Patch "Revert "usb: hub: do not clear BOS field during reset device"" has been added to the 3.14-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    Revert "usb: hub: do not clear BOS field during reset device"

to the 3.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
and it can be found in the queue-3.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From e5bdfd50d6f76077bf8441d130c606229e100d40 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 20 Feb 2016 14:19:34 -0800
Subject: Revert "usb: hub: do not clear BOS field during reset device"

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e5bdfd50d6f76077bf8441d130c606229e100d40 upstream.

This reverts commit d8f00cd685f5c8e0def8593e520a7fef12c22407.

Tony writes:

This upstream commit is causing an oops:
d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device")

This patch has already been included in several -stable kernels.  Here
are the affected kernels:
4.5.0-rc4 (current git)
4.4.2
4.3.6 (currently in review)
4.1.18
3.18.27
3.14.61

How to reproduce the problem:
Boot kernel with slub debugging enabled (otherwise memory corruption
will cause random oopses later instead of immediately)
Plug in USB 3.0 disk to xhci USB 3.0 port
dd if=/dev/sdc of=/dev/null bs=65536
(where /dev/sdc is the USB 3.0 disk)
Unplug USB cable while dd is still going
Oops is immediate:

Reported-by: Tony Battersby <tonyb@cybernetics.com>
Cc: Du, Changbin <changbin.du@intel.com>
Cc: Roger Quadros <rogerq@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/hub.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5231,6 +5231,7 @@ static int usb_reset_and_verify_device(s
 		usb_set_usb2_hardware_lpm(udev, 0);
 
 	bos = udev->bos;
+	udev->bos = NULL;
 
 	/* Disable LPM and LTM while we reset the device and reinstall the alt
 	 * settings.  Device-initiated LPM settings, and system exit latency
@@ -5339,11 +5340,8 @@ done:
 	usb_set_usb2_hardware_lpm(udev, 1);
 	usb_unlocked_enable_lpm(udev);
 	usb_enable_ltm(udev);
-	/* release the new BOS descriptor allocated  by hub_port_init() */
-	if (udev->bos != bos) {
-		usb_release_bos_descriptor(udev);
-		udev->bos = bos;
-	}
+	usb_release_bos_descriptor(udev);
+	udev->bos = bos;
 	return 0;
 
 re_enumerate:


Patches currently in stable-queue which might be from gregkh@linuxfoundation.org are

queue-3.14/ipv4-fix-broadcast-packets-reception.patch
queue-3.14/ext4-add-lockdep-annotations-for-i_data_sem.patch
queue-3.14/qlge-fix-receive-packets-drop.patch
queue-3.14/drm-radeon-add-a-dpm-quirk-for-all-r7-370-parts.patch
queue-3.14/mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch
queue-3.14/0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch
queue-3.14/revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch
queue-3.14/parisc-fix-kernel-crash-with-reversed-copy_from_user.patch
queue-3.14/perf-cure-event-pending_disable-race.patch
queue-3.14/ppp-take-reference-on-channels-netns.patch
queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch
queue-3.14/drm-radeon-add-a-dpm-quirk-for-sapphire-dual-x-r7-370-2g-d5.patch
queue-3.14/ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
queue-3.14/parisc-avoid-function-pointers-for-kernel-exception-routines.patch
queue-3.14/sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch
queue-3.14/farsync-fix-off-by-one-bug-in-fst_add_one.patch
queue-3.14/qmi_wwan-add-d-link-dwm-221-b1-device-id.patch
queue-3.14/sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch
queue-3.14/net-fix-use-after-free-in-the-recvmmsg-exit-path.patch
queue-3.14/xen-events-mask-a-moving-irq.patch
queue-3.14/usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch
queue-3.14/alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch
queue-3.14/ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
queue-3.14/ath9k-fix-buffer-overrun-for-ar9287.patch
queue-3.14/usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch
queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch
queue-3.14/ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
queue-3.14/usbnet-cleanup-after-bind-in-probe.patch
queue-3.14/net-jme-fix-suspend-resume-on-jmc260.patch
queue-3.14/udp6-fix-udp-ipv6-encap-resubmit-path.patch
queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
queue-3.14/ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch
queue-3.14/hid-usbhid-fix-inconsistent-reset-resume-reset-resume-behavior.patch
queue-3.14/hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch
queue-3.14/cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch
queue-3.14/revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
queue-3.14/mm-fix-invalid-node-in-alloc_migrate_target.patch