linux/drivers/usb/core
Alan Stern 543d7784b0 USB: fix race between hub_disconnect and recursively_mark_NOTATTACHED
There is a race in the hub driver between hub_disconnect() and
recursively_mark_NOTATTACHED().  This race can be triggered if the
driver is unbound from a device at the same time as the bus's root hub
is removed.  When the race occurs, it can cause an oops:

BUG: unable to handle kernel NULL pointer dereference at 0000015c
IP: [<c16d5fb0>] recursively_mark_NOTATTACHED+0x20/0x60
Call Trace:
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d5fc4>] recursively_mark_NOTATTACHED+0x34/0x60
 [<c16d6082>] usb_set_device_state+0x92/0x120
 [<c16d862b>] usb_disconnect+0x2b/0x1a0
 [<c16dd4c0>] usb_remove_hcd+0xb0/0x160
 [<c19ca846>] ? _raw_spin_unlock_irqrestore+0x26/0x50
 [<c1704efc>] ehci_mid_remove+0x1c/0x30
 [<c1704f26>] ehci_mid_stop_host+0x16/0x30
 [<c16f7698>] penwell_otg_work+0xd28/0x3520
 [<c19c945b>] ? __schedule+0x39b/0x7f0
 [<c19cdb9d>] ? sub_preempt_count+0x3d/0x50
 [<c125e97d>] process_one_work+0x11d/0x3d0
 [<c19c7f4d>] ? mutex_unlock+0xd/0x10
 [<c125e0e5>] ? manage_workers.isra.24+0x1b5/0x270
 [<c125f009>] worker_thread+0xf9/0x320
 [<c19ca846>] ? _raw_spin_unlock_irqrestore+0x26/0x50
 [<c125ef10>] ? rescuer_thread+0x2b0/0x2b0
 [<c1264ac4>] kthread+0x94/0xa0
 [<c19d0f77>] ret_from_kernel_thread+0x1b/0x28
 [<c1264a30>] ? kthread_create_on_node+0xc0/0xc0

One problem is that recursively_mark_NOTATTACHED() uses the intfdata
value and hub->hdev->maxchild while hub_disconnect() is clearing them.
Another problem is that it uses hub->ports[i] while the port device is
being released.

To fix this race, we need to hold the device_state_lock while
hub_disconnect() changes the values.  (Note that usb_disconnect()
and hub_port_connect_change() already acquire this lock at similar
critical times during a USB device's life cycle.)  We also need to
remove the port devices after maxchild has been set to 0, instead of
before.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: "Du, Changbin" <changbinx.du@intel.com>
Tested-by: "Du, Changbin" <changbinx.du@intel.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-01-07 09:30:48 -08:00
..
Kconfig treewide: Fix typo in Kconfig 2013-10-14 15:23:02 +02:00
Makefile USB: core: remove CONFIG_USB_DEBUG usage 2013-12-21 16:01:00 -08:00
buffer.c usb: fix some scripts/kernel-doc warnings 2013-08-03 11:30:14 +08:00
config.c usb: core: get config and string descriptors for unauthorized devices 2013-12-09 13:27:32 -08:00
devices.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
devio.c drivers: usb: core: devio.c: Spaces to tabs for proc_control_compat() 2013-10-16 13:38:37 -07:00
driver.c usb: core: Remove superfluous name casts 2013-12-03 11:17:28 -08:00
endpoint.c USB: core: be specific about attribute permissions 2013-08-25 15:12:03 -07:00
file.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-11-13 15:34:18 +09:00
generic.c USB: avoid error messages when a device is disconnected 2013-03-28 11:05:52 -07:00
hcd-pci.c usb: hcd: move controller wakeup setting initialization to individual driver 2013-12-08 18:06:46 -08:00
hcd.c usb: hcd: move controller wakeup setting initialization to individual driver 2013-12-08 18:06:46 -08:00
hub.c USB: fix race between hub_disconnect and recursively_mark_NOTATTACHED 2014-01-07 09:30:48 -08:00
hub.h USB: global suspend and remote wakeup don't mix 2013-07-16 15:33:02 -07:00
message.c usb: Push USB2 LPM disable on disconnect into USB core. 2013-10-16 12:24:21 -07:00
notify.c usb: Add export.h for EXPORT_SYMBOL/THIS_MODULE where needed 2011-10-31 19:31:25 -04:00
otg_whitelist.h
port.c USB: core: be specific about attribute permissions 2013-08-25 15:12:03 -07:00
quirks.c Revert "USB: quirks: add touchscreen that is dazzeled by remote wakeup" 2013-12-08 18:07:38 -08:00
sysfs.c usb: Don't enable USB 2.0 Link PM by default. 2013-10-16 12:24:19 -07:00
urb.c USB: core: remove CONFIG_USB_DEBUG usage 2013-12-21 16:01:00 -08:00
usb-acpi.c ACPI: Eliminate the DEVICE_ACPI_HANDLE() macro 2013-11-14 23:17:21 +01:00
usb.c drivers: usb: core: {file,hub,sysfs,usb}.c: Whitespace fixes 2013-10-11 17:02:37 -07:00
usb.h usbcore: set lpm_capable field for LPM capable root hubs 2013-09-17 09:49:24 -07:00