linux/drivers
Alan Stern 543d7784b0 USB: fix race between hub_disconnect and recursively_mark_NOTATTACHED
There is a race in the hub driver between hub_disconnect() and
recursively_mark_NOTATTACHED().  This race can be triggered if the
driver is unbound from a device at the same time as the bus's root hub
is removed.  When the race occurs, it can cause an oops:

BUG: unable to handle kernel NULL pointer dereference at 0000015c
IP: [<c16d5fb0>] recursively_mark_NOTATTACHED+0x20/0x60
Call Trace:
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d6082>] usb_set_device_state+0x92/0x120
 [<c16d862b>] usb_disconnect+0x2b/0x1a0
 [<c16dd4c0>] usb_remove_hcd+0xb0/0x160
 [<c19ca846>] ? _raw_spin_unlock_irqrestore+0x26/0x50
 [<c1704efc>] ehci_mid_remove+0x1c/0x30
 [<c1704f26>] ehci_mid_stop_host+0x16/0x30
 [<c16f7698>] penwell_otg_work+0xd28/0x3520
 [<c19c945b>] ? __schedule+0x39b/0x7f0
 [<c19cdb9d>] ? sub_preempt_count+0x3d/0x50
 [<c125e97d>] process_one_work+0x11d/0x3d0
 [<c19c7f4d>] ? mutex_unlock+0xd/0x10
 [<c125e0e5>] ? manage_workers.isra.24+0x1b5/0x270
 [<c125f009>] worker_thread+0xf9/0x320
 [<c19ca846>] ? _raw_spin_unlock_irqrestore+0x26/0x50
 [<c125ef10>] ? rescuer_thread+0x2b0/0x2b0
 [<c1264ac4>] kthread+0x94/0xa0
 [<c19d0f77>] ret_from_kernel_thread+0x1b/0x28
 [<c1264a30>] ? kthread_create_on_node+0xc0/0xc0

One problem is that recursively_mark_NOTATTACHED() uses the intfdata
value and hub->hdev->maxchild while hub_disconnect() is clearing them.
Another problem is that it uses hub->ports[i] while the port device is
being released.

To fix this race, we need to hold the device_state_lock while
hub_disconnect() changes the values.  (Note that usb_disconnect()
and hub_port_connect_change() already acquire this lock at similar
critical times during a USB device's life cycle.)  We also need to
remove the port devices after maxchild has been set to 0, instead of
before.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: "Du, Changbin" <changbinx.du@intel.com>
Tested-by: "Du, Changbin" <changbinx.du@intel.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-01-07 09:30:48 -08:00
..
accessibility
acpi pstore: Don't allow high traffic options on fragile devices 2013-12-20 13:12:01 -08:00
amba
ata SCSI fixes on 20131206 2013-12-06 08:30:18 -08:00
atm atm: idt77252: fix dev refcnt leak 2013-11-19 15:53:02 -05:00
auxdisplay
base Revert "cpufreq: suspend governors on system suspend/hibernate" 2013-12-08 01:04:17 +01:00
bcma Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-11-13 17:40:34 +09:00
block null_blk: mem garbage on NUMA systems during init 2013-12-15 12:17:16 -08:00
bluetooth
bus Merge branch 'for-linus' of git://git.linaro.org/people/rmk/linux-arm 2013-11-14 08:51:29 +09:00
cdrom
char Char/Misc driver fixes for 3.13-rc3 2013-12-08 18:47:25 -08:00
clk mfd: s2mps11: Fix build after regmap field rename in sec-core.c 2013-12-16 11:30:39 +00:00
clocksource clocksource: dw_apb_timer_of: Fix support for dts binding "snps,dw-apb-timer" 2013-12-10 19:49:18 +01:00
connector connector: improved unaligned access error fix 2013-11-14 17:19:20 -05:00
cpufreq cpufreq_ at32ap-cpufreq.c: Fix section mismatch 2013-12-10 08:46:38 +01:00
cpuidle cpuidle: Check for dev before deregistering it. 2013-12-03 22:05:22 +01:00
crypto crypto: talitos - fix aead sglen for case 'dst != src' 2013-11-28 22:25:17 +08:00
dca
devfreq
dio
dma net_dma: mark broken 2013-12-18 12:53:43 -08:00
edac sb_edac: Shut up compiler warning when EDAC_DEBUG is enabled 2013-11-30 12:26:36 +01:00
eisa
extcon extcon: remove freed groups caused the panic or warning in unregister flow 2013-11-26 15:17:23 +09:00
firewire firewire: sbp2: bring back WRITE SAME support 2013-12-15 16:32:32 +01:00
firmware pstore: Don't allow high traffic options on fragile devices 2013-12-20 13:12:01 -08:00
fmc
gpio GPIO fixes for the v3.13 development cycle: 2013-12-17 11:47:40 -08:00
gpu drm/edid: add quirk for BPC in Samsung NP700G7A-S01PL notebook 2013-12-17 14:18:16 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2013-12-13 13:21:28 -08:00
hsi
hv
hwmon hwmon fixes for 3.13-rc4 2013-12-12 11:05:19 -08:00
hwspinlock
i2c i2c: imx: Check the return value from clk_prepare_enable() 2013-12-12 22:48:22 +01:00
ide More ACPI and power management updates for 3.13-rc1 2013-11-20 13:25:04 -08:00
idle intel_idle: Fixed C6 state on Avoton/Rangeley processors 2013-11-28 14:35:26 +01:00
iio iio:adc:ad7887 Fix channel reported endianness from cpu to big endian 2013-12-17 20:37:14 +00:00
infiniband iser-target: Move INIT_WORK setup into isert_create_device_ib_res 2013-12-19 00:18:43 -08:00
input Input: adxl34x - Fix bug in definition of ADXL346_2D_ORIENT 2013-12-09 22:23:31 -08:00
iommu iommu/arm-smmu: fix error return code in arm_smmu_device_dt_probe() 2013-12-06 16:44:25 +00:00
ipack
irqchip Renesas ARM based SoC fixes for v3.13 2013-12-20 11:28:30 -08:00
isdn net: rework recvmsg handler msg_name and msg_namelen logic 2013-11-20 21:52:30 -05:00
leds leds: pwm: Fix for deferred probe in DT booted mode 2013-12-02 11:53:17 -08:00
lguest
macintosh powerpc/windfarm: Fix XServe G5 fan control Makefile issue 2013-11-27 11:35:47 +11:00
mailbox
md A set of device-mapper fixes for 3.13. 2013-12-13 13:22:22 -08:00
media [media] videobuf2-dma-sg: fix possible memory leak 2013-12-10 05:40:57 -02:00
memory
memstick tree-wide: use reinit_completion instead of INIT_COMPLETION 2013-11-15 09:32:21 +09:00
message drivers/message/i2o/driver.c: add missing destroy_workqueue() on error in i2o_driver_register() 2013-11-13 12:09:26 +09:00
mfd mfd/rtc: s5m: fix register updating by adding regmap for RTC 2013-12-12 18:19:26 -08:00
misc Char/Misc driver fixes for 3.13-rc3 2013-12-08 18:47:25 -08:00
mmc mmc: omap: Fix I2C dependency and make driver usable with device tree 2013-11-26 15:51:16 -08:00
mtd mtd: nand: pxa3xx: Use info->use_dma to release DMA resources 2013-12-12 15:02:04 -08:00
net Merge branch 'fixes-for-3.13' of git://gitorious.org/linux-can/linux-can 2013-12-17 17:21:30 -05:00
nfc
ntb NTB driver bug fixes to address a missed call to pci_enable_msix, 2013-11-26 11:15:12 -08:00
nubus
of Merge branch 'for-linus-dma-masks' of git://git.linaro.org/people/rmk/linux-arm 2013-11-14 07:55:21 +09:00
oprofile
parisc
parport Kconfig cleanups for v3.13 2013-11-15 14:05:15 -08:00
pci Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-12-15 11:56:47 -08:00
pcmcia DeviceTree updates for 3.13. This is a bit larger pull request than 2013-11-12 16:52:17 +09:00
phy phy: add Broadcom Kona USB2 PHY driver 2013-12-23 14:33:02 -06:00
pinctrl sh-pfc: Fix PINMUX_GPIO macro 2013-12-10 13:12:28 +01:00
platform sony-laptop: do not scribble keyboard backlight registers on resume 2013-11-26 13:03:36 +09:00
pnp PNP: fix restoring devices after hibernation 2013-12-05 02:01:55 +01:00
power Highlights: 2013-11-18 15:35:09 -08:00
powercap PowerCap: Fix mode for energy counter 2013-12-05 02:05:48 +01:00
pps drivers/pps/clients/pps-gpio.c: remove redundant of_match_ptr 2013-11-13 12:09:35 +09:00
ps3
ptp
pwm
rapidio
regulator mfd: s2mps11: Fix build after regmap field rename in sec-core.c 2013-12-16 11:30:39 +00:00
remoteproc
reset
rpmsg
rtc mfd/rtc: s5m: fix register updating by adding regmap for RTC 2013-12-12 18:19:26 -08:00
s390 s390/sclp: replace uninitialized early_event_mask_sccb variable with sccb_early 2013-12-02 15:31:07 +01:00
sbus
scsi qla2xxx: Fix scsi_host leak on qlt_lport_register callback failure 2013-12-19 14:50:17 -08:00
sfi
sh
sn
spi Merge remote-tracking branches 'spi/fix/bcm2835', 'spi/fix/bcm63xx', 'spi/fix/mpc512x-psc', 'spi/fix/mxs', 'spi/fix/pxa2xx', 'spi/fix/qspi', 'spi/fix/rspi' and 'spi/fix/txx9' into spi-linus 2013-11-28 11:31:35 +00:00
ssb
staging Merge 3.13-rc5 into usb-next 2013-12-24 10:18:03 -08:00
target target: Remove extra percpu_ref_init 2013-12-19 14:49:54 -08:00
tc
thermal Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-11-19 15:50:47 -08:00
tty tty: xuartps: Properly guard sysrq specific code 2013-12-17 16:02:25 -08:00
uio uio: we cannot mmap unaligned page contents 2013-12-02 11:50:37 -08:00
usb USB: fix race between hub_disconnect and recursively_mark_NOTATTACHED 2014-01-07 09:30:48 -08:00
uwb uwb: move mutex_lock to error case in uwbd_evt_handle_rc_bp_slot_change 2013-12-20 12:19:44 -08:00
vfio
vhost Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2013-11-22 10:52:03 -08:00
video Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2013-12-09 19:21:39 -08:00
virt
virtio Nothing really exciting: some groundwork for changing virtio endian, and 2013-11-15 13:28:47 +09:00
vlynq
vme
w1 drivers/w1/masters/w1-gpio.c: use dev_get_platdata() 2013-11-15 09:32:21 +09:00
watchdog sc1200_wdt: Fix oops 2013-12-10 08:48:15 +01:00
xen Bug-fixes: 2013-12-20 09:34:54 -08:00
zorro
Kconfig ACPI and power management updates for 3.13-rc1 2013-11-14 13:41:48 +09:00
Makefile ACPI and power management updates for 3.13-rc1 2013-11-14 13:41:48 +09:00