Bug 204257

Summary: kernel NULL pointer dereference
Product: Drivers Reporter: Maik Stohn (maik.stohn)
Component: USBAssignee: Greg Kroah-Hartman (greg)
Status: RESOLVED PATCH_ALREADY_AVAILABLE    
Severity: normal    
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 5.2 / 5.2.1 / + Subsystem:
Regression: No Bisected commit-id:

Description Maik Stohn 2019-07-21 21:53:50 UTC 
XHCI driver causes a kernel Ooops with a "BUG: NULL pointer dereference" message.

This started with Kernel 5.2 and is still present in 5.2.1

Bug was introduced by patch: https://patchwork.kernel.org/patch/10919167 / commit 33e39350ebd20fe6a77a51b8c21c3aa6b4a208cf - "usb: xhci: add Immediate Data Transfer support"

It seems to be a race condition triggered by a user land program which immediately accesses the just enumerated USB device.

The NULL pointer dereference is either in "xhci.h" new function "xhci_urb_suitable_for_idt" (maybe "urb->ep->desc" is NULL)

or in "xhci-ring.c function "xhci_queue_bulk_tx" (new code added by the mentioned patch) (maybe "urb->transfer_buffer" is NULL)


Adding some NULL checks before using the pointers should solve the problem.


Greetings,

Maik Stohn

'''
Jul 19 16:41:56 lenovo kernel: usb 2-2: new full-speed USB device number 5 using xhci_hcd
Jul 19 16:41:56 lenovo kernel: usb 2-2: New USB device found, idVendor=219c, idProduct=0010, bcdDevice= 1.00
Jul 19 16:41:56 lenovo kernel: usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Jul 19 16:41:56 lenovo kernel: usb 2-2: Product: SecureSignToken
Jul 19 16:41:56 lenovo kernel: usb 2-2: Manufacturer: SEALONE AG
Jul 19 16:41:57 lenovo kernel: hidraw: raw HID events driver (C) Jiri Kosina
Jul 19 16:41:57 lenovo kernel: usb-storage 2-2:1.0: USB Mass Storage device detected
Jul 19 16:41:57 lenovo kernel: scsi host5: usb-storage 2-2:1.0
Jul 19 16:41:57 lenovo kernel: usbcore: registered new interface driver usb-storage
Jul 19 16:41:57 lenovo kernel: usbcore: registered new interface driver usbhid
Jul 19 16:41:57 lenovo kernel: usbhid: USB HID core driver
Jul 19 16:41:57 lenovo kernel: usbcore: registered new interface driver uas
Jul 19 16:41:57 lenovo kernel: hid-generic 0003:219C:0010.0001: hiddev0,hidraw0: USB HID v1.11 Device [SEALONE AG SecureSignToken] on usb-0000:00:14.0-2/input1
Jul 19 16:41:58 lenovo kernel: scsi 5:0:0:0: CD-ROM            SEALONE  SecureSignToken  1.72 PQ: 0 ANSI: 2
Jul 19 16:41:58 lenovo kernel: sr 5:0:0:0: [sr1] scsi3-mmc drive: 99x/99x cd/rw tray
Jul 19 16:41:58 lenovo kernel: sr 5:0:0:0: Attached scsi CD-ROM sr1
Jul 19 16:41:58 lenovo kernel: sr 5:0:0:0: Attached scsi generic sg2 type 5

Jul 19 16:43:29 lenovo kernel: BUG: kernel NULL pointer dereference, address: 0000000000000018
Jul 19 16:43:29 lenovo kernel: #PF: supervisor read access in kernel mode
Jul 19 16:43:29 lenovo kernel: #PF: error_code(0x0000) - not-present page
Jul 19 16:43:29 lenovo kernel: PGD 0 P4D 0 
Jul 19 16:43:29 lenovo kernel: Oops: 0000 [#1] PREEMPT SMP PTI
Jul 19 16:43:29 lenovo kernel: CPU: 3 PID: 3901 Comm: usb-storage Tainted: P          IOE     5.2.1-arch1-1-ARCH #1
Jul 19 16:43:29 lenovo kernel: Hardware name: LENOVO 20287/AILZAZBZC, BIOS 8DCN26WW 09/23/2013
Jul 19 16:43:29 lenovo kernel: RIP: 0010:xhci_queue_bulk_tx+0x285/0x990 [xhci_hcd]
Jul 19 16:43:29 lenovo kernel: Code: 77 38 48 85 ed 74 33 48 89 ef eb 0a 48 85 ff 74 26 44 39 e3 72 21 44 29 e3 41 83 ee 01 74 ed e8 71 a2 1e e0 4c 63 d3 48 89 c7 <44> 8b 60 18 4c 03 50 10 >
Jul 19 16:43:29 lenovo kernel: RSP: 0018:ffffa7e6c1ce3b20 EFLAGS: 00010046
Jul 19 16:43:29 lenovo kernel: RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000410
Jul 19 16:43:29 lenovo kernel: RDX: ffff8b9112353ab0 RSI: 0000000000000010 RDI: 0000000000000000
Jul 19 16:43:29 lenovo kernel: RBP: ffff8b9113c5d570 R08: 0000000000000000 R09: 0000000000000000
Jul 19 16:43:29 lenovo kernel: R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
Jul 19 16:43:29 lenovo kernel: R13: 0000000000000410 R14: 00000000ffffffff R15: 0000000000000001
Jul 19 16:43:29 lenovo kernel: FS:  0000000000000000(0000) GS:ffff8b91572c0000(0000) knlGS:0000000000000000
Jul 19 16:43:29 lenovo kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 19 16:43:29 lenovo kernel: CR2: 0000000000000018 CR3: 0000000053a0a002 CR4: 00000000001606e0
Jul 19 16:43:29 lenovo kernel: Call Trace:
Jul 19 16:43:29 lenovo kernel:  ? __switch_to_asm+0x41/0x70
Jul 19 16:43:29 lenovo kernel:  ? finish_task_switch+0x84/0x2d0
Jul 19 16:43:29 lenovo kernel:  ? __switch_to+0x87/0x460
Jul 19 16:43:29 lenovo kernel:  xhci_urb_enqueue+0x334/0x5b0 [xhci_hcd]
Jul 19 16:43:29 lenovo kernel:  usb_hcd_submit_urb+0xc7/0xbb0
Jul 19 16:43:29 lenovo kernel:  ? __kmalloc+0x189/0x220
Jul 19 16:43:29 lenovo kernel:  ? usb_alloc_urb+0x3e/0x60
Jul 19 16:43:29 lenovo kernel:  usb_sg_wait+0x7b/0x150
Jul 19 16:43:29 lenovo kernel:  usb_stor_bulk_transfer_sglist.part.0+0x71/0xd0 [usb_storage]
Jul 19 16:43:29 lenovo kernel:  usb_stor_bulk_srb+0x60/0x90 [usb_storage]
Jul 19 16:43:29 lenovo kernel:  usb_stor_Bulk_transport+0x179/0x3f0 [usb_storage]
Jul 19 16:43:29 lenovo kernel:  usb_stor_invoke_transport+0x63/0x520 [usb_storage]
Jul 19 16:43:29 lenovo kernel:  usb_stor_control_thread+0x233/0x300 [usb_storage]
Jul 19 16:43:29 lenovo kernel:  kthread+0xfd/0x130
Jul 19 16:43:29 lenovo kernel:  ? fill_inquiry_response+0x40/0x40 [usb_storage]
Jul 19 16:43:29 lenovo kernel:  ? kthread_park+0x90/0x90
Jul 19 16:43:29 lenovo kernel:  ret_from_fork+0x35/0x40
Jul 19 16:43:29 lenovo kernel: Modules linked in: hid_generic uas usbhid usb_storage hid rfcomm fuse xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mang>


'''
Comment 1 Greg Kroah-Hartman 2019-07-22 05:16:19 UTC 
On Sun, Jul 21, 2019 at 09:53:50PM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=204257
> 
>             Bug ID: 204257
>            Summary: kernel NULL pointer dereference
>            Product: Drivers
>            Version: 2.5
>     Kernel Version: 5.2 / 5.2.1 / +

All USB bugs should be sent to the linux-usb@vger.kernel.org mailing
list, and not entered into bugzilla.  Please bring this issue up there,
if it is still a problem in the latest kernel release.
Comment 2 Maik Stohn 2019-08-01 12:29:06 UTC 
The cause of this regression was found and a patch is available / included since 5.2.5 kernel:

commit ddc2ea0c281bfa75dfedeba1a336ce449a7b9480
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Thu Jul 25 11:54:21 2019 +0300

    xhci: Fix crash if scatter gather is used with Immediate Data Transfer (IDT).
    
    commit d39b5bad8658d6d94cb2d98a44a7e159db4f5030 upstream.
    
    A second regression was found in the immediate data transfer (IDT)
    support which was added to 5.2 kernel
    
    IDT is used to transfer small amounts of data (up to 8 bytes) in the
    field normally used for data dma address, thus avoiding dma mapping.
    
    If the data was not already dma mapped, then IDT support assumed data was
    in urb->transfer_buffer, and did not take into accound that even
    small amounts of data (8 bytes) can be in a scatterlist instead.
    
    This caused a NULL pointer dereference when sg_dma_len() was used
    with non-dma mapped data.
    
    Solve this by not using IDT if scatter gather buffer list is used.
    
    Fixes: 33e39350ebd2 ("usb: xhci: add Immediate Data Transfer support")
    Cc: <stable@vger.kernel.org> # v5.2
    Reported-by: Maik Stohn <maik.stohn@seal-one.com>
    Tested-by: Maik Stohn <maik.stohn@seal-one.com>
    CC: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/1564044861-1445-1-git-send-email-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>