linux-usb.vger.kernel.org archive mirror
From: Michal Pecio <michal.pecio@gmail.com>
To: Mathias Nyman <mathias.nyman@intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] usb: xhci: Fix NULL pointer dereference on certain command aborts
Date: Wed, 4 Dec 2024 18:53:35 +0100
Message-ID: <20241204185335.7514166d@foxbook>
In-Reply-To: <20241203205249.513f1153@foxbook>

I confirmed that the bug is real and behaves exactly as expected, using
a USB microcontroller programmed to NAK the status stage of SET_ADDRESS
requests forever and to reconnect if the host gives up enumerating it.

Command timeout was reduced to 500ms to sooner reach the segment's end
and some relevant debug info was added, hopefully self-explanatory:

[  +0,378926] usb 10-1: new full-speed USB device number 109 using xhci_hcd
[  +0,501006] xhci_hcd 0000:03:00.0: cur_cmd 0000000000000000 enq ffff88814671bff0 deq ffff88814671b000
[  +0,000001] xhci_hcd 0000:03:00.0: Timeout while waiting for setup device command
[  +0,000005] xhci_hcd 0000:03:00.0: !!! avoiding dereferencing a NULL pointer !!!
[  +0,712001] xhci_hcd 0000:03:00.0: cur_cmd 0000000000000000 enq ffff88814671b010 deq ffff88814671b010
[  +0,000001] xhci_hcd 0000:03:00.0: Timeout while waiting for setup device command
[  +0,207981] usb 10-1: device not accepting address 109, error -62

The driver and host controller continue working normally after one hour
of testing and several avoided crashes.

The only thing I haven't tried is actually crashing the kernel, but
considering what's inside xhci_mod_cmd_timer() I think it's obvious
that this is exactly what would happen next without this patch.

Regards,
Michal


Thread overview: 5+ messages
2024-12-03 19:51 [PATCH 0/1] usb: xhci: Fix NULL pointer dereference on certain command aborts Michal Pecio
2024-12-03 19:52 ` [PATCH 1/1] " Michal Pecio
2024-12-04 17:53   ` Michal Pecio [this message]
2024-12-19 20:55 ` [PATCH v2] " Michal Pecio
2024-12-20 12:47   ` Mathias Nyman
