Date: Mon, 22 Dec 2025 17:49:34 +0100
From: Michal Pecio
To: Alan Stern
Cc: 胡连勤, Greg Kroah-Hartman, Lee Jones, Mathias Nyman, Mathias Nyman, Sarah Sharp, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: xhci: check Null pointer in segment alloc
Message-ID: <20251222174934.4c9b62d2.michal.pecio@gmail.com>
References: <4935bdf5-4d36-45c3-9bcd-9d14606dd54e@linux.intel.com> <20251220141510.1bc1ef19.michal.pecio@gmail.com> <20251222064252.GA1196800@google.com> <2025122253-stopper-tweed-6e68@gregkh> <20251222085543.4d7430d5.michal.pecio@gmail.com>

On Mon, 22 Dec 2025 08:34:14 -0500, Alan Stern wrote:
> On Mon, Dec 22, 2025 at 12:21:09PM +0000, 胡连勤 wrote:
> > Hi Michal:
> >
> > > On Mon, 22 Dec 2025 08:13:21 +0100, Greg Kroah-Hartman wrote:
> > > > > An API that insists on its users exercising care, knowledge
> > > > > and cognisance sounds fragile and vulnerable.
> > > >
> > > > Fragile yes, vulnerable no. Let's fix the fragility then, but
> > > > as has been pointed out in this thread, we don't know the root
> > > > cause, and I don't even think this "fix" would do the right
> > > > thing anyway.
> > >
> > > The patch looks wrong. I suspect this happens when add_endpoint()
> > > is called concurrently with resume(), which makes little sense.
> > > And it means the same code can probably call add_endpoint()
> > > before resume(), which makes no sense either. We can't do that
> > > with suspended HW.
> > >
> > > Chances are that this crash isn't even the only thing that could
> > > go wrong when such calls are attempted. For one, xhci_resume()
> > > drops the spinlock after reporting usb_root_hub_lost_power(), so
> > > your guess elsewhere was correct - this code isn't even locked
> > > properly.
> > >
> > > It seems no operations on USB devices during resume() are
> > > expected.
>
> Let's be more precise. No extraneous operations are expected on a
> USB device while that device is being resumed (i.e., no operations
> other than those directly involved with the resume itself). However,
> operations on a USB hub or controller are expected and allowed while
> a downstream device is being resumed.

That's not the situation here. The problematic resume is that of the
host controller itself, it's the only place I see which is expected to
destroy the segment pool at runtime (other than stop()) and possibly
cause the reported NULL dereference.

It is not expected that anyone will add endpoints (and probably do
anything) while the HC is resuming. No sanity checks for that either,
the driver just does stupid things.

It likely does stupid things too if you try to manipulate devices while
the HC is suspended. And it looks like somebody found a way of doing
just that, by calling snd_usb_autoresume() at an inappropriate time for
some reason.

The export was added by Wesley Chang, so I guess it was part of "audio
offload". IDK if offload uses it correctly. Somebody uses it incorrectly.

> > Currently, after checking the logic of our KO section, we found that
> > there might be two places simultaneously calling snd_usb_autoresume
> > to wake up the headset device.

Resuming some USB device wouldn't destroy the segment pool and cause
this crash. Here, device resume tries to add an endpoint and crashes
because something else has destroyed the pool.

Regards,
Michal
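As an added illustration outside the mail above (not the xHCI driver's code and not anything the thread's participants wrote): a deterministic C model of the window Michal describes, in which the host controller's resume path tears down the segment pool and rebuilds it later, and an endpoint addition lands in between. All identifiers here (`struct hc`, `hc_resume_begin`, `hc_resume_end`, the three `add_endpoint_*` variants, `run_scenario`) are hypothetical. It contrasts the NULL check the patch proposes with a check on the controller's own state, to show why the former hides the misuse the thread is trying to locate rather than addressing it.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model, not xHCI data structures. */
struct segment {
    int allocs;                 /* segments handed out from this pool */
};

struct hc {
    bool resuming;              /* set for the duration of the resume path */
    struct segment *pool;       /* stand-in for the segment pool; NULL while torn down */
};

/* The resume path, split at the point where the real driver would drop its
 * lock: begin() tears the pool down, end() rebuilds it. Any caller that runs
 * between the two observes pool == NULL. */
void hc_resume_begin(struct hc *hc)
{
    hc->resuming = true;
    free(hc->pool);
    hc->pool = NULL;
}

void hc_resume_end(struct hc *hc)
{
    hc->pool = calloc(1, sizeof(*hc->pool));
    hc->resuming = false;
}

/* Variant A, no guard: the unconditional dereference is the reported crash.
 * The model reports the condition through *would_fault instead of faulting. */
int add_endpoint_unguarded(struct hc *hc, int *would_fault)
{
    *would_fault = (hc->pool == NULL);
    if (*would_fault)
        return -EFAULT;         /* the real code would oops here */
    hc->pool->allocs++;
    return 0;
}

/* Variant B, the patch's approach: a NULL check. No oops, but the caller
 * sees a generic allocation failure and nothing records that it was
 * called while the controller was not ready. */
int add_endpoint_null_check(struct hc *hc)
{
    if (!hc->pool)
        return -ENOMEM;
    hc->pool->allocs++;
    return 0;
}

/* Variant C: reject work on a resuming controller with an error that names
 * the real condition, and treat a missing pool outside of resume as the
 * driver bug it would be rather than as an allocation failure. */
int add_endpoint_state_check(struct hc *hc)
{
    if (hc->resuming)
        return -EBUSY;
    if (!hc->pool)
        return -EINVAL;
    hc->pool->allocs++;
    return 0;
}

/* Walk one resume with an endpoint addition landing in the window.
 * Returns 1 if every variant behaved as described above, 0 otherwise. */
int run_scenario(void)
{
    struct hc hc = { .resuming = false, .pool = NULL };
    int would_fault = 0, ok = 1;

    hc_resume_end(&hc);                 /* initial pool, controller running */
    ok &= add_endpoint_null_check(&hc) == 0;

    hc_resume_begin(&hc);               /* window: pool gone, resume not finished */
    ok &= add_endpoint_unguarded(&hc, &would_fault) == -EFAULT && would_fault == 1;
    ok &= add_endpoint_null_check(&hc) == -ENOMEM;
    ok &= add_endpoint_state_check(&hc) == -EBUSY;

    hc_resume_end(&hc);                 /* resume complete, pool rebuilt */
    ok &= add_endpoint_state_check(&hc) == 0;
    ok &= hc.pool->allocs == 1;         /* the pre-resume count is gone: this is a new pool */

    free(hc.pool);
    return ok;
}

int main(void)
{
    return run_scenario() ? 0 : 1;
}
```

The model is sequential; in the real driver the window exists because the lock is dropped mid-resume, so a state flag like `resuming` would only help if it were read under the same lock the resume path holds while changing it. Neither variant answers the thread's actual question, which is who is reaching the allocator at that point at all; the value of variant C over variant B is only that the failing caller is reported with a reason that points at the resume rather than at memory pressure.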