github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-09 07:03:37 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
e0daafbbf3
linux/drivers
History
Hans de Goede e0daafbbf3 usb: Do not allow usb_alloc_streams on unconfigured devices 
commit 90a646c770 upstream.

This commit fixes the following oops:

[10238.622067] scsi host3: uas_eh_bus_reset_handler start
[10240.766164] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
[10245.779365] usb 3-4: device descriptor read/8, error -110
[10245.883331] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
[10250.897603] usb 3-4: device descriptor read/8, error -110
[10251.058200] BUG: unable to handle kernel NULL pointer dereference at  0000000000000040
[10251.058244] IP: [<ffffffff815ac6e1>] xhci_check_streams_endpoint+0x91/0x140
<snip>
[10251.059473] Call Trace:
[10251.059487]  [<ffffffff815aca6c>] xhci_calculate_streams_and_bitmask+0xbc/0x130
[10251.059520]  [<ffffffff815aeb5f>] xhci_alloc_streams+0x10f/0x5a0
[10251.059548]  [<ffffffff810a4685>] ? check_preempt_curr+0x75/0xa0
[10251.059575]  [<ffffffff810a46dc>] ? ttwu_do_wakeup+0x2c/0x100
[10251.059601]  [<ffffffff810a49e6>] ? ttwu_do_activate.constprop.111+0x66/0x70
[10251.059635]  [<ffffffff815779ab>] usb_alloc_streams+0xab/0xf0
[10251.059662]  [<ffffffffc0616b48>] uas_configure_endpoints+0x128/0x150 [uas]
[10251.059694]  [<ffffffffc0616bac>] uas_post_reset+0x3c/0xb0 [uas]
[10251.059722]  [<ffffffff815727d9>] usb_reset_device+0x1b9/0x2a0
[10251.059749]  [<ffffffffc0616f42>] uas_eh_bus_reset_handler+0xb2/0x190 [uas]
[10251.059781]  [<ffffffff81514293>] scsi_try_bus_reset+0x53/0x110
[10251.059808]  [<ffffffff815163b7>] scsi_eh_bus_reset+0xf7/0x270
<snip>

The problem is the following call sequence (simplified):

1) usb_reset_device
2)  usb_reset_and_verify_device
2)   hub_port_init
3)    hub_port_finish_reset
3)     xhci_discover_or_reset_device
        This frees xhci->devs[slot_id]->eps[ep_index].ring for all eps but 0
4)    usb_get_device_descriptor
       This fails
5)   hub_port_init fails
6)  usb_reset_and_verify_device fails, does not restore device config
7)  uas_post_reset
8)   xhci_alloc_streams
      NULL deref on the free-ed ring

This commit fixes this by not allowing usb_alloc_streams to continue if
the device is not configured.

Note that we do allow usb_free_streams to continue after a (logical)
disconnect, as it is necessary to explicitly free the streams at the xhci
controller level.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-11-14 08:47:59 -08:00
..
accessibility
acpi ACPICA: Update to GPIO region handler interface. 2014-10-05 14:54:11 -07:00
amba
ata libata-sff: Fix controllers with no ctl port 2014-11-14 08:47:53 -08:00
atm atm: idt77252: fix dev refcnt leak 2013-12-08 07:29:25 -08:00
auxdisplay
base firmware_class: make sure fw requests contain a name 2014-10-30 09:35:10 -07:00
bcma
block drbd: compute the end before rb_insert_augmented() 2014-11-14 08:47:55 -08:00
bluetooth Bluetooth: Fix issue with USB suspend in btusb driver 2014-10-30 09:35:12 -07:00
bus bus: mvebu-mbus: allow several windows with the same target/attribute 2014-06-07 13:25:37 -07:00
cdrom drivers/cdrom/cdrom.c: use kzalloc() for failing hardware 2013-07-13 11:42:26 -07:00
char random: add and use memzero_explicit() for clearing data 2014-11-14 08:47:55 -08:00
clk clk: spear3xx: Use proper control register offset 2014-07-17 15:58:02 -07:00
clocksource clocksource: Exynos_mct: Register clock event after request_irq() 2014-06-07 13:25:29 -07:00
connector net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:12:37 -04:00
cpufreq cpufreq: intel_pstate: Fix setting max_perf_pct in performance policy 2014-11-14 08:47:58 -08:00
cpuidle cpuidle: Check the result of cpuidle_get_driver() against NULL 2014-04-14 06:42:15 -07:00
crypto crypto: ux500 - make interrupt mode plausible 2014-09-05 16:28:35 -07:00
dca
devfreq
dio
dma ioat: fix tasklet tear down 2014-03-06 21:30:14 -08:00
edac i7300_edac: Fix device reference count 2014-03-06 21:30:13 -08:00
eisa Revert "EISA: Initialize device before its resources" 2014-02-13 13:47:59 -08:00
extcon extcon: max77693: Fix two NULL pointer exceptions on missing pdata 2014-07-06 18:54:15 -07:00
firewire firewire: ohci: fix probe failure with Agere/LSI controllers 2014-05-30 21:52:11 -07:00
firmware firmware: Do not use WARN_ON(!spin_is_locked()) 2014-09-17 09:03:57 -07:00
gpio gpio: mxs: Allow for recursive enable_irq_wake() call 2014-05-13 13:59:45 +02:00
gpu drm/nouveau/bios: memset dcb struct to zero before parsing 2014-11-14 08:47:56 -08:00
hid HID: logitech-dj: prevent false errors to be shown 2014-10-05 14:54:08 -07:00
hsi
hv Drivers: hv: vmbus: Fix a bug in vmbus_open() 2014-10-30 09:35:11 -07:00
hwmon hwmon: (dme1737) Prevent overflow problem when writing large limits 2014-09-05 16:28:35 -07:00
hwspinlock
i2c i2c: at91: Fix a race condition during signal handling in at91_do_twi_xfer. 2014-10-05 14:54:07 -07:00
ide
idle x86 idle: Repair large-server 50-watt idle-power regression 2014-01-09 12:24:21 -08:00
iio iio:inkern: fix overwritten -EPROBE_DEFER in of_iio_channel_get_by_name 2014-10-05 14:54:12 -07:00
infiniband Target/iser: Don't put isert_conn inside disconnected handler 2014-10-05 14:54:12 -07:00
input Input: i8042 - quirks for Fujitsu Lifebook A544 and Lifebook AH544 2014-11-14 08:47:56 -08:00
iommu iommu/amd: Fix cleanup_domain for mass device removal 2014-09-17 09:03:57 -07:00
ipack
irqchip irqchip: gic: Fix core ID calculation when topology is read from DT 2014-07-28 08:00:06 -07:00
isdn isdnloop: several buffer overflows 2014-04-14 06:42:18 -07:00
leds leds: leds-pwm: properly clean up after probe failure 2014-06-07 13:25:34 -07:00
lguest x86, flags: Rename X86_EFLAGS_BIT1 to X86_EFLAGS_FIXED 2014-11-14 08:47:54 -08:00
macintosh powerpc/windfarm: Fix noisy slots-fan on Xserve (rm31) 2013-08-11 18:35:20 -07:00
mailbox
md dm log userspace: fix memory leak in dm_ulog_tfr_init failure path 2014-11-14 08:47:55 -08:00
media media: tda7432: Fix setting TDA7432_MUTE bit for TDA7432_RF register 2014-11-14 08:47:56 -08:00
memory
memstick
message mptfusion: enable no_write_same for vmware scsi disks 2014-10-30 09:35:10 -07:00
mfd mfd: rtsx_pcr: Fix MSI enable error handling 2014-11-14 08:47:55 -08:00
misc mei: nfc: fix memory leak in error path 2014-09-05 16:28:36 -07:00
mmc mmc: rtsx_pci_sdmmc: fix incorrect last byte in R2 response 2014-11-14 08:47:53 -08:00
mtd UBI: add missing kmem_cache_free() in process_pool_aeb error path 2014-11-14 08:47:55 -08:00
net wireless: rt2x00: add new rt2800usb device 2014-11-14 08:47:59 -08:00
nfc NFC: microread: Potential overflows in microread_target_discovered() 2014-10-05 14:54:12 -07:00
ntb NTB: Correct debugfs to work with more than 1 NTB Device 2013-11-13 12:05:35 +09:00
nubus
of of: fix PCI bus match for PCIe slots 2014-02-22 12:41:27 -08:00
oprofile
parisc parisc: Fix interrupt routing for C8000 serial ports 2013-08-11 18:35:21 -07:00
parport parport: parport_pc: remove double PCI ID for NetMos 2014-02-06 11:08:15 -08:00
pci PCI: Generate uppercase hex for modalias interface class 2014-10-30 09:35:12 -07:00
pcmcia pcmcia: at91_cf: fix gpio_get_value in at91_cf_get_status 2013-07-21 18:21:25 -07:00
pinctrl pinctrl: protect pinctrl_list add 2014-02-20 11:06:11 -08:00
platform hp_accel: Add a new PnP ID HPQ6007 for new HP laptops 2014-02-06 11:08:16 -08:00
pnp PNP / ACPI: proper handling of ACPI IO/Memory resource parsing failures 2014-03-23 21:38:22 -07:00
power power: max17040: Fix NULL pointer dereference when there is no platform_data 2014-02-22 12:41:29 -08:00
pps
ps3
ptp
pwm
rapidio rapidio/tsi721_dma: fix failure to obtain transaction descriptor 2014-08-07 14:30:25 -07:00
regulator regulator: arizona-ldo1: remove bypass functionality 2014-09-17 09:03:57 -07:00
remoteproc
reset
rpmsg
rtc rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq 2014-06-26 15:12:37 -04:00
s390 s390/chsc: fix SEI usage on old FW levels 2014-05-13 13:59:42 +02:00
sbus bbc-i2c: Fix BBC I2C envctrl on SunBlade 2000 2014-08-14 09:24:16 +08:00
scsi qla_target: don't delete changed nacls 2014-11-14 08:47:57 -08:00
sfi
sh
sn
spi spi: pxa2xx: toggle clocks on suspend if not disabled by runtime PM 2014-11-14 08:47:59 -08:00
ssb
ssbi
staging staging:iio:ade7758: Remove "raw" from channel name 2014-11-14 08:47:58 -08:00
target target: Fix APTPL metadata handling for dynamic MappedLUNs 2014-11-14 08:47:57 -08:00
tc
thermal
tty serial: Fix divide-by-zero fault in uart_get_divisor() 2014-11-14 08:47:58 -08:00
uio Fix a few incorrectly checked [io_]remap_pfn_range() calls 2013-11-13 12:05:33 +09:00
usb usb: Do not allow usb_alloc_streams on unconfigured devices 2014-11-14 08:47:59 -08:00
uwb
vfio mm: close PageTail race 2014-04-03 12:01:05 -07:00
vhost vhost: validate vhost_get_vq_desc return value 2014-04-14 06:42:18 -07:00
video framebuffer: fix border color 2014-11-14 08:47:56 -08:00
virt
virtio virtio_pci: fix virtio spec compliance on restore 2014-11-14 08:47:55 -08:00
vlynq
vme VME: Correct read/write alignment algorithm 2014-02-22 12:41:28 -08:00
w1 w1: fix w1_send_slave dropping a slave id 2014-05-06 07:55:28 -07:00
watchdog watchdog: ath79_wdt: avoid spurious restarts on AR934x 2014-07-06 18:54:14 -07:00
xen xen/gnttab: leave lazy MMU mode in the case of a m2p override failure 2013-12-11 22:36:27 -08:00
zorro
Kconfig
Makefile