releases/4.10.7/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch

   1 From 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc Mon Sep 17 00:00:00 2001
   2 From: Guenter Roeck <linux@roeck-us.net>
   3 Date: Wed, 8 Mar 2017 10:19:36 -0800
   4 Subject: usb: hub: Fix crash after failure to read BOS descriptor
   5
   6 From: Guenter Roeck <linux@roeck-us.net>
   7
   8 commit 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc upstream.
   9
  10 If usb_get_bos_descriptor() returns an error, usb->bos will be NULL.
  11 Nevertheless, it is dereferenced unconditionally in
  12 hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set.
  13 This results in a crash.
  14
  15 usb 5-1: unable to get BOS descriptor
  16 ...
  17 Unable to handle kernel NULL pointer dereference at virtual address 00000008
  18 pgd = ffffffc00165f000
  19 [00000008] *pgd=000000000174f003, *pud=000000000174f003,
  20                 *pmd=0000000001750003, *pte=00e8000001751713
  21 Internal error: Oops: 96000005 [#1] PREEMPT SMP
  22 Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ]
  23 CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G    B 4.4.52 #480
  24 Hardware name: Google Kevin (DT)
  25 Workqueue: events driver_set_config_work
  26 task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000
  27 PC is at hub_port_init+0xc3c/0xd10
  28 LR is at hub_port_init+0xc3c/0xd10
  29 ...
  30 Call trace:
  31 [<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10
  32 [<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c
  33 [<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298
  34 [<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152]
  35 [<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8
  36 [<ffffffc000774a24>] driver_probe_device+0x180/0x3b4
  37 [<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0
  38 [<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4
  39 [<ffffffc0007747ec>] __device_attach+0xd0/0x158
  40 [<ffffffc000775080>] device_initial_probe+0x24/0x30
  41 [<ffffffc0007739d4>] bus_probe_device+0x50/0xe4
  42 [<ffffffc000770bd0>] device_add+0x414/0x738
  43 [<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914
  44 [<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0
  45 [<ffffffc000249bb8>] process_one_work+0x390/0x6b8
  46 [<ffffffc00024abcc>] worker_thread+0x480/0x610
  47 [<ffffffc000251a80>] kthread+0x164/0x178
  48 [<ffffffc0002045d0>] ret_from_fork+0x10/0x40
  49
  50 Since we don't know anything about LPM capabilities without BOS descriptor,
  51 don't attempt to enable LPM if it is not available.
  52
  53 Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...")
  54 Cc: Mathias Nyman <mathias.nyman@linux.intel.com>
  55 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
  56 Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
  57 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  58
  59 ---
  60  drivers/usb/core/hub.c |    2 +-
  61  1 file changed, 1 insertion(+), 1 deletion(-)
  62
  63 --- a/drivers/usb/core/hub.c
  64 +++ b/drivers/usb/core/hub.c
  65 @@ -4275,7 +4275,7 @@ static void hub_set_initial_usb2_lpm_pol
  66         struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
  67         int connect_type = USB_PORT_CONNECT_TYPE_UNKNOWN;
  68
  69 -       if (!udev->usb2_hw_lpm_capable)
  70 +       if (!udev->usb2_hw_lpm_capable || !udev->bos)
  71                 return;
  72
  73         if (hub)