shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-06 10:58:48 +09:00
Code Issues Packages Projects Releases Wiki Activity

ANDROID: usb: host: fix slab-out-of-bounds in xhci_vendor_get_ops

Browse Source 
slab-out-of-bounds happens if the xhci platform drivers don't define
the extra_priv_size in their xhci_driver_overrides structure. Move
xhci_vendor_ops structure to xhci main structure to avoid
extra_priv_size affacts xhci_vendor_get_ops which causes the
slab-out-of-bounds error.

Fixes: 90ab8e7f98 ("ANDROID: usb: host: add xhci hooks for USB offload")
Bug: 293869685
Bug: 194461020
Test: build and boot pass
Change-Id: Id17fdfbfd3e8edcc89a05c9c2f553ffab494215e
Signed-off-by: Howard Yen <howardyen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
(cherry picked from commit 34f6c9c308)
(cherry picked from commit 00666b8e3e)
This commit is contained in:
Howard Yen
2021-07-23 18:56:32 +08:00
committed by Treehugger Robot
parent 64787ee451
commit c2cbb3cc24
4 changed files with 7 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/usb/host/xhci-plat.c
View File

@@ -188,11 +188,10 @@ EXPORT_SYMBOL_GPL(xhci_plat_register_vendor_ops);
static int xhci_vendor_init(struct xhci_hcd *xhci) static int xhci_vendor_init(struct xhci_hcd *xhci)
{ {
struct xhci_vendor_ops *ops = xhci_vendor_get_ops(xhci); struct xhci_vendor_ops *ops = NULL;
struct xhci_plat_priv *priv = xhci_to_priv(xhci);
if (xhci_plat_vendor_overwrite.vendor_ops) if (xhci_plat_vendor_overwrite.vendor_ops)
ops = priv->vendor_ops = xhci_plat_vendor_overwrite.vendor_ops; ops = xhci->vendor_ops = xhci_plat_vendor_overwrite.vendor_ops;
if (ops && ops->vendor_init) if (ops && ops->vendor_init)
return ops->vendor_init(xhci); return ops->vendor_init(xhci);
@@ -202,12 +201,11 @@ static int xhci_vendor_init(struct xhci_hcd *xhci)
static void xhci_vendor_cleanup(struct xhci_hcd *xhci) static void xhci_vendor_cleanup(struct xhci_hcd *xhci)
{ {
struct xhci_vendor_ops *ops = xhci_vendor_get_ops(xhci); struct xhci_vendor_ops *ops = xhci_vendor_get_ops(xhci);
struct xhci_plat_priv *priv = xhci_to_priv(xhci);
if (ops && ops->vendor_cleanup) if (ops && ops->vendor_cleanup)
ops->vendor_cleanup(xhci); ops->vendor_cleanup(xhci);
priv->vendor_ops = NULL; xhci->vendor_ops = NULL;
} }
static int xhci_plat_probe(struct platform_device *pdev) static int xhci_plat_probe(struct platform_device *pdev)

1
drivers/usb/host/xhci-plat.h
View File

@@ -13,7 +13,6 @@
struct xhci_plat_priv { struct xhci_plat_priv {
const char *firmware_name; const char *firmware_name;
unsigned long long quirks; unsigned long long quirks;
struct xhci_vendor_ops *vendor_ops;
struct xhci_vendor_data *vendor_data; struct xhci_vendor_data *vendor_data;
int (*plat_setup)(struct usb_hcd *); int (*plat_setup)(struct usb_hcd *);
void (*plat_start)(struct usb_hcd *); void (*plat_start)(struct usb_hcd *);

3
drivers/usb/host/xhci.c
View File

@@ -25,7 +25,6 @@
#include "xhci-trace.h" #include "xhci-trace.h"
#include "xhci-debugfs.h" #include "xhci-debugfs.h"
#include "xhci-dbgcap.h" #include "xhci-dbgcap.h"
#include "xhci-plat.h"
#define DRIVER_AUTHOR "Sarah Sharp" #define DRIVER_AUTHOR "Sarah Sharp"
#define DRIVER_DESC "'eXtensible' Host Controller (xHC) Driver" #define DRIVER_DESC "'eXtensible' Host Controller (xHC) Driver"
@@ -4517,7 +4516,7 @@ static int __maybe_unused xhci_change_max_exit_latency(struct xhci_hcd *xhci,
struct xhci_vendor_ops *xhci_vendor_get_ops(struct xhci_hcd *xhci) struct xhci_vendor_ops *xhci_vendor_get_ops(struct xhci_hcd *xhci)
{ {
return xhci_to_priv(xhci)->vendor_ops; return xhci->vendor_ops;
} }
EXPORT_SYMBOL_GPL(xhci_vendor_get_ops); EXPORT_SYMBOL_GPL(xhci_vendor_get_ops);

4
drivers/usb/host/xhci.h
View File

@@ -1941,7 +1941,9 @@ struct xhci_hcd {
void *dbc; void *dbc;
ANDROID_KABI_RESERVE(1); /* Used for bug 194461020 */
ANDROID_KABI_USE(1, struct xhci_vendor_ops *vendor_ops);
ANDROID_KABI_RESERVE(2); ANDROID_KABI_RESERVE(2);
ANDROID_KABI_RESERVE(3); ANDROID_KABI_RESERVE(3);
ANDROID_KABI_RESERVE(4); ANDROID_KABI_RESERVE(4);