| From b5f072f9bbd7d2ffa25e43b3445e5ec280305faa Mon Sep 17 00:00:00 2001 |
| From: Guenter Roeck <linux@roeck-us.net> |
| Date: Wed, 8 Mar 2017 10:19:36 -0800 |
| Subject: [PATCH] usb: hub: Fix crash after failure to read BOS descriptor |
| |
| commit 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc upstream. |
| |
| If usb_get_bos_descriptor() returns an error, usb->bos will be NULL. |
| Nevertheless, it is dereferenced unconditionally in |
| hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set. |
| This results in a crash. |
| |
| usb 5-1: unable to get BOS descriptor |
| ... |
| Unable to handle kernel NULL pointer dereference at virtual address 00000008 |
| pgd = ffffffc00165f000 |
| [00000008] *pgd=000000000174f003, *pud=000000000174f003, |
| *pmd=0000000001750003, *pte=00e8000001751713 |
| Internal error: Oops: 96000005 [#1] PREEMPT SMP |
| Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ] |
| CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G B 4.4.52 #480 |
| Hardware name: Google Kevin (DT) |
| Workqueue: events driver_set_config_work |
| task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000 |
| PC is at hub_port_init+0xc3c/0xd10 |
| LR is at hub_port_init+0xc3c/0xd10 |
| ... |
| Call trace: |
| [<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10 |
| [<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c |
| [<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298 |
| [<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152] |
| [<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8 |
| [<ffffffc000774a24>] driver_probe_device+0x180/0x3b4 |
| [<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0 |
| [<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4 |
| [<ffffffc0007747ec>] __device_attach+0xd0/0x158 |
| [<ffffffc000775080>] device_initial_probe+0x24/0x30 |
| [<ffffffc0007739d4>] bus_probe_device+0x50/0xe4 |
| [<ffffffc000770bd0>] device_add+0x414/0x738 |
| [<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914 |
| [<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0 |
| [<ffffffc000249bb8>] process_one_work+0x390/0x6b8 |
| [<ffffffc00024abcc>] worker_thread+0x480/0x610 |
| [<ffffffc000251a80>] kthread+0x164/0x178 |
| [<ffffffc0002045d0>] ret_from_fork+0x10/0x40 |
| |
| Since we don't know anything about LPM capabilities without BOS descriptor, |
| don't attempt to enable LPM if it is not available. |
| |
| Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...") |
| Cc: stable <stable@vger.kernel.org> |
| Cc: Mathias Nyman <mathias.nyman@linux.intel.com> |
| Signed-off-by: Guenter Roeck <linux@roeck-us.net> |
| Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c |
| index c8efb0f515eb..ae54ee189cd4 100644 |
| --- a/drivers/usb/core/hub.c |
| +++ b/drivers/usb/core/hub.c |
| @@ -4268,7 +4268,7 @@ static void hub_set_initial_usb2_lpm_policy(struct usb_device *udev) |
| struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent); |
| int connect_type = USB_PORT_CONNECT_TYPE_UNKNOWN; |
| |
| - if (!udev->usb2_hw_lpm_capable) |
| + if (!udev->usb2_hw_lpm_capable || !udev->bos) |
| return; |
| |
| if (hub) |
| -- |
| 2.12.0 |
| |