* Patch "xhci: fix null pointer dereference in stop command timeout function" has been added to the 4.4-stable tree
@ 2016-09-22 13:42 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-09-22 13:42 UTC (permalink / raw)
To: mathias.nyman, gregkh; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
xhci: fix null pointer dereference in stop command timeout function
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From bcf42aa60c2832510b9be0f30c090bfd35bb172d Mon Sep 17 00:00:00 2001
From: Mathias Nyman <mathias.nyman@linux.intel.com>
Date: Wed, 7 Sep 2016 17:26:33 +0300
Subject: xhci: fix null pointer dereference in stop command timeout function
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit bcf42aa60c2832510b9be0f30c090bfd35bb172d upstream.
The stop endpoint command has its own 5 second timeout timer.
If the timeout function is triggered between USB3 and USB2 host
removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd)
the ->primary_hcd will be set to NULL at USB3 hcd removal.
Fix this by first checking if the PCI host is being removed, and
also by using only xhci_to_hcd() as it will always return the primary
hcd.
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-ring.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -846,6 +846,10 @@ void xhci_stop_endpoint_command_watchdog
spin_lock_irqsave(&xhci->lock, flags);
ep->stop_cmds_pending--;
+ if (xhci->xhc_state & XHCI_STATE_REMOVING) {
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ return;
+ }
if (xhci->xhc_state & XHCI_STATE_DYING) {
xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
"Stop EP timer ran, but another timer marked "
@@ -899,7 +903,7 @@ void xhci_stop_endpoint_command_watchdog
spin_unlock_irqrestore(&xhci->lock, flags);
xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
"Calling usb_hc_died()");
- usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
+ usb_hc_died(xhci_to_hcd(xhci));
xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
"xHCI host controller is dead.");
}
Patches currently in stable-queue which might be from mathias.nyman@linux.intel.com are
queue-4.4/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-09-22 13:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-22 13:42 Patch "xhci: fix null pointer dereference in stop command timeout function" has been added to the 4.4-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).