Commit 4937213b authored by Mathias Nyman's avatar Mathias Nyman Committed by Greg Kroah-Hartman

xhci: Fix use after free for URB cancellation on a reallocated endpoint

Make sure the cancelled URB is on the current endpoint ring.

If the endpoint ring has been reallocated since the URB was enqueued
then the URB may contain TD and TRB pointers to a already freed ring.
In this the case return the URB without touching any of the freed ring
structure data.

Don't try to stop the ring. It would be useless.

This can occur if endpoint is not flushed before it is dropped and
re-added, which is the case in usb_set_interface() as xhci does
things in an odd order.

Cc: <stable@vger.kernel.org>
Tested-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 9b83a1c3
...@@ -37,6 +37,21 @@ static unsigned long long quirks; ...@@ -37,6 +37,21 @@ static unsigned long long quirks;
module_param(quirks, ullong, S_IRUGO); module_param(quirks, ullong, S_IRUGO);
MODULE_PARM_DESC(quirks, "Bit flags for quirks to be enabled as default"); MODULE_PARM_DESC(quirks, "Bit flags for quirks to be enabled as default");
static bool td_on_ring(struct xhci_td *td, struct xhci_ring *ring)
{
struct xhci_segment *seg = ring->first_seg;
if (!td || !td->start_seg)
return false;
do {
if (seg == td->start_seg)
return true;
seg = seg->next;
} while (seg && seg != ring->first_seg);
return false;
}
/* TODO: copied from ehci-hcd.c - can this be refactored? */ /* TODO: copied from ehci-hcd.c - can this be refactored? */
/* /*
* xhci_handshake - spin reading hc until handshake completes or fails * xhci_handshake - spin reading hc until handshake completes or fails
...@@ -1571,6 +1586,21 @@ static int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) ...@@ -1571,6 +1586,21 @@ static int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
goto done; goto done;
} }
/*
* check ring is not re-allocated since URB was enqueued. If it is, then
* make sure none of the ring related pointers in this URB private data
* are touched, such as td_list, otherwise we overwrite freed data
*/
if (!td_on_ring(&urb_priv->td[0], ep_ring)) {
xhci_err(xhci, "Canceled URB td not found on endpoint ring");
for (i = urb_priv->num_tds_done; i < urb_priv->num_tds; i++) {
td = &urb_priv->td[i];
if (!list_empty(&td->cancelled_td_list))
list_del_init(&td->cancelled_td_list);
}
goto err_giveback;
}
if (xhci->xhc_state & XHCI_STATE_HALTED) { if (xhci->xhc_state & XHCI_STATE_HALTED) {
xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
"HC halted, freeing TD manually."); "HC halted, freeing TD manually.");
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment