[PATCH] usb: hub: Fix crash after failure to read BOS descriptor

[PATCH] usb: hub: Fix crash after failure to read BOS descriptor

[Guenter Roeck]

If usb_get_bos_descriptor() returns an error, usb->bos will be NULL.
Nevertheless, it is dereferenced unconditionally in
hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set.
This results in a crash.

usb 5-1: unable to get BOS descriptor
...
Unable to handle kernel NULL pointer dereference at virtual address 00000008
pgd = ffffffc00165f000
[00000008] *pgd=000000000174f003, *pud=000000000174f003,
		*pmd=0000000001750003, *pte=00e8000001751713
Internal error: Oops: 96000005 [#1] PREEMPT SMP
Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ]
CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G    B 4.4.52 #480
Hardware name: Google Kevin (DT)
Workqueue: events driver_set_config_work
task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000
PC is at hub_port_init+0xc3c/0xd10
LR is at hub_port_init+0xc3c/0xd10
...
Call trace:
[<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10
[<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c
[<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298
[<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152]
[<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8
[<ffffffc000774a24>] driver_probe_device+0x180/0x3b4
[<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0
[<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4
[<ffffffc0007747ec>] __device_attach+0xd0/0x158
[<ffffffc000775080>] device_initial_probe+0x24/0x30
[<ffffffc0007739d4>] bus_probe_device+0x50/0xe4
[<ffffffc000770bd0>] device_add+0x414/0x738
[<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914
[<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0
[<ffffffc000249bb8>] process_one_work+0x390/0x6b8
[<ffffffc00024abcc>] worker_thread+0x480/0x610
[<ffffffc000251a80>] kthread+0x164/0x178
[<ffffffc0002045d0>] ret_from_fork+0x10/0x40

Since we don't know anything about LPM capabilities without BOS descriptor,
don't attempt to enable LPM if it is not available.

Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...")
Cc: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
---
 drivers/usb/core/hub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index f0dd08198d74..5286bf67869a 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4275,7 +4275,7 @@ static void hub_set_initial_usb2_lpm_policy(struct usb_device *udev)
 	struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
 	int connect_type = USB_PORT_CONNECT_TYPE_UNKNOWN;
 
-	if (!udev->usb2_hw_lpm_capable)
+	if (!udev->usb2_hw_lpm_capable || !udev->bos)
 		return;
 
 	if (hub)
-- 
2.7.4

Re: [PATCH] usb: hub: Fix crash after failure to read BOS descriptor

[Mathias Nyman]

On 08.03.2017 20:19, Guenter Roeck wrote:
> If usb_get_bos_descriptor() returns an error, usb->bos will be NULL.
> Nevertheless, it is dereferenced unconditionally in
> hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set.
> This results in a crash.
>
> usb 5-1: unable to get BOS descriptor
> ...
> Unable to handle kernel NULL pointer dereference at virtual address 00000008
> pgd = ffffffc00165f000
> [00000008] *pgd=000000000174f003, *pud=000000000174f003,
> 		*pmd=0000000001750003, *pte=00e8000001751713
> Internal error: Oops: 96000005 [#1] PREEMPT SMP
> Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ]
> CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G    B 4.4.52 #480
> Hardware name: Google Kevin (DT)
> Workqueue: events driver_set_config_work
> task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000
> PC is at hub_port_init+0xc3c/0xd10
> LR is at hub_port_init+0xc3c/0xd10
> ...
> Call trace:
> [<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10
> [<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c
> [<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298
> [<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152]
> [<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8
> [<ffffffc000774a24>] driver_probe_device+0x180/0x3b4
> [<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0
> [<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4
> [<ffffffc0007747ec>] __device_attach+0xd0/0x158
> [<ffffffc000775080>] device_initial_probe+0x24/0x30
> [<ffffffc0007739d4>] bus_probe_device+0x50/0xe4
> [<ffffffc000770bd0>] device_add+0x414/0x738
> [<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914
> [<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0
> [<ffffffc000249bb8>] process_one_work+0x390/0x6b8
> [<ffffffc00024abcc>] worker_thread+0x480/0x610
> [<ffffffc000251a80>] kthread+0x164/0x178
> [<ffffffc0002045d0>] ret_from_fork+0x10/0x40
>
> Since we don't know anything about LPM capabilities without BOS descriptor,
> don't attempt to enable LPM if it is not available.
>
> Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...")
> Cc: Mathias Nyman <mathias.nyman@linux.intel.com>
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> ---

Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>