linux/drivers/usb
Alexander Kappner dde634057d xhci: Fix use-after-free in xhci debugfs
Trying to read from debugfs after the system has resumed from
hibernate causes a use-after-free and thus a protection fault.

Steps to reproduce:
Hibernate system, resume from hibernate, then run
$ cat /sys/kernel/debug/usb/xhci/*/command-ring/enqueue

[ 3902.765086] general protection fault: 0000 [#1] PREEMPT SMP
...
[ 3902.765136] RIP: 0010:xhci_trb_virt_to_dma.part.50+0x5/0x30
...
[ 3902.765178] Call Trace:
[ 3902.765188]  xhci_ring_enqueue_show+0x1e/0x40
[ 3902.765197]  seq_read+0xdb/0x3a0
[ 3902.765204]  ? __handle_mm_fault+0x5fb/0x1210
[ 3902.765211]  full_proxy_read+0x4a/0x70
[ 3902.765219]  __vfs_read+0x23/0x120
[ 3902.765228]  vfs_read+0x8e/0x130
[ 3902.765235]  SyS_read+0x42/0x90
[ 3902.765242]  do_syscall_64+0x6b/0x290
[ 3902.765251]  entry_SYSCALL64_slow_path+0x25/0x25

The issue is caused by the xhci ring structures being reallocated
when the system is resumed, but pointers to the old structures
being retained in the debugfs files' "private" field:

The proposed patch fixes this issue by storing a pointer to the xhci_ring
field in the xhci device structure in debugfs rather than directly
storing a pointer to the xhci_ring.

Fixes: 02b6fdc2a1 ("usb: xhci: Add debugfs interface for xHCI driver")
Signed-off-by: Alexander Kappner <agk@godking.net>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-27 15:24:27 +01:00
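
The stale-pointer pattern this commit message describes, as an added user-space model (not code from the kernel or from the patch). All names are hypothetical, and a static pool stands in for allocation and freeing so that a read of a "freed" ring can be detected instead of faulting.

```c
#include <stddef.h>

struct ring { int live; unsigned long enqueue; };
struct host { struct ring *cmd_ring; };   /* models the xhci device structure */
struct dbg_file { void *private; };       /* models a debugfs file's private field */

static struct ring pool[2];               /* "freed" rings stay inspectable here */

static struct ring *ring_alloc(int slot, unsigned long enq)
{
    pool[slot].live = 1;
    pool[slot].enqueue = enq;
    return &pool[slot];
}

static void ring_free(struct ring *r) { r->live = 0; r->enqueue = 0; }

/* Resume from hibernate: the ring structure is reallocated. */
static void host_resume(struct host *h)
{
    struct ring *old = h->cmd_ring;
    h->cmd_ring = ring_alloc(old == &pool[0] ? 1 : 0, 0x2000);
    ring_free(old);
}

/* Before the fix: private holds the ring itself (struct ring *). */
static int show_direct(const struct dbg_file *f, unsigned long *out)
{
    struct ring *r = f->private;
    if (!r->live) return -1;   /* in the kernel this read is the use-after-free */
    *out = r->enqueue;
    return 0;
}

/* After the fix: private holds the address of the host's ring field. */
static int show_indirect(const struct dbg_file *f, unsigned long *out)
{
    struct ring *r = *(struct ring **)f->private;
    if (!r->live) return -1;
    *out = r->enqueue;
    return 0;
}

/* Returns 0 if a read after resume sees a live ring, -1 if it hit a freed one. */
static int read_after_resume(int use_indirection, unsigned long *out)
{
    struct host h = { ring_alloc(0, 0x1000) };
    struct dbg_file f = { use_indirection ? (void *)&h.cmd_ring : (void *)h.cmd_ring };
    host_resume(&h);
    return use_indirection ? show_indirect(&f, out) : show_direct(&f, out);
}
```

The indirect form stays valid only as long as the structure holding the ring field outlives the file that points into it.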
atm usb: usbatm: Convert timers to use timer_setup() 2017-11-21 15:46:44 -08:00
c67x00 USB: add SPDX identifiers to all remaining Makefiles 2017-11-07 15:53:48 +01:00
chipidea USB: chipidea: msm: fix ulpi-node lookup 2017-12-13 09:50:52 +08:00
class USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
common USB: ulpi: fix bus-node lookup 2017-11-28 15:17:48 +01:00
core usb: Add device quirk for Logitech HD Pro Webcam C925e 2017-12-19 11:42:28 +01:00
dwc2 usb: dwc2: Fix TxFIFOn sizes and total TxFIFO size issues 2017-12-11 12:35:37 +02:00
dwc3 usb: dwc3: gadget: Fix PCM1 for ISOC EP with ep->mult less than 3 2017-12-11 12:35:37 +02:00
early USB: add SPDX identifiers to all remaining Makefiles 2017-11-07 15:53:48 +01:00
gadget Revert "usb: gadget: allow to enable legacy drivers without USB_ETH" 2017-12-12 12:48:30 +02:00
host xhci: Fix use-after-free in xhci debugfs 2017-12-27 15:24:27 +01:00
image USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
isp1760 USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
misc USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
mon USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
mtu3 USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
musb usb: musb: da8xx: fix babble condition handling 2017-12-08 17:31:20 +01:00
phy USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
renesas_usbhs USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
serial USB: serial: ftdi_sio: add id for Airbus DS P8GR 2017-12-27 11:47:31 +01:00
storage USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID 2017-12-08 17:31:20 +01:00
typec usb: add user selectable option for the whole USB Type-C Support 2017-11-28 15:15:01 +01:00
usbip usbip: stub_rx: fix static checker warning on unnecessary checks 2017-12-19 11:40:55 +01:00
wusbcore USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
Kconfig usb: Kconfig: clarify use of USB_PCI 2017-11-01 17:16:43 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
README
usb-skeleton.c USB: usb-skeleton: Remove redundant license text 2017-11-04 11:55:39 +01:00

To understand the whole Linux-USB framework, you'll use these resources:

    * This source code.  This is necessarily an evolving work, and
      includes kerneldoc that should help you get a current overview.
      ("make pdfdocs", and then look at "usb.pdf" for host side and
      "gadget.pdf" for peripheral side.)  Also, Documentation/usb has
      more information.

    * The USB 2.0 specification (from www.usb.org), with supplements
      such as those for USB OTG and the various device classes.
      The USB specification has a good overview chapter, and USB
      peripherals conform to the widely known "Chapter 9".

    * Chip specifications for USB controllers.  Examples include
      host controllers (on PCs, servers, and more); peripheral
      controllers (in devices with Linux firmware, like printers or
      cell phones); and hard-wired peripherals like Ethernet adapters.

    * Specifications for other protocols implemented by USB peripheral
      functions.  Some are vendor-specific; others are vendor-neutral
      but just standardized outside of the www.usb.org team.

Here is a list of the subdirectories here and what each one contains.

core/		- This is for the core USB host code, including the
		  usbfs files and the hub class driver ("hub_wq").

host/		- This is for USB host controller drivers.  This
		  includes UHCI, OHCI, EHCI, and others that might
		  be used with more specialized "embedded" systems.

gadget/		- This is for USB peripheral controller drivers and
		  the various gadget drivers which talk to them.


Individual USB driver directories.  A new driver should be added to the
first subdirectory in the list below that it fits into.

image/		- This is for still image drivers, like scanners or
		  digital cameras.
../input/	- This is for any driver that uses the input subsystem,
		  like keyboards, mice, touchscreens, tablets, etc.
../media/	- This is for multimedia drivers, like video cameras,
		  radios, and any other drivers that talk to the v4l
		  subsystem.
../net/		- This is for network drivers.
serial/		- This is for USB to serial drivers.
storage/	- This is for USB mass-storage drivers.
class/		- This is for all USB device drivers that do not fit
		  into any of the above categories, and work for a range
		  of USB Class specified devices. 
misc/		- This is for all USB device drivers that do not fit
		  into any of the above categories.