From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:45994 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933785AbcIVNj3 (ORCPT ); Thu, 22 Sep 2016 09:39:29 -0400 Subject: Patch "xhci: fix null pointer dereference in stop command timeout function" has been added to the 4.7-stable tree To: mathias.nyman@linux.intel.com, gregkh@linuxfoundation.org Cc: , From: Date: Thu, 22 Sep 2016 15:36:37 +0200 Message-ID: <1474551397124@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled xhci: fix null pointer dereference in stop command timeout function to the 4.7-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch and it can be found in the queue-4.7 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From bcf42aa60c2832510b9be0f30c090bfd35bb172d Mon Sep 17 00:00:00 2001 From: Mathias Nyman Date: Wed, 7 Sep 2016 17:26:33 +0300 Subject: xhci: fix null pointer dereference in stop command timeout function From: Mathias Nyman commit bcf42aa60c2832510b9be0f30c090bfd35bb172d upstream. The stop endpoint command has its own 5 second timeout timer. If the timeout function is triggered between USB3 and USB2 host removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd) the ->primary_hcd will be set to NULL at USB3 hcd removal. Fix this by first checking if the PCI host is being removed, and also by using only xhci_to_hcd() as it will always return the primary hcd. Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/xhci-ring.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -840,6 +840,10 @@ void xhci_stop_endpoint_command_watchdog spin_lock_irqsave(&xhci->lock, flags); ep->stop_cmds_pending--; + if (xhci->xhc_state & XHCI_STATE_REMOVING) { + spin_unlock_irqrestore(&xhci->lock, flags); + return; + } if (xhci->xhc_state & XHCI_STATE_DYING) { xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, "Stop EP timer ran, but another timer marked " @@ -893,7 +897,7 @@ void xhci_stop_endpoint_command_watchdog spin_unlock_irqrestore(&xhci->lock, flags); xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, "Calling usb_hc_died()"); - usb_hc_died(xhci_to_hcd(xhci)->primary_hcd); + usb_hc_died(xhci_to_hcd(xhci)); xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, "xHCI host controller is dead."); } Patches currently in stable-queue which might be from mathias.nyman@linux.intel.com are queue-4.7/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch