From: Douglas Anderson <dianders@chromium.org>
To: John Youn <John.Youn@synopsys.com>, balbi@ti.com, kever.yang@rock-chips.com
Cc: william.wu@rock-chips.com, huangtao@rock-chips.com, heiko@sntech.de, linux-rockchip@lists.infradead.org, Julius Werner <jwerner@chromium.org>, gregory.herrero@intel.com, yousaf.kaukab@intel.com, dinguyen@opensource.altera.com, stern@rowland.harvard.edu, ming.lei@canonical.com, Douglas Anderson <dianders@chromium.org>, johnyoun@synopsys.com, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v5 05/21] usb: dwc2: host: Avoid use of chan->qh after qh freed
Date: Fri, 22 Jan 2016 10:18:40 -0800
Message-ID: <1453486736-15358-6-git-send-email-dianders@chromium.org>
In-Reply-To: <1453486736-15358-1-git-send-email-dianders@chromium.org>

When poking around with USB devices with slub_debug enabled, I found
another obvious use after free. Turns out that in dwc2_hc_n_intr() I
was in a state when the contents of chan->qh was filled with 0x6b,
indicating that chan->qh was freed but chan still had a reference to
it.

Let's make sure that whenever we free qh we also make sure we remove a
reference from its channel.

The bug fixed here doesn't appear to be new--I believe I just got lucky
and happened to see it while stress testing.

Signed-off-by: Douglas Anderson <dianders@chromium.org>
---
Changes in v5: None
Changes in v4:
- Avoid use of chan->qh after qh freed new for v4.

Changes in v3: None
Changes in v2: None

 drivers/usb/dwc2/hcd.c      |  8 ++++++++
 drivers/usb/dwc2/hcd_intr.c | 10 ++++++++++
 2 files changed, 18 insertions(+)

diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
index bc4bdbc1534e..7783c8ba0173 100644
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -164,6 +164,9 @@ static void dwc2_qh_list_free(struct dwc2_hsotg *hsotg, qtd_list_entry) dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh); + if (qh->channel && qh->channel->qh == qh) + qh->channel->qh = NULL; + spin_unlock_irqrestore(&hsotg->lock, flags); dwc2_hcd_qh_free(hsotg, qh); spin_lock_irqsave(&hsotg->lock, flags); @@ -554,7 +557,12 @@ static int dwc2_hcd_endpoint_disable(struct dwc2_hsotg *hsotg, dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh); ep->hcpriv = NULL; + + if (qh->channel && qh->channel->qh == qh) + qh->channel->qh = NULL; + spin_unlock_irqrestore(&hsotg->lock, flags); + dwc2_hcd_qh_free(hsotg, qh); return 0; diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c index 352c98364317..99efc2bd1617 100644 --- a/drivers/usb/dwc2/hcd_intr.c +++ b/drivers/usb/dwc2/hcd_intr.c @@ -1935,6 +1935,16 @@ static void dwc2_hc_n_intr(struct dwc2_hsotg *hsotg, int chnum) } dwc2_writel(hcint, hsotg->regs + HCINT(chnum)); + + /* + * If we got an interrupt after someone called + * dwc2_hcd_endpoint_disable() we don't want to crash below + */ + if (!chan->qh) { + dev_warn(hsotg->dev, "Interrupt on disabled channel\n"); + return; + } + chan->hcint = hcint; hcint &= hcintmsk; -- 2.7.0.rc3.207.g0ac5344
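Review bot: In the dwc2_qh_list_free() hunk, clearing qh->channel->qh while hsotg->lock is still held and only then dropping the lock for dwc2_hcd_qh_free() is the right ordering, but the guard `if (qh->channel && qh->channel->qh == qh)` deserves a one-line comment saying why the channel is being detached (the qh is about to be freed and the interrupt path must not follow a dangling pointer); the same two lines are repeated verbatim in dwc2_hcd_endpoint_disable(), so a small static helper such as `dwc2_qh_detach_channel(qh)` would keep the two sites from drifting apart if a third free path is added later.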
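Review bot: In the dwc2_hcd_endpoint_disable() hunk, the added blank line between `spin_unlock_irqrestore(&hsotg->lock, flags);` and `dwc2_hcd_qh_free(hsotg, qh);` is a style nit: the unlock and the free belong together (the unlock exists only because the free may sleep), and the first hunk in the same file keeps them adjacent, so dropping that blank line would keep the two call sites consistent.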
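Review bot: In the dwc2_hc_n_intr() hunk, `dev_warn(hsotg->dev, "Interrupt on disabled channel\n");` runs in interrupt context on every stray channel interrupt; if a detached channel keeps raising interrupts this will flood the log, so dev_warn_ratelimited() (or dev_dbg) is the safer choice. The `dwc2_writel(hcint, hsotg->regs + HCINT(chnum))` just above the new check does acknowledge the interrupt before the early return, which is correct, but the return also skips the rest of the handler, so the comment should say that the channel is expected to be cleaned up by the endpoint-disable path rather than here.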