From: Mathias Nyman <mathias.nyman@linux.intel.com>
To: <gregkh@linuxfoundation.org>
Cc: <linux-usb@vger.kernel.org>, Jimmy Hu <hhhuuu@google.com>,
stable@vger.kernel.org,
Mathias Nyman <mathias.nyman@linux.intel.com>
Subject: [PATCH 2/7] usb: xhci: Check endpoint is valid before dereferencing it
Date: Mon, 16 Jan 2023 16:22:11 +0200 [thread overview]
Message-ID: <20230116142216.1141605-3-mathias.nyman@linux.intel.com> (raw)
In-Reply-To: <20230116142216.1141605-1-mathias.nyman@linux.intel.com>
From: Jimmy Hu <hhhuuu@google.com>
When the host controller is not responding, all URBs queued to all
endpoints need to be killed. This can cause a kernel panic if we
dereference an invalid endpoint.
Fix this by using xhci_get_virt_ep() helper to find the endpoint and
checking if the endpoint is valid before dereferencing it.
[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead
[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8
[233311.853964] pc : xhci_hc_died+0x10c/0x270
[233311.853971] lr : xhci_hc_died+0x1ac/0x270
[233311.854077] Call trace:
[233311.854085] xhci_hc_died+0x10c/0x270
[233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4
[233311.854105] call_timer_fn+0x50/0x2d4
[233311.854112] expire_timers+0xac/0x2e4
[233311.854118] run_timer_softirq+0x300/0xabc
[233311.854127] __do_softirq+0x148/0x528
[233311.854135] irq_exit+0x194/0x1a8
[233311.854143] __handle_domain_irq+0x164/0x1d0
[233311.854149] gic_handle_irq.22273+0x10c/0x188
[233311.854156] el1_irq+0xfc/0x1a8
[233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]
[233311.854185] cpuidle_enter_state+0x1f0/0x764
[233311.854194] do_idle+0x594/0x6ac
[233311.854201] cpu_startup_entry+0x7c/0x80
[233311.854209] secondary_start_kernel+0x170/0x198
Fixes: 50e8725e7c42 ("xhci: Refactor command watchdog and fix split string.")
Cc: stable@vger.kernel.org
Signed-off-by: Jimmy Hu <hhhuuu@google.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
---
drivers/usb/host/xhci-ring.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index ddc30037f9ce..f5b0e1ce22af 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1169,7 +1169,10 @@ static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci,
struct xhci_virt_ep *ep;
struct xhci_ring *ring;
- ep = &xhci->devs[slot_id]->eps[ep_index];
+ ep = xhci_get_virt_ep(xhci, slot_id, ep_index);
+ if (!ep)
+ return;
+
if ((ep->ep_state & EP_HAS_STREAMS) ||
(ep->ep_state & EP_GETTING_NO_STREAMS)) {
int stream_id;
--
2.25.1
next prev parent reply other threads:[~2023-01-16 14:44 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-16 14:22 [PATCH 0/7] usb and xhci fixes for usb-linus Mathias Nyman
2023-01-16 14:22 ` [PATCH 1/7] xhci-pci: set the dma max_seg_size Mathias Nyman
2023-01-16 14:22 ` Mathias Nyman [this message]
2023-01-16 16:59 ` [PATCH 2/7] usb: xhci: Check endpoint is valid before dereferencing it Ladislav Michl
2023-01-17 10:02 ` Mathias Nyman
2023-02-23 16:26 ` youling257
2023-02-24 10:29 ` Mathias Nyman
2023-02-24 15:58 ` youling 257
2023-02-24 16:03 ` youling 257
2023-01-16 14:22 ` [PATCH 3/7] xhci: Fix null pointer dereference when host dies Mathias Nyman
2023-01-16 14:22 ` [PATCH 4/7] xhci: Add update_hub_device override for PCI xHCI hosts Mathias Nyman
2023-01-16 14:22 ` [PATCH 5/7] xhci: Add a flag to disable USB3 lpm on a xhci root port level Mathias Nyman
2023-01-16 14:22 ` [PATCH 6/7] usb: acpi: add helper to check port lpm capability using acpi _DSM Mathias Nyman
2023-01-16 14:22 ` [PATCH 7/7] xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables Mathias Nyman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230116142216.1141605-3-mathias.nyman@linux.intel.com \
--to=mathias.nyman@linux.intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hhhuuu@google.com \
--cc=linux-usb@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.