github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-09 15:12:59 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
0660fe75b2
linux/drivers/usb/core
History
Alan Stern 356c1be692 USB: fix race between hub_disconnect and recursively_mark_NOTATTACHED 
commit 543d7784b0 upstream.

There is a race in the hub driver between hub_disconnect() and
recursively_mark_NOTATTACHED().  This race can be triggered if the
driver is unbound from a device at the same time as the bus's root hub
is removed.  When the race occurs, it can cause an oops:

BUG: unable to handle kernel NULL pointer dereference at 0000015c
IP: [<c16d5fb0>] recursively_mark_NOTATTACHED+0x20/0x60
Call Trace:
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d6082>] usb_set_device_state+0x92/0x120
 [<c16d862b>] usb_disconnect+0x2b/0x1a0
 [<c16dd4c0>] usb_remove_hcd+0xb0/0x160
 [<c19ca846>] ? _raw_spin_unlock_irqrestore+0x26/0x50
 [<c1704efc>] ehci_mid_remove+0x1c/0x30
 [<c1704f26>] ehci_mid_stop_host+0x16/0x30
 [<c16f7698>] penwell_otg_work+0xd28/0x3520
 [<c19c945b>] ? __schedule+0x39b/0x7f0
 [<c19cdb9d>] ? sub_preempt_count+0x3d/0x50
 [<c125e97d>] process_one_work+0x11d/0x3d0
 [<c19c7f4d>] ? mutex_unlock+0xd/0x10
 [<c125e0e5>] ? manage_workers.isra.24+0x1b5/0x270
 [<c125f009>] worker_thread+0xf9/0x320
 [<c19ca846>] ? _raw_spin_unlock_irqrestore+0x26/0x50
 [<c125ef10>] ? rescuer_thread+0x2b0/0x2b0
 [<c1264ac4>] kthread+0x94/0xa0
 [<c19d0f77>] ret_from_kernel_thread+0x1b/0x28
 [<c1264a30>] ? kthread_create_on_node+0xc0/0xc0

One problem is that recursively_mark_NOTATTACHED() uses the intfdata
value and hub->hdev->maxchild while hub_disconnect() is clearing them.
Another problem is that it uses hub->ports[i] while the port device is
being released.

To fix this race, we need to hold the device_state_lock while
hub_disconnect() changes the values.  (Note that usb_disconnect()
and hub_port_connect_change() already acquire this lock at similar
critical times during a USB device's life cycle.)  We also need to
remove the port devices after maxchild has been set to 0, instead of
before.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: "Du, Changbin" <changbinx.du@intel.com>
Tested-by: "Du, Changbin" <changbinx.du@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-06 11:08:13 -08:00
..
buffer.c
config.c usb: config->desc.bLength may not exceed amount of data returned by the device 2013-09-26 17:18:12 -07:00
devices.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
devio.c usb/core/devio.c: Don't reject control message to endpoint with wrong direction bit 2013-10-05 07:13:11 -07:00
driver.c USB: driver.c: processing failure, maching resume condition with suspend condition 2013-04-01 12:32:43 -07:00
endpoint.c usb/endpoint: Set release callback in the struct device_type instead of in the device itself directly 2012-08-20 14:38:08 -07:00
file.c USB: rename the usb misc class from "usb" to "usbmisc" 2012-06-13 15:37:13 -07:00
generic.c USB: avoid error messages when a device is disconnected 2013-03-28 11:05:52 -07:00
hcd-pci.c USB: improve port transitions when EHCI starts up 2013-03-28 14:45:57 -07:00
hcd.c usbcore: set lpm_capable field for LPM capable root hubs 2013-11-20 12:27:48 -08:00
hub.c USB: fix race between hub_disconnect and recursively_mark_NOTATTACHED 2014-02-06 11:08:13 -08:00
hub.h USB: global suspend and remote wakeup don't mix 2013-08-04 16:50:50 +08:00
Kconfig USB: remove remaining instances of USB_SUSPEND 2013-05-15 13:44:44 -04:00
Makefile usb: Add driver/usb/core/(port.c,hub.h) files 2013-01-18 15:49:00 -08:00
message.c usb/core: consider link speed while looking at bMaxPower 2013-01-11 16:16:01 -08:00
notify.c usb: Add export.h for EXPORT_SYMBOL/THIS_MODULE where needed 2011-10-31 19:31:25 -04:00
otg_whitelist.h
port.c usb: Don't fail port power resume on device disconnect. 2013-09-26 17:18:12 -07:00
quirks.c USB: quirks: add touchscreen that is dazzeled by remote wakeup 2013-11-13 12:05:30 +09:00
sysfs.c USB: remove CONFIG_USB_SUSPEND option 2013-03-28 11:10:22 -07:00
urb.c USB: fix urb-poison imbalance 2013-03-25 13:48:27 -07:00
usb-acpi.c usb/acpi: binding xhci root hub usb port with ACPI 2013-03-25 10:39:17 -07:00
usb.c USB patches for 3.10-rc1 2013-04-29 12:19:23 -07:00
usb.h usbcore: set lpm_capable field for LPM capable root hubs 2013-11-20 12:27:48 -08:00