usb: core: hcd: fix possible deadlock in rh control transfers

>From within the SCSI error handler memory allocations must not
trigger IO. Handling errors in UAS and the storage driver may
involve resetting a device. The thread doing the reset itself
relies on VM magic. However, that is insufficient, as resetting
a device involves resuming it. Resumption as well as resetting
involves conrol transfers to the parent of the device to be reset.
That may be a root hub. Hence usbcore must heed the flags passed
to usb_submit_urb() processing control transfers to root hubs.

The problem exist since the storage driver has been merged.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20260429094413.181038-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index 89221f1ce7694ff9bdb1b480faa3e24459585984..29c74ed40526a1eac9dda62e39c2f9270070312b 100644 (file)
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -448,7 +448,8 @@ rh_string(int id, struct usb_hcd const *hcd, u8 *data, unsigned len)
 
 
 /* Root hub control transfers execute synchronously */
-static int rh_call_control (struct usb_hcd *hcd, struct urb *urb)
+static int rh_call_control(struct usb_hcd *hcd,
+               struct urb *urb, gfp_t mem_flags)
 {
        struct usb_ctrlrequest *cmd;
        u16             typeReq, wValue, wIndex, wLength;
@@ -483,8 +484,8 @@ static int rh_call_control (struct usb_hcd *hcd, struct urb *urb)
         * tbuf should be at least as big as the
         * USB hub descriptor.
         */
-       tbuf_size =  max_t(u16, sizeof(struct usb_hub_descriptor), wLength);
-       tbuf = kzalloc(tbuf_size, GFP_KERNEL);
+       tbuf_size = max_t(u16, sizeof(struct usb_hub_descriptor), wLength);
+       tbuf = kzalloc(tbuf_size, mem_flags);
        if (!tbuf) {
                status = -ENOMEM;
                goto err_alloc;
@@ -809,12 +810,13 @@ static int rh_queue_status (struct usb_hcd *hcd, struct urb *urb)
        return retval;
 }
 
-static int rh_urb_enqueue (struct usb_hcd *hcd, struct urb *urb)
+static int rh_urb_enqueue(struct usb_hcd *hcd,
+               struct urb *urb, gfp_t mem_flags)
 {
        if (usb_endpoint_xfer_int(&urb->ep->desc))
                return rh_queue_status (hcd, urb);
        if (usb_endpoint_xfer_control(&urb->ep->desc))
-               return rh_call_control (hcd, urb);
+               return rh_call_control(hcd, urb, mem_flags);
        return -EINVAL;
 }
 
@@ -1535,7 +1537,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
         */
 
        if (is_root_hub(urb->dev)) {
-               status = rh_urb_enqueue(hcd, urb);
+               status = rh_urb_enqueue(hcd, urb, mem_flags);
        } else {
                status = map_urb_for_dma(hcd, urb, mem_flags);
                if (likely(status == 0)) {