usb: dwc2: host: Avoid use of chan->qh after qh freed
authorDouglas Anderson <dianders@chromium.org>
Fri, 29 Jan 2016 02:19:55 +0000 (18:19 -0800)
committerFelipe Balbi <balbi@kernel.org>
Fri, 4 Mar 2016 13:14:40 +0000 (15:14 +0200)
When poking around with USB devices with slub_debug enabled, I found
another obvious use after free.  Turns out that in dwc2_hc_n_intr() I
was in a state when the contents of chan->qh was filled with 0x6b,
indicating that chan->qh was freed but chan still had a reference to
it.

Let's make sure that whenever we free a qh we also remove its channel's
reference to it.

The bug fixed here doesn't appear to be new--I believe I just got lucky
and happened to see it while stress testing.

Acked-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
drivers/usb/dwc2/hcd.c
drivers/usb/dwc2/hcd_intr.c

index bc4bdbc1534ec52707c7eb38e8b2e2bc4e9610ac..e2d2e9be366efaaca197deec4ad2c42ff36f485d 100644 (file)
@@ -164,6 +164,9 @@ static void dwc2_qh_list_free(struct dwc2_hsotg *hsotg,
                                         qtd_list_entry)
                        dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh);
 
+               if (qh->channel && qh->channel->qh == qh)
+                       qh->channel->qh = NULL;
+
                spin_unlock_irqrestore(&hsotg->lock, flags);
                dwc2_hcd_qh_free(hsotg, qh);
                spin_lock_irqsave(&hsotg->lock, flags);
@@ -554,7 +557,12 @@ static int dwc2_hcd_endpoint_disable(struct dwc2_hsotg *hsotg,
                dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh);
 
        ep->hcpriv = NULL;
+
+       if (qh->channel && qh->channel->qh == qh)
+               qh->channel->qh = NULL;
+
        spin_unlock_irqrestore(&hsotg->lock, flags);
+
        dwc2_hcd_qh_free(hsotg, qh);
 
        return 0;
@@ -2782,6 +2790,8 @@ static int _dwc2_hcd_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
 fail3:
        dwc2_urb->priv = NULL;
        usb_hcd_unlink_urb_from_ep(hcd, urb);
+       if (qh_allocated && qh->channel && qh->channel->qh == qh)
+               qh->channel->qh = NULL;
 fail2:
        spin_unlock_irqrestore(&hsotg->lock, flags);
        urb->hcpriv = NULL;
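Review bot: The back-pointer clear `if (qh->channel && qh->channel->qh == qh) qh->channel->qh = NULL;` is now written out three times in this file (dwc2_qh_list_free, dwc2_hcd_endpoint_disable and the fail3 path of _dwc2_hcd_urb_enqueue), and nothing records that it has to run while hsotg->lock is still held, which each of the three sites does satisfy since the spin_unlock_irqrestore comes after it. A small static helper carrying that requirement in its comment would keep the three sites from drifting apart and would document the invariant that the new `!chan->qh` check in dwc2_hc_n_intr() depends on. Only the channel-to-qh link is cleared here; the channel itself stays allocated, so any other path that dereferences chan->qh without a NULL check would presumably need the same guard as dwc2_hc_n_intr() — that is outside these hunks and I cannot confirm it from here. The enclosing functions begin and end outside the hunks.
```c
/*
 * Drop the channel's back-pointer to @qh before @qh is freed.
 * Must be called with hsotg->lock held (every current caller does).
 */
static void dwc2_qh_unlink_channel(struct dwc2_qh *qh)
{
	if (qh->channel && qh->channel->qh == qh)
		qh->channel->qh = NULL;
}

/* … unchanged: dwc2_qh_list_free() up to and including the qtd loop … */
		dwc2_qh_unlink_channel(qh);

		spin_unlock_irqrestore(&hsotg->lock, flags);
/* … unchanged: same one-line replacement in dwc2_hcd_endpoint_disable() and, guarded by qh_allocated, at fail3 in _dwc2_hcd_urb_enqueue() … */
```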
index 4270f6c719c60d63d3d4c336ce13fbf5a374ff80..0d0fd2a7f1f90c412be0ec5a6a430e50e4e151b4 100644 (file)
@@ -1943,6 +1943,16 @@ static void dwc2_hc_n_intr(struct dwc2_hsotg *hsotg, int chnum)
        }
 
        dwc2_writel(hcint, hsotg->regs + HCINT(chnum));
+
+       /*
+        * If we got an interrupt after someone called
+        * dwc2_hcd_endpoint_disable() we don't want to crash below
+        */
+       if (!chan->qh) {
+               dev_warn(hsotg->dev, "Interrupt on disabled channel\n");
+               return;
+       }
+
        chan->hcint = hcint;
        hcint &= hcintmsk;