usb: core : hub: Fix BOS 'NULL pointer' kernel panic

When a USB 3.0 mass storage device is disconnected in transporting state, storage device driver may handle it as a transport error and reset the device by invoking usb_reset_and_verify_device() and following could happen: in usb_reset_and_verify_device(): udev->bos = NULL; For U1/U2 enabled devices, driver will disable LPM, and in some conditions: from usb_unlocked_disable_lpm() --> usb_disable_lpm() --> usb_enable_lpm() udev->bos->ss_cap->bU1devExitLat; And it causes 'NULL pointer' and 'kernel panic': [ 157.976257] Unable to handle kernel NULL pointer dereference at virtual address 00000010 ... [ 158.026400] PC is at usb_enable_link_state+0x34/0x2e0 [ 158.031442] LR is at usb_enable_lpm+0x98/0xac ... [ 158.137368] [<ffffffc0006a1cac>] usb_enable_link_state+0x34/0x2e0 [ 158.143451] [<ffffffc0006a1fec>] usb_enable_lpm+0x94/0xac [ 158.148840] [<ffffffc0006a20e8>] usb_disable_lpm+0xa8/0xb4 ... [ 158.214954] Kernel panic - not syncing: Fatal exception This commit moves 'udev->bos = NULL' behind usb_unlocked_disable_lpm() to prevent from NULL pointer access. Issue can be reproduced by following setup: 1) A SS pen drive behind a SS hub connected to the host. 2) Transporting data between the pen drive and the host. 3) Abruptly disconnect hub and pen drive from host. 4) With a chance it crashes. Signed-off-by: Hans Yang <hansy@nvidia.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Hans Yang <hansy@nvidia.com> 2015-12-01 03:54:59 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-12-01 17:45:52 -0500
commit: 464ad8c43a9ead98c2b0eaed86bea727f2ad106e (patch)
tree: d06935a40a8ff2f96c2139acc0e845672695880f
parent: 33bd2dd03dd0bfa1130d11062a9e5f40d0cf1d3f (diff)
1 files changed, 8 insertions, 7 deletions
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index bdeadc112d29..585c3cb07da6 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5326,9 +5326,6 @@ static int usb_reset_and_verify_device(struct usb_device *udev)
        if (udev->usb2_hw_lpm_enabled == 1)
                usb_set_usb2_hardware_lpm(udev, 0);
-        bos = udev->bos;
-        udev->bos = NULL;
        /* Disable LPM and LTM while we reset the device and reinstall the alt
         * settings.  Device-initiated LPM settings, and system exit latency
         * settings are cleared when the device is reset, so we have to set
@@ -5337,15 +5334,18 @@ static int usb_reset_and_verify_device(struct usb_device *udev)
        ret = usb_unlocked_disable_lpm(udev);
        if (ret) {
                dev_err(&udev->dev, "%s Failed to disable LPM\n.", __func__);
-                goto re_enumerate;
+                goto re_enumerate_no_bos;
        }
        ret = usb_disable_ltm(udev);
        if (ret) {
                dev_err(&udev->dev, "%s Failed to disable LTM\n.",
                                __func__);
-                goto re_enumerate;
+                goto re_enumerate_no_bos;
        }
+        bos = udev->bos;
+        udev->bos = NULL;
        for (i = 0; i < SET_CONFIG_TRIES; ++i) {
                /* ep0 maxpacket size may change; let the HCD know about it.
@@ -5442,10 +5442,11 @@ done:
        return 0;
 re_enumerate:
-        /* LPM state doesn't matter when we're about to destroy the device. */
-        hub_port_logical_disconnect(parent_hub, port1);
        usb_release_bos_descriptor(udev);
        udev->bos = bos;
+re_enumerate_no_bos:
+        /* LPM state doesn't matter when we're about to destroy the device. */
+        hub_port_logical_disconnect(parent_hub, port1);
        return -ENODEV;
 }
author	Hans Yang <hansy@nvidia.com>	2015-12-01 03:54:59 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2015-12-01 17:45:52 -0500
commit	464ad8c43a9ead98c2b0eaed86bea727f2ad106e (patch)
tree	d06935a40a8ff2f96c2139acc0e845672695880f
parent	33bd2dd03dd0bfa1130d11062a9e5f40d0cf1d3f (diff)