patches/0261-xhci-Fix-xhci-debugfs-NULL-pointer-dereference-in-re.patch - pub/scm/linux/kernel/git/ltsi/ltsi-kernel - Git at Google

 From 244b4f620363b798348f0302d62c8b36db28e2d5 Mon Sep 17 00:00:00 2001
 From: Mathias Nyman <mathias.nyman@linux.intel.com>
 Date: Thu, 21 Dec 2017 15:06:13 +0200
 Subject: [PATCH 0261/1795] xhci: Fix xhci debugfs NULL pointer dereference in
  resume from hibernate

 Free the virt_device and its debugfs_private member together.

 When resuming from hibernate the .free_dev callback unconditionally
 freed the debugfs_private member, but could leave virt_device intact.

 This triggered a NULL pointer dereference after resume when usbmuxd
 sent a USBDEVFS_SETCONFIGURATION ioctl to a device, trying to add a
 endpoint debugfs entry to a already freed debugfs_private pointer.

 Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver")
 Reported-by: Alexander Kappner <agk@godking.net>
 Tested-by: Alexander Kappner <agk@godking.net>
 Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 (cherry picked from commit 052f71e25a7ecd80a9567b291df8ea333d9a8565)
 Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
 Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
 ---
  drivers/usb/host/xhci.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

 diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
 index 4bceebb965ca..05d45079a259 100644
 --- a/drivers/usb/host/xhci.c
 +++ b/drivers/usb/host/xhci.c
 @@ -3567,8 +3567,6 @@ static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
  	struct xhci_slot_ctx *slot_ctx;
  	int i, ret;

 -	xhci_debugfs_remove_slot(xhci, udev->slot_id);
 -
  #ifndef CONFIG_USB_DEFAULT_PERSIST
  	/*
  	 * We called pm_runtime_get_noresume when the device was attached.
 @@ -3598,8 +3596,10 @@ static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)

  	virt_dev->udev = NULL;
  	ret = xhci_disable_slot(xhci, udev->slot_id);
 -	if (ret)
 +	if (ret) {
 +		xhci_debugfs_remove_slot(xhci, udev->slot_id);
  		xhci_free_virt_device(xhci, udev->slot_id);
 +	}
  }

  int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id)
 --
 2.19.0
	From 244b4f620363b798348f0302d62c8b36db28e2d5 Mon Sep 17 00:00:00 2001
	From: Mathias Nyman <mathias.nyman@linux.intel.com>
	Date: Thu, 21 Dec 2017 15:06:13 +0200
	Subject: [PATCH 0261/1795] xhci: Fix xhci debugfs NULL pointer dereference in
	resume from hibernate

	Free the virt_device and its debugfs_private member together.

	When resuming from hibernate the .free_dev callback unconditionally
	freed the debugfs_private member, but could leave virt_device intact.

	This triggered a NULL pointer dereference after resume when usbmuxd
	sent a USBDEVFS_SETCONFIGURATION ioctl to a device, trying to add a
	endpoint debugfs entry to a already freed debugfs_private pointer.

	Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver")
	Reported-by: Alexander Kappner <agk@godking.net>
	Tested-by: Alexander Kappner <agk@godking.net>
	Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	(cherry picked from commit 052f71e25a7ecd80a9567b291df8ea333d9a8565)
	Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
	Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
	---
	drivers/usb/host/xhci.c \| 6 +++---
	1 file changed, 3 insertions(+), 3 deletions(-)

	diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
	index 4bceebb965ca..05d45079a259 100644
	--- a/drivers/usb/host/xhci.c
	+++ b/drivers/usb/host/xhci.c
	@@ -3567,8 +3567,6 @@ static void xhci_free_dev(struct usb_hcd hcd, struct usb_device udev)
	struct xhci_slot_ctx *slot_ctx;
	int i, ret;

	- xhci_debugfs_remove_slot(xhci, udev->slot_id);
	-
	#ifndef CONFIG_USB_DEFAULT_PERSIST
	/*
	* We called pm_runtime_get_noresume when the device was attached.
	@@ -3598,8 +3596,10 @@ static void xhci_free_dev(struct usb_hcd hcd, struct usb_device udev)

	virt_dev->udev = NULL;
	ret = xhci_disable_slot(xhci, udev->slot_id);
	- if (ret)
	+ if (ret) {
	+ xhci_debugfs_remove_slot(xhci, udev->slot_id);
	xhci_free_virt_device(xhci, udev->slot_id);
	+ }
	}

	int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id)
	--
	2.19.0