Thanks for reporting, Tony. It was remiss of me. There is another BOS free operation at label re_enumerate. This causes a double-free of BOS. USB2 doesn't have a BOS desc, so you cannot reproduce it.
I am traveling. It would be appreciated if you could help try the fix below.
Hi, Greg, I will commit a final patch once I have returned from travel.
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5501,8 +5501,10 @@ done:
return 0;
re_enumerate:
- usb_release_bos_descriptor(udev);
- udev->bos = bos;
+ if (udev->bos != bos) {
+ usb_release_bos_descriptor(udev);
+ udev->bos = bos;
+ }
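Review bot: the `if (udev->bos != bos)` guard deserves a one-line comment stating why the two pointers can alias here: per the cover text, since the BOS field is no longer cleared during reset, a failed re-enumeration can leave `udev->bos` still pointing at the saved `bos`, so unconditionally calling `usb_release_bos_descriptor(udev)` and then restoring `udev->bos = bos` would free the saved descriptor and reinstate a dangling pointer. Without the comment, a later reader is likely to "simplify" the guard away and reintroduce the double-free. Also worth noting in the commit message that the guard is a no-op for USB2 devices where both pointers are NULL, which is why the original report only reproduces on USB 3.0.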
Best Regards,
Du, Changbin
> On Fri, Feb 19, 2016 at 09:39:57AM -0500, Tony Battersby wrote:
> > This upstream commit is causing an oops:
> > d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device")
> >
> > This patch has already been included in several -stable kernels. Here
> > are the affected kernels:
> > 4.5.0-rc4 (current git)
> > 4.4.2
> > 4.3.6 (currently in review)
> > 4.1.18
> > 3.18.27
> > 3.14.61
> >
> > How to reproduce the problem:
> > Boot kernel with slub debugging enabled (otherwise memory corruption
> > will cause random oopses later instead of immediately)
> > Plug in USB 3.0 disk to xhci USB 3.0 port
> > dd if=/dev/sdc of=/dev/null bs=65536
> > (where /dev/sdc is the USB 3.0 disk)
> > Unplug USB cable while dd is still going
> > Oops is immediate:
>
> Not good, thanks for letting us know. I've now reverted this and will
> get the fix into 4.5-rc6.
>
> greg k-h
