Unverified Commit 7b8c61ed authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!11061 Fix CVE-2023-52898 

Merge Pull Request from: @ci-robot 
 
PR sync from: Zheng Yejian <zhengyejian1@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/FTTCFSMZHHQLLZKEM4QBS52QY4IBZU75/ 
Mathias Nyman (2):
  xhci: avoid race between disable slot command and host runtime suspend
  xhci: Fix null pointer dereference when host dies


-- 
2.25.1
 
https://gitee.com/src-openeuler/kernel/issues/IALLDG 
 
Link:https://gitee.com/openeuler/kernel/pulls/11061

 

Reviewed-by: default avatarYe Weihua <yeweihua4@huawei.com>
Reviewed-by: default avatarLiu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
parents 90f4d81f c9978130

drivers/usb/host/xhci-hub.c

+1 −0
Original line number Diff line number Diff line
@@ -624,6 +624,7 @@ static int xhci_enter_test_mode(struct xhci_hcd *xhci, 
			continue;



		retval = xhci_disable_slot(xhci, i);

		xhci_free_virt_device(xhci, i);

		if (retval)

			xhci_err(xhci, "Failed to disable slot %d, %d. Enter test mode anyway\n",

				 i, retval);

drivers/usb/host/xhci-ring.c

+0 −1
Original line number Diff line number Diff line
@@ -1198,7 +1198,6 @@ static void xhci_handle_cmd_disable_slot(struct xhci_hcd *xhci, int slot_id) 
	if (xhci->quirks & XHCI_EP_LIMIT_QUIRK)

		/* Delete default control endpoint resources */

		xhci_free_device_endpoint_resources(xhci, virt_dev, true);

	xhci_free_virt_device(xhci, slot_id);

}



static void xhci_handle_cmd_config_ep(struct xhci_hcd *xhci, int slot_id,

drivers/usb/host/xhci.c

+20 −7
Original line number Diff line number Diff line
@@ -3774,6 +3774,7 @@ static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev) 
	struct xhci_hcd *xhci = hcd_to_xhci(hcd);

	struct xhci_virt_device *virt_dev;

	struct xhci_slot_ctx *slot_ctx;

	unsigned long flags;

	int i, ret;



#ifndef CONFIG_USB_DEFAULT_PERSIST
@@ -3803,9 +3804,12 @@ static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev) 
		del_timer_sync(&virt_dev->eps[i].stop_cmd_timer);

	}

	virt_dev->udev = NULL;

	ret = xhci_disable_slot(xhci, udev->slot_id);

	if (ret)

	xhci_disable_slot(xhci, udev->slot_id);



	spin_lock_irqsave(&xhci->lock, flags);

	xhci_free_virt_device(xhci, udev->slot_id);

	spin_unlock_irqrestore(&xhci->lock, flags);



}



int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id)
@@ -3815,7 +3819,7 @@ int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id) 
	u32 state;

	int ret = 0;



	command = xhci_alloc_command(xhci, false, GFP_KERNEL);

	command = xhci_alloc_command(xhci, true, GFP_KERNEL);

	if (!command)

		return -ENOMEM;
@@ -3840,6 +3844,15 @@ int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id) 
	}

	xhci_ring_cmd_db(xhci);

	spin_unlock_irqrestore(&xhci->lock, flags);



	wait_for_completion(command->completion);



	if (command->status != COMP_SUCCESS)

		xhci_warn(xhci, "Unsuccessful disable slot %u command, status %d\n",

			  slot_id, command->status);



	xhci_free_command(xhci, command);



	return ret;

}
@@ -3950,8 +3963,7 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev) 
	return 1;



disable_slot:

	ret = xhci_disable_slot(xhci, udev->slot_id);

	if (ret)

	xhci_disable_slot(xhci, udev->slot_id);

	xhci_free_virt_device(xhci, udev->slot_id);



	return 0;
@@ -4081,6 +4093,7 @@ static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev, 


		mutex_unlock(&xhci->mutex);

		ret = xhci_disable_slot(xhci, udev->slot_id);

		xhci_free_virt_device(xhci, udev->slot_id);

		if (!ret)

			xhci_alloc_dev(hcd, udev);

		kfree(command->completion);