From: Alexander Kappner
To: mathias.nyman@intel.com, Greg Kroah-Hartman, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Alexander Kappner
Date: Thu, 7 Dec 2017 01:26:14 -0800
Message-Id: <1512638774-6837-1-git-send-email-agk@godking.net>
X-Mailer: git-send-email 2.1.4
X-Mailing-List: linux-kernel@vger.kernel.org

Date: Wed, 6 Dec 2017 15:28:37 -0800
Subject: [PATCH] usb-core: Fix potential null pointer dereference in xhci-debugfs.c

My kernel crashed just after resuming from hibernate and starting usbmuxd (a user-space daemon for iOS device pairing) with several USB devices connected (dmesg attached).

Backtrace leads to:

0xffffffff8170465d is in xhci_debugfs_create_endpoint (drivers/usb/host/xhci-debugfs.c:381).
376                                            int ep_index)
377     {
378             struct xhci_ep_priv     *epriv;
379             struct xhci_slot_priv   *spriv = dev->debugfs_private;
380
381             if (spriv->eps[ep_index])
382                     return;
383
384             epriv = kzalloc(sizeof(*epriv), GFP_KERNEL);
385             if (!epriv)

The read violation happens at address 0x40 and sizeof(struct xhci_ep_priv)=0x40, so it seems ep_index is 1 and spriv is NULL here.

spriv gets allocated in xhci_debugfs_create_slot:

...
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
if (!priv)
    return;
...

There's no separate error path if this allocation fails, so we might be left with NULL in priv. Subsequent users of priv thus need to check for this NULL - so this is what the patch does.

There might be other ways of triggering this null pointer dereference, including when xhci_resume frees the device structures (e.g. after returning from a hibernate), but I wasn't able to find or reproduce it.
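As an added illustration of the failure mode the description above walks through (this is not code from the patch or from the kernel), the following user-space C model keeps the shape of xhci_debugfs_create_slot and xhci_debugfs_create_endpoint, injects the allocation failure, and shows the patched check turning the NULL dereference into a skipped debugfs entry. The struct definitions, kzalloc_sim and run_scenario are stand-ins invented for the example.

```c
#include <stdlib.h>
#include <stdbool.h>

/* Hypothetical stand-ins for the kernel's xhci_ep_priv / xhci_slot_priv. */
struct ep_priv { int ep_index; };
struct slot_priv { struct ep_priv *eps[31]; };
struct virt_device { struct slot_priv *debugfs_private; };
/* Fault-injectable stand-in for kzalloc(): fails once when the flag is set. */
static bool fail_next_alloc;
static void *kzalloc_sim(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = false; return NULL; }
    return calloc(1, n);
}
/* Like xhci_debugfs_create_slot: a failed allocation leaves the slot
 * private NULL and nothing reports that back to the caller. */
static void create_slot(struct virt_device *dev)
{
    struct slot_priv *priv = kzalloc_sim(sizeof(*priv));
    if (!priv)
        return;
    dev->debugfs_private = priv;
}
/* Patched create_endpoint: 1 if an entry was created, 0 if skipped. */
static int create_endpoint(struct virt_device *dev, int ep_index)
{
    struct slot_priv *spriv = dev->debugfs_private;
    struct ep_priv *epriv;
    if (!spriv)                 /* the check the patch adds */
        return 0;
    if (spriv->eps[ep_index])   /* NULL dereference without the check above */
        return 0;
    epriv = kzalloc_sim(sizeof(*epriv));
    if (!epriv)
        return 0;
    epriv->ep_index = ep_index;
    spriv->eps[ep_index] = epriv;
    return 1;
}
/* Optionally fail the slot allocation, then add endpoints 1, 1, 2 and
 * return how many entries were created: 2 normally, 0 when the slot failed. */
static int run_scenario(bool slot_alloc_fails)
{
    struct virt_device dev = { 0 };
    fail_next_alloc = slot_alloc_fails;
    create_slot(&dev);
    int n = create_endpoint(&dev, 1) + create_endpoint(&dev, 1) + create_endpoint(&dev, 2);
    free(dev.debugfs_private);  /* endpoint entries are leaked; fine for a demo */
    return n;
}
```

Without the `if (!spriv)` guard, run_scenario(true) would dereference NULL exactly as the oops below reports; with it, the slot simply gets no endpoint entries.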
[63953.758083] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
[63953.758090] IP: xhci_debugfs_create_endpoint+0x1d/0xa0
[63953.758091] PGD bb911d067 P4D bb911d067 PUD 10500ff067 PMD 0
[63953.758093] Oops: 0000 [#1] PREEMPT SMP
[63953.758094] Modules linked in: ipheth tun nvidia_modeset(PO) iwlmvm mac80211 iwlwifi nvidia(PO) btusb btrtl btbcm btintel bluetooth cfg80211 qmi_wwan ecdh_generic thinkpad_acpi rfkill
[63953.758103] CPU: 4 PID: 27091 Comm: usbmuxd Tainted: P           O 4.14.0.1-12769-g1deab8c #1
[63953.758104] Hardware name: LENOVO 20ENCTO1WW/20ENCTO1WW, BIOS N1EET62W (1.35 ) 11/10/2016
[63953.758105] task: ffff8810527ba0c0 task.stack: ffffc9000a8ec000
[63953.758107] RIP: 0010:xhci_debugfs_create_endpoint+0x1d/0xa0
[63953.758108] RSP: 0018:ffffc9000a8efc80 EFLAGS: 00010206
[63953.758109] RAX: 0000000000000000 RBX: ffff88105a71c000 RCX: 0000000000030000
[63953.758110] RDX: 0000000000000003 RSI: ffff880c0b57e000 RDI: ffff88105a71c238
[63953.758110] RBP: 0000000000000003 R08: ffff881063800600 R09: 0000000000000003
[63953.758111] R10: ffff88105a71c238 R11: 0000000000000001 R12: 0000000000000011
[63953.758112] R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
[63953.758113] FS:  00007f0a77715700(0000) GS:ffff8810a3d00000(0000) knlGS:0000000000000000
[63953.758114] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[63953.758115] CR2: 0000000000000040 CR3: 00000003f91a8006 CR4: 00000000003606e0
[63953.758115] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[63953.758116] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[63953.758117] Call Trace:
[63953.758120]  xhci_add_endpoint+0x127/0x2b0
[63953.758123]  usb_hcd_alloc_bandwidth+0x1ad/0x300
[63953.758125]  usb_set_configuration+0x1c8/0x880
[63953.758128]  usbdev_do_ioctl+0xc41/0x1120
[63953.758130]  usbdev_ioctl+0xa/0x10
[63953.758151]  do_vfs_ioctl+0x8b/0x5c0
[63953.758153]  ? __fget+0x6c/0xb0
[63953.758155]  SyS_ioctl+0x76/0x90
[63953.758157]  do_syscall_64+0x6b/0x290
[63953.758173]  entry_SYSCALL64_slow_path+0x25/0x25
[63953.758175] RIP: 0033:0x7f0a76a151c7
[63953.758175] RSP: 002b:00007ffd1431b0c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[63953.758177] RAX: ffffffffffffffda RBX: 00000000023239a0 RCX: 00007f0a76a151c7
[63953.758178] RDX: 00007ffd1431b0dc RSI: 0000000080045505 RDI: 000000000000000e
[63953.758178] RBP: 00000000023240c0 R08: 00007ffd1431b008 R09: 0000000000000004
[63953.758179] R10: 00007ffd1431aec0 R11: 0000000000000202 R12: 00000000023240c0
[63953.758180] R13: 0000000000000001 R14: 0000000000000056 R15: 0000000000000038
[63953.758182] Code: e9 39 ff ff ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 41 55 41 54 55 48 63 ea 53 4c 8b b6 88 15 00 00 4d 8d 2c ee <49> 83 7d 28 00 74 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 8b 3d
[63953.758202] RIP: xhci_debugfs_create_endpoint+0x1d/0xa0 RSP: ffffc9000a8efc80
[63953.758203] CR2: 0000000000000040
[63953.758204] ---[ end trace 1f7ea9a959f02054 ]---

Signed-off-by: Alexander Kappner
---
 drivers/usb/host/xhci-debugfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/host/xhci-debugfs.c b/drivers/usb/host/xhci-debugfs.c
index 4f7895d..1cea59c 100644
--- a/drivers/usb/host/xhci-debugfs.c
+++ b/drivers/usb/host/xhci-debugfs.c
@@ -378,6 +378,9 @@ void xhci_debugfs_create_endpoint(struct xhci_hcd *xhci,
 	struct xhci_ep_priv	*epriv;
 	struct xhci_slot_priv	*spriv = dev->debugfs_private;
 
+	if (!spriv)
+		return;
+
 	if (spriv->eps[ep_index])
 		return;
 
-- 
2.1.4
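Review bot: the new `if (!spriv) return;` at the top of xhci_debugfs_create_endpoint stops the oops but leaves the root cause open, and the description says as much: the kzalloc failure in xhci_debugfs_create_slot is a plausible source of a NULL debugfs_private, yet the reproduced trigger (resume from hibernate, then usbmuxd setting a configuration) is only suspected to involve xhci_resume freeing the device structures. If the pointer is NULL because the slot private was freed and cleared, this guard silently drops the endpoint entries for that slot; if it is stale rather than NULL, the guard does not catch it at all. Please pin down which case the trace shows before merging, and if the allocation failure is the concern, consider having xhci_debugfs_create_slot report the failure instead of every consumer guarding for it. A one-line comment above the check explaining why spriv may be NULL would also help. Minor: the subject prefix "usb-core" does not match drivers/usb/host/xhci-debugfs.c, whose commits use the "xhci:" prefix.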