forked from Minki/linux
fa2dfd0ec2
Commitdde634057d
("xhci: Fix use-after-free in xhci debugfs") causes a null pointer dereference while fixing xhci-debugfs usage of ring pointers that were freed during hibernate. The fix passed addresses to ring pointers instead, but forgot to do this change for the xhci_ring_trb_show function. The address of the ring pointer passed to xhci-debugfs was of a temporary ring pointer "new_ring" instead of the actual ring "ring" pointer. The temporary new_ring pointer will be set to NULL later causing the NULL pointer dereference. This issue was seen when reading xhci related files in debugfs: cat /sys/kernel/debug/usb/xhci/*/devices/*/ep*/trbs [ 184.604861] BUG: unable to handle kernel NULL pointer dereference at (null) [ 184.613776] IP: xhci_ring_trb_show+0x3a/0x890 [ 184.618733] PGD 264193067 P4D 264193067 PUD 263238067 PMD 0 [ 184.625184] Oops: 0000 [#1] SMP [ 184.726410] RIP: 0010:xhci_ring_trb_show+0x3a/0x890 [ 184.731944] RSP: 0018:ffffba8243c0fd90 EFLAGS: 00010246 [ 184.737880] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000000295d6 [ 184.746020] RDX: 00000000000295d5 RSI: 0000000000000001 RDI: ffff971a6418d400 [ 184.754121] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 184.762222] R10: ffff971a64c98a80 R11: ffff971a62a00e40 R12: ffff971a62a85500 [ 184.770325] R13: 0000000000020000 R14: ffff971a6418d400 R15: ffff971a6418d400 [ 184.778448] FS: 00007fe725a79700(0000) GS:ffff971a6ec00000(0000) knlGS:0000000000000000 [ 184.787644] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 184.794168] CR2: 0000000000000000 CR3: 000000025f365005 CR4: 00000000003606f0 [ 184.802318] Call Trace: [ 184.805094] ? seq_read+0x281/0x3b0 [ 184.809068] seq_read+0xeb/0x3b0 [ 184.812735] full_proxy_read+0x4d/0x70 [ 184.817007] __vfs_read+0x23/0x120 [ 184.820870] vfs_read+0x91/0x130 [ 184.824538] SyS_read+0x42/0x90 [ 184.828106] entry_SYSCALL_64_fastpath+0x1a/0x7d Fixes:dde634057d
("xhci: Fix use-after-free in xhci debugfs") Cc: <stable@vger.kernel.org> # v4.15 Signed-off-by: Zhengjun Xing <zhengjun.xing@linux.intel.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
524 lines
13 KiB
C
524 lines
13 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* xhci-debugfs.c - xHCI debugfs interface
|
|
*
|
|
* Copyright (C) 2017 Intel Corporation
|
|
*
|
|
* Author: Lu Baolu <baolu.lu@linux.intel.com>
|
|
*/
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include "xhci.h"
|
|
#include "xhci-debugfs.h"
|
|
|
|
static const struct debugfs_reg32 xhci_cap_regs[] = {
|
|
dump_register(CAPLENGTH),
|
|
dump_register(HCSPARAMS1),
|
|
dump_register(HCSPARAMS2),
|
|
dump_register(HCSPARAMS3),
|
|
dump_register(HCCPARAMS1),
|
|
dump_register(DOORBELLOFF),
|
|
dump_register(RUNTIMEOFF),
|
|
dump_register(HCCPARAMS2),
|
|
};
|
|
|
|
static const struct debugfs_reg32 xhci_op_regs[] = {
|
|
dump_register(USBCMD),
|
|
dump_register(USBSTS),
|
|
dump_register(PAGESIZE),
|
|
dump_register(DNCTRL),
|
|
dump_register(CRCR),
|
|
dump_register(DCBAAP_LOW),
|
|
dump_register(DCBAAP_HIGH),
|
|
dump_register(CONFIG),
|
|
};
|
|
|
|
static const struct debugfs_reg32 xhci_runtime_regs[] = {
|
|
dump_register(MFINDEX),
|
|
dump_register(IR0_IMAN),
|
|
dump_register(IR0_IMOD),
|
|
dump_register(IR0_ERSTSZ),
|
|
dump_register(IR0_ERSTBA_LOW),
|
|
dump_register(IR0_ERSTBA_HIGH),
|
|
dump_register(IR0_ERDP_LOW),
|
|
dump_register(IR0_ERDP_HIGH),
|
|
};
|
|
|
|
static const struct debugfs_reg32 xhci_extcap_legsup[] = {
|
|
dump_register(EXTCAP_USBLEGSUP),
|
|
dump_register(EXTCAP_USBLEGCTLSTS),
|
|
};
|
|
|
|
static const struct debugfs_reg32 xhci_extcap_protocol[] = {
|
|
dump_register(EXTCAP_REVISION),
|
|
dump_register(EXTCAP_NAME),
|
|
dump_register(EXTCAP_PORTINFO),
|
|
dump_register(EXTCAP_PORTTYPE),
|
|
dump_register(EXTCAP_MANTISSA1),
|
|
dump_register(EXTCAP_MANTISSA2),
|
|
dump_register(EXTCAP_MANTISSA3),
|
|
dump_register(EXTCAP_MANTISSA4),
|
|
dump_register(EXTCAP_MANTISSA5),
|
|
dump_register(EXTCAP_MANTISSA6),
|
|
};
|
|
|
|
static const struct debugfs_reg32 xhci_extcap_dbc[] = {
|
|
dump_register(EXTCAP_DBC_CAPABILITY),
|
|
dump_register(EXTCAP_DBC_DOORBELL),
|
|
dump_register(EXTCAP_DBC_ERSTSIZE),
|
|
dump_register(EXTCAP_DBC_ERST_LOW),
|
|
dump_register(EXTCAP_DBC_ERST_HIGH),
|
|
dump_register(EXTCAP_DBC_ERDP_LOW),
|
|
dump_register(EXTCAP_DBC_ERDP_HIGH),
|
|
dump_register(EXTCAP_DBC_CONTROL),
|
|
dump_register(EXTCAP_DBC_STATUS),
|
|
dump_register(EXTCAP_DBC_PORTSC),
|
|
dump_register(EXTCAP_DBC_CONT_LOW),
|
|
dump_register(EXTCAP_DBC_CONT_HIGH),
|
|
dump_register(EXTCAP_DBC_DEVINFO1),
|
|
dump_register(EXTCAP_DBC_DEVINFO2),
|
|
};
|
|
|
|
static struct dentry *xhci_debugfs_root;
|
|
|
|
static struct xhci_regset *xhci_debugfs_alloc_regset(struct xhci_hcd *xhci)
|
|
{
|
|
struct xhci_regset *regset;
|
|
|
|
regset = kzalloc(sizeof(*regset), GFP_KERNEL);
|
|
if (!regset)
|
|
return NULL;
|
|
|
|
/*
|
|
* The allocation and free of regset are executed in order.
|
|
* We needn't a lock here.
|
|
*/
|
|
INIT_LIST_HEAD(®set->list);
|
|
list_add_tail(®set->list, &xhci->regset_list);
|
|
|
|
return regset;
|
|
}
|
|
|
|
static void xhci_debugfs_free_regset(struct xhci_regset *regset)
|
|
{
|
|
if (!regset)
|
|
return;
|
|
|
|
list_del(®set->list);
|
|
kfree(regset);
|
|
}
|
|
|
|
static void xhci_debugfs_regset(struct xhci_hcd *xhci, u32 base,
|
|
const struct debugfs_reg32 *regs,
|
|
size_t nregs, struct dentry *parent,
|
|
const char *fmt, ...)
|
|
{
|
|
struct xhci_regset *rgs;
|
|
va_list args;
|
|
struct debugfs_regset32 *regset;
|
|
struct usb_hcd *hcd = xhci_to_hcd(xhci);
|
|
|
|
rgs = xhci_debugfs_alloc_regset(xhci);
|
|
if (!rgs)
|
|
return;
|
|
|
|
va_start(args, fmt);
|
|
vsnprintf(rgs->name, sizeof(rgs->name), fmt, args);
|
|
va_end(args);
|
|
|
|
regset = &rgs->regset;
|
|
regset->regs = regs;
|
|
regset->nregs = nregs;
|
|
regset->base = hcd->regs + base;
|
|
|
|
debugfs_create_regset32((const char *)rgs->name, 0444, parent, regset);
|
|
}
|
|
|
|
static void xhci_debugfs_extcap_regset(struct xhci_hcd *xhci, int cap_id,
|
|
const struct debugfs_reg32 *regs,
|
|
size_t n, const char *cap_name)
|
|
{
|
|
u32 offset;
|
|
int index = 0;
|
|
size_t psic, nregs = n;
|
|
void __iomem *base = &xhci->cap_regs->hc_capbase;
|
|
|
|
offset = xhci_find_next_ext_cap(base, 0, cap_id);
|
|
while (offset) {
|
|
if (cap_id == XHCI_EXT_CAPS_PROTOCOL) {
|
|
psic = XHCI_EXT_PORT_PSIC(readl(base + offset + 8));
|
|
nregs = min(4 + psic, n);
|
|
}
|
|
|
|
xhci_debugfs_regset(xhci, offset, regs, nregs,
|
|
xhci->debugfs_root, "%s:%02d",
|
|
cap_name, index);
|
|
offset = xhci_find_next_ext_cap(base, offset, cap_id);
|
|
index++;
|
|
}
|
|
}
|
|
|
|
static int xhci_ring_enqueue_show(struct seq_file *s, void *unused)
|
|
{
|
|
dma_addr_t dma;
|
|
struct xhci_ring *ring = *(struct xhci_ring **)s->private;
|
|
|
|
dma = xhci_trb_virt_to_dma(ring->enq_seg, ring->enqueue);
|
|
seq_printf(s, "%pad\n", &dma);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int xhci_ring_dequeue_show(struct seq_file *s, void *unused)
|
|
{
|
|
dma_addr_t dma;
|
|
struct xhci_ring *ring = *(struct xhci_ring **)s->private;
|
|
|
|
dma = xhci_trb_virt_to_dma(ring->deq_seg, ring->dequeue);
|
|
seq_printf(s, "%pad\n", &dma);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int xhci_ring_cycle_show(struct seq_file *s, void *unused)
|
|
{
|
|
struct xhci_ring *ring = *(struct xhci_ring **)s->private;
|
|
|
|
seq_printf(s, "%d\n", ring->cycle_state);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void xhci_ring_dump_segment(struct seq_file *s,
|
|
struct xhci_segment *seg)
|
|
{
|
|
int i;
|
|
dma_addr_t dma;
|
|
union xhci_trb *trb;
|
|
|
|
for (i = 0; i < TRBS_PER_SEGMENT; i++) {
|
|
trb = &seg->trbs[i];
|
|
dma = seg->dma + i * sizeof(*trb);
|
|
seq_printf(s, "%pad: %s\n", &dma,
|
|
xhci_decode_trb(trb->generic.field[0],
|
|
trb->generic.field[1],
|
|
trb->generic.field[2],
|
|
trb->generic.field[3]));
|
|
}
|
|
}
|
|
|
|
static int xhci_ring_trb_show(struct seq_file *s, void *unused)
|
|
{
|
|
int i;
|
|
struct xhci_ring *ring = *(struct xhci_ring **)s->private;
|
|
struct xhci_segment *seg = ring->first_seg;
|
|
|
|
for (i = 0; i < ring->num_segs; i++) {
|
|
xhci_ring_dump_segment(s, seg);
|
|
seg = seg->next;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static struct xhci_file_map ring_files[] = {
|
|
{"enqueue", xhci_ring_enqueue_show, },
|
|
{"dequeue", xhci_ring_dequeue_show, },
|
|
{"cycle", xhci_ring_cycle_show, },
|
|
{"trbs", xhci_ring_trb_show, },
|
|
};
|
|
|
|
static int xhci_ring_open(struct inode *inode, struct file *file)
|
|
{
|
|
int i;
|
|
struct xhci_file_map *f_map;
|
|
const char *file_name = file_dentry(file)->d_iname;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(ring_files); i++) {
|
|
f_map = &ring_files[i];
|
|
|
|
if (strcmp(f_map->name, file_name) == 0)
|
|
break;
|
|
}
|
|
|
|
return single_open(file, f_map->show, inode->i_private);
|
|
}
|
|
|
|
static const struct file_operations xhci_ring_fops = {
|
|
.open = xhci_ring_open,
|
|
.read = seq_read,
|
|
.llseek = seq_lseek,
|
|
.release = single_release,
|
|
};
|
|
|
|
static int xhci_slot_context_show(struct seq_file *s, void *unused)
|
|
{
|
|
struct xhci_hcd *xhci;
|
|
struct xhci_slot_ctx *slot_ctx;
|
|
struct xhci_slot_priv *priv = s->private;
|
|
struct xhci_virt_device *dev = priv->dev;
|
|
|
|
xhci = hcd_to_xhci(bus_to_hcd(dev->udev->bus));
|
|
slot_ctx = xhci_get_slot_ctx(xhci, dev->out_ctx);
|
|
seq_printf(s, "%pad: %s\n", &dev->out_ctx->dma,
|
|
xhci_decode_slot_context(slot_ctx->dev_info,
|
|
slot_ctx->dev_info2,
|
|
slot_ctx->tt_info,
|
|
slot_ctx->dev_state));
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int xhci_endpoint_context_show(struct seq_file *s, void *unused)
|
|
{
|
|
int dci;
|
|
dma_addr_t dma;
|
|
struct xhci_hcd *xhci;
|
|
struct xhci_ep_ctx *ep_ctx;
|
|
struct xhci_slot_priv *priv = s->private;
|
|
struct xhci_virt_device *dev = priv->dev;
|
|
|
|
xhci = hcd_to_xhci(bus_to_hcd(dev->udev->bus));
|
|
|
|
for (dci = 1; dci < 32; dci++) {
|
|
ep_ctx = xhci_get_ep_ctx(xhci, dev->out_ctx, dci);
|
|
dma = dev->out_ctx->dma + dci * CTX_SIZE(xhci->hcc_params);
|
|
seq_printf(s, "%pad: %s\n", &dma,
|
|
xhci_decode_ep_context(ep_ctx->ep_info,
|
|
ep_ctx->ep_info2,
|
|
ep_ctx->deq,
|
|
ep_ctx->tx_info));
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int xhci_device_name_show(struct seq_file *s, void *unused)
|
|
{
|
|
struct xhci_slot_priv *priv = s->private;
|
|
struct xhci_virt_device *dev = priv->dev;
|
|
|
|
seq_printf(s, "%s\n", dev_name(&dev->udev->dev));
|
|
|
|
return 0;
|
|
}
|
|
|
|
static struct xhci_file_map context_files[] = {
|
|
{"name", xhci_device_name_show, },
|
|
{"slot-context", xhci_slot_context_show, },
|
|
{"ep-context", xhci_endpoint_context_show, },
|
|
};
|
|
|
|
static int xhci_context_open(struct inode *inode, struct file *file)
|
|
{
|
|
int i;
|
|
struct xhci_file_map *f_map;
|
|
const char *file_name = file_dentry(file)->d_iname;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(context_files); i++) {
|
|
f_map = &context_files[i];
|
|
|
|
if (strcmp(f_map->name, file_name) == 0)
|
|
break;
|
|
}
|
|
|
|
return single_open(file, f_map->show, inode->i_private);
|
|
}
|
|
|
|
static const struct file_operations xhci_context_fops = {
|
|
.open = xhci_context_open,
|
|
.read = seq_read,
|
|
.llseek = seq_lseek,
|
|
.release = single_release,
|
|
};
|
|
|
|
static void xhci_debugfs_create_files(struct xhci_hcd *xhci,
|
|
struct xhci_file_map *files,
|
|
size_t nentries, void *data,
|
|
struct dentry *parent,
|
|
const struct file_operations *fops)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i < nentries; i++)
|
|
debugfs_create_file(files[i].name, 0444, parent, data, fops);
|
|
}
|
|
|
|
static struct dentry *xhci_debugfs_create_ring_dir(struct xhci_hcd *xhci,
|
|
struct xhci_ring **ring,
|
|
const char *name,
|
|
struct dentry *parent)
|
|
{
|
|
struct dentry *dir;
|
|
|
|
dir = debugfs_create_dir(name, parent);
|
|
xhci_debugfs_create_files(xhci, ring_files, ARRAY_SIZE(ring_files),
|
|
ring, dir, &xhci_ring_fops);
|
|
|
|
return dir;
|
|
}
|
|
|
|
static void xhci_debugfs_create_context_files(struct xhci_hcd *xhci,
|
|
struct dentry *parent,
|
|
int slot_id)
|
|
{
|
|
struct xhci_virt_device *dev = xhci->devs[slot_id];
|
|
|
|
xhci_debugfs_create_files(xhci, context_files,
|
|
ARRAY_SIZE(context_files),
|
|
dev->debugfs_private,
|
|
parent, &xhci_context_fops);
|
|
}
|
|
|
|
void xhci_debugfs_create_endpoint(struct xhci_hcd *xhci,
|
|
struct xhci_virt_device *dev,
|
|
int ep_index)
|
|
{
|
|
struct xhci_ep_priv *epriv;
|
|
struct xhci_slot_priv *spriv = dev->debugfs_private;
|
|
|
|
if (spriv->eps[ep_index])
|
|
return;
|
|
|
|
epriv = kzalloc(sizeof(*epriv), GFP_KERNEL);
|
|
if (!epriv)
|
|
return;
|
|
|
|
snprintf(epriv->name, sizeof(epriv->name), "ep%02d", ep_index);
|
|
epriv->root = xhci_debugfs_create_ring_dir(xhci,
|
|
&dev->eps[ep_index].ring,
|
|
epriv->name,
|
|
spriv->root);
|
|
spriv->eps[ep_index] = epriv;
|
|
}
|
|
|
|
void xhci_debugfs_remove_endpoint(struct xhci_hcd *xhci,
|
|
struct xhci_virt_device *dev,
|
|
int ep_index)
|
|
{
|
|
struct xhci_ep_priv *epriv;
|
|
struct xhci_slot_priv *spriv = dev->debugfs_private;
|
|
|
|
if (!spriv || !spriv->eps[ep_index])
|
|
return;
|
|
|
|
epriv = spriv->eps[ep_index];
|
|
debugfs_remove_recursive(epriv->root);
|
|
spriv->eps[ep_index] = NULL;
|
|
kfree(epriv);
|
|
}
|
|
|
|
void xhci_debugfs_create_slot(struct xhci_hcd *xhci, int slot_id)
|
|
{
|
|
struct xhci_slot_priv *priv;
|
|
struct xhci_virt_device *dev = xhci->devs[slot_id];
|
|
|
|
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
|
|
if (!priv)
|
|
return;
|
|
|
|
snprintf(priv->name, sizeof(priv->name), "%02d", slot_id);
|
|
priv->root = debugfs_create_dir(priv->name, xhci->debugfs_slots);
|
|
priv->dev = dev;
|
|
dev->debugfs_private = priv;
|
|
|
|
xhci_debugfs_create_ring_dir(xhci, &dev->eps[0].ring,
|
|
"ep00", priv->root);
|
|
|
|
xhci_debugfs_create_context_files(xhci, priv->root, slot_id);
|
|
}
|
|
|
|
void xhci_debugfs_remove_slot(struct xhci_hcd *xhci, int slot_id)
|
|
{
|
|
int i;
|
|
struct xhci_slot_priv *priv;
|
|
struct xhci_virt_device *dev = xhci->devs[slot_id];
|
|
|
|
if (!dev || !dev->debugfs_private)
|
|
return;
|
|
|
|
priv = dev->debugfs_private;
|
|
|
|
debugfs_remove_recursive(priv->root);
|
|
|
|
for (i = 0; i < 31; i++)
|
|
kfree(priv->eps[i]);
|
|
|
|
kfree(priv);
|
|
dev->debugfs_private = NULL;
|
|
}
|
|
|
|
void xhci_debugfs_init(struct xhci_hcd *xhci)
|
|
{
|
|
struct device *dev = xhci_to_hcd(xhci)->self.controller;
|
|
|
|
xhci->debugfs_root = debugfs_create_dir(dev_name(dev),
|
|
xhci_debugfs_root);
|
|
|
|
INIT_LIST_HEAD(&xhci->regset_list);
|
|
|
|
xhci_debugfs_regset(xhci,
|
|
0,
|
|
xhci_cap_regs, ARRAY_SIZE(xhci_cap_regs),
|
|
xhci->debugfs_root, "reg-cap");
|
|
|
|
xhci_debugfs_regset(xhci,
|
|
HC_LENGTH(readl(&xhci->cap_regs->hc_capbase)),
|
|
xhci_op_regs, ARRAY_SIZE(xhci_op_regs),
|
|
xhci->debugfs_root, "reg-op");
|
|
|
|
xhci_debugfs_regset(xhci,
|
|
readl(&xhci->cap_regs->run_regs_off) & RTSOFF_MASK,
|
|
xhci_runtime_regs, ARRAY_SIZE(xhci_runtime_regs),
|
|
xhci->debugfs_root, "reg-runtime");
|
|
|
|
xhci_debugfs_extcap_regset(xhci, XHCI_EXT_CAPS_LEGACY,
|
|
xhci_extcap_legsup,
|
|
ARRAY_SIZE(xhci_extcap_legsup),
|
|
"reg-ext-legsup");
|
|
|
|
xhci_debugfs_extcap_regset(xhci, XHCI_EXT_CAPS_PROTOCOL,
|
|
xhci_extcap_protocol,
|
|
ARRAY_SIZE(xhci_extcap_protocol),
|
|
"reg-ext-protocol");
|
|
|
|
xhci_debugfs_extcap_regset(xhci, XHCI_EXT_CAPS_DEBUG,
|
|
xhci_extcap_dbc,
|
|
ARRAY_SIZE(xhci_extcap_dbc),
|
|
"reg-ext-dbc");
|
|
|
|
xhci_debugfs_create_ring_dir(xhci, &xhci->cmd_ring,
|
|
"command-ring",
|
|
xhci->debugfs_root);
|
|
|
|
xhci_debugfs_create_ring_dir(xhci, &xhci->event_ring,
|
|
"event-ring",
|
|
xhci->debugfs_root);
|
|
|
|
xhci->debugfs_slots = debugfs_create_dir("devices", xhci->debugfs_root);
|
|
}
|
|
|
|
void xhci_debugfs_exit(struct xhci_hcd *xhci)
|
|
{
|
|
struct xhci_regset *rgs, *tmp;
|
|
|
|
debugfs_remove_recursive(xhci->debugfs_root);
|
|
xhci->debugfs_root = NULL;
|
|
xhci->debugfs_slots = NULL;
|
|
|
|
list_for_each_entry_safe(rgs, tmp, &xhci->regset_list, list)
|
|
xhci_debugfs_free_regset(rgs);
|
|
}
|
|
|
|
void __init xhci_debugfs_create_root(void)
|
|
{
|
|
xhci_debugfs_root = debugfs_create_dir("xhci", usb_debug_root);
|
|
}
|
|
|
|
void __exit xhci_debugfs_remove_root(void)
|
|
{
|
|
debugfs_remove_recursive(xhci_debugfs_root);
|
|
xhci_debugfs_root = NULL;
|
|
}
|