Commit
dde634057da7 ("xhci: Fix use-after-free in xhci debugfs") causes a
null pointer dereference while fixing xhci-debugfs usage of ring pointers
that were freed during hibernate.
The fix passed addresses to ring pointers instead, but forgot to do this
change for the xhci_ring_trb_show function.
The address of the ring pointer passed to xhci-debugfs was of a temporary
ring pointer "new_ring" instead of the actual ring "ring" pointer. The
temporary new_ring pointer will be set to NULL later causing the NULL
pointer dereference.
This issue was seen when reading xhci related files in debugfs:
cat /sys/kernel/debug/usb/xhci/*/devices/*/ep*/trbs
[ 184.604861] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 184.613776] IP: xhci_ring_trb_show+0x3a/0x890
[ 184.618733] PGD
264193067 P4D
264193067 PUD
263238067 PMD 0
[ 184.625184] Oops: 0000 [#1] SMP
[ 184.726410] RIP: 0010:xhci_ring_trb_show+0x3a/0x890
[ 184.731944] RSP: 0018:
ffffba8243c0fd90 EFLAGS:
00010246
[ 184.737880] RAX:
0000000000000000 RBX:
0000000000000000 RCX:
00000000000295d6
[ 184.746020] RDX:
00000000000295d5 RSI:
0000000000000001 RDI:
ffff971a6418d400
[ 184.754121] RBP:
0000000000000000 R08:
0000000000000000 R09:
0000000000000000
[ 184.762222] R10:
ffff971a64c98a80 R11:
ffff971a62a00e40 R12:
ffff971a62a85500
[ 184.770325] R13:
0000000000020000 R14:
ffff971a6418d400 R15:
ffff971a6418d400
[ 184.778448] FS:
00007fe725a79700(0000) GS:
ffff971a6ec00000(0000) knlGS:
0000000000000000
[ 184.787644] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 184.794168] CR2:
0000000000000000 CR3:
000000025f365005 CR4:
00000000003606f0
[ 184.802318] Call Trace:
[ 184.805094] ? seq_read+0x281/0x3b0
[ 184.809068] seq_read+0xeb/0x3b0
[ 184.812735] full_proxy_read+0x4d/0x70
[ 184.817007] __vfs_read+0x23/0x120
[ 184.820870] vfs_read+0x91/0x130
[ 184.824538] SyS_read+0x42/0x90
[ 184.828106] entry_SYSCALL_64_fastpath+0x1a/0x7d
Fixes: dde634057da7 ("xhci: Fix use-after-free in xhci debugfs")
Cc: <stable@vger.kernel.org> # v4.15
Signed-off-by: Zhengjun Xing <zhengjun.xing@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
static int xhci_ring_trb_show(struct seq_file *s, void *unused)
{
int i;
- struct xhci_ring *ring = s->private;
+ struct xhci_ring *ring = *(struct xhci_ring **)s->private;
struct xhci_segment *seg = ring->first_seg;
for (i = 0; i < ring->num_segs; i++) {
snprintf(epriv->name, sizeof(epriv->name), "ep%02d", ep_index);
epriv->root = xhci_debugfs_create_ring_dir(xhci,
- &dev->eps[ep_index].new_ring,
+ &dev->eps[ep_index].ring,
epriv->name,
spriv->root);
spriv->eps[ep_index] = epriv;