linux/drivers/usb/core
Guenter Roeck f5cccf4942 usb: hub: Do not attempt to autosuspend disconnected devices
While running a bind/unbind stress test with the dwc3 usb driver on rk3399,
the following crash was observed.

Unable to handle kernel NULL pointer dereference at virtual address 00000218
pgd = ffffffc00165f000
[00000218] *pgd=000000000174f003, *pud=000000000174f003,
				*pmd=0000000001750003, *pte=00e8000001751713
Internal error: Oops: 96000005 [#1] PREEMPT SMP
Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac
ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat rfcomm
xt_mark fuse bridge stp llc zram btusb btrtl btbcm btintel bluetooth
ip6table_filter mwifiex_pcie mwifiex cfg80211 cdc_ether usbnet r8152 mii joydev
snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async
ppp_generic slhc tun
CPU: 1 PID: 29814 Comm: kworker/1:1 Not tainted 4.4.52 #507
Hardware name: Google Kevin (DT)
Workqueue: pm pm_runtime_work
task: ffffffc0ac540000 ti: ffffffc0af4d4000 task.ti: ffffffc0af4d4000
PC is at autosuspend_check+0x74/0x174
LR is at autosuspend_check+0x70/0x174
...
Call trace:
[<ffffffc00080dcc0>] autosuspend_check+0x74/0x174
[<ffffffc000810500>] usb_runtime_idle+0x20/0x40
[<ffffffc000785ae0>] __rpm_callback+0x48/0x7c
[<ffffffc000786af0>] rpm_idle+0x1e8/0x498
[<ffffffc000787cdc>] pm_runtime_work+0x88/0xcc
[<ffffffc000249bb8>] process_one_work+0x390/0x6b8
[<ffffffc00024abcc>] worker_thread+0x480/0x610
[<ffffffc000251a80>] kthread+0x164/0x178
[<ffffffc0002045d0>] ret_from_fork+0x10/0x40

Source:

(gdb) l *0xffffffc00080dcc0
0xffffffc00080dcc0 is in autosuspend_check
(drivers/usb/core/driver.c:1778).
1773		/* We don't need to check interfaces that are
1774		 * disabled for runtime PM.  Either they are unbound
1775		 * or else their drivers don't support autosuspend
1776		 * and so they are permanently active.
1777		 */
1778		if (intf->dev.power.disable_depth)
1779			continue;
1780		if (atomic_read(&intf->dev.power.usage_count) > 0)
1781			return -EBUSY;
1782		w |= intf->needs_remote_wakeup;

Code analysis shows that intf is set to NULL in usb_disable_device() prior
to setting actconfig to NULL. At the same time, usb_runtime_idle() does not
lock the usb device, and neither does any of the functions in the
traceback. This means that there is no protection against a race condition
where usb_disable_device() is removing dev->actconfig->interface[] pointers
while those are being accessed from autosuspend_check().

To solve the problem, synchronize and validate device state between
autosuspend_check() and usb_disconnect().

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-03-23 08:13:22 +01:00
buffer.c USB: core: add missing license information to some files 2016-10-29 12:51:56 -04:00
config.c USB: fix problems with duplicate endpoint addresses 2017-01-05 19:38:40 +01:00
devices.c usb: core: devices: remove unnecessary & operation 2016-11-03 10:38:23 +02:00
devio.c sched/headers: Prepare for new header dependencies before moving code to <linux/sched/signal.h> 2017-03-02 08:42:29 +01:00
driver.c usb: hub: Do not attempt to autosuspend disconnected devices 2017-03-23 08:13:22 +01:00
endpoint.c usb: patches for v4.10 merge window 2016-11-18 16:02:15 +01:00
file.c USB: core: add missing license information to some files 2016-10-29 12:51:56 -04:00
generic.c USB: core: add missing license information to some files 2016-10-29 12:51:56 -04:00
hcd-pci.c usb: hcd: out of bounds access in for_each_companion 2016-04-13 12:06:18 -07:00
hcd.c usb: hcd: initialize hcd->flags to 0 when rm hcd 2017-01-19 10:34:41 +01:00
hub.c usb: hub: Do not attempt to autosuspend disconnected devices 2017-03-23 08:13:22 +01:00
hub.h usb: Support USB 3.1 extended port status request 2016-01-24 20:16:52 -08:00
Kconfig usb: core: Introduce a USB port LED trigger 2016-09-27 12:20:17 +02:00
ledtrig-usbport.c usb: core: usbport: Use proper LED API to fix potential crash 2016-12-06 08:37:41 +01:00
Makefile usb: add CONFIG_USB_PCI for system have both PCI HW and non-PCI based USB HW 2017-03-17 13:16:56 +09:00
message.c usb: core: update comments for send message functions 2017-01-19 10:34:40 +01:00
notify.c USB: core: add missing license information to some files 2016-10-29 12:51:56 -04:00
of.c usb: of: add functions to bind a companion controller 2017-03-17 13:24:48 +09:00
otg_whitelist.h usb: core: use IS_ENABLED() instead of checking for built-in or module 2016-09-02 14:36:33 +02:00
port.c Revert "USB / PM: Allow USB devices to remain runtime-suspended when sleeping" 2016-05-02 08:44:31 -07:00
quirks.c USB: Add quirk for WORLDE easykey.25 MIDI keyboard 2017-01-25 11:02:29 +01:00
sysfs.c USB: core: add missing license information to some files 2016-10-29 12:51:56 -04:00
urb.c usb: patches for v4.10 merge window 2016-11-18 16:02:15 +01:00
usb-acpi.c usb: find internal hub tier mismatch via acpi 2014-05-27 16:38:52 -07:00
usb.c USB: core: add missing license information to some files 2016-10-29 12:51:56 -04:00
usb.h USB: core: add missing license information to some files 2016-10-29 12:51:56 -04:00