Date:   Thu, 24 Oct 2019 09:48:20 +0000
From:   Minas Harutyunyan <Minas.Harutyunyan@...opsys.com>
To:     Douglas Anderson <dianders@...omium.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Felipe Balbi <felipe.balbi@...ux.intel.com>
CC:     "linux-rockchip@...ts.infradead.org" 
        <linux-rockchip@...ts.infradead.org>,
        "stefan.wahren@...e.com" <stefan.wahren@...e.com>,
        "mka@...omium.org" <mka@...omium.org>,
        Alexandru M Stan <amstan@...omium.org>,
        "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] usb: dwc2: Fix NULL qh in dwc2_queue_transaction



On 10/24/2019 1:06 AM, Douglas Anderson wrote:
> From: Alexandru M Stan <amstan@...omium.org>
> 
> When a usb device disconnects in a certain way, dwc2_queue_transaction
> still gets called after dwc2_hcd_cleanup_channels.
> 
> dwc2_hcd_cleanup_channels does "channel->qh = NULL;" but
> dwc2_queue_transaction still wants to dereference qh.
> This adds a check for a null qh.
> 
> Signed-off-by: Alexandru M Stan <amstan@...omium.org>
> [dianders: rebased to mainline]
> Signed-off-by: Douglas Anderson <dianders@...omium.org>

Acked-by: Minas Harutyunyan <hminas@...opsys.com>

> ---
> While testing a newer version of the Linux kernel on rk3288-veyron
> devices we saw a bunch of crashes reported in dwc2_queue_transaction()
> where chan->qh was NULL [1].  I don't know how to reproduce those
> crashes myself, but I noticed that in our 3.14 kernel we had a patch
> that probably fixed it.  That patch was sent upstream ages ago [2] but
> never landed.  Here I've rebased the patch.  While I haven't
> reproduced the crash myself, it seems fairly likely that this will fix
> the problem.
> 
> [1] https://crbug.com/1017388
> [2] https://lore.kernel.org/r/1442952651-4341-2-git-send-email-amstan@chromium.org
> 
> Changes in v2:
> - Rebased to mainline
> 
>   drivers/usb/dwc2/hcd.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
> index 81afe553aa66..b90f858af960 100644
> --- a/drivers/usb/dwc2/hcd.c
> +++ b/drivers/usb/dwc2/hcd.c
> @@ -2824,7 +2824,7 @@ static int dwc2_queue_transaction(struct dwc2_hsotg *hsotg,
>   		list_move_tail(&chan->split_order_list_entry,
>   			       &hsotg->split_order);
>   
> -	if (hsotg->params.host_dma) {
> +	if (hsotg->params.host_dma && chan->qh) {
>   		if (hsotg->params.dma_desc_enable) {
>   			if (!chan->xfer_started ||
>   			    chan->ep_type == USB_ENDPOINT_XFER_ISOC) {
> 
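Review bot: The NULL test is folded into the mode check at `if (hsotg->params.host_dma && chan->qh) {`, so a DMA-mode channel whose qh was cleared is no longer distinguishable from the non-DMA case and falls through to whatever follows this `if`, which the hunk does not show. Please confirm that the fall-through path neither dereferences chan->qh nor makes the wrong decision for a host_dma channel; if either is possible, an explicit early exit for `!chan->qh` before the split_order handling would be safer and easier to read. A short comment next to the condition naming dwc2_hcd_cleanup_channels() as the place that sets qh to NULL would also help, since the commit message describes the disconnect ordering only as "a certain way" and the check looks arbitrary without that context.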
