linux/drivers/usb/core
Hans de Goede 90a646c770 usb: Do not allow usb_alloc_streams on unconfigured devices
This commit fixes the following oops:

[10238.622067] scsi host3: uas_eh_bus_reset_handler start
[10240.766164] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
[10245.779365] usb 3-4: device descriptor read/8, error -110
[10245.883331] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
[10250.897603] usb 3-4: device descriptor read/8, error -110
[10251.058200] BUG: unable to handle kernel NULL pointer dereference at  0000000000000040
[10251.058244] IP: [<ffffffff815ac6e1>] xhci_check_streams_endpoint+0x91/0x140
<snip>
[10251.059473] Call Trace:
[10251.059487]  [<ffffffff815aca6c>] xhci_calculate_streams_and_bitmask+0xbc/0x130
[10251.059520]  [<ffffffff815aeb5f>] xhci_alloc_streams+0x10f/0x5a0
[10251.059548]  [<ffffffff810a4685>] ? check_preempt_curr+0x75/0xa0
[10251.059575]  [<ffffffff810a46dc>] ? ttwu_do_wakeup+0x2c/0x100
[10251.059601]  [<ffffffff810a49e6>] ? ttwu_do_activate.constprop.111+0x66/0x70
[10251.059635]  [<ffffffff815779ab>] usb_alloc_streams+0xab/0xf0
[10251.059662]  [<ffffffffc0616b48>] uas_configure_endpoints+0x128/0x150 [uas]
[10251.059694]  [<ffffffffc0616bac>] uas_post_reset+0x3c/0xb0 [uas]
[10251.059722]  [<ffffffff815727d9>] usb_reset_device+0x1b9/0x2a0
[10251.059749]  [<ffffffffc0616f42>] uas_eh_bus_reset_handler+0xb2/0x190 [uas]
[10251.059781]  [<ffffffff81514293>] scsi_try_bus_reset+0x53/0x110
[10251.059808]  [<ffffffff815163b7>] scsi_eh_bus_reset+0xf7/0x270
<snip>

The problem is the following call sequence (simplified):

1) usb_reset_device
2)  usb_reset_and_verify_device
2)   hub_port_init
3)    hub_port_finish_reset
3)     xhci_discover_or_reset_device
        This frees xhci->devs[slot_id]->eps[ep_index].ring for all eps but 0
4)    usb_get_device_descriptor
       This fails
5)   hub_port_init fails
6)  usb_reset_and_verify_device fails, does not restore device config
7)  uas_post_reset
8)   xhci_alloc_streams
      NULL deref on the freed ring

This commit fixes this by not allowing usb_alloc_streams to continue if
the device is not configured.

Note that we do allow usb_free_streams to continue after a (logical)
disconnect, as it is necessary to explicitly free the streams at the xhci
controller level.

Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-11-03 15:26:15 -08:00
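
The call sequence in the commit message above, as a user-space model. This is an added example, not code from the commit or from the kernel: every type, function name and the -ENODEV return value are assumptions made for the model.

```c
#include <errno.h>
#include <stddef.h>

/* Simplified stand-ins for kernel types; all names here are hypothetical. */
enum model_state { MODEL_NOTATTACHED, MODEL_ADDRESS, MODEL_CONFIGURED };
#define MODEL_NUM_EPS 3

struct model_ring { unsigned int stream_capable; };
struct model_dev {
    enum model_state state;
    struct model_ring storage[MODEL_NUM_EPS];
    struct model_ring *ring[MODEL_NUM_EPS];   /* ring[0]: control endpoint */
};

/* Configured device: every endpoint has a ring. */
static void model_configure(struct model_dev *dev)
{
    for (int i = 0; i < MODEL_NUM_EPS; i++) {
        dev->storage[i].stream_capable = 1;
        dev->ring[i] = &dev->storage[i];
    }
    dev->state = MODEL_CONFIGURED;
}

/* Steps 3-6: rings for all eps but 0 are dropped, the descriptor read
 * fails, and the device configuration is never restored. */
static void model_failed_reset(struct model_dev *dev)
{
    for (int i = 1; i < MODEL_NUM_EPS; i++)
        dev->ring[i] = NULL;
    dev->state = MODEL_NOTATTACHED;
}

/* Steps 7-8 with the guard: refuse before any endpoint ring is touched. */
static int model_alloc_streams(struct model_dev *dev, int ep)
{
    if (dev->state < MODEL_CONFIGURED)
        return -ENODEV;          /* without this, ring[ep] is NULL below */
    return dev->ring[ep]->stream_capable ? 0 : -EINVAL;
}

int main(void)
{
    struct model_dev dev;
    model_configure(&dev);
    model_failed_reset(&dev);
    /* The driver's post-reset path now gets an error instead of an oops. */
    return model_alloc_streams(&dev, 1) == -ENODEV ? 0 : 1;
}
```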
..
buffer.c USB: core: correct spelling mistakes in comments and warning 2014-01-07 16:17:40 -08:00
config.c usb-core bInterval quirk 2014-08-01 15:47:05 -07:00
devices.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
devio.c USB: devio: fix issue with log flooding 2014-08-01 16:01:46 -07:00
driver.c USB: shutdown all URBs after controller death 2014-07-17 16:59:27 -07:00
endpoint.c USB: core: be specific about attribute permissions 2013-08-25 15:12:03 -07:00
file.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-11-13 15:34:18 +09:00
generic.c staging: usbip: convert usbip-host driver to usb_device_driver 2014-02-07 10:54:30 -08:00
hcd-pci.c USB: core: hcd-pci: free IRQ before disabling PCI device when shutting down 2014-07-22 16:30:58 -07:00
hcd.c usb: Do not allow usb_alloc_streams on unconfigured devices 2014-11-03 15:26:15 -08:00
hub.c usb: rename phy to usb_phy in HCD 2014-09-29 11:52:59 -04:00
hub.h usb: hub: convert khubd into workqueue 2014-09-23 22:33:19 -07:00
Kconfig usb: core: Kconfig: TPL should apply for both OTG and EH 2014-09-23 21:28:41 -07:00
Makefile USB: core: remove CONFIG_USB_DEBUG usage 2013-12-21 16:01:00 -08:00
message.c usb: core: log higher level message on malformed LANGID descriptor 2014-09-28 21:54:26 -04:00
notify.c
otg_whitelist.h usb: core: TPL should apply for both OTG and EH 2014-09-23 21:28:41 -07:00
port.c usb: force warm reset to break link re-connect livelock 2014-07-09 15:43:12 -07:00
quirks.c USB: Add device quirk for ASUS T100 Base Station keyboard 2014-09-23 22:20:59 -07:00
sysfs.c USB: core: correct spelling mistakes in comments and warning 2014-01-07 16:17:40 -08:00
urb.c usb: core: allow zero packet flag for interrupt urbs 2014-07-22 16:30:58 -07:00
usb-acpi.c usb: find internal hub tier mismatch via acpi 2014-05-27 16:38:52 -07:00
usb.c USB: Add EXPORT_SYMBOL for usb_alloc_dev 2014-07-17 17:11:09 -07:00
usb.h usb: hub: rename usb_kick_khubd() to usb_kick_hub_wq() 2014-09-23 22:33:19 -07:00