sg before any attributes of the sg are
accessed.
[modified reason for null pointer dereference in commit message subject -Mathias]
Fixes: f9c589e142d04 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-ring.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -3347,8 +3347,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *
/* New sg entry */
--num_sgs;
sent_len -= block_len;
- if (num_sgs != 0) {
- sg = sg_next(sg);
+ sg = sg_next(sg);
+ if (num_sgs != 0 && sg) {
block_len = sg_dma_len(sg);
addr = (u64) sg_dma_address(sg);
addr += sent_len;
next prev parent reply other threads:[~2020-05-18 18:27 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-18 17:35 [PATCH 4.9 00/90] 4.9.224-rc1 review Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 01/90] USB: serial: qcserial: Add DW5816e support Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 02/90] dp83640: reverse arguments to list_add_tail Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 03/90] fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 04/90] net: macsec: preserve ingress frame ordering Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 05/90] net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 06/90] net: usb: qmi_wwan: add support for DW5816e Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 07/90] sch_choke: avoid potential panic in choke_reset() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 08/90] sch_sfq: validate silly quantum values Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 09/90] bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 10/90] net/mlx5: Fix forced completion access non initialized command entry Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 11/90] net/mlx5: Fix command entry leak in Internal Error State Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 12/90] bnxt_en: Improve AER slot reset Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 13/90] Revert "ACPI / video: Add force_native quirk for HP Pavilion dv6" Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 14/90] binfmt_elf: move brk out of mmap when doing direct loader exec Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 15/90] USB: uas: add quirk for LaCie 2Big Quadra Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 16/90] USB: serial: garmin_gps: add sanity checking for data length Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 17/90] tracing: Add a vmalloc_sync_mappings() for safe measure Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 18/90] mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 19/90] batman-adv: fix batadv_nc_random_weight_tq Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 20/90] batman-adv: Fix refcnt leak in batadv_show_throughput_override Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.9 21/90] batman-adv: Fix refcnt leak in batadv_store_throughput_override Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 22/90] batman-adv: Fix refcnt leak in batadv_v_ogm_process Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 23/90] objtool: Fix stack offset tracking for indirect CFAs Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 24/90] scripts/decodecode: fix trapping instruction formatting Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 25/90] binfmt_elf: Do not move brk for INTERP-less ET_EXEC Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 26/90] ext4: add cond_resched() to ext4_protect_reserved_inode Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 27/90] net: ipv6: add net argument to ip6_dst_lookup_flow Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 28/90] net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 29/90] blktrace: Fix potential deadlock between delete & sysfs ops Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 30/90] blktrace: fix unlocked access to init/start-stop/teardown Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 31/90] blktrace: fix trace mutex deadlock Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 32/90] blktrace: Protect q->blk_trace with RCU Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 33/90] blktrace: fix dereference after null check Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 34/90] ptp: do not explicitly set drvdata in ptp_clock_register() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 35/90] ptp: use is_visible method to hide unused attributes Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 36/90] ptp: create "pins" together with the rest of attributes Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 37/90] chardev: add helper function to register char devs with a struct device Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 38/90] ptp: Fix pass zero to ERR_PTR() in ptp_clock_register Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 39/90] ptp: fix the race between the release of ptp_clock and cdev Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 40/90] ptp: free ptp device pin descriptors properly Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 41/90] shmem: fix possible deadlocks on shmlock_user_lock Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 42/90] net/sonic: Fix a resource leak in an error handling path in jazz_sonic_probe() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 43/90] net: moxa: Fix a potential double free_irq() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 44/90] drop_monitor: work around gcc-10 stringop-overflow warning Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 45/90] scsi: sg: add sg_remove_request in sg_write Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 46/90] spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 47/90] cifs: Check for timeout on Negotiate stage Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 48/90] cifs: Fix a race condition with cifs_echo_request Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 49/90] dmaengine: pch_dma.c: Avoid data race between probe and irq handler Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 50/90] dmaengine: mmp_tdma: Reset channel error on release Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 51/90] ALSA: hda/hdmi: fix race in monitor detection during probe Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 52/90] drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 53/90] ipc/util.c: sysvipc_find_ipc() incorrectly updates position index Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 54/90] pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 55/90] i40iw: Fix error handling in i40iw_manage_arp_cache() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 56/90] netfilter: conntrack: avoid gcc-10 zero-length-bounds warning Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 57/90] IB/mlx4: Test return value of calls to ib_get_cached_pkey Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 58/90] pnp: Use list_for_each_entry() instead of open coding Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 59/90] gcc-10 warnings: fix low-hanging fruit Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 60/90] kbuild: compute false-positive -Wmaybe-uninitialized cases in Kconfig Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 61/90] Stop the ad-hoc games with -Wno-maybe-initialized Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 62/90] net: phy: micrel: Use strlcpy() for ethtool::get_strings Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 63/90] gcc-10: avoid shadowing standard library free() in crypto Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 64/90] gcc-10: disable zero-length-bounds warning for now Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 65/90] gcc-10: disable array-bounds " Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 66/90] gcc-10: disable stringop-overflow " Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 67/90] gcc-10: disable restrict " Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 68/90] net: fix a potential recursive NETDEV_FEAT_CHANGE Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 69/90] netlabel: cope with NULL catmap Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 70/90] Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu" Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 71/90] net: ipv4: really enforce backoff for redirects Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 72/90] netprio_cgroup: Fix unlimited memory leak of v2 cgroups Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 73/90] ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 74/90] ALSA: rawmidi: Initialize allocated buffers Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 75/90] ALSA: rawmidi: Fix racy buffer resize under concurrent accesses Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 76/90] ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 77/90] USB: gadget: fix illegal array access in binding with UDC Greg Kroah-Hartman
2020-05-18 17:36 ` Greg Kroah-Hartman [this message]
2020-05-18 17:36 ` [PATCH 4.9 79/90] ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 80/90] x86: Fix early boot crash on gcc-10, third try Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.9 81/90] exec: Move would_dump into flush_old_exec Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.9 82/90] usb: gadget: net2272: Fix a memory leak in an error handling path in net2272_plat_probe() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.9 83/90] usb: gadget: audio: Fix a missing error return value in audio_bind() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.9 84/90] usb: gadget: legacy: fix error return code in gncm_bind() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.9 85/90] usb: gadget: legacy: fix error return code in cdc_bind() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.9 86/90] Revert "ALSA: hda/realtek: Fix pop noise on ALC225" Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.9 87/90] ARM: dts: r8a73a4: Add missing CMT1 interrupts Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.9 88/90] ARM: dts: r8a7740: Add missing extal2 to CPG node Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.9 89/90] KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.9 90/90] Makefile: disallow data races on gcc-10 as well Greg Kroah-Hartman
2020-05-19 8:19 ` [PATCH 4.9 00/90] 4.9.224-rc1 review Naresh Kamboju
2020-05-19 8:49 ` Jon Hunter
2020-05-19 15:08 ` shuah
2020-05-19 16:27 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200518173507.126798691@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathias.nyman@linux.intel.com \
--cc=sallenki@codeaurora.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).