OpenCloudOS-Kernel/drivers
Mathias Nyman df29b5d6f8 xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
commit af8e119f52e9c13e556be9e03f27957554a84656 upstream.

Re-enumerating full-speed devices after a failed address device command
can trigger a NULL pointer dereference.

Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size
value during enumeration. USB core calls usb_ep0_reinit() in this case,
which ends up calling xhci_configure_endpoint().

On Panther Point xHC the xhci_configure_endpoint() function will
additionally check and reserve bandwidth in software. Other hosts do
this in hardware.

If xHC address device command fails then a new xhci_virt_device structure
is allocated as part of re-enabling the slot, but the bandwidth table
pointers are not set up properly here.
This triggers the NULL pointer dereference the next time usb_ep0_reinit()
is called and xhci_configure_endpoint() tries to check and reserve
bandwidth.

[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd
[46710.713699] usb 3-1: Device not responding to setup address.
[46710.917684] usb 3-1: Device not responding to setup address.
[46711.125536] usb 3-1: device not accepting address 5, error -71
[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008
[46711.125600] #PF: supervisor read access in kernel mode
[46711.125603] #PF: error_code(0x0000) - not-present page
[46711.125606] PGD 0 P4D 0
[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1
[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.
[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]
[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c

Fix this by making sure bandwidth table pointers are set up correctly
after a failed address device command, and additionally by avoiding
checking for bandwidth in cases like this where no actual endpoints are
added or removed, i.e. only context for default control endpoint 0 is
evaluated.

This fixes CVE-2024-45006.

Reported-by: Karel Balej <balejk@matfyz.cz>
Closes: https://lore.kernel.org/linux-usb/D3CKQQAETH47.1MUO22RTCH2O3@matfyz.cz/
Cc: stable@vger.kernel.org
Fixes: 651aaf36a7 ("usb: xhci: Handle USB transaction error on address command")
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240815141117.2702314-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Huang Cun <cunhuang@tencent.com>
Signed-off-by: Jianping Liu <frankjpliu@tencent.com>
2024-11-28 15:09:19 +08:00
accessibility
acpi ACPI: video: check for error while searching for backlight device parent 2024-11-28 15:03:20 +08:00
amba tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
android tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ata ata: libata-core: Fix null pointer dereference on error 2024-11-28 15:09:19 +08:00
atm tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
auxdisplay tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
base drivers: core: synchronize really_probe() and dev_uevent() 2024-11-28 15:09:18 +08:00
bcma tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
block nbd: null check for nla_nest_start 2024-11-28 15:08:37 +08:00
bluetooth Bluetooth: btintel: Fixe build regression 2024-11-28 14:55:53 +08:00
bus tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
cdrom tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
char Add Phytium BT BMC driver support 2024-11-28 12:26:14 +08:00
clk clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays 2024-11-28 15:07:13 +08:00
clocksource clocksource/drivers/arm_arch_timer: Fix masking for high freq counters 2024-06-12 13:16:41 +08:00
connector
counter tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
cpufreq cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations 2024-11-28 14:55:53 +08:00
cpuidle tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
crypto crypto: bcm - Fix pointer arithmetic 2024-11-28 15:03:50 +08:00
dax tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
dca
devfreq tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
dio tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
dma tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
dma-buf dma-buf/sw-sync: don't enable IRQ from sync_print_obj() 2024-11-28 14:54:40 +08:00
edac EDAC/amd64: Adjust UMC channel for Hygon family 18h model 6h 2024-11-14 17:48:30 +08:00
eisa
extcon tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
firewire firewire: ohci: mask bus reset interrupts between ISR and bottom half 2024-11-28 14:55:53 +08:00
firmware sdei_watchdog: set secure timer period base on 'watchdog_thresh' 2024-11-05 18:57:53 +08:00
fpga tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
fsi tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
gnss ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
gpio gpio: davinci: Validate the obtained number of IRQs 2024-11-28 15:09:19 +08:00
gpu drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep 2024-11-28 15:09:19 +08:00
greybus greybus: Fix use-after-free bug in gb_interface_release due to race condition. 2024-11-28 15:09:18 +08:00
hid HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up 2024-11-28 14:55:53 +08:00
hsi tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
hv tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
hwmon Add support for Phytium fan tacho driver support 2024-11-28 12:28:09 +08:00
hwspinlock
hwtracing stm class: Fix a double free in stm_register_device() 2024-11-28 14:54:40 +08:00
i2c i2c: smbus: fix NULL function pointer dereference 2024-11-28 14:55:53 +08:00
i3c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
ide ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
idle tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
iio iio: chemical: bme680: Fix overflows in compensate() functions 2024-11-28 15:09:19 +08:00
infiniband RDMA/mlx5: Add check for srq max_sge attribute 2024-11-28 14:53:53 +08:00
input tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
interconnect tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
iommu iommu/hygon: Add support for Hygon family 18h model 4h IOAPIC 2024-11-14 17:48:28 +08:00
ipack tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
irqchip Add support for Phytium INTx controller 2024-11-28 12:28:09 +08:00
isdn tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
leds tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
lightnvm tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
macintosh tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
mailbox mailbox driver support for Phytium desktop and embedded CPUs 2024-11-28 12:26:14 +08:00
mcb tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
md md/raid10: use dereference_rdev_and_rrdev() to get devices 2024-11-28 14:58:45 +08:00
media media: v4l2-tpg: fix some memleaks in tpg_alloc 2024-11-28 14:55:52 +08:00
memory tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
memstick tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
message ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
mfd tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
misc VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() 2024-11-28 14:55:52 +08:00
mmc tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
mtd Add support for the Phytium QuadSPI controller driver 2024-11-28 12:28:10 +08:00
mux
net i40e: Do not use WQ_MEM_RECLAIM flag for workqueue 2024-11-28 14:57:54 +08:00
nfc tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ntb NTB: Add Hygon Device ID 2024-11-14 17:48:27 +08:00
nubus
nvdimm tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
nvme tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
nvmem tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
of tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
opp tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
oprofile
parisc tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
parport tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
pci Add support for PCIe endpoint controller support 2024-11-28 12:28:09 +08:00
pcmcia tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
perf arm_pmu: arm64: Use NMIs for PMU 2024-11-05 17:04:08 +08:00
phy tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
pinctrl pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER 2024-11-28 15:09:19 +08:00
platform platform/x86: wmi: Fix opening of char device 2024-11-28 14:55:53 +08:00
pnp tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
power tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
powercap tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
pps
ps3 ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
ptp tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
pwm tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
rapidio tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ras tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
regulator tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
remoteproc tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
reset tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
rpmsg tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
rtc RTC driver support for Phytium desktop and embedded CPUs 2024-11-28 12:26:14 +08:00
s390 ethtool: extend ringparam setting/getting API with rx_buf_len 2024-06-12 13:17:44 +08:00
sbus
scsi scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() 2024-11-28 14:55:52 +08:00
sfi
sh tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
siox tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
slimbus tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
soc tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
soundwire tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
spi SPI platform driver support for Phytium desktop CPUS 2024-11-28 12:26:14 +08:00
spmi tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ssb tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
staging media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak 2024-11-28 14:55:52 +08:00
target scsi: target: core: Add TMF to tmr_list handling 2024-11-28 15:07:13 +08:00
tc
tee tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
thermal tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
thirdparty ice: add ice driver for arm64 2024-11-27 15:04:26 +08:00
thunderbolt tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
tty tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc 2024-11-28 14:55:53 +08:00
uio tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
usb xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration 2024-11-28 15:09:19 +08:00
vfio tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
vhost tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
video fbmon: prevent division by zero in fb_videomode_from_videomode() 2024-11-28 14:55:52 +08:00
virt tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
virtio tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
visorbus tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
vlynq
vme tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
w1 tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
watchdog tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
xen tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
zorro
Kconfig tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
Makefile tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00