From c2cbb3cc246828bc2a4465110966e4ff2cf2fef3 Mon Sep 17 00:00:00 2001
From: Howard Yen
Date: Fri, 23 Jul 2021 18:56:32 +0800
Subject: [PATCH] ANDROID: usb: host: fix slab-out-of-bounds in xhci_vendor_get_ops

slab-out-of-bounds happens if the xhci platform drivers don't define the extra_priv_size in their xhci_driver_overrides structure. Move xhci_vendor_ops structure to xhci main structure to avoid extra_priv_size affacts xhci_vendor_get_ops which causes the slab-out-of-bounds error.

Fixes: 90ab8e7f988d ("ANDROID: usb: host: add xhci hooks for USB offload")
Bug: 293869685
Bug: 194461020
Test: build and boot pass
Change-Id: Id17fdfbfd3e8edcc89a05c9c2f553ffab494215e
Signed-off-by: Howard Yen
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 34f6c9c3088b13884567429e3c2ceb08d2235b5b)
(cherry picked from commit 00666b8e3e6ed6ba82fd23d8c83390c30f426469)
---
 drivers/usb/host/xhci-plat.c | 8 +++-----
 drivers/usb/host/xhci-plat.h | 1 -
 drivers/usb/host/xhci.c      | 3 +--
 drivers/usb/host/xhci.h      | 4 +++-
 4 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
index 42909318609c..3829e1be0383 100644
--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -188,11 +188,10 @@ EXPORT_SYMBOL_GPL(xhci_plat_register_vendor_ops);
 
 static int xhci_vendor_init(struct xhci_hcd *xhci)
 {
-	struct xhci_vendor_ops *ops = xhci_vendor_get_ops(xhci);
-	struct xhci_plat_priv *priv = xhci_to_priv(xhci);
+	struct xhci_vendor_ops *ops = NULL;
 
 	if (xhci_plat_vendor_overwrite.vendor_ops)
-		ops = priv->vendor_ops = xhci_plat_vendor_overwrite.vendor_ops;
+		ops = xhci->vendor_ops = xhci_plat_vendor_overwrite.vendor_ops;
 
 	if (ops && ops->vendor_init)
 		return ops->vendor_init(xhci);
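Review bot: When `ops->vendor_init(xhci)` returns non-zero, `xhci->vendor_ops` keeps the pointer assigned two lines earlier, so every later `xhci_vendor_get_ops()` caller (including `xhci_vendor_cleanup()` in the next hunk) will invoke hooks on a vendor that never finished initialising; clearing the field on failure avoids that, assuming the probe path treats a non-zero return as fatal, which is not visible here. The removed `xhci_to_priv()` read was the out-of-bounds access the commit message describes (priv is only valid when the platform driver reserved extra_priv_size), and seeding `ops` with NULL instead of the stored value is correct only while `xhci_plat_register_vendor_ops()` is the sole writer of the overwrite — a one-line comment such as `/* vendor_ops is sourced only from the registered overwrite, never from priv */` would pin that contract down. The end of xhci_vendor_init's body lies outside the hunk.
```c
	/* … unchanged: overwrite lookup … */
	if (ops && ops->vendor_init) {
		int ret = ops->vendor_init(xhci);

		/* do not leave a half-initialised vendor reachable via xhci_vendor_get_ops() */
		if (ret)
			xhci->vendor_ops = NULL;
		return ret;
	}
```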
@@ -202,12 +201,11 @@ static int xhci_vendor_init(struct xhci_hcd *xhci)
 static void xhci_vendor_cleanup(struct xhci_hcd *xhci)
 {
 	struct xhci_vendor_ops *ops = xhci_vendor_get_ops(xhci);
-	struct xhci_plat_priv *priv = xhci_to_priv(xhci);
 
 	if (ops && ops->vendor_cleanup)
 		ops->vendor_cleanup(xhci);
 
-	priv->vendor_ops = NULL;
+	xhci->vendor_ops = NULL;
 }
 
 static int xhci_plat_probe(struct platform_device *pdev)
diff --git a/drivers/usb/host/xhci-plat.h b/drivers/usb/host/xhci-plat.h
index 5b096f72636f..e726a572321d 100644
--- a/drivers/usb/host/xhci-plat.h
+++ b/drivers/usb/host/xhci-plat.h
@@ -13,7 +13,6 @@
 struct xhci_plat_priv {
 	const char *firmware_name;
 	unsigned long long quirks;
-	struct xhci_vendor_ops *vendor_ops;
 	struct xhci_vendor_data *vendor_data;
 	int (*plat_setup)(struct usb_hcd *);
 	void (*plat_start)(struct usb_hcd *);
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 9304e0d42982..be041bd65b19 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -25,7 +25,6 @@
 #include "xhci-trace.h"
 #include "xhci-debugfs.h"
 #include "xhci-dbgcap.h"
-#include "xhci-plat.h"
 
 #define DRIVER_AUTHOR "Sarah Sharp"
 #define DRIVER_DESC "'eXtensible' Host Controller (xHC) Driver"
@@ -4517,7 +4516,7 @@ static int __maybe_unused xhci_change_max_exit_latency(struct xhci_hcd *xhci,
 
 struct xhci_vendor_ops *xhci_vendor_get_ops(struct xhci_hcd *xhci)
 {
-	return xhci_to_priv(xhci)->vendor_ops;
+	return xhci->vendor_ops;
 }
 EXPORT_SYMBOL_GPL(xhci_vendor_get_ops);
 
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index 5d1c57bfd0af..dd634668f5d4 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1941,7 +1941,9 @@ struct xhci_hcd {
 
 	void *dbc;
 
-	ANDROID_KABI_RESERVE(1);
+	/* Used for bug 194461020 */
+	ANDROID_KABI_USE(1, struct xhci_vendor_ops *vendor_ops);
+
 	ANDROID_KABI_RESERVE(2);
 	ANDROID_KABI_RESERVE(3);
 	ANDROID_KABI_RESERVE(4);
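Review bot: The member comment added in the xhci.h hunk, `/* Used for bug 194461020 */`, records a tracker id but says nothing about what the field holds or who owns it; a line such as `/* USB-offload vendor hooks: set by xhci-plat's xhci_vendor_init() from the registered overwrite, cleared by xhci_vendor_cleanup(), otherwise NULL (bug 194461020) */` gives the next reader the lifetime without a bug lookup. The "otherwise NULL" part relies on struct xhci_hcd being zero-allocated, which is not visible in this patch and is worth confirming. The exported accessor in the xhci.c hunk, `xhci_vendor_get_ops()`, deserves a matching kerneldoc line stating that it is now valid for any xhci_hcd rather than only platform-backed ones whose driver reserved extra_priv_size — that restriction was exactly the out-of-bounds case this commit removes. Both struct xhci_hcd and the surrounding xhci.h declarations extend outside the hunk.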