All of lore.kernel.org
 help / color / mirror / Atom feed
* USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
@ 2018-03-09 17:34 Fredrik Noring
  0 siblings, 0 replies; 2+ messages in thread
From: Fredrik Noring @ 2018-03-09 17:34 UTC (permalink / raw)
  To: USB list, Alan Stern; +Cc: Jürgen Urban

Scatter-gather needs to be disabled when using dma_declare_coherent_memory
and HCD_LOCAL_MEM. Andrea Righi made the equivalent fix for EHCI drivers
in commit 4307a28eb01284 "USB: EHCI: fix NULL pointer dererence in HCDs
that use HCD_LOCAL_MEM".

The following NULL pointer WARN_ON_ONCE triggered with OHCI drivers:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 49 at drivers/usb/core/hcd.c:1379 hcd_alloc_coherent+0x4c/0xc8
Modules linked in:
CPU: 0 PID: 49 Comm: usb-storage Not tainted 4.15.0+ #1014
Stack : 00000000 00000000 805a78d2 0000003a 81f5c2cc 8053d367 804d77fc 00000031
        805a3a08 00000563 81ee9400 805a0000 00000000 10058c00 81f61b10 805c0000
        00000000 00000000 805a0000 00d9038e 00000004 803ee818 00000006 312e3420
        805c0000 00000000 00000073 81f61958 00000000 00000000 802eb380 804fd538
        00000009 00000563 81ee9400 805a0000 00000002 80056148 00000000 805a0000
        ...
Call Trace:
[<578af360>] show_stack+0x74/0x104
[<2f3702c6>] __warn+0x118/0x120
[<ae93fc9e>] warn_slowpath_null+0x44/0x58
[<a891a517>] hcd_alloc_coherent+0x4c/0xc8
[<3578fa36>] usb_hcd_map_urb_for_dma+0x4d8/0x534
[<110bc94c>] usb_hcd_submit_urb+0x82c/0x834
[<02eb5baf>] usb_sg_wait+0x14c/0x1a0
[<ccd09e85>] usb_stor_bulk_transfer_sglist.part.1+0xac/0x124
[<87a5c34c>] usb_stor_bulk_srb+0x40/0x60
[<ff1792ac>] usb_stor_Bulk_transport+0x160/0x37c
[<b9e2709c>] usb_stor_invoke_transport+0x3c/0x500
[<004754f4>] usb_stor_control_thread+0x258/0x28c
[<22edf42e>] kthread+0x134/0x13c
[<a419ffd0>] ret_from_kernel_thread+0x14/0x1c
---[ end trace bcdb825805eefdcc ]---

Signed-off-by: Fredrik Noring <noring@nocrew.org>
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
--- a/drivers/usb/host/ohci-hcd.c
+++ b/drivers/usb/host/ohci-hcd.c
@@ -446,7 +446,8 @@ static int ohci_init (struct ohci_hcd *ohci)
 	struct usb_hcd *hcd = ohci_to_hcd(ohci);
 
 	/* Accept arbitrarily long scatter-gather lists */
-	hcd->self.sg_tablesize = ~0;
+	if (!(hcd->driver->flags & HCD_LOCAL_MEM))
+		hcd->self.sg_tablesize = ~0;
 
 	if (distrust_firmware)
 		ohci->flags |= OHCI_QUIRK_HUB_POWER;

^ permalink raw reply	[flat|nested] 2+ messages in thread
* USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
@ 2018-03-09 18:31 Alan Stern
  0 siblings, 0 replies; 2+ messages in thread
From: Alan Stern @ 2018-03-09 18:31 UTC (permalink / raw)
  To: Fredrik Noring; +Cc: USB list, Jürgen Urban

On Fri, 9 Mar 2018, Fredrik Noring wrote:

> Scatter-gather needs to be disabled when using dma_declare_coherent_memory
> and HCD_LOCAL_MEM. Andrea Righi made the equivalent fix for EHCI drivers
> in commit 4307a28eb01284 "USB: EHCI: fix NULL pointer dererence in HCDs
> that use HCD_LOCAL_MEM".
> 
> The following NULL pointer WARN_ON_ONCE triggered with OHCI drivers:
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 49 at drivers/usb/core/hcd.c:1379 hcd_alloc_coherent+0x4c/0xc8
> Modules linked in:
> CPU: 0 PID: 49 Comm: usb-storage Not tainted 4.15.0+ #1014
> Stack : 00000000 00000000 805a78d2 0000003a 81f5c2cc 8053d367 804d77fc 00000031
>         805a3a08 00000563 81ee9400 805a0000 00000000 10058c00 81f61b10 805c0000
>         00000000 00000000 805a0000 00d9038e 00000004 803ee818 00000006 312e3420
>         805c0000 00000000 00000073 81f61958 00000000 00000000 802eb380 804fd538
>         00000009 00000563 81ee9400 805a0000 00000002 80056148 00000000 805a0000
>         ...
> Call Trace:
> [<578af360>] show_stack+0x74/0x104
> [<2f3702c6>] __warn+0x118/0x120
> [<ae93fc9e>] warn_slowpath_null+0x44/0x58
> [<a891a517>] hcd_alloc_coherent+0x4c/0xc8
> [<3578fa36>] usb_hcd_map_urb_for_dma+0x4d8/0x534
> [<110bc94c>] usb_hcd_submit_urb+0x82c/0x834
> [<02eb5baf>] usb_sg_wait+0x14c/0x1a0
> [<ccd09e85>] usb_stor_bulk_transfer_sglist.part.1+0xac/0x124
> [<87a5c34c>] usb_stor_bulk_srb+0x40/0x60
> [<ff1792ac>] usb_stor_Bulk_transport+0x160/0x37c
> [<b9e2709c>] usb_stor_invoke_transport+0x3c/0x500
> [<004754f4>] usb_stor_control_thread+0x258/0x28c
> [<22edf42e>] kthread+0x134/0x13c
> [<a419ffd0>] ret_from_kernel_thread+0x14/0x1c
> ---[ end trace bcdb825805eefdcc ]---
> 
> Signed-off-by: Fredrik Noring <noring@nocrew.org>
> 
> diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
> --- a/drivers/usb/host/ohci-hcd.c
> +++ b/drivers/usb/host/ohci-hcd.c
> @@ -446,7 +446,8 @@ static int ohci_init (struct ohci_hcd *ohci)
>  	struct usb_hcd *hcd = ohci_to_hcd(ohci);
>  
>  	/* Accept arbitrarily long scatter-gather lists */
> -	hcd->self.sg_tablesize = ~0;
> +	if (!(hcd->driver->flags & HCD_LOCAL_MEM))
> +		hcd->self.sg_tablesize = ~0;
>  
>  	if (distrust_firmware)
>  		ohci->flags |= OHCI_QUIRK_HUB_POWER;

Acked-by: Alan Stern <stern@rowland.harvard.edu>
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-03-09 18:31 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-09 17:34 USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM Fredrik Noring
2018-03-09 18:31 Alan Stern

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.