Commit 052f71e2 authored Dec 21, 2017 by Mathias Nyman Committed by Greg Kroah-Hartman Dec 27, 2017

xhci: Fix xhci debugfs NULL pointer dereference in resume from hibernate

Free the virt_device and its debugfs_private member together.

When resuming from hibernate the .free_dev callback unconditionally
freed the debugfs_private member, but could leave virt_device intact.

This triggered a NULL pointer dereference after resume when usbmuxd
sent a USBDEVFS_SETCONFIGURATION ioctl to a device, trying to add a
endpoint debugfs entry to a already freed debugfs_private pointer.

Fixes: 02b6fdc2 ("usb: xhci: Add debugfs interface for xHCI driver")
Reported-by: Alexander Kappner <agk@godking.net>
Tested-by: Alexander Kappner <agk@godking.net>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 66da1685

drivers/usb/host/xhci.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -3525,8 +3525,6 @@ static void xhci_free_dev(struct usb_hcd hcd, struct usb_device udev)
		struct xhci_slot_ctx *slot_ctx;
		int i, ret;

		xhci_debugfs_remove_slot(xhci, udev->slot_id);

		#ifndef CONFIG_USB_DEFAULT_PERSIST
		/*
		* We called pm_runtime_get_noresume when the device was attached.
		@@ -3555,9 +3553,11 @@ static void xhci_free_dev(struct usb_hcd hcd, struct usb_device udev)
		}

		ret = xhci_disable_slot(xhci, udev->slot_id);
		if (ret)
		if (ret) {
		xhci_debugfs_remove_slot(xhci, udev->slot_id);
		xhci_free_virt_device(xhci, udev->slot_id);
		}
		}

		int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id)
		{

Admin message