xhci: fix possible null pointer dereference at secondary interrupter removal

commit a54a594d72f25b08f39d743880a76721fba9ae77 upstream.

Don't try to remove a secondary interrupter that is known to be invalid.
Also check if the interrupter is valid inside the spinlock that protects
the array of interrupters.

Found by smatch static checker

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/linux-usb/ffaa0a1b-5984-4a1f-bfd3-9184630a97b9@moroto.mountain/
Fixes: c99b38c41234 ("xhci: add support to allocate several interrupters")
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240125152737.2983959-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index ff732ddc6e8c23dcec1680ff7a7127b9e877d1bc..22cca89efbfd7251e7ccd4de40dd615097a85114 100644 (file)
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1855,14 +1855,14 @@ void xhci_remove_secondary_interrupter(struct usb_hcd *hcd, struct xhci_interrup
        struct xhci_hcd *xhci = hcd_to_xhci(hcd);
        unsigned int intr_num;
 
+       spin_lock_irq(&xhci->lock);
+
        /* interrupter 0 is primary interrupter, don't touch it */
-       if (!ir || !ir->intr_num || ir->intr_num >= xhci->max_interrupters)
+       if (!ir || !ir->intr_num || ir->intr_num >= xhci->max_interrupters) {
                xhci_dbg(xhci, "Invalid secondary interrupter, can't remove\n");
-
-       /* fixme, should we check xhci->interrupter[intr_num] == ir */
-       /* fixme locking */
-
-       spin_lock_irq(&xhci->lock);
+               spin_unlock_irq(&xhci->lock);
+               return;
+       }
 
        intr_num = ir->intr_num;