ANDROID: usb: host: fix slab-out-of-bounds in xhci_vendor_get_ops
slab-out-of-bounds happens if the xhci platform drivers don't define
the extra_priv_size in their xhci_driver_overrides structure. Move
xhci_vendor_ops structure to xhci main structure to avoid
extra_priv_size affacts xhci_vendor_get_ops which causes the
slab-out-of-bounds error.
Bug: 194461020
Test: build and boot pass
Change-Id: Id17fdfbfd3e8edcc89a05c9c2f553ffab494215e
Signed-off-by: Howard Yen <howardyen@google.com>
diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
index ea5e34b..21280a6 100644
--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -199,11 +199,10 @@
static int xhci_vendor_init(struct xhci_hcd *xhci)
{
- struct xhci_vendor_ops *ops = xhci_vendor_get_ops(xhci);
- struct xhci_plat_priv *priv = xhci_to_priv(xhci);
+ struct xhci_vendor_ops *ops = NULL;
if (xhci_plat_vendor_overwrite.vendor_ops)
- ops = priv->vendor_ops = xhci_plat_vendor_overwrite.vendor_ops;
+ ops = xhci->vendor_ops = xhci_plat_vendor_overwrite.vendor_ops;
if (ops && ops->vendor_init)
return ops->vendor_init(xhci);
@@ -213,12 +212,11 @@
static void xhci_vendor_cleanup(struct xhci_hcd *xhci)
{
struct xhci_vendor_ops *ops = xhci_vendor_get_ops(xhci);
- struct xhci_plat_priv *priv = xhci_to_priv(xhci);
if (ops && ops->vendor_cleanup)
ops->vendor_cleanup(xhci);
- priv->vendor_ops = NULL;
+ xhci->vendor_ops = NULL;
}
static int xhci_plat_probe(struct platform_device *pdev)
diff --git a/drivers/usb/host/xhci-plat.h b/drivers/usb/host/xhci-plat.h
index 5b096f7..e726a57 100644
--- a/drivers/usb/host/xhci-plat.h
+++ b/drivers/usb/host/xhci-plat.h
@@ -13,7 +13,6 @@
struct xhci_plat_priv {
const char *firmware_name;
unsigned long long quirks;
- struct xhci_vendor_ops *vendor_ops;
struct xhci_vendor_data *vendor_data;
int (*plat_setup)(struct usb_hcd *);
void (*plat_start)(struct usb_hcd *);
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index dabc8a8..cd2d7ca 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -22,7 +22,6 @@
#include "xhci-trace.h"
#include "xhci-debugfs.h"
#include "xhci-dbgcap.h"
-#include "xhci-plat.h"
#define DRIVER_AUTHOR "Sarah Sharp"
#define DRIVER_DESC "'eXtensible' Host Controller (xHC) Driver"
@@ -4317,7 +4316,7 @@
struct xhci_vendor_ops *xhci_vendor_get_ops(struct xhci_hcd *xhci)
{
- return xhci_to_priv(xhci)->vendor_ops;
+ return xhci->vendor_ops;
}
EXPORT_SYMBOL_GPL(xhci_vendor_get_ops);
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index 64a658a..73b942a 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1928,6 +1928,8 @@
void *dbc;
+ struct xhci_vendor_ops *vendor_ops;
+
ANDROID_KABI_RESERVE(1);
ANDROID_KABI_RESERVE(2);
ANDROID_KABI_RESERVE(3);
