From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Mathias Nyman <mathias.nyman@linux.intel.com>
Subject: [PATCH 4.19 09/37] xhci: Fix null pointer dereference when host dies
Date: Sun, 22 Jan 2023 16:04:06 +0100 [thread overview]
Message-ID: <20230122150219.971826703@linuxfoundation.org> (raw)
In-Reply-To: <20230122150219.557984692@linuxfoundation.org>
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit a2bc47c43e70cf904b1af49f76d572326c08bca7 upstream.
Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race
and cause null pointer dereference when host suddenly dies.
Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id]
virt device at the same time that xhci_kill_endpoint_urbs() tries to
loop through all the device's endpoints, checking if there are any
cancelled urbs left to give back.
hold the xhci spinlock while freeing the virt device
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20230116142216.1141605-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3830,6 +3830,7 @@ static void xhci_free_dev(struct usb_hcd
struct xhci_hcd *xhci = hcd_to_xhci(hcd);
struct xhci_virt_device *virt_dev;
struct xhci_slot_ctx *slot_ctx;
+ unsigned long flags;
int i, ret;
/*
@@ -3859,7 +3860,11 @@ static void xhci_free_dev(struct usb_hcd
xhci_debugfs_remove_slot(xhci, udev->slot_id);
virt_dev->udev = NULL;
xhci_disable_slot(xhci, udev->slot_id);
+
+ spin_lock_irqsave(&xhci->lock, flags);
xhci_free_virt_device(xhci, udev->slot_id);
+ spin_unlock_irqrestore(&xhci->lock, flags);
+
}
int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id)
next prev parent reply other threads:[~2023-01-22 15:08 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-22 15:03 [PATCH 4.19 00/37] 4.19.271-rc1 review Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 4.19 01/37] pNFS/filelayout: Fix coalescing test for single DS Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 4.19 02/37] net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 03/37] RDMA/srp: Move large values to a new enum for gcc13 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 04/37] f2fs: lets avoid panic if extent_tree is not created Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 05/37] Add exception protection processing for vd in axi_chan_handle_err function Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 06/37] nilfs2: fix general protection fault in nilfs_btree_insert() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 07/37] xhci-pci: set the dma max_seg_size Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 08/37] usb: xhci: Check endpoint is valid before dereferencing it Greg Kroah-Hartman
2023-01-22 15:04 ` Greg Kroah-Hartman [this message]
2023-01-22 15:04 ` [PATCH 4.19 10/37] xhci: Add a flag to disable USB3 lpm on a xhci root port level Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 11/37] prlimit: do_prlimit needs to have a speculation check Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 12/37] USB: serial: option: add Quectel EM05-G (GR) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 13/37] USB: serial: option: add Quectel EM05-G (CS) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 14/37] USB: serial: option: add Quectel EM05-G (RS) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 15/37] USB: serial: option: add Quectel EC200U modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 16/37] USB: serial: option: add Quectel EM05CN (SG) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 17/37] USB: serial: option: add Quectel EM05CN modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 18/37] USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 19/37] usb: core: hub: disable autosuspend for TI TUSB8041 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 20/37] comedi: adv_pci1760: Fix PWM instruction handling Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 21/37] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 22/37] cifs: do not include page data when checking signature Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 23/37] USB: serial: cp210x: add SCALANCE LPE-9000 device id Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 24/37] usb: host: ehci-fsl: Fix module alias Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 25/37] usb: typec: altmodes/displayport: Add pin assignment helper Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 26/37] usb: typec: altmodes/displayport: Fix pin assignment calculation Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 27/37] usb: gadget: g_webcam: Send color matching descriptor per frame Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 28/37] usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 29/37] usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 30/37] serial: pch_uart: Pass correct sg to dma_unmap_sg() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 31/37] serial: atmel: fix incorrect baudrate setup Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 32/37] gsmi: fix null-deref in gsmi_get_variable Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 33/37] Revert "ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline" Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 34/37] Revert "ext4: fix reserved cluster accounting at delayed write time" Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 35/37] Revert "ext4: add new pending reservation mechanism" Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 36/37] Revert "ext4: generalize extents status tree search functions" Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 4.19 37/37] x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN Greg Kroah-Hartman
2023-01-23 10:02 ` [PATCH 4.19 00/37] 4.19.271-rc1 review Naresh Kamboju
2023-01-23 11:21 ` Sudip Mukherjee
2023-01-23 11:33 ` Pavel Machek
2023-01-24 1:16 ` Shuah Khan
2023-01-24 2:47 ` Guenter Roeck
2023-01-26 8:59 ` Greg Kroah-Hartman
2023-01-27 16:54 ` Guenter Roeck
2023-01-24 13:08 ` Pavel Machek
2023-01-26 8:56 ` Greg Kroah-Hartman
2023-01-25 10:30 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230122150219.971826703@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=mathias.nyman@linux.intel.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.