OpenCloudOS-Kernel/drivers/usb/host
Mathias Nyman df29b5d6f8 xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
commit af8e119f52e9c13e556be9e03f27957554a84656 upstream.

Re-enumerating full-speed devices after a failed address device command
can trigger a NULL pointer dereference.

Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size
value during enumeration. USB core calls usb_ep0_reinit() in this case,
which ends up calling xhci_configure_endpoint().

On Panther point xHC the xhci_configure_endpoint() function will
additionally check and reserve bandwidth in software. Other hosts do
this in hardware.

If xHC address device command fails then a new xhci_virt_device structure
is allocated as part of re-enabling the slot, but the bandwidth table
pointers are not set up properly here.
This triggers the NULL pointer dereference the next time usb_ep0_reinit()
is called and xhci_configure_endpoint() tries to check and reserve
bandwidth.

[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd
[46710.713699] usb 3-1: Device not responding to setup address.
[46710.917684] usb 3-1: Device not responding to setup address.
[46711.125536] usb 3-1: device not accepting address 5, error -71
[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008
[46711.125600] #PF: supervisor read access in kernel mode
[46711.125603] #PF: error_code(0x0000) - not-present page
[46711.125606] PGD 0 P4D 0
[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1
[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.
[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]
[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c

Fix this by making sure bandwidth table pointers are set up correctly
after a failed address device command, and additionally by avoiding
checking for bandwidth in cases like this where no actual endpoints are
added or removed, i.e. only context for default control endpoint 0 is
evaluated.

This fixes CVE-2024-45006.

Reported-by: Karel Balej <balejk@matfyz.cz>
Closes: https://lore.kernel.org/linux-usb/D3CKQQAETH47.1MUO22RTCH2O3@matfyz.cz/
Cc: stable@vger.kernel.org
Fixes: 651aaf36a7 ("usb: xhci: Handle USB transaction error on address command")
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240815141117.2702314-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Huang Cun <cunhuang@tencent.com>
Signed-off-by: Jianping Liu <frankjpliu@tencent.com>
2024-11-28 15:09:19 +08:00
Kconfig tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
Makefile usb: remove ehci-w90x900 driver 2019-08-10 09:28:28 +02:00
bcma-hcd.c USB: host: Remove redundant license text 2017-11-07 15:45:02 +01:00
ehci-atmel.c usb: Remove dev_err() usage after platform_get_irq() 2019-07-30 20:29:18 +02:00
ehci-dbg.c USB: ehci-hcd: no need to check return value of debugfs_create functions 2018-05-31 12:54:22 +02:00
ehci-exynos.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
ehci-fsl.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ehci-fsl.h usb: phy: Workaround for USB erratum-A005728 2019-07-03 18:52:20 +02:00
ehci-grlib.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
ehci-hcd.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ehci-hub.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
ehci-mem.c Revert "usb: host: ehci: Use dma_pool_zalloc()" 2018-05-04 14:35:12 -07:00
ehci-mv.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ehci-mxc.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
ehci-npcm7xx.c USB: host: ehci-npcm7xx: Fix some error codes in probe 2018-06-28 19:32:42 +09:00
ehci-omap.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
ehci-orion.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ehci-pci.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ehci-platform.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ehci-pmcmsp.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
ehci-ppc-of.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ehci-ps3.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
ehci-q.c tkernel: add base tlinux kernel interfaces 2024-06-11 20:09:33 +08:00
ehci-sched.c usb: host: ehci-sched: remove redundant pointer dev 2018-07-13 15:41:56 +02:00
ehci-sh.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
ehci-spear.c USB: host: ehci: Remove redundant license text 2017-11-07 15:45:02 +01:00
ehci-st.c usb: Remove dev_err() usage after platform_get_irq() 2019-07-30 20:29:18 +02:00
ehci-sysfs.c USB: move many drivers to use DEVICE_ATTR_RW 2018-01-24 08:49:51 +01:00
ehci-tegra.c usb: tegra: Move utmi-pads reset from ehci-tegra to tegra-phy 2018-04-23 09:50:57 +02:00
ehci-timer.c usb: host: Replace empty define with do while 2018-09-28 15:03:37 +02:00
ehci-xilinx-of.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
ehci.h tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
fhci-dbg.c USB: fhci-hcd: no need to check return value of debugfs_create functions 2018-05-31 12:54:22 +02:00
fhci-hcd.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
fhci-hub.c USB: host: fhci: Remove redundant license text 2017-11-07 15:45:02 +01:00
fhci-mem.c USB: host: fhci: Remove redundant license text 2017-11-07 15:45:02 +01:00
fhci-q.c USB: host: fhci: Remove redundant license text 2017-11-07 15:45:02 +01:00
fhci-sched.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
fhci-tds.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
fhci.h USB: fhci-hcd: no need to check return value of debugfs_create functions 2018-05-31 12:54:22 +02:00
fotg210-hcd.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
fotg210.h tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
fsl-mph-dr-of.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
imx21-dbg.c USB: imx21-hcd: no need to check return value of debugfs_create functions 2018-05-31 12:54:22 +02:00
imx21-hcd.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
imx21-hcd.h USB: host: imx21: Remove redundant license text 2017-11-07 15:45:02 +01:00
isp116x-hcd.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
isp116x.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
isp1362-hcd.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
isp1362.h usb: isp1362: Spelling s/eclusive/exclusive/ 2019-06-18 08:51:28 +02:00
max3421-hcd.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ohci-at91.c USB: host: ohci-at91: add sam9x60-sfr definition for ohci 2019-01-18 09:58:04 +01:00
ohci-da8xx.c tkernel: add base tlinux kernel interfaces 2024-06-11 20:09:33 +08:00
ohci-dbg.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
ohci-exynos.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
ohci-hcd.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
ohci-hub.c ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and io_watchdog_func() 2018-02-15 18:43:57 +01:00
ohci-mem.c usb: host: Fix excessive alignment restriction for local memory allocations 2019-06-28 07:57:07 +02:00
ohci-nxp.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ohci-omap.c usb: add a flag to skip PHY initialization to struct usb_hcd 2018-03-09 09:43:52 -08:00
ohci-pci.c usb: pci-quirks: Minor cleanup for AMD PLL quirk 2019-07-25 10:40:02 +02:00
ohci-platform.c usb: Remove dev_err() usage after platform_get_irq() 2019-07-30 20:29:18 +02:00
ohci-ppc-of.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ohci-ps3.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
ohci-pxa27x.c usb: host: ohci-pxa27x: Fix and & vs | typo 2019-08-21 09:59:30 -07:00
ohci-q.c usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks() 2018-02-15 18:45:34 +01:00
ohci-s3c2410.c usb: ohci-s3c2410: Remove set but not used variable 'hcd' 2019-06-03 15:21:57 +02:00
ohci-sa1111.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
ohci-sm501.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
ohci-spear.c USB: ohci-spear: Remove set but not used variable 'ohci' 2019-06-03 15:21:57 +02:00
ohci-st.c usb: Remove dev_err() usage after platform_get_irq() 2019-07-30 20:29:18 +02:00
ohci-tmio.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ohci.h USB: use genalloc for USB HCs with local memory 2019-06-03 16:00:07 +02:00
oxu210hp-hcd.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
pci-quirks.c usb: pci-quirks: Minor cleanup for AMD PLL quirk 2019-07-25 10:40:02 +02:00
pci-quirks.h usb: pci-quirks: Minor cleanup for AMD PLL quirk 2019-07-25 10:40:02 +02:00
r8a66597-hcd.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
r8a66597.h USB: host: Remove redundant license text 2017-11-07 15:45:02 +01:00
sl811-hcd.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
sl811.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sl811_cs.c USB: add SPDX identifiers to all remaining files in drivers/usb/ 2017-11-04 11:48:02 +01:00
ssb-hcd.c USB: host: Remove redundant license text 2017-11-07 15:45:02 +01:00
u132-hcd.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
uhci-debug.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
uhci-grlib.c usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
uhci-hcd.c USB: drop HCD_LOCAL_MEM flag 2019-06-03 16:00:08 +02:00
uhci-hcd.h usb: uhci: Add clk support to uhci-platform 2018-01-17 15:08:56 +01:00
uhci-hub.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
uhci-pci.c USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value 2024-10-21 14:27:55 +08:00
uhci-platform.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
uhci-q.c USB: remove the URB_NO_FSBR flag 2017-12-12 13:16:07 +01:00
xhci-dbg.c usb: xhci: Cleanup printk debug message for ERST 2017-12-08 17:43:52 +01:00
xhci-dbgcap.c usb: host: Remove call to memset after dma_alloc_coherent 2019-07-25 11:10:54 +02:00
xhci-dbgcap.h usb: xhci: dbc: Add SPDX identifiers to dbc files 2018-05-24 18:03:07 +02:00
xhci-dbgtty.c usb: xhci: dbc: Use GFP_KERNEL instead of GFP_ATOMIC in 'xhci_dbc_alloc_requests()' 2019-09-03 15:49:11 +02:00
xhci-debugfs.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xhci-debugfs.h usb: xhci: remove unused member 'parent' in xhci_regset struct 2019-02-20 20:18:23 +01:00
xhci-ext-caps.c xhci-ext-caps.c: Add missing platform_device_put() on error in xhci_create_intel_xhci_sw_pdev() 2019-10-04 14:37:53 +02:00
xhci-ext-caps.h tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xhci-histb.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
xhci-hub.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xhci-mem.c xHCI-Add-XHCI_SLOWDOWN_QUIRK-quirk-for-phytium-xHCI 2024-11-28 12:28:09 +08:00
xhci-mtk-sch.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xhci-mtk.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
xhci-mtk.h tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xhci-mvebu.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xhci-mvebu.h ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
xhci-pci.c xHCI-Add-XHCI_SLOWDOWN_QUIRK-quirk-for-phytium-xHCI 2024-11-28 12:28:09 +08:00
xhci-plat.c usb: xhci: xhci-plat: Support for Phytium Pe220x 2024-11-28 12:27:46 +08:00
xhci-plat.h ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
xhci-rcar.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xhci-rcar.h usb: host: xhci-rcar: Use xhci_plat_priv.quirks instead of code settings 2019-09-03 15:53:27 +02:00
xhci-ring.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xhci-tegra.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xhci-trace.c USB: host: xhci: Remove redundant license text 2017-11-07 15:45:02 +01:00
xhci-trace.h tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xhci.c xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration 2024-11-28 15:09:19 +08:00
xhci.h xHCI-Add-XHCI_SLOWDOWN_QUIRK-quirk-for-phytium-xHCI 2024-11-28 12:28:09 +08:00