From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mga09.intel.com ([134.134.136.24]:33981 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727678AbeHaSLA (ORCPT ); Fri, 31 Aug 2018 14:11:00 -0400
From: Mathias Nyman
To:
Cc: , sudipm.mukherjee@gmail.com, Mathias Nyman , stable@vger.kernel.org
Subject: [PATCH] usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
Date: Fri, 31 Aug 2018 17:06:21 +0300
Message-Id: <1535724381-24890-1-git-send-email-mathias.nyman@linux.intel.com>
Sender: stable-owner@vger.kernel.org
List-ID:

The steps taken by usb core to set a new interface are very different from what is done on the xHC host side.

xHC hardware will do everything in one go. One command is used to set up new endpoints, free old endpoints, check bandwidth, and run the new endpoints.

All this is done by xHC when usb core asks the hcd to check for available bandwidth. At this point usb core has not yet flushed the old endpoints, which will cause use-after-free issues in xhci driver as queued URBs are cancelled on a re-allocated endpoint.

To resolve this add a call to usb_disable_interface() which will flush the endpoints before calling usb_hcd_alloc_bandwidth().

Additional checks in xhci driver will also be implemented to gracefully handle stale URB cancel on freed and re-allocated endpoints.

Cc:
Reported-by: Sudip Mukherjee
Signed-off-by: Mathias Nyman
---
 drivers/usb/core/message.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 228672f..304bef2 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1377,6 +1377,13 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate) return -EINVAL; } + /* + * usb3 hosts configure the interface in usb_hcd_alloc_bandwidth, + * including freeing dropped endpoint ring buffers. + * Make sure the interface endpoints are flushed before that + */ + usb_disable_interface(dev, iface, false); + /* Make sure we have enough bandwidth for this alternate interface. * Remove the current alt setting and add the new alt setting. */ -- 2.7.4
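Review bot: the new usb_disable_interface() call is placed before the bandwidth check, so if usb_hcd_alloc_bandwidth() fails just below this hunk the old altsetting's endpoints have already been flushed and disabled before the error return; that failure path is not visible here, so please confirm it still leaves the interface in a usable state (or re-enables the endpoints) rather than returning with them torn down. The added comment talks about "usb3 hosts", but the call is made unconditionally for every host controller; either say explicitly that flushing early is harmless for non-xHC hosts, or explain why it is safe for them. Since the message states that the matching stale-URB checks in the xhci driver are still to come and the patch is Cc'd to stable, naming that follow-up (or adding a Fixes: tag) would help backporters pick up both changes together.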