linux/drivers
Sarah Sharp 203a86613f xhci: Avoid NULL pointer deref when host dies.
When the host controller fails to respond to an Enable Slot command, and
the host fails to respond to the register write to abort the command
ring, the xHCI driver will assume the host is dead, and call
usb_hc_died().

The USB device's slot_id is still set to zero, and the pointer stored at
xhci->devs[0] will always be NULL.  The call to xhci_check_args in
xhci_free_dev should have caught the NULL virt_dev pointer.

However, xhci_free_dev is designed to free the xhci_virt_device
structures, even if the host is dead, so that we don't leak kernel
memory.  xhci_free_dev checks the return value from the generic
xhci_check_args function.  If the return value is -ENODEV, it carries on
trying to free the virtual device.

The issue is that xhci_check_args looks at the host controller state
before it looks at the xhci_virt_device pointer.  It will return -ENIVAL
because the host is dead, and xhci_free_dev will ignore the return
value, and happily dereference the NULL xhci_virt_device pointer.

The fix is to make sure that xhci_check_args checks the xhci_virt_device
pointer before it checks the host state.

See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1203453 for
further details.  This patch doesn't solve the underlying issue, but
will ensure we don't see any more NULL pointer dereferences because of
the issue.

This patch should be backported to kernels as old as 3.1, that
contain the commit 7bd89b4017 "xhci: Don't
submit commands or URBs to halted hosts."

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Reported-by: Vincent Thiele <vincentthiele@gmail.com>
Cc: stable@vger.kernel.org
2013-07-25 08:09:23 -07:00
..
accessibility
acpi More power management and ACPI updates for 3.11-rc1 2013-07-11 12:28:17 -07:00
amba
ata Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
atm
auxdisplay
base Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media 2013-07-13 12:09:57 -07:00
bcma bcma: add support for BCM43142 2013-06-27 13:42:16 -04:00
block Merge branch 'next' of git://git.monstr.eu/linux-2.6-microblaze 2013-07-10 10:16:07 -07:00
bluetooth Bluetooth: Add missing reset_resume dev_pm_ops 2013-06-23 00:23:53 +01:00
bus ARM SoC device tree changes 2013-07-02 14:23:01 -07:00
cdrom drivers/cdrom/cdrom.c: use kzalloc() for failing hardware 2013-07-03 16:07:25 -07:00
char Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
clk Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
clocksource Merge branch 'timers/clockevents' of git://git.linaro.org/people/dlezcano/clockevents into timers/urgent 2013-07-12 17:10:30 +02:00
connector
cpufreq More power management and ACPI updates for 3.11-rc1 2013-07-11 12:28:17 -07:00
cpuidle Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
crypto crypto: talitos: use sg_pcopy_to_buffer() 2013-07-09 10:33:30 -07:00
dca
devfreq Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
dio
dma drivers/dma/iop-adma.c: fix new warnings 2013-07-09 10:33:19 -07:00
edac Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
eisa
extcon drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
firewire
firmware Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2013-07-04 10:29:23 -07:00
fmc FMC: fix error handling in probe() function 2013-06-24 16:23:25 -07:00
gpio Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
gpu drm: avoid warning in drm_load_edid_firmware() 2013-07-10 14:21:46 -07:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2013-07-04 15:35:08 -07:00
hsi drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
hv drivers: hv: allocate synic structures before hv_synic_init() 2013-06-24 16:24:17 -07:00
hwmon hwmon: (lm63) Drop redundant safety on cache lifetime 2013-07-08 14:18:24 +02:00
hwspinlock
i2c Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide 2013-07-10 18:15:41 -07:00
idle
iio For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00
infiniband Main batch of InfiniBand/RDMA changes for 3.11 merge window: 2013-07-13 12:57:21 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2013-07-13 18:05:13 -07:00
iommu IOMMU Updates for Linux 3.11 2013-07-10 14:46:40 -07:00
ipack
irqchip Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-07-13 15:37:30 -07:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
leds leds: mc13783: Fix "uninitialized variable" warning 2013-07-02 08:44:02 -07:00
lguest Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-07-04 11:40:58 -07:00
macintosh macintosh/windfarm: Remove obsolete cleanup for clientdata 2013-07-01 11:46:56 +10:00
mailbox
md Add a device-mapper target called dm-switch to provide a multipath 2013-07-11 13:05:40 -07:00
media Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media 2013-07-13 12:09:57 -07:00
memory
memstick drivers/memstick/host/r592.c: convert to module_pci_driver 2013-07-03 16:08:06 -07:00
message drivers: avoid format strings in names passed to alloc_workqueue() 2013-07-03 16:07:41 -07:00
mfd For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00
misc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-07-04 11:40:58 -07:00
mmc MMC highlights for 3.11: 2013-07-10 11:16:00 -07:00
mtd A couple of fixes and clean-ups, allow for assigning user-defined 2013-07-05 12:09:48 -07:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-07-13 17:42:22 -07:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
ntb
nubus
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
oprofile
parisc parisc: fix LMMIO mismatch between PAT length and MASK register 2013-07-09 22:09:16 +02:00
parport Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
pci Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
pcmcia Driver core patches for 3.11-rc1 2013-07-02 11:44:19 -07:00
pinctrl Pin control changes for the v3.11 kernel cycle: 2013-07-03 11:48:03 -07:00
platform x86 platform drivers: fix gpio leak 2013-07-10 15:42:51 -04:00
pnp Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
power Nothing exciting this time, just assorted fixes and cleanups. 2013-07-10 11:13:00 -07:00
pps pps-gpio: add device-tree binding and support 2013-07-03 16:08:06 -07:00
ps3
ptp build some drivers only when compile-testing 2013-06-24 16:41:32 -07:00
pwm pwm: pwm-tiehrpwm: Use clk_enable/disable instead clk_prepare/unprepare. 2013-06-26 23:23:54 +02:00
rapidio Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
regulator For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00
remoteproc Trivial remoteproc fixes by Suman Anna, Wei Yongjun and Thomas Meyer. 2013-07-11 12:35:09 -07:00
reset
rpmsg
rtc For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
sbus
scsi SCSI for-linus on 20130713 2013-07-13 17:41:21 -07:00
sfi
sh Merge branch 'pm-assorted' 2013-06-28 13:01:40 +02:00
sn
spi Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
ssb Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
staging Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2013-07-11 12:57:19 -07:00
tc
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2013-07-11 12:26:08 -07:00
tty Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
uio uio: use vma_pages() to replace (vm_end - vm_start) >> PAGE_SHIFT 2013-07-03 16:07:26 -07:00
usb xhci: Avoid NULL pointer deref when host dies. 2013-07-25 08:09:23 -07:00
uwb drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
vfio vfio Updates for v3.11 2013-07-10 14:50:08 -07:00
vhost Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2013-07-11 12:57:19 -07:00
video Linux 3.11-rc1 2013-07-14 15:18:27 -07:00
virt
virtio No real surprises. 2013-07-10 14:50:58 -07:00
vlynq
vme vme: vme_tsi148.c: fix error return code in tsi148_probe() 2013-06-24 16:23:25 -07:00
w1 drivers/w1/slaves/w1_ds2408.c: add magic sequence to disable P0 test mode 2013-07-03 16:08:06 -07:00
watchdog Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
xen Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-07-06 14:09:38 -07:00
zorro zorro: switch to fixed_size_llseek() 2013-06-29 12:57:28 +04:00
Kconfig For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00
Makefile For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00