lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 26 Jan 2022 10:49:10 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Hongyu Xie <xy521521@...il.com>
Cc:     mathias.nyman@...el.com, linux-kernel@...r.kernel.org,
        linux-usb@...r.kernel.org, 125707942@...com,
        Hongyu Xie <xiehongyu1@...inos.cn>, stable@...r.kernel.org
Subject: Re: [PATCH -next] xhci: fix two places when dealing with return
 value of function xhci_check_args

On Wed, Jan 26, 2022 at 05:41:26PM +0800, Hongyu Xie wrote:
> From: Hongyu Xie <xiehongyu1@...inos.cn>
> 
> xhci_check_args returns 4 types of value, -ENODEV, -EINVAL, 1 and 0.
> xhci_urb_enqueue and xhci_check_streams_endpoint return -EINVAL if
> the return value of xhci_check_args <= 0.
> This will cause a problem.

What problem?

> For example, r8152_submit_rx calling usb_submit_urb in
> drivers/net/usb/r8152.c.
> r8152_submit_rx will never get -ENODEV after submiting an urb
> when xHC is halted,
> because xhci_urb_enqueue returns -EINVAL in the very beginning.
> 
> Fixes: 203a86613fb3 ("xhci: Avoid NULL pointer deref when host dies.")
> Cc: stable@...r.kernel.org
> Signed-off-by: Hongyu Xie <xiehongyu1@...inos.cn>
> ---
>  drivers/usb/host/xhci.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
> index dc357cabb265..a7a55dd206fe 100644
> --- a/drivers/usb/host/xhci.c
> +++ b/drivers/usb/host/xhci.c
> @@ -1604,9 +1604,12 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
>  	struct urb_priv	*urb_priv;
>  	int num_tds;
>  
> -	if (!urb || xhci_check_args(hcd, urb->dev, urb->ep,
> -					true, true, __func__) <= 0)
> +	if (!urb)
>  		return -EINVAL;
> +	ret = xhci_check_args(hcd, urb->dev, urb->ep,
> +					true, true, __func__);
> +	if (ret <= 0)
> +		return ret;

So if 0 is returned, you will now return that here, is that ok?
That is a change in functionality.

But this can only ever be the case for a root hub, is that ok?

>  
>  	slot_id = urb->dev->slot_id;
>  	ep_index = xhci_get_endpoint_index(&urb->ep->desc);
> @@ -3323,7 +3326,7 @@ static int xhci_check_streams_endpoint(struct xhci_hcd *xhci,
>  		return -EINVAL;
>  	ret = xhci_check_args(xhci_to_hcd(xhci), udev, ep, 1, true, __func__);
>  	if (ret <= 0)
> -		return -EINVAL;
> +		return ret;

Again, this means all is good?  Why is this being called for a root hub?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ