| Message ID | 20240731205910.2060752-1-maz@kernel.org (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | dcdb52d948f3a17ccd3fce757d9bd981d7c32039 |
| Headers | show |
| Series | usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup() | expand |
On 31.7.2024 23.59, Marc Zyngier wrote: > If xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop > up the damage. If it fails early enough, before xhci->interrupters > is allocated but after xhci->max_interrupters has been set, which > happens in most (all?) cases, things get uglier, as xhci_mem_cleanup() > unconditionally derefences xhci->interrupters. With prejudice. > > Gate the interrupt freeing loop with a check on xhci->interrupters > being non-NULL. > > Found while debugging a DMA allocation issue that led the XHCI driver > on this exact path. > > Fixes: c99b38c41234 ("xhci: add support to allocate several interrupters") > Cc: Mathias Nyman <mathias.nyman@linux.intel.com> > Cc: Wesley Cheng <quic_wcheng@quicinc.com> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > Signed-off-by: Marc Zyngier <maz@kernel.org> > --- Thanks, Adding to queue -Mathias
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index d7654f475daf..937ce5fd5809 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -1872,7 +1872,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) cancel_delayed_work_sync(&xhci->cmd_timer); - for (i = 0; i < xhci->max_interrupters; i++) { + for (i = 0; xhci->interrupters && i < xhci->max_interrupters; i++) { if (xhci->interrupters[i]) { xhci_remove_interrupter(xhci, xhci->interrupters[i]); xhci_free_interrupter(xhci, xhci->interrupters[i]);
If xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop up the damage. If it fails early enough, before xhci->interrupters is allocated but after xhci->max_interrupters has been set, which happens in most (all?) cases, things get uglier, as xhci_mem_cleanup() unconditionally derefences xhci->interrupters. With prejudice. Gate the interrupt freeing loop with a check on xhci->interrupters being non-NULL. Found while debugging a DMA allocation issue that led the XHCI driver on this exact path. Fixes: c99b38c41234 ("xhci: add support to allocate several interrupters") Cc: Mathias Nyman <mathias.nyman@linux.intel.com> Cc: Wesley Cheng <quic_wcheng@quicinc.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Marc Zyngier <maz@kernel.org> --- drivers/usb/host/xhci-mem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)