AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-27 17:36:25 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
3c6f8cb92c
linux_dsm_epyc7002/drivers/usb
History
Sriharsha Allenki 3c6f8cb92c usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list 
On platforms with IOMMU enabled, multiple SGs can be coalesced into one
by the IOMMU driver. In that case the SG list processing as part of the
completion of a urb on a bulk endpoint can result into a NULL pointer
dereference with the below stack dump.

<6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c
<6> pgd = c0004000
<6> [0000000c] *pgd=00000000
<6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
<2> PC is at xhci_queue_bulk_tx+0x454/0x80c
<2> LR is at xhci_queue_bulk_tx+0x44c/0x80c
<2> pc : [<c08907c4>]    lr : [<c08907bc>]    psr: 000000d3
<2> sp : ca337c80  ip : 00000000  fp : ffffffff
<2> r10: 00000000  r9 : 50037000  r8 : 00004000
<2> r7 : 00000000  r6 : 00004000  r5 : 00000000  r4 : 00000000
<2> r3 : 00000000  r2 : 00000082  r1 : c2c1a200  r0 : 00000000
<2> Flags: nzcv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment none
<2> Control: 10c0383d  Table: b412c06a  DAC: 00000051
<6> Process usb-storage (pid: 5961, stack limit = 0xca336210)
<snip>
<2> [<c08907c4>] (xhci_queue_bulk_tx)
<2> [<c0881b3c>] (xhci_urb_enqueue)
<2> [<c0831068>] (usb_hcd_submit_urb)
<2> [<c08350b4>] (usb_sg_wait)
<2> [<c089f384>] (usb_stor_bulk_transfer_sglist)
<2> [<c089f2c0>] (usb_stor_bulk_srb)
<2> [<c089fe38>] (usb_stor_Bulk_transport)
<2> [<c089f468>] (usb_stor_invoke_transport)
<2> [<c08a11b4>] (usb_stor_control_thread)
<2> [<c014a534>] (kthread)

The above NULL pointer dereference is the result of block_len and the
sent_len set to zero after the first SG of the list when IOMMU driver
is enabled. Because of this the loop of processing the SGs has run
more than num_sgs which resulted in a sg_next on the last SG of the
list which has SG_END set.

Fix this by check for the sg before any attributes of the sg are
accessed.

[modified reason for null pointer dereference in commit message subject -Mathias]
Fixes: f9c589e142 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-14 13:44:37 +02:00
..
atm USB: atm: Use the correct style for SPDX License Identifier 2020-03-17 20:03:28 +01:00
c67x00 USB: c67x00: Use the correct style for SPDX License Identifier 2020-03-17 20:03:28 +01:00
cdns3 usb: cdns3: gadget: prev_req->trb is NULL for ep0 2020-05-09 11:05:08 +03:00
chipidea usb: chipidea: msm: Ensure proper controller reset using role switch API 2020-05-07 08:46:35 +02:00
class cdc-acm: introduce a cool down 2020-04-16 14:59:49 +02:00
common usb: common: usb-conn-gpio: Don't log an error on probe deferral 2019-12-10 11:41:20 +01:00
core usb: usbfs: correct kernel->user page attribute mismatch 2020-05-05 13:06:46 +02:00
dwc2 usb: dwc2: convert to devm_platform_get_and_ioremap_resource 2020-03-24 12:09:39 +01:00
dwc3 usb: dwc3: select USB_ROLE_SWITCH 2020-05-09 11:05:09 +03:00
early USB: early: Handle AMD's spec-compliant identifiers, too 2020-04-16 14:46:00 +02:00
gadget usb: raw-gadget: fix return value of ep read ioctls 2020-05-09 11:05:09 +03:00
host usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list 2020-05-14 13:44:37 +02:00
image Merge 5.4-rc3 into usb-next 2019-10-14 07:09:59 +02:00
isp1760 remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
misc USB: sisusbvga: Change port variable from signed to unsigned 2020-04-23 15:26:17 +02:00
mon USB: mon: Use scnprintf() for avoiding potential buffer overflow 2020-03-12 09:49:28 +01:00
mtu3 usb: roles: Provide the switch drivers handle to the switch in the API 2020-03-04 11:12:50 +01:00
musb usb: musb: tusb6010: fix a possible missing data type replacement 2020-03-17 20:03:28 +01:00
phy usb: phy: twl6030-usb: Fix a resource leak in an error handling path in 'twl6030_usb_probe()' 2020-05-09 11:05:08 +03:00
renesas_usbhs phy: for 5.6 2020-01-17 07:52:26 +01:00
roles usb: roles: Allow the role switches to be named 2020-03-04 11:12:50 +01:00
serial USB: serial: qcserial: Add DW5816e support 2020-05-04 18:23:54 +02:00
storage USB: uas: add quirk for LaCie 2Big Quadra 2020-04-30 09:28:43 +02:00
typec usb: typec: mux: intel: Fix DP_HPD_LVL bit field 2020-05-13 14:33:51 +02:00
usbip usbip: Fix error path of vhci_recv_ret_submit() 2019-12-17 16:36:33 +01:00
Kconfig usb: common: create Kconfig file 2019-09-03 19:00:39 +02:00
Makefile USB: Changes for v5.4 merge window 2019-09-02 19:20:57 +02:00
usb-skeleton.c USB: usb-skeleton: drop redundant in-urb check 2019-10-10 12:41:19 +02:00