RE: [PROBLEM] usb hub malformed packets causes null pointer dereference

[Cornea, Alexandru]

Hello, 
   
    We verified the updated patch and everything seems to be ok. All 61 USB hub 
testcases pass.

Regards,
   /Alex

-----Original Message-----
From: Alan Stern [mailto:st...@rowland.harvard.edu] 
Sent: Tuesday, December 15, 2015 10:54 PM
To: Cornea, Alexandru <alexandru.cor...@intel.com>
Cc: linux-usb@vger.kernel.org; Maxim, Costel <costel.ma...@intel.com>; Moraru, 
Cristina <cristina.mor...@intel.com>
Subject: RE: [PROBLEM] usb hub malformed packets causes null pointer dereference

On Tue, 15 Dec 2015, Alan Stern wrote:

> On Tue, 15 Dec 2015, Cornea, Alexandru wrote:
> 
> > Hello,
> > Apologies for the late response. 
> > We tried the patch, and although the system does not crash anymore, another 
> > issue occurs.  
> > Depending on platform (Gigabyte GXBT, Galileo board), the USB port that is 
> > used for testing or all USB ports become blocked and cannot recognize new 
> > devices.  Also, soft shutdown / reboot seems to hang. 
> 
> 
> I can't figure out the problem from this trace.  Were there any other 
> tasks blocked like this one?
> 
> Please enable USB debugging (echo 'module usbcore =p' 
> > /sys/kernel/debug/dynamic_debug/control), run the test again, and 
> > post
> the resulting dmesg log.

Never mind, I found the mistake.  An updated patch is below.

Alan Stern



Index: usb-4.3/drivers/usb/core/hub.c
===================================================================
--- usb-4.3.orig/drivers/usb/core/hub.c
+++ usb-4.3/drivers/usb/core/hub.c
@@ -1031,10 +1031,20 @@ static void hub_activate(struct usb_hub
        unsigned delay;
 
        /* Continue a partial initialization */
-       if (type == HUB_INIT2)
-               goto init2;
-       if (type == HUB_INIT3)
+       if (type == HUB_INIT2 || type == HUB_INIT3) {
+               device_lock(hub->intfdev);
+
+               /* Was the hub disconnected while we were waiting? */
+               if (hub->disconnected) {
+                       device_unlock(hub->intfdev);
+                       kref_put(&hub->kref, hub_release);
+                       return;
+               }
+               if (type == HUB_INIT2)
+                       goto init2;
                goto init3;
+       }
+       kref_get(&hub->kref);
 
        /* The superspeed hub except for root hub has to use Hub Depth
         * value as an offset into the route string to locate the bits @@ 
-1232,6 +1242,7 @@ static void hub_activate(struct usb_hub
                        queue_delayed_work(system_power_efficient_wq,
                                        &hub->init_work,
                                        msecs_to_jiffies(delay));
+                       device_unlock(hub->intfdev);
                        return;         /* Continues at init3: below */
                } else {
                        msleep(delay);
@@ -1253,6 +1264,11 @@ static void hub_activate(struct usb_hub
        /* Allow autosuspend if it was suppressed */
        if (type <= HUB_INIT3)
                usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
+
+       if (type == HUB_INIT2 || type == HUB_INIT3)
+               device_unlock(hub->intfdev);
+
+       kref_put(&hub->kref, hub_release);
 }
 
 /* Implement the continuations for the delays above */

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html