From: Greg Kroah-Hartman Date: Mon, 26 Nov 2018 17:47:36 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.127~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f4efd30cd6e31bf7df3b420861897ed2c3dd6020;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch --- diff --git a/queue-4.4/series b/queue-4.4/series index 99e6092735b..ea91ec7c17b 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -67,3 +67,4 @@ drivers-misc-sgi-gru-fix-spectre-v1-vulnerability.patch acpi-platform-add-smb0001-hid-to-forbidden_id_list.patch new-helper-uaccess_kernel.patch hid-uhid-forbid-uhid_create-under-kernel_ds-or-elevated-privileges.patch +xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch diff --git a/queue-4.4/xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch b/queue-4.4/xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch new file mode 100644 index 00000000000..a86ae666f2f --- /dev/null +++ b/queue-4.4/xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch 
@@ -0,0 +1,61 @@ +From 2278446e2b7cd33ad894b32e7eb63afc7db6c86e Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Mon, 14 May 2018 11:57:23 +0300 +Subject: xhci: Fix USB3 NULL pointer dereference at logical disconnect. + +From: Mathias Nyman + +commit 2278446e2b7cd33ad894b32e7eb63afc7db6c86e upstream. + +Hub driver will try to disable a USB3 device twice at logical disconnect, +racing with xhci_free_dev() callback from the first port disable. + +This can be triggered with "udisksctl power-off --block-device " +or by writing "1" to the "remove" sysfs file for a USB3 device +in 4.17-rc4. + +USB3 devices don't have a similar disabled link state as USB2 devices, +and use a U3 suspended link state instead. In this state the port +is still enabled and connected. + +hub_port_connect() first disconnects the device, then later it notices +that device is still enabled (due to U3 states) it will try to disable +the port again (set to U3). + +The xhci_free_dev() called during device disable is async, so checking +for existing xhci->devs[i] when setting link state to U3 the second time +was successful, even if device was being freed. + +The regression was caused by, and whole thing revealed by, +Commit 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") +which sets xhci->devs[i]->udev to NULL before xhci_virt_dev() returned. +and causes a NULL pointer dereference the second time we try to set U3. + +Fix this by checking xhci->devs[i]->udev exists before setting link state. + +The original patch went to stable so this fix needs to be applied there as +well. 
+ +Fixes: 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") +Cc: +Reported-by: Jordan Glover +Tested-by: Jordan Glover +Signed-off-by: Mathias Nyman +Cc: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -348,7 +348,7 @@ int xhci_find_slot_id_by_port(struct usb + + slot_id = 0; + for (i = 0; i < MAX_HC_SLOTS; i++) { +- if (!xhci->devs[i]) ++ if (!xhci->devs[i] || !xhci->devs[i]->udev) + continue; + speed = xhci->devs[i]->udev->speed; + if (((speed >= USB_SPEED_SUPER) == (hcd->speed >= HCD_USB3))
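Review bot: In the xhci_find_slot_id_by_port() hunk, the new `!xhci->devs[i]->udev` test and the `xhci->devs[i]->udev->speed` read on the next line load the same pointer twice, so the check closes the crash only if something serializes this loop against the path that clears udev. The changelog itself describes xhci_free_dev() as async, and no lock is visible in the context lines, so a teardown landing between the test and the dereference would hit the same NULL pointer. Please state in the changelog or in a comment above the loop which lock the caller is expected to hold, or read `xhci->devs[i]` and its `udev` once into locals and test those before use. Separately, the changelog says udev is set to NULL "before xhci_virt_dev() returned", which does not match the xhci_free_virt_device() named in the Fixes: tag; it is worth confirming which function is meant.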