linux-usb.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mathias Nyman <mathias.nyman@linux.intel.com>
To: Johan Hovold <johan@kernel.org>
Cc: gregkh@linuxfoundation.org, USB <linux-usb@vger.kernel.org>,
	Alan Stern <stern@rowland.harvard.edu>
Subject: Re: [PATCH 8/8] xhci: Fix NULL pointer dereference in xhci_clear_tt_buffer_complete()
Date: Fri, 11 Oct 2019 15:47:46 +0300	[thread overview]
Message-ID: <1c4b7107-f5e1-4a69-2a73-0e339c7e1072@linux.intel.com> (raw)
In-Reply-To: <c0b1f81f-db1a-8f12-6880-a686cb9c35a7@linux.intel.com>

On 8.10.2019 11.15, Mathias Nyman wrote:
> On 7.10.2019 17.02, Johan Hovold wrote:
>>
>> I didn't have time to look into this myself last week, or comment on the
>> patch before Greg picked it up, but this clearly isn't the right fix.
>>
>> As your comment suggests, ep->hcpriv may indeed be NULL here if USB core
>> have allocated a new udev. But this only happens after USB has freed the
>> old usb_device and the new one happens to get the same address.
>>
> 
> You're right, that fix doesn't solve the actual issue, it avoids a few specific
> null pointer dereference cases, but leaves both root cause and several other
> use-after-free cases open.
> 
>> Note that even the usb_host_endpoint itself (ep) has then been freed and
>> reallocated since it is member of struct usb_device, and it is the
>> use-after-free that needs fixing.
>>
>> I've even been able to trigger another NULL-deref in this function
>> before a new udev has been allocated, due to the virt dev having been
>> freed by xhci_free_dev as part of usb_release_dev:
>>
>> It seems the xhci clear-tt implementation was incomplete since it did
>> not take care to wait for any ongoing work before disabling the
>> endpoint. EHCI does this in ehci_endpoint_disable(), but xhci doesn't
>> even implement that callback.
>>
> 
> So it seems, it might be possible to remove pending clear_tt work for
> most endpoints in the .drop_endpoint callbacks, but ep0 is different,
> it isn't dropped, we might need to implement the endpoint_disable()
> callback for this.
> 

I was able to reproduce the use-after-free issue by faking a endpoint halt,
and resetting the endpoint early in enumeration at Get device descriptor request.

To fix this I added the endpoint_disable() callback that will wait for
clear_tt_work to finish before returning, similar to the ehci solution.
It works in my case.

the endpoint_disable() callback is called by usb core both before dropping
xhci endpoints belonging to a interface, and separately for ep0 before udev is
freed during enumeration retry.

Both the hack that triggers the issue (LS/FS behind HS bug won't ever enumerate with this)
and the fix to prevent use after free can be found in  clear_tt_fix branch:

git://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git clear_tt_fix

I'll send the fix out to the list as well, any chance you could try that out?

-Mathias

  reply	other threads:[~2019-10-11 12:45 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-04 11:59 [PATCH 0/8] xhci fixes for usb-linus Mathias Nyman
2019-10-04 11:59 ` [PATCH 1/8] xhci: Fix false warning message about wrong bounce buffer write length Mathias Nyman
2019-10-04 11:59 ` [PATCH 2/8] xhci: Prevent device initiated U1/U2 link pm if exit latency is too long Mathias Nyman
2019-10-04 11:59 ` [PATCH 3/8] xhci: Check all endpoints for LPM timeout Mathias Nyman
2019-10-04 11:59 ` [PATCH 4/8] xhci: Fix USB 3.1 capability detection on early xHCI 1.1 spec based hosts Mathias Nyman
2019-10-04 11:59 ` [PATCH 5/8] usb: xhci: wait for CNR controller not ready bit in xhci resume Mathias Nyman
2019-10-04 11:59 ` [PATCH 6/8] xhci: Prevent deadlock when xhci adapter breaks during init Mathias Nyman
2019-10-04 11:59 ` [PATCH 7/8] xhci: Increase STS_SAVE timeout in xhci_suspend() Mathias Nyman
     [not found]   ` <20191006120750.5334F2087E@mail.kernel.org>
2019-10-07 18:51     ` Kai-Heng Feng
2019-10-04 11:59 ` [PATCH 8/8] xhci: Fix NULL pointer dereference in xhci_clear_tt_buffer_complete() Mathias Nyman
2019-10-07 14:02   ` Johan Hovold
2019-10-08  8:15     ` Mathias Nyman
2019-10-11 12:47       ` Mathias Nyman [this message]
2019-10-11 12:58         ` [RFT PATCH] xhci: Fix use-after-free regression in xhci clear hub TT implementation Mathias Nyman
2019-10-14 10:16           ` Johan Hovold
2019-10-14 13:18             ` Mathias Nyman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1c4b7107-f5e1-4a69-2a73-0e339c7e1072@linux.intel.com \
    --to=mathias.nyman@linux.intel.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=johan@kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).