[Linux-stable-mirror] [PATCH 2/2] usb: xhci: fix panic in xhci_free_virt_devices_depth_first
From: Yu Chen chenyu56@huawei.com
Check vdev->real_port 0 to avoid panic [ 9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108 [ 9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570 [ 9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8 [ 9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0 [ 9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8 [ 9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70 [ 9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108 [ 9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40 [ 9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120 [ 9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210 [ 9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0 [ 9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488 [ 9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8 [ 9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490 [ 9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0 [ 9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100 [ 9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50
The problem can occur if xhci_plat_remove() is called shortly after xhci_plat_probe(). While xhci_free_virt_devices_depth_first been called before the device has been setup and get real_port initialized. The problem occurred on Hikey960 and was reproduced by Guenter Roeck on Kevin with chromeos-4.4.
Cc: Guenter Roeck groeck@google.com Cc: stable@vger.kernel.org # v4.10+ Reviewed-by: Guenter Roeck groeck@chromium.org Tested-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Fan Ning fanning4@hisilicon.com Signed-off-by: Li Rui lirui39@hisilicon.com Signed-off-by: yangdi yangdi10@hisilicon.com Signed-off-by: Yu Chen chenyu56@huawei.com Signed-off-by: Mathias Nyman mathias.nyman@linux.intel.com --- drivers/usb/host/xhci-mem.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index e1fba46..15f7d42 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -934,6 +934,12 @@ void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_id) if (!vdev) return;
+ if (vdev->real_port == 0 || + vdev->real_port > HCS_MAX_PORTS(xhci->hcs_params1)) { + xhci_dbg(xhci, "Bad vdev->real_port.\n"); + goto out; + } + tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts); list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) { /* is this a hub device that added a tt_info to the tts list */ @@ -947,6 +953,7 @@ void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_id) } } } +out: /* we are now at a leaf device */ xhci_debugfs_remove_slot(xhci, slot_id); xhci_free_virt_device(xhci, slot_id);
On Fri, Dec 1, 2017 at 3:41 AM, Mathias Nyman mathias.nyman@linux.intel.com wrote:
From: Yu Chen chenyu56@huawei.com
Check vdev->real_port 0 to avoid panic [ 9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108 [ 9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570 [ 9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8 [ 9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0 [ 9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8 [ 9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70 [ 9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108 [ 9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40 [ 9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120 [ 9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210 [ 9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0 [ 9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488 [ 9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8 [ 9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490 [ 9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0 [ 9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100 [ 9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50
The problem can occur if xhci_plat_remove() is called shortly after xhci_plat_probe(). While xhci_free_virt_devices_depth_first been called before the device has been setup and get real_port initialized. The problem occurred on Hikey960 and was reproduced by Guenter Roeck on Kevin with chromeos-4.4.
Cc: Guenter Roeck groeck@google.com Cc: stable@vger.kernel.org # v4.10+
Fixes: ee8665e28e8d ("xhci: free xhci virtual devices with leaf nodes first")
would probably be better. That patch is in v4.4.y as well as in v4.9.y, and thus both releases are affected.
Thanks, Guenter
Reviewed-by: Guenter Roeck groeck@chromium.org Tested-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Fan Ning fanning4@hisilicon.com Signed-off-by: Li Rui lirui39@hisilicon.com Signed-off-by: yangdi yangdi10@hisilicon.com Signed-off-by: Yu Chen chenyu56@huawei.com Signed-off-by: Mathias Nyman mathias.nyman@linux.intel.com
drivers/usb/host/xhci-mem.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index e1fba46..15f7d42 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -934,6 +934,12 @@ void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_id) if (!vdev) return;
if (vdev->real_port == 0 ||vdev->real_port > HCS_MAX_PORTS(xhci->hcs_params1)) {xhci_dbg(xhci, "Bad vdev->real_port.\n");goto out;}tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts); list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) { /* is this a hub device that added a tt_info to the tts list */@@ -947,6 +953,7 @@ void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_id) } } } +out: /* we are now at a leaf device */ xhci_debugfs_remove_slot(xhci, slot_id); xhci_free_virt_device(xhci, slot_id); -- 2.7.4
On Fri, Dec 01, 2017 at 06:38:16AM -0800, Guenter Roeck wrote:
On Fri, Dec 1, 2017 at 3:41 AM, Mathias Nyman mathias.nyman@linux.intel.com wrote:
From: Yu Chen chenyu56@huawei.com
Check vdev->real_port 0 to avoid panic [ 9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108 [ 9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570 [ 9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8 [ 9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0 [ 9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8 [ 9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70 [ 9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108 [ 9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40 [ 9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120 [ 9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210 [ 9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0 [ 9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488 [ 9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8 [ 9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490 [ 9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0 [ 9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100 [ 9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50
The problem can occur if xhci_plat_remove() is called shortly after xhci_plat_probe(). While xhci_free_virt_devices_depth_first been called before the device has been setup and get real_port initialized. The problem occurred on Hikey960 and was reproduced by Guenter Roeck on Kevin with chromeos-4.4.
Cc: Guenter Roeck groeck@google.com Cc: stable@vger.kernel.org # v4.10+
Fixes: ee8665e28e8d ("xhci: free xhci virtual devices with leaf nodes first")
would probably be better. That patch is in v4.4.y as well as in v4.9.y, and thus both releases are affected.
I've added this fixes line, thanks.
greg k-h
On 01.12.2017 17:23, Greg Kroah-Hartman wrote:
On Fri, Dec 01, 2017 at 06:38:16AM -0800, Guenter Roeck wrote:
On Fri, Dec 1, 2017 at 3:41 AM, Mathias Nyman mathias.nyman@linux.intel.com wrote:
From: Yu Chen chenyu56@huawei.com
Check vdev->real_port 0 to avoid panic [ 9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108 [ 9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570 [ 9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8 [ 9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0 [ 9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8 [ 9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70 [ 9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108 [ 9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40 [ 9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120 [ 9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210 [ 9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0 [ 9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488 [ 9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8 [ 9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490 [ 9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0 [ 9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100 [ 9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50
The problem can occur if xhci_plat_remove() is called shortly after xhci_plat_probe(). While xhci_free_virt_devices_depth_first been called before the device has been setup and get real_port initialized. The problem occurred on Hikey960 and was reproduced by Guenter Roeck on Kevin with chromeos-4.4.
Cc: Guenter Roeck groeck@google.com Cc: stable@vger.kernel.org # v4.10+
Fixes: ee8665e28e8d ("xhci: free xhci virtual devices with leaf nodes first")
would probably be better. That patch is in v4.4.y as well as in v4.9.y, and thus both releases are affected.
I've added this fixes line, thanks.
Thanks -Mathias
linux-stable-mirror@lists.linaro.org
-
Greg Kroah-Hartman -
Guenter Roeck -
Mathias Nyman