<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/usb/core/hcd.c, branch linux-3.18.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>USB: Increment wakeup count on remote wakeup.</title>
<updated>2018-05-02T14:59:54+00:00</updated>
<author>
<name>Ravi Chandra Sadineni</name>
<email>ravisadineni@chromium.org</email>
</author>
<published>2018-04-20T18:08:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9dfbd45c4f91d648ffac99eeceb0af35307cb026'/>
<id>9dfbd45c4f91d648ffac99eeceb0af35307cb026</id>
<content type='text'>
commit 83a62c51ba7b3c0bf45150c4eac7aefc6c785e94 upstream.

On chromebooks we depend on wakeup count to identify the wakeup source.
But currently USB devices do not increment the wakeup count when they
trigger the remote wake. This patch addresses the same.

Resume condition is reported differently on USB 2.0 and USB 3.0 devices.

On USB 2.0 devices, a wake capable device, if wake enabled, drives
resume signal to indicate a remote wake (USB 2.0 spec section 7.1.7.7).
The upstream facing port then sets C_PORT_SUSPEND bit and reports a
port change event (USB 2.0 spec section 11.24.2.7.2.3). Thus if a port
has resumed before driving the resume signal from the host and
C_PORT_SUSPEND is set, then the device attached to the given port might
be the reason for the last system wakeup. Increment the wakeup count for
the same.

On USB 3.0 devices, a function may signal that it wants to exit from device
suspend by sending a Function Wake Device Notification to the host (USB3.0
spec section 8.5.6.4) Thus on receiving the Function Wake, increment the
wakeup count.

Signed-off-by: Ravi Chandra Sadineni &lt;ravisadineni@chromium.org&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 83a62c51ba7b3c0bf45150c4eac7aefc6c785e94 upstream.

On chromebooks we depend on wakeup count to identify the wakeup source.
But currently USB devices do not increment the wakeup count when they
trigger the remote wake. This patch addresses the same.

Resume condition is reported differently on USB 2.0 and USB 3.0 devices.

On USB 2.0 devices, a wake capable device, if wake enabled, drives
resume signal to indicate a remote wake (USB 2.0 spec section 7.1.7.7).
The upstream facing port then sets C_PORT_SUSPEND bit and reports a
port change event (USB 2.0 spec section 11.24.2.7.2.3). Thus if a port
has resumed before driving the resume signal from the host and
C_PORT_SUSPEND is set, then the device attached to the given port might
be the reason for the last system wakeup. Increment the wakeup count for
the same.

On USB 3.0 devices, a function may signal that it wants to exit from device
suspend by sending a Function Wake Device Notification to the host (USB3.0
spec section 8.5.6.4) Thus on receiving the Function Wake, increment the
wakeup count.

Signed-off-by: Ravi Chandra Sadineni &lt;ravisadineni@chromium.org&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>usb: hcd: initialize hcd-&gt;flags to 0 when rm hcd</title>
<updated>2017-11-15T09:04:12+00:00</updated>
<author>
<name>William wu</name>
<email>wulf@rock-chips.com</email>
</author>
<published>2017-01-13T03:04:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3bd646aed6821f667deac3c08019db12d96b9a3a'/>
<id>3bd646aed6821f667deac3c08019db12d96b9a3a</id>
<content type='text'>
[ Upstream commit 76b8db0d480e8045e1a1902fc9ab143b3b9ef115 ]

On some platforms(e.g. rk3399 board), we can call hcd_add/remove
consecutively without calling usb_put_hcd/usb_create_hcd in between,
so hcd-&gt;flags can be stale.

If the HC dies due to whatever reason then without this patch we get
the below error on next hcd_add.

[173.296154] xhci-hcd xhci-hcd.2.auto: HC died; cleaning up
[173.296209] xhci-hcd xhci-hcd.2.auto: xHCI Host Controller
[173.296762] xhci-hcd xhci-hcd.2.auto: new USB bus registered, assigned bus number 6
[173.296931] usb usb6: We don't know the algorithms for LPM for this host, disabling LPM.
[173.297179] usb usb6: New USB device found, idVendor=1d6b, idProduct=0003
[173.297203] usb usb6: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[173.297222] usb usb6: Product: xHCI Host Controller
[173.297240] usb usb6: Manufacturer: Linux 4.4.21 xhci-hcd
[173.297257] usb usb6: SerialNumber: xhci-hcd.2.auto
[173.298680] hub 6-0:1.0: USB hub found
[173.298749] hub 6-0:1.0: 1 port detected
[173.299382] rockchip-dwc3 usb@fe800000: USB HOST connected
[173.395418] hub 5-0:1.0: activate --&gt; -19
[173.603447] irq 228: nobody cared (try booting with the "irqpoll" option)
[173.603493] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.21 #9
[173.603513] Hardware name: Google Kevin (DT)
[173.603531] Call trace:
[173.603568] [&lt;ffffffc0002087dc&gt;] dump_backtrace+0x0/0x160
[173.603596] [&lt;ffffffc00020895c&gt;] show_stack+0x20/0x28
[173.603623] [&lt;ffffffc0004b28a8&gt;] dump_stack+0x90/0xb0
[173.603650] [&lt;ffffffc00027347c&gt;] __report_bad_irq+0x48/0xe8
[173.603674] [&lt;ffffffc0002737cc&gt;] note_interrupt+0x1e8/0x28c
[173.603698] [&lt;ffffffc000270a38&gt;] handle_irq_event_percpu+0x1d4/0x25c
[173.603722] [&lt;ffffffc000270b0c&gt;] handle_irq_event+0x4c/0x7c
[173.603748] [&lt;ffffffc00027456c&gt;] handle_fasteoi_irq+0xb4/0x124
[173.603777] [&lt;ffffffc00026fe3c&gt;] generic_handle_irq+0x30/0x44
[173.603804] [&lt;ffffffc0002701a8&gt;] __handle_domain_irq+0x90/0xbc
[173.603827] [&lt;ffffffc0002006f4&gt;] gic_handle_irq+0xcc/0x188
...
[173.604500] [&lt;ffffffc000203700&gt;] el1_irq+0x80/0xf8
[173.604530] [&lt;ffffffc000261388&gt;] cpu_startup_entry+0x38/0x3cc
[173.604558] [&lt;ffffffc00090f7d8&gt;] rest_init+0x8c/0x94
[173.604585] [&lt;ffffffc000e009ac&gt;] start_kernel+0x3d0/0x3fc
[173.604607] [&lt;0000000000b16000&gt;] 0xb16000
[173.604622] handlers:
[173.604648] [&lt;ffffffc000642084&gt;] usb_hcd_irq
[173.604673] Disabling IRQ #228

Signed-off-by: William wu &lt;wulf@rock-chips.com&gt;
Acked-by: Roger Quadros &lt;rogerq@ti.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 76b8db0d480e8045e1a1902fc9ab143b3b9ef115 ]

On some platforms(e.g. rk3399 board), we can call hcd_add/remove
consecutively without calling usb_put_hcd/usb_create_hcd in between,
so hcd-&gt;flags can be stale.

If the HC dies due to whatever reason then without this patch we get
the below error on next hcd_add.

[173.296154] xhci-hcd xhci-hcd.2.auto: HC died; cleaning up
[173.296209] xhci-hcd xhci-hcd.2.auto: xHCI Host Controller
[173.296762] xhci-hcd xhci-hcd.2.auto: new USB bus registered, assigned bus number 6
[173.296931] usb usb6: We don't know the algorithms for LPM for this host, disabling LPM.
[173.297179] usb usb6: New USB device found, idVendor=1d6b, idProduct=0003
[173.297203] usb usb6: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[173.297222] usb usb6: Product: xHCI Host Controller
[173.297240] usb usb6: Manufacturer: Linux 4.4.21 xhci-hcd
[173.297257] usb usb6: SerialNumber: xhci-hcd.2.auto
[173.298680] hub 6-0:1.0: USB hub found
[173.298749] hub 6-0:1.0: 1 port detected
[173.299382] rockchip-dwc3 usb@fe800000: USB HOST connected
[173.395418] hub 5-0:1.0: activate --&gt; -19
[173.603447] irq 228: nobody cared (try booting with the "irqpoll" option)
[173.603493] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.21 #9
[173.603513] Hardware name: Google Kevin (DT)
[173.603531] Call trace:
[173.603568] [&lt;ffffffc0002087dc&gt;] dump_backtrace+0x0/0x160
[173.603596] [&lt;ffffffc00020895c&gt;] show_stack+0x20/0x28
[173.603623] [&lt;ffffffc0004b28a8&gt;] dump_stack+0x90/0xb0
[173.603650] [&lt;ffffffc00027347c&gt;] __report_bad_irq+0x48/0xe8
[173.603674] [&lt;ffffffc0002737cc&gt;] note_interrupt+0x1e8/0x28c
[173.603698] [&lt;ffffffc000270a38&gt;] handle_irq_event_percpu+0x1d4/0x25c
[173.603722] [&lt;ffffffc000270b0c&gt;] handle_irq_event+0x4c/0x7c
[173.603748] [&lt;ffffffc00027456c&gt;] handle_fasteoi_irq+0xb4/0x124
[173.603777] [&lt;ffffffc00026fe3c&gt;] generic_handle_irq+0x30/0x44
[173.603804] [&lt;ffffffc0002701a8&gt;] __handle_domain_irq+0x90/0xbc
[173.603827] [&lt;ffffffc0002006f4&gt;] gic_handle_irq+0xcc/0x188
...
[173.604500] [&lt;ffffffc000203700&gt;] el1_irq+0x80/0xf8
[173.604530] [&lt;ffffffc000261388&gt;] cpu_startup_entry+0x38/0x3cc
[173.604558] [&lt;ffffffc00090f7d8&gt;] rest_init+0x8c/0x94
[173.604585] [&lt;ffffffc000e009ac&gt;] start_kernel+0x3d0/0x3fc
[173.604607] [&lt;0000000000b16000&gt;] 0xb16000
[173.604622] handlers:
[173.604648] [&lt;ffffffc000642084&gt;] usb_hcd_irq
[173.604673] Disabling IRQ #228

Signed-off-by: William wu &lt;wulf@rock-chips.com&gt;
Acked-by: Roger Quadros &lt;rogerq@ti.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: hcd: Mark secondary HCD as dead if the primary one died</title>
<updated>2017-08-16T20:35:31+00:00</updated>
<author>
<name>Rafael J. Wysocki</name>
<email>rafael.j.wysocki@intel.com</email>
</author>
<published>2017-07-25T21:58:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0e3eac98b84c9492ce289f63e78babe9f46db762'/>
<id>0e3eac98b84c9492ce289f63e78babe9f46db762</id>
<content type='text'>
commit cd5a6a4fdaba150089af2afc220eae0fef74878a upstream.

Make usb_hc_died() clear the HCD_FLAG_RH_RUNNING flag for the shared
HCD and set HCD_FLAG_DEAD for it, in analogy with what is done for
the primary one.

Among other thigs, this prevents check_root_hub_suspended() from
returning -EBUSY for dead HCDs which helps to work around system
suspend issues in some situations.

This actually fixes occasional suspend failures on one of my test
machines.

Suggested-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Rafael J. Wysocki &lt;rafael.j.wysocki@intel.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cd5a6a4fdaba150089af2afc220eae0fef74878a upstream.

Make usb_hc_died() clear the HCD_FLAG_RH_RUNNING flag for the shared
HCD and set HCD_FLAG_DEAD for it, in analogy with what is done for
the primary one.

Among other thigs, this prevents check_root_hub_suspended() from
returning -EBUSY for dead HCDs which helps to work around system
suspend issues in some situations.

This actually fixes occasional suspend failures on one of my test
machines.

Suggested-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Rafael J. Wysocki &lt;rafael.j.wysocki@intel.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>usb: core: fix potential memory leak in error path during hcd creation</title>
<updated>2017-06-26T05:10:52+00:00</updated>
<author>
<name>Anton Bondarenko</name>
<email>anton.bondarenko.sama@gmail.com</email>
</author>
<published>2017-05-06T23:53:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=18700c3c531baa32e42a12e40501dc6223811dc4'/>
<id>18700c3c531baa32e42a12e40501dc6223811dc4</id>
<content type='text'>
commit 1a744d2eb76aaafb997fda004ae3ae62a1538f85 upstream.

Free memory allocated for address0_mutex if allocation of bandwidth_mutex
failed.

Fixes: feb26ac31a2a ("usb: core: hub: hub_port_init lock controller instead of bus")

Signed-off-by: Anton Bondarenko &lt;anton.bondarenko.sama@gmail.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1a744d2eb76aaafb997fda004ae3ae62a1538f85 upstream.

Free memory allocated for address0_mutex if allocation of bandwidth_mutex
failed.

Fixes: feb26ac31a2a ("usb: core: hub: hub_port_init lock controller instead of bus")

Signed-off-by: Anton Bondarenko &lt;anton.bondarenko.sama@gmail.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>USB: core: replace %p with %pK</title>
<updated>2017-05-25T12:17:56+00:00</updated>
<author>
<name>Vamsi Krishna Samavedam</name>
<email>vskrishn@codeaurora.org</email>
</author>
<published>2017-05-16T12:38:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2c128b70e4802fd8c999337e0aaa072d562bb92f'/>
<id>2c128b70e4802fd8c999337e0aaa072d562bb92f</id>
<content type='text'>
commit 2f964780c03b73de269b08d12aff96a9618d13f3 upstream.

Format specifier %p can leak kernel addresses while not valuing the
kptr_restrict system settings. When kptr_restrict is set to (1), kernel
pointers printed using the %pK format specifier will be replaced with
Zeros. Debugging Note : &amp;pK prints only Zeros as address. If you need
actual address information, write 0 to kptr_restrict.

echo 0 &gt; /proc/sys/kernel/kptr_restrict

[Found by poking around in a random vendor kernel tree, it would be nice
if someone would actually send these types of patches upstream - gkh]

Signed-off-by: Vamsi Krishna Samavedam &lt;vskrishn@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2f964780c03b73de269b08d12aff96a9618d13f3 upstream.

Format specifier %p can leak kernel addresses while not valuing the
kptr_restrict system settings. When kptr_restrict is set to (1), kernel
pointers printed using the %pK format specifier will be replaced with
Zeros. Debugging Note : &amp;pK prints only Zeros as address. If you need
actual address information, write 0 to kptr_restrict.

echo 0 &gt; /proc/sys/kernel/kptr_restrict

[Found by poking around in a random vendor kernel tree, it would be nice
if someone would actually send these types of patches upstream - gkh]

Signed-off-by: Vamsi Krishna Samavedam &lt;vskrishn@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>USB: fix linked-list corruption in rh_call_control()</title>
<updated>2017-04-18T05:55:54+00:00</updated>
<author>
<name>Alan Stern</name>
<email>stern@rowland.harvard.edu</email>
</author>
<published>2017-03-24T17:38:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0eccbfbc3078d4dbb981e0f6b78846eeedd2613b'/>
<id>0eccbfbc3078d4dbb981e0f6b78846eeedd2613b</id>
<content type='text'>
commit 1633682053a7ee8058e10c76722b9b28e97fb73f upstream.

Using KASAN, Dmitry found a bug in the rh_call_control() routine: If
buffer allocation fails, the routine returns immediately without
unlinking its URB from the control endpoint, eventually leading to
linked-list corruption.

This patch fixes the problem by jumping to the end of the routine
(where the URB is unlinked) when an allocation failure occurs.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Reported-and-tested-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1633682053a7ee8058e10c76722b9b28e97fb73f upstream.

Using KASAN, Dmitry found a bug in the rh_call_control() routine: If
buffer allocation fails, the routine returns immediately without
unlinking its URB from the control endpoint, eventually leading to
linked-list corruption.

This patch fixes the problem by jumping to the end of the routine
(where the URB is unlinked) when an allocation failure occurs.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Reported-and-tested-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>USB: don't free bandwidth_mutex too early</title>
<updated>2016-07-12T12:47:15+00:00</updated>
<author>
<name>Alan Stern</name>
<email>stern@rowland.harvard.edu</email>
</author>
<published>2016-06-27T14:23:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0c0ad079718231c754af426fccdfe35526c88d5d'/>
<id>0c0ad079718231c754af426fccdfe35526c88d5d</id>
<content type='text'>
[ Upstream commit ab2a4bf83902c170d29ba130a8abb5f9d90559e1 ]

The USB core contains a bug that can show up when a USB-3 host
controller is removed.  If the primary (USB-2) hcd structure is
released before the shared (USB-3) hcd, the core will try to do a
double-free of the common bandwidth_mutex.

The problem was described in graphical form by Chung-Geol Kim, who
first reported it:

=================================================
     At *remove USB(3.0) Storage
     sequence &lt;1&gt; --&gt; &lt;5&gt; ((Problem Case))
=================================================
                                  VOLD
------------------------------------|------------
                                 (uevent)
                            ________|_________
                           |&lt;1&gt;               |
                           |dwc3_otg_sm_work  |
                           |usb_put_hcd       |
                           |peer_hcd(kref=2)|
                           |__________________|
                            ________|_________
                           |&lt;2&gt;               |
                           |New USB BUS #2    |
                           |                  |
                           |peer_hcd(kref=1)  |
                           |                  |
                         --(Link)-bandXX_mutex|
                         | |__________________|
                         |
    ___________________  |
   |&lt;3&gt;                | |
   |dwc3_otg_sm_work   | |
   |usb_put_hcd        | |
   |primary_hcd(kref=1)| |
   |___________________| |
    _________|_________  |
   |&lt;4&gt;                | |
   |New USB BUS #1     | |
   |hcd_release        | |
   |primary_hcd(kref=0)| |
   |                   | |
   |bandXX_mutex(free) |&lt;-
   |___________________|
                               (( VOLD ))
                            ______|___________
                           |&lt;5&gt;               |
                           |      SCSI        |
                           |usb_put_hcd       |
                           |peer_hcd(kref=0)  |
                           |*hcd_release      |
                           |bandXX_mutex(free*)|&lt;- double free
                           |__________________|

=================================================

This happens because hcd_release() frees the bandwidth_mutex whenever
it sees a primary hcd being released (which is not a very good idea
in any case), but in the course of releasing the primary hcd, it
changes the pointers in the shared hcd in such a way that the shared
hcd will appear to be primary when it gets released.

This patch fixes the problem by changing hcd_release() so that it
deallocates the bandwidth_mutex only when the _last_ hcd structure
referencing it is released.  The patch also removes an unnecessary
test, so that when an hcd is released, both the shared_hcd and
primary_hcd pointers in the hcd's peer will be cleared.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Reported-by: Chung-Geol Kim &lt;chunggeol.kim@samsung.com&gt;
Tested-by: Chung-Geol Kim &lt;chunggeol.kim@samsung.com&gt;
CC: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit ab2a4bf83902c170d29ba130a8abb5f9d90559e1 ]

The USB core contains a bug that can show up when a USB-3 host
controller is removed.  If the primary (USB-2) hcd structure is
released before the shared (USB-3) hcd, the core will try to do a
double-free of the common bandwidth_mutex.

The problem was described in graphical form by Chung-Geol Kim, who
first reported it:

=================================================
     At *remove USB(3.0) Storage
     sequence &lt;1&gt; --&gt; &lt;5&gt; ((Problem Case))
=================================================
                                  VOLD
------------------------------------|------------
                                 (uevent)
                            ________|_________
                           |&lt;1&gt;               |
                           |dwc3_otg_sm_work  |
                           |usb_put_hcd       |
                           |peer_hcd(kref=2)|
                           |__________________|
                            ________|_________
                           |&lt;2&gt;               |
                           |New USB BUS #2    |
                           |                  |
                           |peer_hcd(kref=1)  |
                           |                  |
                         --(Link)-bandXX_mutex|
                         | |__________________|
                         |
    ___________________  |
   |&lt;3&gt;                | |
   |dwc3_otg_sm_work   | |
   |usb_put_hcd        | |
   |primary_hcd(kref=1)| |
   |___________________| |
    _________|_________  |
   |&lt;4&gt;                | |
   |New USB BUS #1     | |
   |hcd_release        | |
   |primary_hcd(kref=0)| |
   |                   | |
   |bandXX_mutex(free) |&lt;-
   |___________________|
                               (( VOLD ))
                            ______|___________
                           |&lt;5&gt;               |
                           |      SCSI        |
                           |usb_put_hcd       |
                           |peer_hcd(kref=0)  |
                           |*hcd_release      |
                           |bandXX_mutex(free*)|&lt;- double free
                           |__________________|

=================================================

This happens because hcd_release() frees the bandwidth_mutex whenever
it sees a primary hcd being released (which is not a very good idea
in any case), but in the course of releasing the primary hcd, it
changes the pointers in the shared hcd in such a way that the shared
hcd will appear to be primary when it gets released.

This patch fixes the problem by changing hcd_release() so that it
deallocates the bandwidth_mutex only when the _last_ hcd structure
referencing it is released.  The patch also removes an unnecessary
test, so that when an hcd is released, both the shared_hcd and
primary_hcd pointers in the hcd's peer will be cleared.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Reported-by: Chung-Geol Kim &lt;chunggeol.kim@samsung.com&gt;
Tested-by: Chung-Geol Kim &lt;chunggeol.kim@samsung.com&gt;
CC: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: core: hub: hub_port_init lock controller instead of bus</title>
<updated>2016-06-03T15:30:30+00:00</updated>
<author>
<name>Chris Bainbridge</name>
<email>chris.bainbridge@gmail.com</email>
</author>
<published>2016-04-25T12:48:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=42798984faa3d1a83cfc4f4a5ab99f13e6782ef9'/>
<id>42798984faa3d1a83cfc4f4a5ab99f13e6782ef9</id>
<content type='text'>
[ Upstream commit feb26ac31a2a5cb88d86680d9a94916a6343e9e6 ]

The XHCI controller presents two USB buses to the system - one for USB2
and one for USB3. The hub init code (hub_port_init) is reentrant but
only locks one bus per thread, leading to a race condition failure when
two threads attempt to simultaneously initialise a USB2 and USB3 device:

[    8.034843] xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
[   13.183701] usb 3-3: device descriptor read/all, error -110

On a test system this failure occurred on 6% of all boots.

The call traces at the point of failure are:

Call Trace:
 [&lt;ffffffff81b9bab7&gt;] schedule+0x37/0x90
 [&lt;ffffffff817da7cd&gt;] usb_kill_urb+0x8d/0xd0
 [&lt;ffffffff8111e5e0&gt;] ? wake_up_atomic_t+0x30/0x30
 [&lt;ffffffff817dafbe&gt;] usb_start_wait_urb+0xbe/0x150
 [&lt;ffffffff817db10c&gt;] usb_control_msg+0xbc/0xf0
 [&lt;ffffffff817d07de&gt;] hub_port_init+0x51e/0xb70
 [&lt;ffffffff817d4697&gt;] hub_event+0x817/0x1570
 [&lt;ffffffff810f3e6f&gt;] process_one_work+0x1ff/0x620
 [&lt;ffffffff810f3dcf&gt;] ? process_one_work+0x15f/0x620
 [&lt;ffffffff810f4684&gt;] worker_thread+0x64/0x4b0
 [&lt;ffffffff810f4620&gt;] ? rescuer_thread+0x390/0x390
 [&lt;ffffffff810fa7f5&gt;] kthread+0x105/0x120
 [&lt;ffffffff810fa6f0&gt;] ? kthread_create_on_node+0x200/0x200
 [&lt;ffffffff81ba183f&gt;] ret_from_fork+0x3f/0x70
 [&lt;ffffffff810fa6f0&gt;] ? kthread_create_on_node+0x200/0x200

Call Trace:
 [&lt;ffffffff817fd36d&gt;] xhci_setup_device+0x53d/0xa40
 [&lt;ffffffff817fd87e&gt;] xhci_address_device+0xe/0x10
 [&lt;ffffffff817d047f&gt;] hub_port_init+0x1bf/0xb70
 [&lt;ffffffff811247ed&gt;] ? trace_hardirqs_on+0xd/0x10
 [&lt;ffffffff817d4697&gt;] hub_event+0x817/0x1570
 [&lt;ffffffff810f3e6f&gt;] process_one_work+0x1ff/0x620
 [&lt;ffffffff810f3dcf&gt;] ? process_one_work+0x15f/0x620
 [&lt;ffffffff810f4684&gt;] worker_thread+0x64/0x4b0
 [&lt;ffffffff810f4620&gt;] ? rescuer_thread+0x390/0x390
 [&lt;ffffffff810fa7f5&gt;] kthread+0x105/0x120
 [&lt;ffffffff810fa6f0&gt;] ? kthread_create_on_node+0x200/0x200
 [&lt;ffffffff81ba183f&gt;] ret_from_fork+0x3f/0x70
 [&lt;ffffffff810fa6f0&gt;] ? kthread_create_on_node+0x200/0x200

Which results from the two call chains:

hub_port_init
 usb_get_device_descriptor
  usb_get_descriptor
   usb_control_msg
    usb_internal_control_msg
     usb_start_wait_urb
      usb_submit_urb / wait_for_completion_timeout / usb_kill_urb

hub_port_init
 hub_set_address
  xhci_address_device
   xhci_setup_device

Mathias Nyman explains the current behaviour violates the XHCI spec:

 hub_port_reset() will end up moving the corresponding xhci device slot
 to default state.

 As hub_port_reset() is called several times in hub_port_init() it
 sounds reasonable that we could end up with two threads having their
 xhci device slots in default state at the same time, which according to
 xhci 4.5.3 specs still is a big no no:

 "Note: Software shall not transition more than one Device Slot to the
  Default State at a time"

 So both threads fail at their next task after this.
 One fails to read the descriptor, and the other fails addressing the
 device.

Fix this in hub_port_init by locking the USB controller (instead of an
individual bus) to prevent simultaneous initialisation of both buses.

Fixes: 638139eb95d2 ("usb: hub: allow to process more usb hub events in parallel")
Link: https://lkml.org/lkml/2016/2/8/312
Link: https://lkml.org/lkml/2016/2/4/748
Signed-off-by: Chris Bainbridge &lt;chris.bainbridge@gmail.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Acked-by: Mathias Nyman &lt;mathias.nyman@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit feb26ac31a2a5cb88d86680d9a94916a6343e9e6 ]

The XHCI controller presents two USB buses to the system - one for USB2
and one for USB3. The hub init code (hub_port_init) is reentrant but
only locks one bus per thread, leading to a race condition failure when
two threads attempt to simultaneously initialise a USB2 and USB3 device:

[    8.034843] xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
[   13.183701] usb 3-3: device descriptor read/all, error -110

On a test system this failure occurred on 6% of all boots.

The call traces at the point of failure are:

Call Trace:
 [&lt;ffffffff81b9bab7&gt;] schedule+0x37/0x90
 [&lt;ffffffff817da7cd&gt;] usb_kill_urb+0x8d/0xd0
 [&lt;ffffffff8111e5e0&gt;] ? wake_up_atomic_t+0x30/0x30
 [&lt;ffffffff817dafbe&gt;] usb_start_wait_urb+0xbe/0x150
 [&lt;ffffffff817db10c&gt;] usb_control_msg+0xbc/0xf0
 [&lt;ffffffff817d07de&gt;] hub_port_init+0x51e/0xb70
 [&lt;ffffffff817d4697&gt;] hub_event+0x817/0x1570
 [&lt;ffffffff810f3e6f&gt;] process_one_work+0x1ff/0x620
 [&lt;ffffffff810f3dcf&gt;] ? process_one_work+0x15f/0x620
 [&lt;ffffffff810f4684&gt;] worker_thread+0x64/0x4b0
 [&lt;ffffffff810f4620&gt;] ? rescuer_thread+0x390/0x390
 [&lt;ffffffff810fa7f5&gt;] kthread+0x105/0x120
 [&lt;ffffffff810fa6f0&gt;] ? kthread_create_on_node+0x200/0x200
 [&lt;ffffffff81ba183f&gt;] ret_from_fork+0x3f/0x70
 [&lt;ffffffff810fa6f0&gt;] ? kthread_create_on_node+0x200/0x200

Call Trace:
 [&lt;ffffffff817fd36d&gt;] xhci_setup_device+0x53d/0xa40
 [&lt;ffffffff817fd87e&gt;] xhci_address_device+0xe/0x10
 [&lt;ffffffff817d047f&gt;] hub_port_init+0x1bf/0xb70
 [&lt;ffffffff811247ed&gt;] ? trace_hardirqs_on+0xd/0x10
 [&lt;ffffffff817d4697&gt;] hub_event+0x817/0x1570
 [&lt;ffffffff810f3e6f&gt;] process_one_work+0x1ff/0x620
 [&lt;ffffffff810f3dcf&gt;] ? process_one_work+0x15f/0x620
 [&lt;ffffffff810f4684&gt;] worker_thread+0x64/0x4b0
 [&lt;ffffffff810f4620&gt;] ? rescuer_thread+0x390/0x390
 [&lt;ffffffff810fa7f5&gt;] kthread+0x105/0x120
 [&lt;ffffffff810fa6f0&gt;] ? kthread_create_on_node+0x200/0x200
 [&lt;ffffffff81ba183f&gt;] ret_from_fork+0x3f/0x70
 [&lt;ffffffff810fa6f0&gt;] ? kthread_create_on_node+0x200/0x200

Which results from the two call chains:

hub_port_init
 usb_get_device_descriptor
  usb_get_descriptor
   usb_control_msg
    usb_internal_control_msg
     usb_start_wait_urb
      usb_submit_urb / wait_for_completion_timeout / usb_kill_urb

hub_port_init
 hub_set_address
  xhci_address_device
   xhci_setup_device

Mathias Nyman explains the current behaviour violates the XHCI spec:

 hub_port_reset() will end up moving the corresponding xhci device slot
 to default state.

 As hub_port_reset() is called several times in hub_port_init() it
 sounds reasonable that we could end up with two threads having their
 xhci device slots in default state at the same time, which according to
 xhci 4.5.3 specs still is a big no no:

 "Note: Software shall not transition more than one Device Slot to the
  Default State at a time"

 So both threads fail at their next task after this.
 One fails to read the descriptor, and the other fails addressing the
 device.

Fix this in hub_port_init by locking the USB controller (instead of an
individual bus) to prevent simultaneous initialisation of both buses.

Fixes: 638139eb95d2 ("usb: hub: allow to process more usb hub events in parallel")
Link: https://lkml.org/lkml/2016/2/8/312
Link: https://lkml.org/lkml/2016/2/4/748
Signed-off-by: Chris Bainbridge &lt;chris.bainbridge@gmail.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Acked-by: Mathias Nyman &lt;mathias.nyman@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: fix use-after-free bug in usb_hcd_unlink_urb()</title>
<updated>2015-03-06T22:53:00+00:00</updated>
<author>
<name>Alan Stern</name>
<email>stern@rowland.harvard.edu</email>
</author>
<published>2015-01-30T17:58:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7a0c5e127978f870250579a7dc46293a0dd249ea'/>
<id>7a0c5e127978f870250579a7dc46293a0dd249ea</id>
<content type='text'>
commit c99197902da284b4b723451c1471c45b18537cde upstream.

The usb_hcd_unlink_urb() routine in hcd.c contains two possible
use-after-free errors.  The dev_dbg() statement at the end of the
routine dereferences urb and urb-&gt;dev even though both structures may
have been deallocated.

This patch fixes the problem by storing urb-&gt;dev in a local variable
(avoiding the dereference of urb) and moving the dev_dbg() up before
the usb_put_dev() call.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Reported-by: Joe Lawrence &lt;joe.lawrence@stratus.com&gt;
Tested-by: Joe Lawrence &lt;joe.lawrence@stratus.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;greg@kroah.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c99197902da284b4b723451c1471c45b18537cde upstream.

The usb_hcd_unlink_urb() routine in hcd.c contains two possible
use-after-free errors.  The dev_dbg() statement at the end of the
routine dereferences urb and urb-&gt;dev even though both structures may
have been deallocated.

This patch fixes the problem by storing urb-&gt;dev in a local variable
(avoiding the dereference of urb) and moving the dev_dbg() up before
the usb_put_dev() call.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Reported-by: Joe Lawrence &lt;joe.lawrence@stratus.com&gt;
Tested-by: Joe Lawrence &lt;joe.lawrence@stratus.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;greg@kroah.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>usb: Do not allow usb_alloc_streams on unconfigured devices</title>
<updated>2014-11-03T23:26:15+00:00</updated>
<author>
<name>Hans de Goede</name>
<email>hdegoede@redhat.com</email>
</author>
<published>2014-10-01T09:29:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=90a646c770c50cc206ceba0d7b50453c46c13c36'/>
<id>90a646c770c50cc206ceba0d7b50453c46c13c36</id>
<content type='text'>
This commit fixes the following oops:

[10238.622067] scsi host3: uas_eh_bus_reset_handler start
[10240.766164] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
[10245.779365] usb 3-4: device descriptor read/8, error -110
[10245.883331] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
[10250.897603] usb 3-4: device descriptor read/8, error -110
[10251.058200] BUG: unable to handle kernel NULL pointer dereference at  0000000000000040
[10251.058244] IP: [&lt;ffffffff815ac6e1&gt;] xhci_check_streams_endpoint+0x91/0x140
&lt;snip&gt;
[10251.059473] Call Trace:
[10251.059487]  [&lt;ffffffff815aca6c&gt;] xhci_calculate_streams_and_bitmask+0xbc/0x130
[10251.059520]  [&lt;ffffffff815aeb5f&gt;] xhci_alloc_streams+0x10f/0x5a0
[10251.059548]  [&lt;ffffffff810a4685&gt;] ? check_preempt_curr+0x75/0xa0
[10251.059575]  [&lt;ffffffff810a46dc&gt;] ? ttwu_do_wakeup+0x2c/0x100
[10251.059601]  [&lt;ffffffff810a49e6&gt;] ? ttwu_do_activate.constprop.111+0x66/0x70
[10251.059635]  [&lt;ffffffff815779ab&gt;] usb_alloc_streams+0xab/0xf0
[10251.059662]  [&lt;ffffffffc0616b48&gt;] uas_configure_endpoints+0x128/0x150 [uas]
[10251.059694]  [&lt;ffffffffc0616bac&gt;] uas_post_reset+0x3c/0xb0 [uas]
[10251.059722]  [&lt;ffffffff815727d9&gt;] usb_reset_device+0x1b9/0x2a0
[10251.059749]  [&lt;ffffffffc0616f42&gt;] uas_eh_bus_reset_handler+0xb2/0x190 [uas]
[10251.059781]  [&lt;ffffffff81514293&gt;] scsi_try_bus_reset+0x53/0x110
[10251.059808]  [&lt;ffffffff815163b7&gt;] scsi_eh_bus_reset+0xf7/0x270
&lt;snip&gt;

The problem is the following call sequence (simplified):

1) usb_reset_device
2)  usb_reset_and_verify_device
2)   hub_port_init
3)    hub_port_finish_reset
3)     xhci_discover_or_reset_device
        This frees xhci-&gt;devs[slot_id]-&gt;eps[ep_index].ring for all eps but 0
4)    usb_get_device_descriptor
       This fails
5)   hub_port_init fails
6)  usb_reset_and_verify_device fails, does not restore device config
7)  uas_post_reset
8)   xhci_alloc_streams
      NULL deref on the free-ed ring

This commit fixes this by not allowing usb_alloc_streams to continue if
the device is not configured.

Note that we do allow usb_free_streams to continue after a (logical)
disconnect, as it is necessary to explicitly free the streams at the xhci
controller level.

Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede &lt;hdegoede@redhat.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This commit fixes the following oops:

[10238.622067] scsi host3: uas_eh_bus_reset_handler start
[10240.766164] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
[10245.779365] usb 3-4: device descriptor read/8, error -110
[10245.883331] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
[10250.897603] usb 3-4: device descriptor read/8, error -110
[10251.058200] BUG: unable to handle kernel NULL pointer dereference at  0000000000000040
[10251.058244] IP: [&lt;ffffffff815ac6e1&gt;] xhci_check_streams_endpoint+0x91/0x140
&lt;snip&gt;
[10251.059473] Call Trace:
[10251.059487]  [&lt;ffffffff815aca6c&gt;] xhci_calculate_streams_and_bitmask+0xbc/0x130
[10251.059520]  [&lt;ffffffff815aeb5f&gt;] xhci_alloc_streams+0x10f/0x5a0
[10251.059548]  [&lt;ffffffff810a4685&gt;] ? check_preempt_curr+0x75/0xa0
[10251.059575]  [&lt;ffffffff810a46dc&gt;] ? ttwu_do_wakeup+0x2c/0x100
[10251.059601]  [&lt;ffffffff810a49e6&gt;] ? ttwu_do_activate.constprop.111+0x66/0x70
[10251.059635]  [&lt;ffffffff815779ab&gt;] usb_alloc_streams+0xab/0xf0
[10251.059662]  [&lt;ffffffffc0616b48&gt;] uas_configure_endpoints+0x128/0x150 [uas]
[10251.059694]  [&lt;ffffffffc0616bac&gt;] uas_post_reset+0x3c/0xb0 [uas]
[10251.059722]  [&lt;ffffffff815727d9&gt;] usb_reset_device+0x1b9/0x2a0
[10251.059749]  [&lt;ffffffffc0616f42&gt;] uas_eh_bus_reset_handler+0xb2/0x190 [uas]
[10251.059781]  [&lt;ffffffff81514293&gt;] scsi_try_bus_reset+0x53/0x110
[10251.059808]  [&lt;ffffffff815163b7&gt;] scsi_eh_bus_reset+0xf7/0x270
&lt;snip&gt;

The problem is the following call sequence (simplified):

1) usb_reset_device
2)  usb_reset_and_verify_device
2)   hub_port_init
3)    hub_port_finish_reset
3)     xhci_discover_or_reset_device
        This frees xhci-&gt;devs[slot_id]-&gt;eps[ep_index].ring for all eps but 0
4)    usb_get_device_descriptor
       This fails
5)   hub_port_init fails
6)  usb_reset_and_verify_device fails, does not restore device config
7)  uas_post_reset
8)   xhci_alloc_streams
      NULL deref on the free-ed ring

This commit fixes this by not allowing usb_alloc_streams to continue if
the device is not configured.

Note that we do allow usb_free_streams to continue after a (logical)
disconnect, as it is necessary to explicitly free the streams at the xhci
controller level.

Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede &lt;hdegoede@redhat.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
