linux/drivers/usb/host
Sriharsha Allenki 563cdec835 usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list
commit 3c6f8cb92c upstream.

On platforms with IOMMU enabled, multiple SGs can be coalesced into one
by the IOMMU driver. In that case the SG list processing as part of the
completion of a urb on a bulk endpoint can result in a NULL pointer
dereference with the below stack dump.

<6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c
<6> pgd = c0004000
<6> [0000000c] *pgd=00000000
<6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
<2> PC is at xhci_queue_bulk_tx+0x454/0x80c
<2> LR is at xhci_queue_bulk_tx+0x44c/0x80c
<2> pc : [<c08907c4>]    lr : [<c08907bc>]    psr: 000000d3
<2> sp : ca337c80  ip : 00000000  fp : ffffffff
<2> r10: 00000000  r9 : 50037000  r8 : 00004000
<2> r7 : 00000000  r6 : 00004000  r5 : 00000000  r4 : 00000000
<2> r3 : 00000000  r2 : 00000082  r1 : c2c1a200  r0 : 00000000
<2> Flags: nzcv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment none
<2> Control: 10c0383d  Table: b412c06a  DAC: 00000051
<6> Process usb-storage (pid: 5961, stack limit = 0xca336210)
<snip>
<2> [<c08907c4>] (xhci_queue_bulk_tx)
<2> [<c0881b3c>] (xhci_urb_enqueue)
<2> [<c0831068>] (usb_hcd_submit_urb)
<2> [<c08350b4>] (usb_sg_wait)
<2> [<c089f384>] (usb_stor_bulk_transfer_sglist)
<2> [<c089f2c0>] (usb_stor_bulk_srb)
<2> [<c089fe38>] (usb_stor_Bulk_transport)
<2> [<c089f468>] (usb_stor_invoke_transport)
<2> [<c08a11b4>] (usb_stor_control_thread)
<2> [<c014a534>] (kthread)

The above NULL pointer dereference is the result of block_len and the
sent_len set to zero after the first SG of the list when IOMMU driver
is enabled. Because of this the loop of processing the SGs has run
more than num_sgs which resulted in a sg_next on the last SG of the
list which has SG_END set.

Fix this by checking for the sg before any attributes of the sg are
accessed.

[modified reason for null pointer dereference in commit message subject -Mathias]
Fixes: f9c589e142 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-20 08:18:48 +02:00
whci USB: host: whci: remove redundant variable t 2018-07-13 15:41:56 +02:00
bcma-hcd.c
ehci-atmel.c
ehci-dbg.c USB: ehci-hcd: no need to check return value of debugfs_create functions 2018-05-31 12:54:22 +02:00
ehci-exynos.c usb: host: exynos: Remove support for Exynos5440 2018-07-24 18:44:00 +02:00
ehci-fsl.c usb: add a flag to skip PHY initialization to struct usb_hcd 2018-03-09 09:43:52 -08:00
ehci-fsl.h
ehci-grlib.c
ehci-hcd.c USB: ehci-hcd: Add get_resuming_ports method 2018-06-25 21:44:43 +08:00
ehci-hub.c USB: ehci-hcd: Add get_resuming_ports method 2018-06-25 21:44:43 +08:00
ehci-mem.c Revert "usb: host: ehci: Use dma_pool_zalloc()" 2018-05-04 14:35:12 -07:00
ehci-mv.c
ehci-mxc.c
ehci-npcm7xx.c USB: host: ehci-npcm7xx: Fix some error codes in probe 2018-06-28 19:32:42 +09:00
ehci-omap.c usb: ehci-omap: Fix deferred probe for phy handling 2019-12-05 09:20:20 +01:00
ehci-orion.c
ehci-pci.c
ehci-platform.c usb: host: ehci-platform: remove custom USB PHY handling 2018-03-09 09:43:53 -08:00
ehci-pmcmsp.c
ehci-ppc-of.c
ehci-ps3.c powerpc/ps3: Set driver coherent_dma_mask 2018-07-20 12:50:37 +10:00
ehci-q.c USB: EHCI: Do not return -EPIPE when hub is disconnected 2019-12-31 16:36:23 +01:00
ehci-sched.c usb: host: ehci-sched: remove redundant pointer dev 2018-07-13 15:41:56 +02:00
ehci-sh.c
ehci-spear.c
ehci-st.c pinctrl: files should directly include apis they use 2018-02-05 09:41:54 -08:00
ehci-sysfs.c USB: move many drivers to use DEVICE_ATTR_RW 2018-01-24 08:49:51 +01:00
ehci-tegra.c usb: tegra: Move utmi-pads reset from ehci-tegra to tegra-phy 2018-04-23 09:50:57 +02:00
ehci-timer.c
ehci-w90x900.c
ehci-xilinx-of.c
ehci.h
fhci-dbg.c USB: fhci-hcd: no need to check return value of debugfs_create functions 2018-05-31 12:54:22 +02:00
fhci-hcd.c
fhci-hub.c
fhci-mem.c
fhci-q.c
fhci-sched.c
fhci-tds.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
fhci.h USB: fhci-hcd: no need to check return value of debugfs_create functions 2018-05-31 12:54:22 +02:00
fotg210-hcd.c usb: host: fotg2: restart hcd after port reset 2019-09-06 10:21:59 +02:00
fotg210.h
fsl-mph-dr-of.c
hwa-hc.c usb: wusbcore: fix unbalanced get/put cluster_id 2019-07-31 07:27:10 +02:00
imx21-dbg.c USB: imx21-hcd: no need to check return value of debugfs_create functions 2018-05-31 12:54:22 +02:00
imx21-hcd.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
imx21-hcd.h
isp116x-hcd.c USB: isp116x-hcd: no need to check return value of debugfs_create functions 2018-05-31 12:54:21 +02:00
isp116x.h
isp1362-hcd.c
isp1362.h usb: isp1362: remove blackfin arch glue 2018-03-26 15:57:14 +02:00
Kconfig USB host: Add USB ehci support for nuvoton npcm7xx platform 2018-06-25 21:59:15 +08:00
Makefile USB host: Add USB ehci support for nuvoton npcm7xx platform 2018-06-25 21:59:15 +08:00
max3421-hcd.c
ohci-at91.c usb: host: ohci-at91: fix request of irq for optional gpio 2018-11-13 11:08:33 -08:00
ohci-da8xx.c USB: ohci: da8xx: remove clk con_id 2018-01-09 16:15:19 +01:00
ohci-dbg.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
ohci-exynos.c usb: host: exynos: Remove support for Exynos5440 2018-07-24 18:44:00 +02:00
ohci-hcd.c usb: host: ohci: fix a race condition between shutdown and irq 2019-09-06 10:22:15 +02:00
ohci-hub.c ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and io_watchdog_func() 2018-02-15 18:43:57 +01:00
ohci-mem.c
ohci-nxp.c
ohci-omap.c usb: add a flag to skip PHY initialization to struct usb_hcd 2018-03-09 09:43:52 -08:00
ohci-pci.c
ohci-platform.c usb: host: ohci-platform: remove custom USB PHY handling 2018-03-09 09:43:53 -08:00
ohci-ppc-of.c
ohci-ps3.c powerpc/ps3: Set driver coherent_dma_mask 2018-07-20 12:50:37 +10:00
ohci-pxa27x.c
ohci-q.c usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks() 2018-02-15 18:45:34 +01:00
ohci-s3c2410.c
ohci-sa1111.c
ohci-sm501.c
ohci-spear.c
ohci-st.c
ohci-tmio.c
ohci.h USB: ohci: no need to check return value of debugfs_create functions 2018-05-31 12:54:21 +02:00
oxu210hp-hcd.c
oxu210hp.h
pci-quirks.c usb: pci-quirks: Correct AMD PLL quirk detection 2019-07-31 07:27:10 +02:00
pci-quirks.h Revert "xhci: Reset Renesas uPD72020x USB controller for 32-bit DMA issue" 2018-06-01 13:24:51 +02:00
r8a66597-hcd.c usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() 2019-01-09 17:38:39 +01:00
r8a66597.h
sl811_cs.c
sl811-hcd.c USB: host: sl811: Re-use DEFINE_SHOW_ATTRIBUTE() macro 2018-03-16 15:40:19 +01:00
sl811.h
ssb-hcd.c
u132-hcd.c usb: u132-hcd: fix resource leak 2019-05-04 09:20:21 +02:00
uhci-debug.c
uhci-grlib.c
uhci-hcd.c USB: uhci: no need to check return value of debugfs_create functions 2018-05-31 12:54:21 +02:00
uhci-hcd.h usb: uhci: Add clk support to uhci-platform 2018-01-17 15:08:56 +01:00
uhci-hub.c
uhci-pci.c
uhci-platform.c usb: uhci: Add clk support to uhci-platform 2018-01-17 15:08:56 +01:00
uhci-q.c USB: remove the URB_NO_FSBR flag 2017-12-12 13:16:07 +01:00
xhci-dbg.c usb: xhci: Cleanup printk debug message for ERST 2017-12-08 17:43:52 +01:00
xhci-dbgcap.c usb: xhci: dbc: Don't free all memory with spinlock held 2019-04-03 06:26:27 +02:00
xhci-dbgcap.h usb: xhci: dbc: Add SPDX identifiers to dbc files 2018-05-24 18:03:07 +02:00
xhci-dbgtty.c usb: xhci: dbc: Add SPDX identifiers to dbc files 2018-05-24 18:03:07 +02:00
xhci-debugfs.c usb: xhci: fix __le32/__le64 accessors in debugfs code 2019-11-06 13:06:17 +01:00
xhci-debugfs.h
xhci-ext-caps.c xhci: Add Intel extended cap / otg phy mux handling 2018-03-22 13:40:10 +01:00
xhci-ext-caps.h xhci: Add Intel extended cap / otg phy mux handling 2018-03-22 13:40:10 +01:00
xhci-histb.c xhci: Fix leaking USB3 shared_hcd at xhci removal 2018-12-01 09:37:25 +01:00
xhci-hub.c xhci: prevent bus suspend if a roothub port detected a over-current condition 2020-04-29 16:31:34 +02:00
xhci-mem.c xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2 2020-02-28 16:38:46 +01:00
xhci-mtk-sch.c usb: xhci-mtk: fix ISOC error when interval is zero 2019-11-20 18:47:52 +01:00
xhci-mtk.c xhci: Fix leaking USB3 shared_hcd at xhci removal 2018-12-01 09:37:25 +01:00
xhci-mtk.h usb: xhci-mtk: supports remote wakeup for mt2712 with two xHCI IPs 2018-01-09 16:21:28 +01:00
xhci-mvebu.c
xhci-mvebu.h
xhci-pci.c usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c 2020-03-25 08:06:09 +01:00
xhci-plat.c usb: host: xhci-plat: keep runtime active when removing host 2020-05-20 08:18:48 +02:00
xhci-plat.h
xhci-rcar.c usb: host: xhci: rcar: Fix typo in compatible string matching 2019-09-06 10:22:16 +02:00
xhci-rcar.h
xhci-ring.c usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list 2020-05-20 08:18:48 +02:00
xhci-tegra.c usb: host: xhci-tegra: Set DMA mask correctly 2019-09-21 07:17:04 +02:00
xhci-trace.c
xhci-trace.h xhci: Do not open code __print_symbolic() in xhci trace events 2020-03-25 08:06:12 +01:00
xhci.c xhci: bail out early if driver can't accress host in resume 2020-04-17 10:48:39 +02:00
xhci.h xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2 2020-02-28 16:38:46 +01:00