linux/drivers
Carsten Schmid 7aa1bb2ffd usb: xhci: avoid null pointer deref when bos field is NULL
With defective USB sticks we see the following error happen:
usb 1-3: new high-speed USB device number 6 using xhci_hcd
usb 1-3: device descriptor read/64, error -71
usb 1-3: device descriptor read/64, error -71
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: device descriptor read/64, error -71
usb 1-3: unable to get BOS descriptor set
usb 1-3: New USB device found, idVendor=0781, idProduct=5581
usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
...
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008

This comes from the following place:
[ 1660.215380] IP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
[ 1660.222092] PGD 0 P4D 0
[ 1660.224918] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 1660.425520] CPU: 1 PID: 38 Comm: kworker/1:1 Tainted: P     U  W  O    4.14.67-apl #1
[ 1660.434277] Workqueue: usb_hub_wq hub_event [usbcore]
[ 1660.439918] task: ffffa295b6ae4c80 task.stack: ffffad4580150000
[ 1660.446532] RIP: 0010:xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
[ 1660.453821] RSP: 0018:ffffad4580153c70 EFLAGS: 00010046
[ 1660.459655] RAX: 0000000000000000 RBX: ffffa295b4d7c000 RCX: 0000000000000002
[ 1660.467625] RDX: 0000000000000002 RSI: ffffffff984a55b2 RDI: ffffffff984a55b2
[ 1660.475586] RBP: ffffad4580153cc8 R08: 0000000000d6520a R09: 0000000000000001
[ 1660.483556] R10: ffffad4580a004a0 R11: 0000000000000286 R12: ffffa295b4d7c000
[ 1660.491525] R13: 0000000000010648 R14: ffffa295a84e1800 R15: 0000000000000000
[ 1660.499494] FS:  0000000000000000(0000) GS:ffffa295bfc80000(0000) knlGS:0000000000000000
[ 1660.508530] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1660.514947] CR2: 0000000000000008 CR3: 000000025a114000 CR4: 00000000003406a0
[ 1660.522917] Call Trace:
[ 1660.525657]  usb_set_usb2_hardware_lpm+0x3d/0x70 [usbcore]
[ 1660.531792]  usb_disable_device+0x242/0x260 [usbcore]
[ 1660.537439]  usb_disconnect+0xc1/0x2b0 [usbcore]
[ 1660.542600]  hub_event+0x596/0x18f0 [usbcore]
[ 1660.547467]  ? trace_preempt_on+0xdf/0x100
[ 1660.552040]  ? process_one_work+0x1c1/0x410
[ 1660.556708]  process_one_work+0x1d2/0x410
[ 1660.561184]  ? preempt_count_add.part.3+0x21/0x60
[ 1660.566436]  worker_thread+0x2d/0x3f0
[ 1660.570522]  kthread+0x122/0x140
[ 1660.574123]  ? process_one_work+0x410/0x410
[ 1660.578792]  ? kthread_create_on_node+0x60/0x60
[ 1660.583849]  ret_from_fork+0x3a/0x50
[ 1660.587839] Code: 00 49 89 c3 49 8b 84 24 50 16 00 00 8d 4a ff 48 8d 04 c8 48 89 ca 4c 8b 10 45 8b 6a 04 48 8b 00 48 89 45 c0 49 8b 86 80 03 00 00 <48> 8b 40 08 8b 40 03 0f 1f 44 00 00 45 85 ff 0f 84 81 01 00 00
[ 1660.608980] RIP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] RSP: ffffad4580153c70
[ 1660.617921] CR2: 0000000000000008

Tracking this down shows that udev->bos is NULL in the following code:
(xhci.c, in xhci_set_usb2_hardware_lpm)
	field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);  <<<<<<< here

	xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n",
			enable ? "enable" : "disable", port_num + 1);

	if (enable) {
		/* Host supports BESL timeout instead of HIRD */
		if (udev->usb2_hw_lpm_besl_capable) {
			/* if device doesn't have a preferred BESL value use a
			 * default one which works with mixed HIRD and BESL
			 * systems. See XHCI_DEFAULT_BESL definition in xhci.h
			 */
			if ((field & USB_BESL_SUPPORT) &&
			    (field & USB_BESL_BASELINE_VALID))
				hird = USB_GET_BESL_BASELINE(field);
			else
				hird = udev->l1_params.besl;

The failing case is when disabling LPM. So it is sufficient to avoid
access to udev->bos by moving the instruction into the "enable" clause.

Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Carsten Schmid <carsten_schmid@mentor.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-22 14:25:37 +02:00
accessibility
acpi One more patch to remove io.h from clk-provider.h. We used to need this 2019-05-16 19:05:35 -07:00
amba amba: tegra-ahb: Mark PM functions as __maybe_unused 2019-05-08 14:40:39 +02:00
android Char/Misc patches for 5.2-rc1 - part 2 2019-05-07 13:39:22 -07:00
ata for-5.2/block-post-20190516 2019-05-16 19:08:15 -07:00
atm
auxdisplay
base More power management updates for 5.2-rc1 2019-05-15 08:46:44 -07:00
bcma
block for-5.2/block-post-20190516 2019-05-16 19:08:15 -07:00
bluetooth Bluetooth: hci_qca: Rename STATE_<flags> to QCA_<flags> 2019-05-05 19:34:00 +02:00
bus ARM: SoC-related driver updates 2019-05-16 09:19:14 -07:00
cdrom
char Some minor cleanups for the IPMI driver. 2019-05-08 10:34:17 -07:00
clk One more patch to remove io.h from clk-provider.h. We used to need this 2019-05-16 19:05:35 -07:00
clocksource Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-05-19 11:11:20 -07:00
connector
counter
cpufreq One more patch to remove io.h from clk-provider.h. We used to need this 2019-05-16 19:05:35 -07:00
cpuidle
crypto ARM: SoC platform updates 2019-05-16 08:31:32 -07:00
dax libnvdimm fixes 5.2-rc1 2019-05-15 18:56:50 -07:00
dca
devfreq
dio
dma dmaengine updates for v5.2-rc1 2019-05-09 08:51:45 -07:00
dma-buf drm i915, amdgpu, nouveau, msm, panfrost, bridge, pl111 fixes 2019-05-16 07:22:42 -07:00
edac * Do not build mpc85_edac as a module (Michael Ellerman) 2019-05-16 11:55:35 -07:00
eisa
extcon Char/Misc patches for 5.2-rc1 - part 2 2019-05-07 13:39:22 -07:00
firewire drivers/firewire/core-iso.c: convert to use vm_map_pages_zero() 2019-05-14 09:47:50 -07:00
firmware Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-05-19 10:58:45 -07:00
fmc
fpga ARM: SoC-related driver updates 2019-05-16 09:19:14 -07:00
fsi
gnss Char/Misc patches for 5.2-rc1 - part 2 2019-05-07 13:39:22 -07:00
gpio Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-05-19 10:58:45 -07:00
gpu One more patch to remove io.h from clk-provider.h. We used to need this 2019-05-16 19:05:35 -07:00
hid treewide: prefix header search paths with $(srctree)/ 2019-05-18 11:49:57 +09:00
hsi
hv
hwmon Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2019-05-16 16:16:18 -07:00
hwspinlock
hwtracing Char/Misc patches for 5.2-rc1 - part 2 2019-05-07 13:39:22 -07:00
i2c i2c: core: add device-managed version of i2c_new_dummy 2019-05-17 19:29:40 +02:00
i3c * Fix a shift wrap bug in the core 2019-05-07 08:50:40 -07:00
ide ide: officially deprecated the legacy IDE driver 2019-05-08 16:47:23 -07:00
idle
iio power supply and reset changes for the v5.2 series 2019-05-15 18:50:40 -07:00
infiniband 5.2 Merge Window second pull request 2019-05-14 20:56:31 -07:00
input ARM: SoC platform updates 2019-05-16 08:31:32 -07:00
interconnect
iommu Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-05-19 10:58:45 -07:00
ipack
irqchip Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-05-19 10:58:45 -07:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-05-07 22:03:58 -07:00
leds - Core Frameworks 2019-05-14 10:39:08 -07:00
lightnvm lightnvm: pblk: use nvm_rq_to_ppa_list() 2019-05-06 10:19:19 -06:00
macintosh
mailbox One more patch to remove io.h from clk-provider.h. We used to need this 2019-05-16 19:05:35 -07:00
mcb
md - Improve DM snapshot target's scalability by using finer grained 2019-05-16 15:55:48 -07:00
media media: usb: siano: Fix false-positive "uninitialized variable" warning 2019-05-22 14:25:34 +02:00
memory One more patch to remove io.h from clk-provider.h. We used to need this 2019-05-16 19:05:35 -07:00
memstick MMC core: 2019-05-07 12:56:19 -07:00
message
mfd One more patch to remove io.h from clk-provider.h. We used to need this 2019-05-16 19:05:35 -07:00
misc Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-05-19 11:11:20 -07:00
mmc One more patch to remove io.h from clk-provider.h. We used to need this 2019-05-16 19:05:35 -07:00
mtd treewide: replace #include <asm/sizes.h> with #include <linux/sizes.h> 2019-05-14 19:52:52 -07:00
mux
net treewide: prefix header search paths with $(srctree)/ 2019-05-18 11:49:57 +09:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-05-07 22:03:58 -07:00
ntb
nubus
nvdimm libnvdimm fixes 5.2-rc1 2019-05-15 18:56:50 -07:00
nvme for-5.2/block-post-20190516 2019-05-16 19:08:15 -07:00
nvmem ARM: SoC-related driver updates 2019-05-16 09:19:14 -07:00
of of_net: Fix missing of_find_device_by_node ref count drop 2019-05-13 08:52:37 -07:00
opp
oprofile
parisc parisc: Skip registering LED when running in QEMU 2019-05-03 23:47:39 +02:00
parport DMA mapping updates for 5.2 2019-05-09 08:40:55 -07:00
pci pci-v5.2-changes 2019-05-14 10:30:10 -07:00
pcmcia treewide: replace #include <asm/sizes.h> with #include <linux/sizes.h> 2019-05-14 19:52:52 -07:00
perf
phy USB/PHY patches for 5.2-rc1 2019-05-08 10:03:52 -07:00
pinctrl - Core Frameworks 2019-05-14 10:39:08 -07:00
platform - Core Frameworks 2019-05-14 10:39:08 -07:00
pnp
power power supply and reset changes for the v5.2 series 2019-05-15 18:50:40 -07:00
powercap
pps pps: pps-gpio PPS ECHO implementation 2019-05-14 19:52:51 -07:00
ps3
ptp ptp_qoriq: fix NULL access if ptp dt node missing 2019-05-09 09:19:26 -07:00
pwm Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-05-19 11:11:20 -07:00
rapidio rapidio: fix a NULL pointer dereference when create_workqueue() fails 2019-05-14 19:52:50 -07:00
ras
regulator Merge branch 'regulator-5.2' into regulator-next 2019-05-06 22:52:14 +09:00
remoteproc
reset ARM: SoC-related driver updates 2019-05-16 09:19:14 -07:00
rpmsg
rtc ARM: SoC-related driver updates 2019-05-16 09:19:14 -07:00
s390 s390 updates for the 5.2 merge window #2 2019-05-17 10:08:59 -07:00
sbus mm/gup: change GUP fast to use flags rather than a write 'bool' 2019-05-14 09:47:46 -07:00
scsi mm/gup: change GUP fast to use flags rather than a write 'bool' 2019-05-14 09:47:46 -07:00
sfi
sh treewide: replace #include <asm/sizes.h> with #include <linux/sizes.h> 2019-05-14 19:52:52 -07:00
siox
slimbus
sn
soc Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-05-19 10:58:45 -07:00
soundwire
spi ARM: SoC-related driver updates 2019-05-16 09:19:14 -07:00
spmi
ssb Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-05-07 22:03:58 -07:00
staging media updates for v5.2-rc1 2019-05-16 11:57:16 -07:00
target treewide: prefix header search paths with $(srctree)/ 2019-05-18 11:49:57 +09:00
tc
tee ARM: SoC-related driver updates 2019-05-16 09:19:14 -07:00
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2019-05-16 16:16:18 -07:00
thunderbolt Char/Misc patches for 5.2-rc1 - part 2 2019-05-07 13:39:22 -07:00
tty RISC-V Patches for the 5.2 Merge Window, Part 1 v3 2019-05-19 09:56:36 -07:00
uio
usb usb: xhci: avoid null pointer deref when bos field is NULL 2019-05-22 14:25:37 +02:00
uwb
vfio mm/gup: change GUP fast to use flags rather than a write 'bool' 2019-05-14 09:47:46 -07:00
vhost virtio: fixes, features 2019-05-14 14:12:59 -07:00
video fbdev/efifb: Ignore framebuffer memmap entries that lack any memory types 2019-05-17 11:07:42 +02:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-14 19:52:52 -07:00
virtio virtio/virtio_ring: do some comment fixes 2019-05-12 13:11:35 -04:00
visorbus
vlynq
vme
w1 Char/Misc patches for 5.2-rc1 - part 2 2019-05-07 13:39:22 -07:00
watchdog ARM: SoC platform updates 2019-05-16 08:31:32 -07:00
xen xen: fixes and features for 5.2-rc1 2019-05-15 18:44:52 -07:00
zorro
Kconfig
Makefile