linux/drivers/usb/dwc2
Douglas Anderson 16e8021881 usb: dwc2: host: Avoid use of chan->qh after qh freed
When poking around with USB devices with slub_debug enabled, I found
another obvious use after free.  Turns out that in dwc2_hc_n_intr() I
was in a state when the contents of chan->qh were filled with 0x6b,
indicating that chan->qh was freed but chan still had a reference to
it.

Let's make sure that whenever we free qh we also make sure we remove a
reference from its channel.

The bug fixed here doesn't appear to be new--I believe I just got lucky
and happened to see it while stress testing.

Acked-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
2016-03-04 15:14:40 +02:00
core_intr.c usb: dwc2: host: Clear interrupts before handling them 2015-12-15 09:12:41 -06:00
core.c usb: dwc2: host: Get aligned DMA in a more supported way 2016-03-04 15:14:39 +02:00
core.h usb: dwc2: Improve handling of host and device hwparams 2015-12-22 12:00:51 -06:00
debug.h usb: dwc2: move debugfs code to a separate file 2015-04-29 15:18:25 -05:00
debugfs.c usb: dwc2: Use platform endianness when accessing registers 2015-09-27 10:54:31 -05:00
gadget.c usb: dwc2: gadget: Repair DSTS register decoding 2015-12-22 12:03:05 -06:00
hcd_ddma.c usb: dwc2: host: fix the data toggle error in full speed descriptor dma 2016-02-17 10:32:09 +02:00
hcd_intr.c usb: dwc2: host: Avoid use of chan->qh after qh freed 2016-03-04 15:14:40 +02:00
hcd_queue.c usb: dwc2: host: Get aligned DMA in a more supported way 2016-03-04 15:14:39 +02:00
hcd.c usb: dwc2: host: Avoid use of chan->qh after qh freed 2016-03-04 15:14:40 +02:00
hcd.h usb: dwc2: host: Get aligned DMA in a more supported way 2016-03-04 15:14:39 +02:00
hw.h usb: dwc2: host: fix descriptor list address masking 2015-12-15 09:12:41 -06:00
Kconfig usb: dwc2: USB_DWC2 should depend on HAS_DMA 2016-02-20 20:23:02 -08:00
Makefile usb: dwc2: remove dwc2_platform.ko 2015-04-29 15:20:11 -05:00
pci.c usb: dwc2: pci: Add device mode to the dwc2-pci driver 2015-03-11 15:08:17 -05:00
platform.c usb: dwc2: host: Set host_rx_fifo_size to 525 for rk3066 2016-03-04 15:14:39 +02:00