From: Greg Kroah-Hartman Date: Tue, 17 Jan 2017 13:12:14 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.9.5~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fb13cba2cee6d719cffc7d503ba1c76f8b5f772b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: i2c-fix-kernel-memory-disclosure-in-dev-interface.patch i2c-print-correct-device-invalid-address.patch input-elants_i2c-avoid-divide-by-0-errors-on-bad-touchscreen-data.patch mnt-protect-the-mountpoint-hashtable-with-mount_lock.patch vme-fix-wrong-pointer-utilization-in-ca91cx42_slave_get.patch xhci-fix-deadlock-at-host-remove-by-running-watchdog-correctly.patch --- diff --git a/queue-4.4/i2c-fix-kernel-memory-disclosure-in-dev-interface.patch b/queue-4.4/i2c-fix-kernel-memory-disclosure-in-dev-interface.patch new file mode 100644 index 00000000000..1ef5f9c75a5 --- /dev/null +++ b/queue-4.4/i2c-fix-kernel-memory-disclosure-in-dev-interface.patch @@ -0,0 +1,32 @@ +From 30f939feaeee23e21391cfc7b484f012eb189c3c Mon Sep 17 00:00:00 2001 +From: Vlad Tsyrklevich +Date: Mon, 9 Jan 2017 22:53:36 +0700 +Subject: i2c: fix kernel memory disclosure in dev interface + +From: Vlad Tsyrklevich + +commit 30f939feaeee23e21391cfc7b484f012eb189c3c upstream. + +i2c_smbus_xfer() does not always fill an entire block, allowing +kernel stack memory disclosure through the temp variable. Clear +it before it's read to. + +Signed-off-by: Vlad Tsyrklevich +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/i2c-dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -329,7 +329,7 @@ static noinline int i2cdev_ioctl_smbus(s + unsigned long arg) + { + struct i2c_smbus_ioctl_data data_arg; +- union i2c_smbus_data temp; ++ union i2c_smbus_data temp = {}; + int datasize, res; + + if (copy_from_user(&data_arg, diff --git a/queue-4.4/i2c-print-correct-device-invalid-address.patch b/queue-4.4/i2c-print-correct-device-invalid-address.patch new file mode 100644 index 00000000000..118ff057c81 --- /dev/null +++ b/queue-4.4/i2c-print-correct-device-invalid-address.patch @@ -0,0 +1,36 @@ +From 6f724fb3039522486fce2e32e4c0fbe238a6ab02 Mon Sep 17 00:00:00 2001 +From: John Garry +Date: Fri, 6 Jan 2017 19:02:57 +0800 +Subject: i2c: print correct device invalid address + +From: John Garry + +commit 6f724fb3039522486fce2e32e4c0fbe238a6ab02 upstream. + +In of_i2c_register_device(), when the check for +device address validity fails we print the info.addr, +which has not been assigned properly. + +Fix this by printing the actual invalid address. + +Signed-off-by: John Garry +Reviewed-by: Vladimir Zapolskiy +Signed-off-by: Wolfram Sang +Fixes: b4e2f6ac1281 ("i2c: apply DT flags when probing") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/i2c-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/i2c-core.c ++++ b/drivers/i2c/i2c-core.c +@@ -1400,7 +1400,7 @@ static struct i2c_client *of_i2c_registe + + if (i2c_check_addr_validity(addr, info.flags)) { + dev_err(&adap->dev, "of_i2c: invalid addr=%x on %s\n", +- info.addr, node->full_name); ++ addr, node->full_name); + return ERR_PTR(-EINVAL); + } + diff --git a/queue-4.4/input-elants_i2c-avoid-divide-by-0-errors-on-bad-touchscreen-data.patch b/queue-4.4/input-elants_i2c-avoid-divide-by-0-errors-on-bad-touchscreen-data.patch new file mode 100644 index 00000000000..7f276efa2a5 --- /dev/null +++ b/queue-4.4/input-elants_i2c-avoid-divide-by-0-errors-on-bad-touchscreen-data.patch @@ -0,0 +1,91 @@ +From 1c3415a06b1016a596bfe59e0cfee56c773aa958 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 5 Jan 2017 14:14:54 -0800 +Subject: Input: elants_i2c - avoid divide by 0 errors on bad touchscreen data + +From: Guenter Roeck + +commit 1c3415a06b1016a596bfe59e0cfee56c773aa958 upstream. + +The following crash may be seen if bad data is received from the +touchscreen. + +[ 2189.425150] elants_i2c i2c-ELAN0001:00: unknown packet ff ff ff ff +[ 2189.430738] divide error: 0000 [#1] PREEMPT SMP +[ 2189.434679] gsmi: Log Shutdown Reason 0x03 +[ 2189.434689] Modules linked in: ip6t_REJECT nf_reject_ipv6 rfcomm evdi +uinput uvcvideo cmac videobuf2_vmalloc videobuf2_memops snd_hda_codec_hdmi +i2c_dev videobuf2_core snd_soc_sst_cht_bsw_rt5645 snd_hda_intel +snd_intel_sst_acpi btusb btrtl btbcm btintel bluetooth snd_soc_sst_acpi +snd_hda_codec snd_intel_sst_core snd_hwdep snd_soc_sst_mfld_platform +snd_hda_core snd_soc_rt5645 memconsole_x86_legacy memconsole zram snd_soc_rl6231 +fuse ip6table_filter iwlmvm iwlwifi iwl7000_mac80211 cfg80211 iio_trig_sysfs +joydev cros_ec_sensors cros_ec_sensors_core industrialio_triggered_buffer +kfifo_buf industrialio snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq +snd_seq_device ppp_async ppp_generic slhc tun +[ 2189.434866] CPU: 0 PID: 106 Comm: irq/184-ELAN000 Tainted: G W +3.18.0-13101-g57e8190 #1 +[ 2189.434883] Hardware name: GOOGLE Ultima, BIOS Google_Ultima.7287.131.43 07/20/2016 +[ 2189.434898] task: ffff88017a0b6d80 ti: ffff88017a2bc000 task.ti: ffff88017a2bc000 +[ 2189.434913] RIP: 0010:[] [] elants_i2c_irq+0x190/0x200 +[ 2189.434937] RSP: 0018:ffff88017a2bfd98 EFLAGS: 00010293 +[ 2189.434948] RAX: 0000000000000000 RBX: ffff88017a967828 RCX: ffff88017a9678e8 +[ 2189.434962] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000000 +[ 2189.434975] RBP: ffff88017a2bfdd8 R08: 00000000000003e8 R09: 0000000000000000 +[ 2189.434989] R10: 0000000000000000 R11: 000000000044a2bd R12: ffff88017a991800 +[ 2189.435001] R13: ffffffffbe8a2a53 R14: ffff88017a0b6d80 R15: ffff88017a0b6d80 +[ 2189.435011] FS: 0000000000000000(0000) GS:ffff88017fc00000(0000) knlGS:0000000000000000 +[ 2189.435022] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 2189.435030] CR2: 00007f678d94b000 CR3: 000000003f41a000 CR4: 00000000001007f0 +[ 2189.435039] Stack: +[ 2189.435044] ffff88017a2bfda8 ffff88017a9678e8 646464647a2bfdd8 0000000006e09574 +[ 2189.435060] 0000000000000000 ffff88017a088b80 ffff88017a921000 ffffffffbe8a2a53 +[ 2189.435074] ffff88017a2bfe08 ffffffffbe8a2a73 ffff88017a0b6d80 0000000006e09574 +[ 2189.435089] Call Trace: +[ 2189.435101] [] ? irq_thread_dtor+0xa9/0xa9 +[ 2189.435112] [] irq_thread_fn+0x20/0x40 +[ 2189.435123] [] irq_thread+0x14e/0x222 +[ 2189.435135] [] ? __schedule+0x3b3/0x57a +[ 2189.435145] [] ? wake_threads_waitq+0x2d/0x2d +[ 2189.435156] [] ? irq_thread_fn+0x40/0x40 +[ 2189.435168] [] kthread+0x10e/0x116 +[ 2189.435178] [] ? __kthread_parkme+0x67/0x67 +[ 2189.435189] [] ret_from_fork+0x7c/0xb0 +[ 2189.435199] [] ? __kthread_parkme+0x67/0x67 +[ 2189.435208] Code: ff ff eb 73 0f b6 bb c1 00 00 00 83 ff 03 7e 13 49 8d 7c +24 20 ba 04 00 00 00 48 c7 c6 8a cd 21 bf eb 4d 0f b6 83 c2 00 00 00 99 ff +83 f8 37 75 15 48 6b f7 37 4c 8d a3 c4 00 00 00 4c 8d ac +[ 2189.435312] RIP [] elants_i2c_irq+0x190/0x200 +[ 2189.435323] RSP +[ 2189.435350] ---[ end trace f4945345a75d96dd ]--- +[ 2189.443841] Kernel panic - not syncing: Fatal exception +[ 2189.444307] Kernel Offset: 0x3d800000 from 0xffffffff81000000 + (relocation range: 0xffffffff80000000-0xffffffffbfffffff) +[ 2189.444519] gsmi: Log Shutdown Reason 0x02 + +The problem was seen with a 3.18 based kernel, but there is no reason +to believe that the upstream code is safe. + +Fixes: 66aee90088da2 ("Input: add support for Elan eKTH I2C touchscreens") +Signed-off-by: Guenter Roeck +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/elants_i2c.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/input/touchscreen/elants_i2c.c ++++ b/drivers/input/touchscreen/elants_i2c.c +@@ -905,9 +905,9 @@ static irqreturn_t elants_i2c_irq(int ir + + case QUEUE_HEADER_NORMAL: + report_count = ts->buf[FW_HDR_COUNT]; +- if (report_count > 3) { ++ if (report_count == 0 || report_count > 3) { + dev_err(&client->dev, +- "too large report count: %*ph\n", ++ "bad report count: %*ph\n", + HEADER_SIZE, ts->buf); + break; + } diff --git a/queue-4.4/mnt-protect-the-mountpoint-hashtable-with-mount_lock.patch b/queue-4.4/mnt-protect-the-mountpoint-hashtable-with-mount_lock.patch new file mode 100644 index 00000000000..fdf09af29a3 --- /dev/null +++ b/queue-4.4/mnt-protect-the-mountpoint-hashtable-with-mount_lock.patch @@ -0,0 +1,191 @@ +From 3895dbf8985f656675b5bde610723a29cbce3fa7 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Tue, 3 Jan 2017 14:18:43 +1300 +Subject: mnt: Protect the mountpoint hashtable with mount_lock + +From: Eric W. Biederman + +commit 3895dbf8985f656675b5bde610723a29cbce3fa7 upstream. + +Protecting the mountpoint hashtable with namespace_sem was sufficient +until a call to umount_mnt was added to mntput_no_expire. At which +point it became possible for multiple calls of put_mountpoint on +the same hash chain to happen on the same time. + +Kristen Johansen reported: +> This can cause a panic when simultaneous callers of put_mountpoint +> attempt to free the same mountpoint. This occurs because some callers +> hold the mount_hash_lock, while others hold the namespace lock. Some +> even hold both. +> +> In this submitter's case, the panic manifested itself as a GP fault in +> put_mountpoint() when it called hlist_del() and attempted to dereference +> a m_hash.pprev that had been poisioned by another thread. + +Al Viro observed that the simple fix is to switch from using the namespace_sem +to the mount_lock to protect the mountpoint hash table. + +I have taken Al's suggested patch moved put_mountpoint in pivot_root +(instead of taking mount_lock an additional time), and have replaced +new_mountpoint with get_mountpoint a function that does the hash table +lookup and addition under the mount_lock. The introduction of get_mounptoint +ensures that only the mount_lock is needed to manipulate the mountpoint +hashtable. + +d_set_mounted is modified to only set DCACHE_MOUNTED if it is not +already set. This allows get_mountpoint to use the setting of +DCACHE_MOUNTED to ensure adding a struct mountpoint for a dentry +happens exactly once. + +Fixes: ce07d891a089 ("mnt: Honor MNT_LOCKED when detaching mounts") +Reported-by: Krister Johansen +Suggested-by: Al Viro +Acked-by: Al Viro +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dcache.c | 7 ++++-- + fs/namespace.c | 64 ++++++++++++++++++++++++++++++++++++++++----------------- + 2 files changed, 50 insertions(+), 21 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1322,8 +1322,11 @@ int d_set_mounted(struct dentry *dentry) + } + spin_lock(&dentry->d_lock); + if (!d_unlinked(dentry)) { +- dentry->d_flags |= DCACHE_MOUNTED; +- ret = 0; ++ ret = -EBUSY; ++ if (!d_mountpoint(dentry)) { ++ dentry->d_flags |= DCACHE_MOUNTED; ++ ret = 0; ++ } + } + spin_unlock(&dentry->d_lock); + out: +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -743,26 +743,50 @@ static struct mountpoint *lookup_mountpo + return NULL; + } + +-static struct mountpoint *new_mountpoint(struct dentry *dentry) ++static struct mountpoint *get_mountpoint(struct dentry *dentry) + { +- struct hlist_head *chain = mp_hash(dentry); +- struct mountpoint *mp; ++ struct mountpoint *mp, *new = NULL; + int ret; + +- mp = kmalloc(sizeof(struct mountpoint), GFP_KERNEL); +- if (!mp) ++ if (d_mountpoint(dentry)) { ++mountpoint: ++ read_seqlock_excl(&mount_lock); ++ mp = lookup_mountpoint(dentry); ++ read_sequnlock_excl(&mount_lock); ++ if (mp) ++ goto done; ++ } ++ ++ if (!new) ++ new = kmalloc(sizeof(struct mountpoint), GFP_KERNEL); ++ if (!new) + return ERR_PTR(-ENOMEM); + ++ ++ /* Exactly one processes may set d_mounted */ + ret = d_set_mounted(dentry); +- if (ret) { +- kfree(mp); +- return ERR_PTR(ret); +- } + +- mp->m_dentry = dentry; +- mp->m_count = 1; +- hlist_add_head(&mp->m_hash, chain); +- INIT_HLIST_HEAD(&mp->m_list); ++ /* Someone else set d_mounted? */ ++ if (ret == -EBUSY) ++ goto mountpoint; ++ ++ /* The dentry is not available as a mountpoint? */ ++ mp = ERR_PTR(ret); ++ if (ret) ++ goto done; ++ ++ /* Add the new mountpoint to the hash table */ ++ read_seqlock_excl(&mount_lock); ++ new->m_dentry = dentry; ++ new->m_count = 1; ++ hlist_add_head(&new->m_hash, mp_hash(dentry)); ++ INIT_HLIST_HEAD(&new->m_list); ++ read_sequnlock_excl(&mount_lock); ++ ++ mp = new; ++ new = NULL; ++done: ++ kfree(new); + return mp; + } + +@@ -1557,11 +1581,11 @@ void __detach_mounts(struct dentry *dent + struct mount *mnt; + + namespace_lock(); ++ lock_mount_hash(); + mp = lookup_mountpoint(dentry); + if (IS_ERR_OR_NULL(mp)) + goto out_unlock; + +- lock_mount_hash(); + event++; + while (!hlist_empty(&mp->m_list)) { + mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list); +@@ -1571,9 +1595,9 @@ void __detach_mounts(struct dentry *dent + } + else umount_tree(mnt, UMOUNT_CONNECTED); + } +- unlock_mount_hash(); + put_mountpoint(mp); + out_unlock: ++ unlock_mount_hash(); + namespace_unlock(); + } + +@@ -1962,9 +1986,7 @@ retry: + namespace_lock(); + mnt = lookup_mnt(path); + if (likely(!mnt)) { +- struct mountpoint *mp = lookup_mountpoint(dentry); +- if (!mp) +- mp = new_mountpoint(dentry); ++ struct mountpoint *mp = get_mountpoint(dentry); + if (IS_ERR(mp)) { + namespace_unlock(); + mutex_unlock(&dentry->d_inode->i_mutex); +@@ -1983,7 +2005,11 @@ retry: + static void unlock_mount(struct mountpoint *where) + { + struct dentry *dentry = where->m_dentry; ++ ++ read_seqlock_excl(&mount_lock); + put_mountpoint(where); ++ read_sequnlock_excl(&mount_lock); ++ + namespace_unlock(); + mutex_unlock(&dentry->d_inode->i_mutex); + } +@@ -3055,9 +3081,9 @@ SYSCALL_DEFINE2(pivot_root, const char _ + touch_mnt_namespace(current->nsproxy->mnt_ns); + /* A moved mount should not expire automatically */ + list_del_init(&new_mnt->mnt_expire); ++ put_mountpoint(root_mp); + unlock_mount_hash(); + chroot_fs_refs(&root, &new); +- put_mountpoint(root_mp); + error = 0; + out4: + unlock_mount(old_mp); diff --git a/queue-4.4/series b/queue-4.4/series index cd6ea90332e..c5d1a44d2eb 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -20,3 +20,9 @@ usb-serial-ch341-fix-resume-after-reset.patch usb-serial-ch341-fix-open-error-handling.patch usb-serial-ch341-fix-control-message-error-handling.patch usb-serial-ch341-fix-open-and-resume-after-b0.patch +input-elants_i2c-avoid-divide-by-0-errors-on-bad-touchscreen-data.patch +i2c-print-correct-device-invalid-address.patch +i2c-fix-kernel-memory-disclosure-in-dev-interface.patch +xhci-fix-deadlock-at-host-remove-by-running-watchdog-correctly.patch +vme-fix-wrong-pointer-utilization-in-ca91cx42_slave_get.patch +mnt-protect-the-mountpoint-hashtable-with-mount_lock.patch diff --git a/queue-4.4/vme-fix-wrong-pointer-utilization-in-ca91cx42_slave_get.patch b/queue-4.4/vme-fix-wrong-pointer-utilization-in-ca91cx42_slave_get.patch new file mode 100644 index 00000000000..e62b10e847a --- /dev/null +++ b/queue-4.4/vme-fix-wrong-pointer-utilization-in-ca91cx42_slave_get.patch @@ -0,0 +1,46 @@ +From c8a6a09c1c617402cc9254b2bc8da359a0347d75 Mon Sep 17 00:00:00 2001 +From: Augusto Mecking Caringi +Date: Tue, 10 Jan 2017 10:45:00 +0000 +Subject: vme: Fix wrong pointer utilization in ca91cx42_slave_get +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Augusto Mecking Caringi + +commit c8a6a09c1c617402cc9254b2bc8da359a0347d75 upstream. + +In ca91cx42_slave_get function, the value pointed by vme_base pointer is +set through: + +*vme_base = ioread32(bridge->base + CA91CX42_VSI_BS[i]); + +So it must be dereferenced to be used in calculation of pci_base: + +*pci_base = (dma_addr_t)*vme_base + pci_offset; + +This bug was caught thanks to the following gcc warning: + +drivers/vme/bridges/vme_ca91cx42.c: In function ‘ca91cx42_slave_get’: +drivers/vme/bridges/vme_ca91cx42.c:467:14: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] +*pci_base = (dma_addr_t)vme_base + pci_offset; + +Signed-off-by: Augusto Mecking Caringi +Acked-By: Martyn Welch +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vme/bridges/vme_ca91cx42.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vme/bridges/vme_ca91cx42.c ++++ b/drivers/vme/bridges/vme_ca91cx42.c +@@ -467,7 +467,7 @@ static int ca91cx42_slave_get(struct vme + vme_bound = ioread32(bridge->base + CA91CX42_VSI_BD[i]); + pci_offset = ioread32(bridge->base + CA91CX42_VSI_TO[i]); + +- *pci_base = (dma_addr_t)vme_base + pci_offset; ++ *pci_base = (dma_addr_t)*vme_base + pci_offset; + *size = (unsigned long long)((vme_bound - *vme_base) + granularity); + + *enabled = 0; diff --git a/queue-4.4/xhci-fix-deadlock-at-host-remove-by-running-watchdog-correctly.patch b/queue-4.4/xhci-fix-deadlock-at-host-remove-by-running-watchdog-correctly.patch new file mode 100644 index 00000000000..f97afd24e4e --- /dev/null +++ b/queue-4.4/xhci-fix-deadlock-at-host-remove-by-running-watchdog-correctly.patch @@ -0,0 +1,81 @@ +From d6169d04097fd9ddf811e63eae4e5cd71e6666e2 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 11 Jan 2017 17:10:34 +0200 +Subject: xhci: fix deadlock at host remove by running watchdog correctly + +From: Mathias Nyman + +commit d6169d04097fd9ddf811e63eae4e5cd71e6666e2 upstream. + +If a URB is killed while the host is removed we can end up in a situation +where the hub thread takes the roothub device lock, and waits for +the URB to be given back by xhci-hcd, blocking the host remove code. + +xhci-hcd tries to stop the endpoint and give back the urb, but can't +as the host is removed from PCI bus at the same time, preventing the normal +way of giving back urb. + +Instead we need to rely on the stop command timeout function to give back +the urb. This xhci_stop_endpoint_command_watchdog() timeout function +used a XHCI_STATE_DYING flag to indicate if the timeout function is already +running, but later this flag has been taking into use in other places to +mark that xhci is dying. + +Remove checks for XHCI_STATE_DYING in xhci_urb_dequeue. We are still +checking that reading from pci state does not return 0xffffffff or that +host is not halted before trying to stop the endpoint. + +This whole area of stopping endpoints, giving back URBs, and the wathdog +timeout need rework, this fix focuses on solving a specific deadlock +issue that we can then send to stable before any major rework. + +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 11 ----------- + drivers/usb/host/xhci.c | 13 ------------- + 2 files changed, 24 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -913,17 +913,6 @@ void xhci_stop_endpoint_command_watchdog + spin_lock_irqsave(&xhci->lock, flags); + + ep->stop_cmds_pending--; +- if (xhci->xhc_state & XHCI_STATE_REMOVING) { +- spin_unlock_irqrestore(&xhci->lock, flags); +- return; +- } +- if (xhci->xhc_state & XHCI_STATE_DYING) { +- xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, +- "Stop EP timer ran, but another timer marked " +- "xHCI as DYING, exiting."); +- spin_unlock_irqrestore(&xhci->lock, flags); +- return; +- } + if (!(ep->stop_cmds_pending == 0 && (ep->ep_state & EP_HALT_PENDING))) { + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, + "Stop EP timer ran, but no command pending, " +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1569,19 +1569,6 @@ int xhci_urb_dequeue(struct usb_hcd *hcd + xhci_urb_free_priv(urb_priv); + return ret; + } +- if ((xhci->xhc_state & XHCI_STATE_DYING) || +- (xhci->xhc_state & XHCI_STATE_HALTED)) { +- xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, +- "Ep 0x%x: URB %p to be canceled on " +- "non-responsive xHCI host.", +- urb->ep->desc.bEndpointAddress, urb); +- /* Let the stop endpoint command watchdog timer (which set this +- * state) finish cleaning up the endpoint TD lists. We must +- * have caught it in the middle of dropping a lock and giving +- * back an URB. +- */ +- goto done; +- } + + ep_index = xhci_get_endpoint_index(&urb->ep->desc); + ep = &xhci->devs[urb->dev->slot_id]->eps[ep_index];