diff options
| author | Mathias Nyman <mathias.nyman@linux.intel.com> | 2019-08-02 11:00:44 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-08-02 12:13:49 -0400 |
| commit | cb53c517285f8d2548d11422173ca8ec7b9c8f44 (patch) | |
| tree | 45314841b1f046e25d34477116b625ad990c0dd9 /drivers/usb/host | |
| parent | 783bda5e41acc71f98336e1a402c180f9748e5dc (diff) | |
xhci: Fix NULL pointer dereference at endpoint zero reset.
Usb core will reset the default control endpoint "ep0" before resetting
a device. if the endpoint has a valid pointer back to the usb device
then the xhci driver reset callback will try to clear the toggle for
the endpoint.
ep0 didn't use to have this pointer set as ep0 was always allocated
by default together with a xhci slot for the usb device. Other endpoints
got their usb device pointer set in xhci_add_endpoint()
This changed with commit ef513be0a905 ("usb: xhci: Add Clear_TT_Buffer")
which sets the pointer for any endpoint on a FS/LS device behind a
HS hub that halts, including ep0.
If xHC controller needs to be reset at resume, then all the xhci slots
will be lost. Slots will be reenabled and reallocated at device reset,
but unlike other endpoints the ep0 is reset before device reset, while
the xhci slot may still be invalid, causing NULL pointer dereference.
Fix it by checking that the endpoint has both a usb device pointer and
valid xhci slot before trying to clear the toggle.
This issue was not seen earlier as ep0 didn't use to have a valid usb
device pointer, and other endpoints were only reset after device reset
when xhci slots were properly reenabled.
Reported-by: Bob Gleitsmann <rjgleits@bellsouth.net>
Reported-by: Enric Balletbo Serra <eballetbo@gmail.com>
Fixes: ef513be0a905 ("usb: xhci: Add Clear_TT_Buffer")
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Tested-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
Link: https://lore.kernel.org/r/1564758044-24748-1-git-send-email-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/host')
| -rw-r--r-- | drivers/usb/host/xhci.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 248cd7a8b163..03d1e552769b 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c | |||
| @@ -3089,8 +3089,18 @@ static void xhci_endpoint_reset(struct usb_hcd *hcd, | |||
| 3089 | return; | 3089 | return; |
| 3090 | udev = (struct usb_device *) host_ep->hcpriv; | 3090 | udev = (struct usb_device *) host_ep->hcpriv; |
| 3091 | vdev = xhci->devs[udev->slot_id]; | 3091 | vdev = xhci->devs[udev->slot_id]; |
| 3092 | |||
| 3093 | /* | ||
| 3094 | * vdev may be lost due to xHC restore error and re-initialization | ||
| 3095 | * during S3/S4 resume. A new vdev will be allocated later by | ||
| 3096 | * xhci_discover_or_reset_device() | ||
| 3097 | */ | ||
| 3098 | if (!udev->slot_id || !vdev) | ||
| 3099 | return; | ||
| 3092 | ep_index = xhci_get_endpoint_index(&host_ep->desc); | 3100 | ep_index = xhci_get_endpoint_index(&host_ep->desc); |
| 3093 | ep = &vdev->eps[ep_index]; | 3101 | ep = &vdev->eps[ep_index]; |
| 3102 | if (!ep) | ||
| 3103 | return; | ||
| 3094 | 3104 | ||
| 3095 | /* Bail out if toggle is already being cleared by a endpoint reset */ | 3105 | /* Bail out if toggle is already being cleared by a endpoint reset */ |
| 3096 | if (ep->ep_state & EP_HARD_CLEAR_TOGGLE) { | 3106 | if (ep->ep_state & EP_HARD_CLEAR_TOGGLE) { |