iommu-arm-smmu-v3-fix-iommu_device_probe-bug-due-to-.patch
drm-amd-display-add-scoped-mutexes-for-amdgpu_dm_dhc.patch
drm-amd-display-fix-slab-use-after-free-in-hdcp.patch
+usb-xhci-check-for-xhci-interrupters-being-allocated-in-xhci_mem_clearup.patch
+xhci-fix-possible-null-pointer-dereference-at-secondary-interrupter-removal.patch
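Review bot: The two added series entries are queued in the reverse of their patch dates. usb-xhci-check-for-xhci-interrupters-being-allocated-in-xhci_mem_clearup.patch is dated 9 Aug 2024 and xhci-fix-possible-null-pointer-dereference-at-secondary-interrupter-removal.patch is dated 25 Jan 2024, and both modify drivers/usb/host/xhci-mem.c. The second patch is 6 insertions and 6 deletions, so the @@ -1882 offset in the first still lines up either way, but listing them in date order would make the queue easier to compare against mainline history.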
--- /dev/null
+From dcdb52d948f3a17ccd3fce757d9bd981d7c32039 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Fri, 9 Aug 2024 15:44:07 +0300
+Subject: usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup()
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit dcdb52d948f3a17ccd3fce757d9bd981d7c32039 upstream.
+
+If xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop
+up the damage. If it fails early enough, before xhci->interrupters
+is allocated but after xhci->max_interrupters has been set, which
+happens in most (all?) cases, things get uglier, as xhci_mem_cleanup()
+unconditionally derefences xhci->interrupters. With prejudice.
+
+Gate the interrupt freeing loop with a check on xhci->interrupters
+being non-NULL.
+
+Found while debugging a DMA allocation issue that led the XHCI driver
+on this exact path.
+
+Fixes: c99b38c41234 ("xhci: add support to allocate several interrupters")
+Cc: Mathias Nyman <mathias.nyman@linux.intel.com>
+Cc: Wesley Cheng <quic_wcheng@quicinc.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org # 6.8+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20240809124408.505786-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1882,7 +1882,7 @@ void xhci_mem_cleanup(struct xhci_hcd *x
+
+ cancel_delayed_work_sync(&xhci->cmd_timer);
+
+- for (i = 0; i < xhci->max_interrupters; i++) {
++ for (i = 0; xhci->interrupters && i < xhci->max_interrupters; i++) {
+ if (xhci->interrupters[i]) {
+ xhci_remove_interrupter(xhci, xhci->interrupters[i]);
+ xhci_free_interrupter(xhci, xhci->interrupters[i]);
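Review bot: In the xhci_mem_cleanup() loop header, the guard `xhci->interrupters && i < xhci->max_interrupters` re-tests the array pointer on every iteration, although it only needs to hold once before the loop starts. An explicit `if (xhci->interrupters)` around the loop would state the intent more directly, at the cost of a larger diff than this one-line change. The commit message also says xhci->max_interrupters is set before xhci->interrupters is allocated, so it is worth confirming that no other path on the xhci_mem_init() failure route indexes the array using max_interrupters alone. Minor: the Subject spells the function xhci_mem_clearup() while the code and the commit body say xhci_mem_cleanup(), which makes the fix harder to find by function name.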
--- /dev/null
+From a54a594d72f25b08f39d743880a76721fba9ae77 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 25 Jan 2024 17:27:34 +0200
+Subject: xhci: fix possible null pointer dereference at secondary interrupter removal
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit a54a594d72f25b08f39d743880a76721fba9ae77 upstream.
+
+Don't try to remove a secondary interrupter that is known to be invalid.
+Also check if the interrupter is valid inside the spinlock that protects
+the array of interrupters.
+
+Found by smatch static checker
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/linux-usb/ffaa0a1b-5984-4a1f-bfd3-9184630a97b9@moroto.mountain/
+Fixes: c99b38c41234 ("xhci: add support to allocate several interrupters")
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20240125152737.2983959-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mem.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1855,14 +1855,14 @@ void xhci_remove_secondary_interrupter(s
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+ unsigned int intr_num;
+
++ spin_lock_irq(&xhci->lock);
++
+ /* interrupter 0 is primary interrupter, don't touch it */
+- if (!ir || !ir->intr_num || ir->intr_num >= xhci->max_interrupters)
++ if (!ir || !ir->intr_num || ir->intr_num >= xhci->max_interrupters) {
+ xhci_dbg(xhci, "Invalid secondary interrupter, can't remove\n");
+-
+- /* fixme, should we check xhci->interrupter[intr_num] == ir */
+- /* fixme locking */
+-
+- spin_lock_irq(&xhci->lock);
++ spin_unlock_irq(&xhci->lock);
++ return;
++ }
+
+ intr_num = ir->intr_num;
+
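Review bot: On the new early-return path in xhci_remove_secondary_interrupter(), xhci_dbg() now runs with xhci->lock held and interrupts disabled. Calling spin_unlock_irq(&xhci->lock) before the debug print would keep the critical section down to the validity test itself. Separately, the hunk deletes the comment "fixme, should we check xhci->interrupter[intr_num] == ir", but the visible condition still only tests !ir, !ir->intr_num and the max_interrupters bound. If the comparison against the array slot is not done in the part of the function below this hunk, either add it under the lock or keep the fixme so the open question is not lost.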