Hi Sasha,
i have (back)ported the patch to the older kernels mentioned below where the original patch failed.
The patch appended to this mail applies to v4.14.121, v4.9.178, v4.4.180 and v3.18.140. Some changes within the xhci driver prevented git from finding the correct position.
Hope this helps :-)
Best regards Carsten
________________________________________ Von: Sasha Levin sashal@kernel.org Gesendet: Mittwoch, 29. Mai 2019 15:14 An: Sasha Levin; Mathias Nyman; Schmid, Carsten; gregkh@linuxfoundation.org Cc: linux-usb@vger.kernel.org; Stable; stable@vger.kernel.org Betreff: Re: [PATCH 3/5] usb: xhci: avoid null pointer deref when bos field is NULL
Hi,
[This is an automated email]
This commit has been processed because it contains a -stable tag. The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.1.4, v5.0.18, v4.19.45, v4.14.121, v4.9.178, v4.4.180, v3.18.140.
v5.1.4: Build OK! v5.0.18: Build OK! v4.19.45: Build OK! v4.14.121: Failed to apply! Possible dependencies: 01451ad47e272 ("powerpc/powermac: Use setup_timer() helper") 38986ffa6a748 ("xhci: use port structures instead of port arrays in xhci.c functions") 83ad1e6a1dc04 ("powerpc/oprofile: Use setup_timer() helper") 8d6b1bf20f61c ("powerpc/6xx: Use setup_timer() helper") b1fc2839d2f92 ("drm/msm: Implement preemption for A5XX targets") b9eaf18722221 ("treewide: init_timer() -> setup_timer()") cd414f3d93168 ("drm/msm: Move memptrs to msm_gpu") e629cfa36ea08 ("MIPS: Lasat: Use setup_timer() helper") e99e88a9d2b06 ("treewide: setup_timer() -> timer_setup()") eec874ce5ff1f ("drm/msm/adreno: load gpu at probe/bind time") f7de15450e906 ("drm/msm: Add per-instance submit queues") f97decac5f4c2 ("drm/msm: Support multiple ringbuffers")
v4.9.178: Failed to apply! Possible dependencies: 01451ad47e272 ("powerpc/powermac: Use setup_timer() helper") 38986ffa6a748 ("xhci: use port structures instead of port arrays in xhci.c functions") 53460c53b7619 ("[media] au0828: Add timer to restart TS stream if no data arrives on bulk endpoint") 7c96f59e0cafe ("[media] s5p-mfc: Fix initialization of internal structures") 83ad1e6a1dc04 ("powerpc/oprofile: Use setup_timer() helper") 8d6b1bf20f61c ("powerpc/6xx: Use setup_timer() helper") b9eaf18722221 ("treewide: init_timer() -> setup_timer()") cf43e6be865a5 ("block: add scalable completion tracking of requests") e629cfa36ea08 ("MIPS: Lasat: Use setup_timer() helper") e806402130c9c ("block: split out request-only flags into a new namespace") e99e88a9d2b06 ("treewide: setup_timer() -> timer_setup()")
v4.4.180: Failed to apply! Possible dependencies: 01451ad47e272 ("powerpc/powermac: Use setup_timer() helper") 37f895d7e85e7 ("NFC: pn533: Fix socket deadlock") 38986ffa6a748 ("xhci: use port structures instead of port arrays in xhci.c functions") 53460c53b7619 ("[media] au0828: Add timer to restart TS stream if no data arrives on bulk endpoint") 7c96f59e0cafe ("[media] s5p-mfc: Fix initialization of internal structures") 80c1bce9aa315 ("[media] au0828: Refactoring for start_urb_transfer()") 83ad1e6a1dc04 ("powerpc/oprofile: Use setup_timer() helper") 8d6b1bf20f61c ("powerpc/6xx: Use setup_timer() helper") 9815c7cf22dac ("NFC: pn533: Separate physical layer from the core implementation") b9eaf18722221 ("treewide: init_timer() -> setup_timer()") e629cfa36ea08 ("MIPS: Lasat: Use setup_timer() helper") e997ebbe46fe4 ("NFC: pn533: Send ATR_REQ only if NFC_PROTO_NFC_DEP bit is set") e99e88a9d2b06 ("treewide: setup_timer() -> timer_setup()")
v3.18.140: Failed to apply! Possible dependencies: 0a5942c8e1480 ("NFC: Add ACPI support for NXP PN544") 34ac49664149d ("NFC: nci: remove current SLEEP mode management") 3590ebc040c9e ("NFC: logging neatening") 3682f49f32051 ("NFC: netlink: Add new netlink command NFC_CMD_ACTIVATE_TARGET") 37f895d7e85e7 ("NFC: pn533: Fix socket deadlock") 38986ffa6a748 ("xhci: use port structures instead of port arrays in xhci.c functions") 53460c53b7619 ("[media] au0828: Add timer to restart TS stream if no data arrives on bulk endpoint") 5df848f37b1d2 ("NFC: pn533: fix error return code") 7c96f59e0cafe ("[media] s5p-mfc: Fix initialization of internal structures") 80c1bce9aa315 ("[media] au0828: Refactoring for start_urb_transfer()") 9295b5b569fc4 ("NFC: nci: Add support for different NCI_DEACTIVATE_TYPE") 96d4581f0b371 ("NFC: netlink: Add mode parameter to deactivate_target functions") 9815c7cf22dac ("NFC: pn533: Separate physical layer from the core implementation") b9eaf18722221 ("treewide: init_timer() -> setup_timer()") d7979e130ebb0 ("NFC: NCI: Signal deactivation in Target mode") e997ebbe46fe4 ("NFC: pn533: Send ATR_REQ only if NFC_PROTO_NFC_DEP bit is set") e99e88a9d2b06 ("treewide: setup_timer() -> timer_setup()")
How should we proceed with this patch?
-- Thanks, Sasha
Hi Sasha,
i have (back)ported the patch to the older kernels mentioned below where the original patch failed.
The patch appended to this mail applies to v4.14.121, v4.9.178, v4.4.180 and v3.18.140. Some changes within the xhci driver prevented git from finding the correct position.
Hope this helps :-)
Best regards Carsten
Brrrr. IT stuff changed so i append the patch as text: ---
From b1ceb3787bcd6f3ae775eebead9a66b80a2b4314 Mon Sep 17 00:00:00 2001
From: Carsten Schmid carsten_schmid@mentor.com Date: Fri, 8 Mar 2019 15:15:52 +0100 Subject: [PATCH] usb: xhci: avoid null pointer deref when bos field is NULL
With defective USB sticks we see the following error happen: usb 1-3: new high-speed USB device number 6 using xhci_hcd usb 1-3: device descriptor read/64, error -71 usb 1-3: device descriptor read/64, error -71 usb 1-3: new high-speed USB device number 7 using xhci_hcd usb 1-3: device descriptor read/64, error -71 usb 1-3: unable to get BOS descriptor set usb 1-3: New USB device found, idVendor=0781, idProduct=5581 usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 ... BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
This comes from the following place: [ 1660.215380] IP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] [ 1660.222092] PGD 0 P4D 0 [ 1660.224918] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 1660.425520] CPU: 1 PID: 38 Comm: kworker/1:1 Tainted: P U W O 4.14.67-apl #1 [ 1660.434277] Workqueue: usb_hub_wq hub_event [usbcore] [ 1660.439918] task: ffffa295b6ae4c80 task.stack: ffffad4580150000 [ 1660.446532] RIP: 0010:xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] [ 1660.453821] RSP: 0018:ffffad4580153c70 EFLAGS: 00010046 [ 1660.459655] RAX: 0000000000000000 RBX: ffffa295b4d7c000 RCX: 0000000000000002 [ 1660.467625] RDX: 0000000000000002 RSI: ffffffff984a55b2 RDI: ffffffff984a55b2 [ 1660.475586] RBP: ffffad4580153cc8 R08: 0000000000d6520a R09: 0000000000000001 [ 1660.483556] R10: ffffad4580a004a0 R11: 0000000000000286 R12: ffffa295b4d7c000 [ 1660.491525] R13: 0000000000010648 R14: ffffa295a84e1800 R15: 0000000000000000 [ 1660.499494] FS: 0000000000000000(0000) GS:ffffa295bfc80000(0000) knlGS:0000000000000000 [ 1660.508530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1660.514947] CR2: 0000000000000008 CR3: 000000025a114000 CR4: 00000000003406a0 [ 1660.522917] Call Trace: [ 1660.525657] usb_set_usb2_hardware_lpm+0x3d/0x70 [usbcore] [ 1660.531792] usb_disable_device+0x242/0x260 [usbcore] [ 1660.537439] usb_disconnect+0xc1/0x2b0 [usbcore] [ 1660.542600] hub_event+0x596/0x18f0 [usbcore] [ 1660.547467] ? trace_preempt_on+0xdf/0x100 [ 1660.552040] ? process_one_work+0x1c1/0x410 [ 1660.556708] process_one_work+0x1d2/0x410 [ 1660.561184] ? preempt_count_add.part.3+0x21/0x60 [ 1660.566436] worker_thread+0x2d/0x3f0 [ 1660.570522] kthread+0x122/0x140 [ 1660.574123] ? process_one_work+0x410/0x410 [ 1660.578792] ? kthread_create_on_node+0x60/0x60 [ 1660.583849] ret_from_fork+0x3a/0x50 [ 1660.587839] Code: 00 49 89 c3 49 8b 84 24 50 16 00 00 8d 4a ff 48 8d 04 c8 48 89 ca 4c 8b 10 45 8b 6a 04 48 8b 00 48 89 45 c0 49 8b 86 80 03 00 00 <48> 8b 40 08 8b 40 03 0f 1f 44 00 00 45 85 ff 0f 84 81 01 00 00 [ 1660.608980] RIP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] RSP: ffffad4580153c70 [ 1660.617921] CR2: 0000000000000008
Tracking this down shows that udev->bos is NULL in the following code: (xhci.c, in xhci_set_usb2_hardware_lpm) field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); <<<<<<< here
xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n", enable ? "enable" : "disable", port_num + 1);
if (enable) { /* Host supports BESL timeout instead of HIRD */ if (udev->usb2_hw_lpm_besl_capable) { /* if device doesn't have a preferred BESL value use a * default one which works with mixed HIRD and BESL * systems. See XHCI_DEFAULT_BESL definition in xhci.h */ if ((field & USB_BESL_SUPPORT) && (field & USB_BESL_BASELINE_VALID)) hird = USB_GET_BESL_BASELINE(field); else hird = udev->l1_params.besl;
The failing case is when disabling LPM. So it is sufficient to avoid access to udev->bos by moving the instruction into the "enable" clause.
Signed-off-by: Carsten Schmid carsten_schmid@mentor.com --- drivers/usb/host/xhci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index c78de07c4d00..6001c3cefab3 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -4155,7 +4155,6 @@ static int xhci_set_usb2_hardware_lpm(struct usb_hcd *hcd, pm_addr = port_array[port_num] + PORTPMSC; pm_val = readl(pm_addr); hlpm_addr = port_array[port_num] + PORTHLPMC; - field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);
xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n", enable ? "enable" : "disable", port_num + 1); @@ -4167,6 +4166,7 @@ static int xhci_set_usb2_hardware_lpm(struct usb_hcd *hcd, * default one which works with mixed HIRD and BESL * systems. See XHCI_DEFAULT_BESL definition in xhci.h */ + field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); if ((field & USB_BESL_SUPPORT) && (field & USB_BESL_BASELINE_VALID)) hird = USB_GET_BESL_BASELINE(field);
linux-stable-mirror@lists.linaro.org
-
Schmid, Carsten