lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID:
 <TYUPR06MB6217F5AA7DA1E43A567CBA04D2A9A@TYUPR06MB6217.apcprd06.prod.outlook.com>
Date: Fri, 19 Dec 2025 07:18:10 +0000
From: 胡连勤 <hulianqin@...o.com>
To: Mathias Nyman <mathias.nyman@...el.com>, Greg Kroah-Hartman
	<gregkh@...uxfoundation.org>, Sarah Sharp <sarah.a.sharp@...ux.intel.com>
CC: "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	胡连勤 <hulianqin@...o.com>
Subject: [PATCH] usb: xhci: check Null pointer in segment alloc

From: Lianqin Hu <hulianqin@...o.com>

Considering that in some extreme cases,
when a digital headset is connected and a wake-up
operation is performed,if the headset is plug out
or the headset connection is abnormally disconnected at this time,
segment_pool will be set to null, resulting in accessing a null pointer.

So, add null pointer checks to fix the problem.

Call trace:
 dma_pool_alloc+0x3c/0x248
 xhci_segment_alloc+0x9c/0x184
 xhci_alloc_segments_for_ring+0xcc/0x1cc
 xhci_ring_alloc+0xc4/0x1a8
 xhci_endpoint_init+0x36c/0x4ac
 xhci_add_endpoint+0x18c/0x2a4
 usb_hcd_alloc_bandwidth+0x384/0x3e4
 usb_set_interface+0x144/0x510
 usb_reset_and_verify_device+0x248/0x5fc
 usb_port_resume+0x580/0x700
 usb_generic_driver_resume+0x24/0x5c
 usb_resume_both+0x104/0x32c
 usb_runtime_resume+0x18/0x28
 __rpm_callback+0x94/0x3d4
 rpm_resume+0x3f8/0x5fc
 rpm_resume+0x1fc/0x5fc

Fixes: 0ebbab374223 ("USB: xhci: Ring allocation and initialization.")
Cc: stable@...r.kernel.org
Signed-off-by: Lianqin Hu <hulianqin@...o.com>

 drivers/usb/host/xhci-mem.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index c708bdd69f16..2ea5fb810a80 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -35,6 +35,9 @@ static struct xhci_segment *xhci_segment_alloc(struct xhci_hcd *xhci,
 	dma_addr_t	dma;
 	struct device *dev = xhci_to_hcd(xhci)->self.sysdev;
 
+	if (!xhci->segment_pool)
+		return NULL;
+
 	seg = kzalloc_node(sizeof(*seg), flags, dev_to_node(dev));
 	if (!seg)
 		return NULL;
-- 
2.39.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ