From: Douglas Anderson <dianders@chromium.org>
To: John Youn <John.Youn@synopsys.com>,
balbi@ti.com, kever.yang@rock-chips.com
Cc: "Heiko Stübner" <heiko@sntech.de>,
linux-rockchip@lists.infradead.org,
"Julius Werner" <jwerner@chromium.org>,
gregory.herrero@intel.com, yousaf.kaukab@intel.com,
dinguyen@opensource.altera.com, stern@rowland.harvard.edu,
ming.lei@canonical.com,
"Douglas Anderson" <dianders@chromium.org>,
johnyoun@synopsys.com, gregkh@linuxfoundation.org,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v4 05/21] usb: dwc2: host: Avoid use of chan->qh after qh freed
Date: Wed, 20 Jan 2016 21:04:16 -0800 [thread overview]
Message-ID: <1453352672-27890-6-git-send-email-dianders@chromium.org> (raw)
In-Reply-To: <1453352672-27890-1-git-send-email-dianders@chromium.org>
When poking around with USB devices with slub_debug enabled, I found
another obvious use after free. Turns out that in dwc2_hc_n_intr() I
was in a state when the contents of chan->qh was filled with 0x6b,
indicating that chan->qh was freed but chan still had a reference to
it.
Let's make sure that whenever we free qh we also make sure we remove a
reference from its channel.
The bug fixed here doesn't appear to be new--I believe I just got lucky
and happened to see it while stress testing.
Signed-off-by: Douglas Anderson <dianders@chromium.org>
---
Changes in v4:
- Avoid use of chan->qh after qh freed new for v4.
Changes in v3: None
Changes in v2: None
drivers/usb/dwc2/hcd.c | 8 ++++++++
drivers/usb/dwc2/hcd_intr.c | 10 ++++++++++
2 files changed, 18 insertions(+)
diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
index bc4bdbc1534e..7783c8ba0173 100644
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -164,6 +164,9 @@ static void dwc2_qh_list_free(struct dwc2_hsotg *hsotg,
qtd_list_entry)
dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh);
+ if (qh->channel && qh->channel->qh == qh)
+ qh->channel->qh = NULL;
+
spin_unlock_irqrestore(&hsotg->lock, flags);
dwc2_hcd_qh_free(hsotg, qh);
spin_lock_irqsave(&hsotg->lock, flags);
@@ -554,7 +557,12 @@ static int dwc2_hcd_endpoint_disable(struct dwc2_hsotg *hsotg,
dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh);
ep->hcpriv = NULL;
+
+ if (qh->channel && qh->channel->qh == qh)
+ qh->channel->qh = NULL;
+
spin_unlock_irqrestore(&hsotg->lock, flags);
+
dwc2_hcd_qh_free(hsotg, qh);
return 0;
diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c
index 352c98364317..99efc2bd1617 100644
--- a/drivers/usb/dwc2/hcd_intr.c
+++ b/drivers/usb/dwc2/hcd_intr.c
@@ -1935,6 +1935,16 @@ static void dwc2_hc_n_intr(struct dwc2_hsotg *hsotg, int chnum)
}
dwc2_writel(hcint, hsotg->regs + HCINT(chnum));
+
+ /*
+ * If we got an interrupt after someone called
+ * dwc2_hcd_endpoint_disable() we don't want to crash below
+ */
+ if (!chan->qh) {
+ dev_warn(hsotg->dev, "Interrupt on disabled channel\n");
+ return;
+ }
+
chan->hcint = hcint;
hcint &= hcintmsk;
--
2.7.0.rc3.207.g0ac5344
WARNING: multiple messages have this Message-ID (diff)
From: Douglas Anderson <dianders-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
To: John Youn <John.Youn-HKixBCOQz3hWk0Htik3J/w@public.gmane.org>,
balbi-l0cyMroinI0@public.gmane.org,
kever.yang-TNX95d0MmH7DzftRWevZcw@public.gmane.org
Cc: gregory.herrero-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org,
"Heiko Stübner" <heiko-4mtYJXux2i+zQB+pC5nmwQ@public.gmane.org>,
johnyoun-HKixBCOQz3hWk0Htik3J/w@public.gmane.org,
gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org,
ming.lei-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org,
linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
"Douglas Anderson"
<dianders-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-rockchip-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org,
yousaf.kaukab-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org,
stern-nwvwT67g6+6dFdvTe/nMLpVzexx5G7lz@public.gmane.org,
"Julius Werner" <jwerner-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
dinguyen-yzvPICuk2ABMcg4IHK0kFoH6Mc4MB0Vx@public.gmane.org
Subject: [PATCH v4 05/21] usb: dwc2: host: Avoid use of chan->qh after qh freed
Date: Wed, 20 Jan 2016 21:04:16 -0800 [thread overview]
Message-ID: <1453352672-27890-6-git-send-email-dianders@chromium.org> (raw)
In-Reply-To: <1453352672-27890-1-git-send-email-dianders-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
When poking around with USB devices with slub_debug enabled, I found
another obvious use after free. Turns out that in dwc2_hc_n_intr() I
was in a state when the contents of chan->qh was filled with 0x6b,
indicating that chan->qh was freed but chan still had a reference to
it.
Let's make sure that whenever we free qh we also make sure we remove a
reference from its channel.
The bug fixed here doesn't appear to be new--I believe I just got lucky
and happened to see it while stress testing.
Signed-off-by: Douglas Anderson <dianders-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
---
Changes in v4:
- Avoid use of chan->qh after qh freed new for v4.
Changes in v3: None
Changes in v2: None
drivers/usb/dwc2/hcd.c | 8 ++++++++
drivers/usb/dwc2/hcd_intr.c | 10 ++++++++++
2 files changed, 18 insertions(+)
diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
index bc4bdbc1534e..7783c8ba0173 100644
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -164,6 +164,9 @@ static void dwc2_qh_list_free(struct dwc2_hsotg *hsotg,
qtd_list_entry)
dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh);
+ if (qh->channel && qh->channel->qh == qh)
+ qh->channel->qh = NULL;
+
spin_unlock_irqrestore(&hsotg->lock, flags);
dwc2_hcd_qh_free(hsotg, qh);
spin_lock_irqsave(&hsotg->lock, flags);
@@ -554,7 +557,12 @@ static int dwc2_hcd_endpoint_disable(struct dwc2_hsotg *hsotg,
dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh);
ep->hcpriv = NULL;
+
+ if (qh->channel && qh->channel->qh == qh)
+ qh->channel->qh = NULL;
+
spin_unlock_irqrestore(&hsotg->lock, flags);
+
dwc2_hcd_qh_free(hsotg, qh);
return 0;
diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c
index 352c98364317..99efc2bd1617 100644
--- a/drivers/usb/dwc2/hcd_intr.c
+++ b/drivers/usb/dwc2/hcd_intr.c
@@ -1935,6 +1935,16 @@ static void dwc2_hc_n_intr(struct dwc2_hsotg *hsotg, int chnum)
}
dwc2_writel(hcint, hsotg->regs + HCINT(chnum));
+
+ /*
+ * If we got an interrupt after someone called
+ * dwc2_hcd_endpoint_disable() we don't want to crash below
+ */
+ if (!chan->qh) {
+ dev_warn(hsotg->dev, "Interrupt on disabled channel\n");
+ return;
+ }
+
chan->hcint = hcint;
hcint &= hcintmsk;
--
2.7.0.rc3.207.g0ac5344
next prev parent reply other threads:[~2016-01-21 5:05 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-21 5:04 [PATCH v4 0/21] usb: dwc2: host: Fix and speed up all the stuff, especially with splits Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 01/21] usb: dwc2: rockchip: Make the max_transfer_size automatic Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 02/21] usb: dwc2: host: Get aligned DMA in a more supported way Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 03/21] usb: dwc2: host: Set host_rx_fifo_size to 528 for rk3066 Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 04/21] usb: dwc2: host: Set host_perio_tx_fifo_size to 304 " Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson [this message]
2016-01-21 5:04 ` [PATCH v4 05/21] usb: dwc2: host: Avoid use of chan->qh after qh freed Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 06/21] usb: dwc2: host: Always add to the tail of queues Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 07/21] usb: dwc2: hcd: fix split transfer schedule sequence Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:24 ` kbuild test robot
2016-01-21 5:24 ` kbuild test robot
2016-01-22 0:24 ` Doug Anderson
2016-01-21 5:04 ` [PATCH v4 08/21] usb: dwc2: host: Add scheduler tracing Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 09/21] usb: dwc2: host: Add a delay before releasing periodic bandwidth Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 10/21] usb: dwc2: host: Giveback URB in tasklet context Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 11/21] usb: dwc2: host: Use periodic interrupt even with DMA Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 12/21] usb: dwc2: host: Rename some fields in struct dwc2_qh Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 13/21] usb: dwc2: host: Reorder things in hcd_queue.c Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 14/21] usb: dwc2: host: Split code out to make dwc2_do_reserve() Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 15/21] usb: dwc2: host: Add scheduler logging for missed SOFs Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 16/21] usb: dwc2: host: Manage frame nums better in scheduler Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 17/21] usb: dwc2: host: Schedule periodic right away if it's time Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 18/21] usb: dwc2: host: Add dwc2_hcd_get_future_frame_number() call Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 19/21] usb: dwc2: host: Properly set even/odd frame Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:04 ` [PATCH v4 20/21] usb: dwc2: host: Totally redo the microframe scheduler Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
2016-01-21 5:49 ` kbuild test robot
2016-01-21 5:49 ` kbuild test robot
2016-01-21 5:04 ` [PATCH v4 21/21] usb: dwc2: host: If using uframe scheduler, end splits better Douglas Anderson
2016-01-21 5:04 ` Douglas Anderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1453352672-27890-6-git-send-email-dianders@chromium.org \
--to=dianders@chromium.org \
--cc=John.Youn@synopsys.com \
--cc=balbi@ti.com \
--cc=dinguyen@opensource.altera.com \
--cc=gregkh@linuxfoundation.org \
--cc=gregory.herrero@intel.com \
--cc=heiko@sntech.de \
--cc=johnyoun@synopsys.com \
--cc=jwerner@chromium.org \
--cc=kever.yang@rock-chips.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rockchip@lists.infradead.org \
--cc=linux-usb@vger.kernel.org \
--cc=ming.lei@canonical.com \
--cc=stern@rowland.harvard.edu \
--cc=yousaf.kaukab@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.