Commit 4843b4b5 authored by Mathias Nyman's avatar Mathias Nyman Committed by Greg Kroah-Hartman

xhci: fix even more unsafe memory usage in xhci tracing



Removes static char buffer usage in the following decode functions:
	xhci_decode_ctrl_ctx()
	xhci_decode_slot_context()
	xhci_decode_usbsts()
	xhci_decode_doorbell()
	xhci_decode_ep_context()

Caller must provide a buffer to use.
In tracing use __get_str() as recommended to pass buffer.

Minor changes are needed in other xhci code as these functions are also
used elsewhere

Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20210820123503.2605901-3-mathias.nyman@linux.intel.com


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent cbf286e8
+6 −2
@@ -261,11 +261,13 @@ static int xhci_slot_context_show(struct seq_file *s, void *unused)
	struct xhci_slot_ctx	*slot_ctx;
	struct xhci_slot_priv	*priv = s->private;
	struct xhci_virt_device	*dev = priv->dev;
	char			str[XHCI_MSG_MAX];

	xhci = hcd_to_xhci(bus_to_hcd(dev->udev->bus));
	slot_ctx = xhci_get_slot_ctx(xhci, dev->out_ctx);
	seq_printf(s, "%pad: %s\n", &dev->out_ctx->dma,
		   xhci_decode_slot_context(le32_to_cpu(slot_ctx->dev_info),
		   xhci_decode_slot_context(str,
					    le32_to_cpu(slot_ctx->dev_info),
					    le32_to_cpu(slot_ctx->dev_info2),
					    le32_to_cpu(slot_ctx->tt_info),
					    le32_to_cpu(slot_ctx->dev_state)));
@@ -281,6 +283,7 @@ static int xhci_endpoint_context_show(struct seq_file *s, void *unused)
	struct xhci_ep_ctx	*ep_ctx;
	struct xhci_slot_priv	*priv = s->private;
	struct xhci_virt_device	*dev = priv->dev;
	char			str[XHCI_MSG_MAX];

	xhci = hcd_to_xhci(bus_to_hcd(dev->udev->bus));

@@ -288,7 +291,8 @@ static int xhci_endpoint_context_show(struct seq_file *s, void *unused)
		ep_ctx = xhci_get_ep_ctx(xhci, dev->out_ctx, ep_index);
		dma = dev->out_ctx->dma + (ep_index + 1) * CTX_SIZE(xhci->hcc_params);
		seq_printf(s, "%pad: %s\n", &dma,
			   xhci_decode_ep_context(le32_to_cpu(ep_ctx->ep_info),
			   xhci_decode_ep_context(str,
						  le32_to_cpu(ep_ctx->ep_info),
						  le32_to_cpu(ep_ctx->ep_info2),
						  le64_to_cpu(ep_ctx->deq),
						  le32_to_cpu(ep_ctx->tx_info)));
+2 −1
@@ -1212,6 +1212,7 @@ void xhci_stop_endpoint_command_watchdog(struct timer_list *t)
	struct xhci_hcd *xhci = ep->xhci;
	unsigned long flags;
	u32 usbsts;
	char str[XHCI_MSG_MAX];

	spin_lock_irqsave(&xhci->lock, flags);

@@ -1225,7 +1226,7 @@ void xhci_stop_endpoint_command_watchdog(struct timer_list *t)
	usbsts = readl(&xhci->op_regs->status);

	xhci_warn(xhci, "xHCI host not responding to stop endpoint command.\n");
	xhci_warn(xhci, "USBSTS:%s\n", xhci_decode_usbsts(usbsts));
	xhci_warn(xhci, "USBSTS:%s\n", xhci_decode_usbsts(str, usbsts));

	ep->ep_state &= ~EP_STOP_CMD_PENDING;

+11 −7
@@ -322,6 +322,7 @@ DECLARE_EVENT_CLASS(xhci_log_ep_ctx,
		__field(u32, info2)
		__field(u64, deq)
		__field(u32, tx_info)
		__dynamic_array(char, str, XHCI_MSG_MAX)
	),
	TP_fast_assign(
		__entry->info = le32_to_cpu(ctx->ep_info);
@@ -329,8 +330,8 @@ DECLARE_EVENT_CLASS(xhci_log_ep_ctx,
		__entry->deq = le64_to_cpu(ctx->deq);
		__entry->tx_info = le32_to_cpu(ctx->tx_info);
	),
	TP_printk("%s", xhci_decode_ep_context(__entry->info,
		__entry->info2, __entry->deq, __entry->tx_info)
	TP_printk("%s", xhci_decode_ep_context(__get_str(str),
		__entry->info, __entry->info2, __entry->deq, __entry->tx_info)
	)
);

@@ -367,6 +368,7 @@ DECLARE_EVENT_CLASS(xhci_log_slot_ctx,
		__field(u32, info2)
		__field(u32, tt_info)
		__field(u32, state)
		__dynamic_array(char, str, XHCI_MSG_MAX)
	),
	TP_fast_assign(
		__entry->info = le32_to_cpu(ctx->dev_info);
@@ -374,9 +376,9 @@ DECLARE_EVENT_CLASS(xhci_log_slot_ctx,
		__entry->tt_info = le64_to_cpu(ctx->tt_info);
		__entry->state = le32_to_cpu(ctx->dev_state);
	),
	TP_printk("%s", xhci_decode_slot_context(__entry->info,
			__entry->info2, __entry->tt_info,
			__entry->state)
	TP_printk("%s", xhci_decode_slot_context(__get_str(str),
			__entry->info, __entry->info2,
			__entry->tt_info, __entry->state)
	)
);

@@ -431,12 +433,13 @@ DECLARE_EVENT_CLASS(xhci_log_ctrl_ctx,
	TP_STRUCT__entry(
		__field(u32, drop)
		__field(u32, add)
		__dynamic_array(char, str, XHCI_MSG_MAX)
	),
	TP_fast_assign(
		__entry->drop = le32_to_cpu(ctrl_ctx->drop_flags);
		__entry->add = le32_to_cpu(ctrl_ctx->add_flags);
	),
	TP_printk("%s", xhci_decode_ctrl_ctx(__entry->drop, __entry->add)
	TP_printk("%s", xhci_decode_ctrl_ctx(__get_str(str), __entry->drop, __entry->add)
	)
);

@@ -555,13 +558,14 @@ DECLARE_EVENT_CLASS(xhci_log_doorbell,
	TP_STRUCT__entry(
		__field(u32, slot)
		__field(u32, doorbell)
		__dynamic_array(char, str, XHCI_MSG_MAX)
	),
	TP_fast_assign(
		__entry->slot = slot;
		__entry->doorbell = doorbell;
	),
	TP_printk("Ring doorbell for %s",
		xhci_decode_doorbell(__entry->slot, __entry->doorbell)
		  xhci_decode_doorbell(__get_str(str), __entry->slot, __entry->doorbell)
	)
);
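Review bot: The new `__dynamic_array(char, str, XHCI_MSG_MAX)` is reserved in every event record but is not written in any `TP_fast_assign()` shown here; it only serves as scratch space when `TP_printk()` runs the decoder through `__get_str(str)`. Each recorded event therefore grows by `XHCI_MSG_MAX` bytes that are presumably left with whatever the buffer slot held before, which a consumer reading the raw record rather than the formatted text would see (one assign line of `xhci_log_ep_ctx` falls between hunks, so this is inferred for that class). I would document the intent next to each field, e.g. `/* scratch for TP_printk() decode; not filled at record time */`. Separately, the context line `__entry->tt_info = le64_to_cpu(ctx->tt_info);` stores into a `__field(u32, tt_info)` while the debugfs caller on this page uses `le32_to_cpu(slot_ctx->tt_info)`; it looks like it should be `le32_to_cpu` here too.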

+8 −13
@@ -2460,10 +2460,9 @@ static inline const char *xhci_decode_trb(char *str, size_t size,
	return str;
}

static inline const char *xhci_decode_ctrl_ctx(unsigned long drop,
					       unsigned long add)
static inline const char *xhci_decode_ctrl_ctx(char *str,
		unsigned long drop, unsigned long add)
{
	static char	str[1024];
	unsigned int	bit;
	int		ret = 0;

@@ -2489,10 +2488,9 @@ static inline const char *xhci_decode_ctrl_ctx(unsigned long drop,
	return str;
}

static inline const char *xhci_decode_slot_context(u32 info, u32 info2,
		u32 tt_info, u32 state)
static inline const char *xhci_decode_slot_context(char *str,
		u32 info, u32 info2, u32 tt_info, u32 state)
{
	static char str[1024];
	u32 speed;
	u32 hub;
	u32 mtt;
@@ -2621,9 +2619,8 @@ static inline const char *xhci_decode_portsc(char *str, u32 portsc)
	return str;
}

static inline const char *xhci_decode_usbsts(u32 usbsts)
static inline const char *xhci_decode_usbsts(char *str, u32 usbsts)
{
	static char str[256];
	int ret = 0;

	if (usbsts == ~(u32)0)
@@ -2650,9 +2647,8 @@ static inline const char *xhci_decode_usbsts(u32 usbsts)
	return str;
}

static inline const char *xhci_decode_doorbell(u32 slot, u32 doorbell)
static inline const char *xhci_decode_doorbell(char *str, u32 slot, u32 doorbell)
{
	static char str[256];
	u8 ep;
	u16 stream;
	int ret;
@@ -2719,10 +2715,9 @@ static inline const char *xhci_ep_type_string(u8 type)
	}
}

static inline const char *xhci_decode_ep_context(u32 info, u32 info2, u64 deq,
		u32 tx_info)
static inline const char *xhci_decode_ep_context(char *str, u32 info,
		u32 info2, u64 deq, u32 tx_info)
{
	static char str[1024];
	int ret;

	u32 esit;
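Review bot: None of the five converted decoders takes a length for `str`, unlike `xhci_decode_trb(char *str, size_t size, ...)` named in this file's first hunk header, so nothing in the prototypes ties what they write to the buffer the caller supplies. The removed static buffers were 1024 bytes for the ctrl, slot and ep context decoders and 256 for usbsts and doorbell, while every caller on this page now passes an `XHCI_MSG_MAX`-sized buffer. That constant's value and the formatting code in the function bodies lie outside these hunks, so whether the output stays within the buffer cannot be confirmed from here. I would add a size parameter, e.g. `static inline const char *xhci_decode_usbsts(char *str, size_t size, u32 usbsts)`, have callers pass `sizeof(str)` or `XHCI_MSG_MAX`, and bound every write with it (for instance via `scnprintf()`). Failing that, each prototype should carry a comment such as `/* @str: caller-provided buffer of at least XHCI_MSG_MAX bytes */`.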