[PATCH 1/1] usb: xhci: Fix panic if disconnect

[PATCH 1/1] usb: xhci: Fix panic if disconnect

[Jim Lin]

After a device is disconnected, xhci_stop_device() will be invoked
in xhci_bus_suspend().
Also the "disconnect" IRQ will have ISR to invoke
xhci_free_virt_device() in this sequence.
xhci_irq -> xhci_handle_event -> handle_cmd_completion ->
xhci_handle_cmd_disable_slot -> xhci_free_virt_device

If xhci->devs[slot_id] has been assigned to NULL in
xhci_free_virt_device(), then virt_dev->eps[i].ring in
xhci_stop_device() may point to an invlid address to cause kernel
panic.

virt_dev = xhci->devs[slot_id];
:
if (virt_dev->eps[i].ring && virt_dev->eps[i].ring->dequeue)

[] Unable to handle kernel paging request at virtual address 00001a68
[] pgd=ffffffc001430000
[] [00001a68] *pgd=000000013c807003, *pud=000000013c807003,
*pmd=000000013c808003, *pte=0000000000000000
[] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[] CPU: 0 PID: 39 Comm: kworker/0:1 Tainted: G     U
[] Workqueue: pm pm_runtime_work
[] task: ffffffc0bc0e0bc0 ti: ffffffc0bc0ec000 task.ti:
ffffffc0bc0ec000
[] PC is at xhci_stop_device.constprop.11+0xb4/0x1a4

This issue is found when running with realtek ethernet device
(0bda:8153).

Signed-off-by: Jim Lin <jilin@nvidia.com>
---
 drivers/usb/host/xhci-hub.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index d61fcc4..730b9fd 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -386,6 +386,9 @@ static int xhci_stop_device(struct xhci_hcd *xhci, int slot_id, int suspend)
 
 	ret = 0;
 	virt_dev = xhci->devs[slot_id];
+	if (!virt_dev)
+		return -ENODEV;
+
 	cmd = xhci_alloc_command(xhci, false, true, GFP_NOIO);
 	if (!cmd) {
 		xhci_dbg(xhci, "Couldn't allocate command structure.\n");
-- 
1.9.1

[PATCH 1/1] usb: xhci: Fix panic if disconnect

[Jim Lin]

After a device is disconnected, xhci_stop_device() will be invoked
in xhci_bus_suspend().
Also the "disconnect" IRQ will have ISR to invoke
xhci_free_virt_device() in this sequence.
xhci_irq -> xhci_handle_event -> handle_cmd_completion ->
xhci_handle_cmd_disable_slot -> xhci_free_virt_device

If xhci->devs[slot_id] has been assigned to NULL in
xhci_free_virt_device(), then virt_dev->eps[i].ring in
xhci_stop_device() may point to an invlid address to cause kernel
panic.

virt_dev = xhci->devs[slot_id];
:
if (virt_dev->eps[i].ring && virt_dev->eps[i].ring->dequeue)

[] Unable to handle kernel paging request at virtual address 00001a68
[] pgd=ffffffc001430000
[] [00001a68] *pgd=000000013c807003, *pud=000000013c807003,
*pmd=000000013c808003, *pte=0000000000000000
[] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[] CPU: 0 PID: 39 Comm: kworker/0:1 Tainted: G     U
[] Workqueue: pm pm_runtime_work
[] task: ffffffc0bc0e0bc0 ti: ffffffc0bc0ec000 task.ti:
ffffffc0bc0ec000
[] PC is at xhci_stop_device.constprop.11+0xb4/0x1a4

This issue is found when running with realtek ethernet device
(0bda:8153).

Signed-off-by: Jim Lin <jilin@nvidia.com>
---
 drivers/usb/host/xhci-hub.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index d61fcc4..730b9fd 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -386,6 +386,9 @@ static int xhci_stop_device(struct xhci_hcd *xhci, int slot_id, int suspend)
 
 	ret = 0;
 	virt_dev = xhci->devs[slot_id];
+	if (!virt_dev)
+		return -ENODEV;
+
 	cmd = xhci_alloc_command(xhci, false, true, GFP_NOIO);
 	if (!cmd) {
 		xhci_dbg(xhci, "Couldn't allocate command structure.\n");
-- 
1.9.1

Re: [PATCH 1/1] usb: xhci: Fix panic if disconnect

[Felipe Balbi]

[-- Attachment #1: Type: text/plain, Size: 1475 bytes --]


Hi Jim,

Jim Lin <jilin@nvidia.com> writes:
> After a device is disconnected, xhci_stop_device() will be invoked
> in xhci_bus_suspend().
> Also the "disconnect" IRQ will have ISR to invoke
> xhci_free_virt_device() in this sequence.
> xhci_irq -> xhci_handle_event -> handle_cmd_completion ->
> xhci_handle_cmd_disable_slot -> xhci_free_virt_device
>
> If xhci->devs[slot_id] has been assigned to NULL in
> xhci_free_virt_device(), then virt_dev->eps[i].ring in
> xhci_stop_device() may point to an invlid address to cause kernel
> panic.
>
> virt_dev = xhci->devs[slot_id];
> :
> if (virt_dev->eps[i].ring && virt_dev->eps[i].ring->dequeue)
>
> [] Unable to handle kernel paging request at virtual address 00001a68
> [] pgd=ffffffc001430000
> [] [00001a68] *pgd=000000013c807003, *pud=000000013c807003,
> *pmd=000000013c808003, *pte=0000000000000000
> [] Internal error: Oops: 96000006 [#1] PREEMPT SMP
> [] CPU: 0 PID: 39 Comm: kworker/0:1 Tainted: G     U
> [] Workqueue: pm pm_runtime_work
> [] task: ffffffc0bc0e0bc0 ti: ffffffc0bc0ec000 task.ti:
> ffffffc0bc0ec000
> [] PC is at xhci_stop_device.constprop.11+0xb4/0x1a4
>
> This issue is found when running with realtek ethernet device
> (0bda:8153).
>
> Signed-off-by: Jim Lin <jilin@nvidia.com>

yes, I saw the previous version :-) So, we're pretty close to getting
the merge window opened. This will defer to v4.8-rc1.

Patch looks good, though. :-)

thanks

-- 
balbi

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]