All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mathias Nyman <mathias.nyman@linux.intel.com>
To: Ladislav Michl <oss-lists@triops.cz>
Cc: gregkh@linuxfoundation.org, linux-usb@vger.kernel.org,
	Jimmy Hu <hhhuuu@google.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH 2/7] usb: xhci: Check endpoint is valid before dereferencing it
Date: Tue, 17 Jan 2023 12:02:59 +0200	[thread overview]
Message-ID: <bd5ba5bb-4f1c-1ed9-8bd1-46fcd2eeac52@linux.intel.com> (raw)
In-Reply-To: <Y8WCdG5YSpX/Seit@lenoch>

On 16.1.2023 18.59, Ladislav Michl wrote:
> Hi Mathias,
> 
> On Mon, Jan 16, 2023 at 04:22:11PM +0200, Mathias Nyman wrote:
>> From: Jimmy Hu <hhhuuu@google.com>
>>
>> When the host controller is not responding, all URBs queued to all
>> endpoints need to be killed. This can cause a kernel panic if we
>> dereference an invalid endpoint.
>>
>> Fix this by using xhci_get_virt_ep() helper to find the endpoint and
>> checking if the endpoint is valid before dereferencing it.
> 
> I'm a bit confused this goes in and even to stable. Let me quote your
> own analysis from
> Message-ID: <0fe978ed-8269-9774-1c40-f8a98c17e838@linux.intel.com>
> On Thu, Dec 22, 2022 at 03:18:53PM +0200, Mathias Nyman wrote:
>> I think root cause is that freeing xhci->devs[i] and including rings isn't
>> protected by the lock, this happens in xhci_free_virt_device() called by
>> xhci_free_dev(), which in turn may be called by usbcore at any time
>>
>> So xhci->devs[i] might just suddenly disappear
>>
>> Patch just checks more often if xhci->devs[i] is valid, between every endpoint.
>> So the race between xhci_free_virt_device() and xhci_kill_endpoint_urbs()
>> doesn't trigger null pointer deref as easily.> 
> I believe the above is correct and even Jimmy was unable to verify your
> later patch (3rd in this serie), which brings a question how could be this
> patch tested. It just burns a bug a bit deeper and I do not think it is the
> right approach.

As I said in a direct response to the original patch I think this is a valid fix
for older kernels where we used to unlock xhci->lock while giving back
URBs. Together with PATCH 3/7 the issue should be completely resolved.
For later kernels PATCH 3/7 should be enough by itself, but no harm in keeping this.

See Message-ID: <379b395f-b65c-96fe-7ecc-f18e3740b990@linux.intel.com>

Older kernels are all before v5.5 that lack commit
36dc01657b49 usb: host: xhci: Support running urb giveback in tasklet context.

I haven't been able to trigger this issue myself, but based on the report and finding in
the code I still think this the right approach. The internal testing this has been
through could only prove these patches (2/7 and 3/7) don't cause any additional issues.

If you think the analysis or solution is incorrect let me know, and we can come up with a
better one.

Thanks
Mathias


  reply	other threads:[~2023-01-17 10:02 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-01-16 14:22 [PATCH 0/7] usb and xhci fixes for usb-linus Mathias Nyman
2023-01-16 14:22 ` [PATCH 1/7] xhci-pci: set the dma max_seg_size Mathias Nyman
2023-01-16 14:22 ` [PATCH 2/7] usb: xhci: Check endpoint is valid before dereferencing it Mathias Nyman
2023-01-16 16:59   ` Ladislav Michl
2023-01-17 10:02     ` Mathias Nyman [this message]
2023-02-23 16:26   ` youling257
2023-02-24 10:29     ` Mathias Nyman
2023-02-24 15:58       ` youling 257
2023-02-24 16:03         ` youling 257
2023-01-16 14:22 ` [PATCH 3/7] xhci: Fix null pointer dereference when host dies Mathias Nyman
2023-01-16 14:22 ` [PATCH 4/7] xhci: Add update_hub_device override for PCI xHCI hosts Mathias Nyman
2023-01-16 14:22 ` [PATCH 5/7] xhci: Add a flag to disable USB3 lpm on a xhci root port level Mathias Nyman
2023-01-16 14:22 ` [PATCH 6/7] usb: acpi: add helper to check port lpm capability using acpi _DSM Mathias Nyman
2023-01-16 14:22 ` [PATCH 7/7] xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables Mathias Nyman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bd5ba5bb-4f1c-1ed9-8bd1-46fcd2eeac52@linux.intel.com \
    --to=mathias.nyman@linux.intel.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=hhhuuu@google.com \
    --cc=linux-usb@vger.kernel.org \
    --cc=oss-lists@triops.cz \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.