[SRU] [B/C] [PATCH 0/1] Fix null pointer dereference when xHCI gets unplugged


[SRU] [B/C] [PATCH 0/1] Fix null pointer dereference when xHCI gets unplugged

Kai-Heng Feng
BugLink: https://bugs.launchpad.net/bugs/1768852

[Impact]
When unplugging the Thunderbolt 3 cable from the TBT controller, the kernel
oopses.

[Test]
The user confirms this patch works.

[Fix]
tty_unregister_driver may be called more than 1 time in some
hotplug cases, it will cause the kernel oops. This patch checks
dbc_tty_driver to make sure it is unregistered only 1 time.

[Regression Potential]
Low. The change is to guard against a null pointer, so it's the correct
behavior.

Zhengjun Xing (1):
  xhci: Fix Kernel oops in xhci dbgtty

 drivers/usb/host/xhci-dbgtty.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--
2.17.0


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU] [B/C] [PATCH 1/1] xhci: Fix Kernel oops in xhci dbgtty

Kai-Heng Feng
From: Zhengjun Xing <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1768852

tty_unregister_driver may be called more than 1 time in some
hotplug cases, it will cause the kernel oops. This patch checks
dbc_tty_driver to make sure it is unregistered only 1 time.

[  175.741404] BUG: unable to handle kernel NULL pointer dereference at 0000000000000034
[  175.742309] IP: tty_unregister_driver+0x9/0x70
[  175.743148] PGD 0 P4D 0
[  175.743981] Oops: 0000 [#1] SMP PTI
[  175.753904] RIP: 0010:tty_unregister_driver+0x9/0x70
[  175.754817] RSP: 0018:ffffa8ff831d3bb0 EFLAGS: 00010246
[  175.755753] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  175.756685] RDX: ffff92089c616000 RSI: ffffe64fe1b26080 RDI: 0000000000000000
[  175.757608] RBP: ffff92086c988230 R08: 000000006c982701 R09: 00000001801e0016
[  175.758533] R10: ffffa8ff831d3b48 R11: ffff92086c982100 R12: ffff92086c98827c
[  175.759462] R13: ffff92086c988398 R14: 0000000000000060 R15: ffff92089c5e9b40
[  175.760401] FS:  0000000000000000(0000) GS:ffff9208a0100000(0000) knlGS:0000000000000000
[  175.761334] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  175.762270] CR2: 0000000000000034 CR3: 000000011800a003 CR4: 00000000003606e0
[  175.763225] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  175.764164] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  175.765091] Call Trace:
[  175.766014]  xhci_dbc_tty_unregister_driver+0x11/0x30
[  175.766960]  xhci_dbc_exit+0x2a/0x40
[  175.767889]  xhci_stop+0x57/0x1c0
[  175.768824]  usb_remove_hcd+0x100/0x250
[  175.769708]  usb_hcd_pci_remove+0x68/0x130
[  175.770574]  pci_device_remove+0x3b/0xc0
[  175.771435]  device_release_driver_internal+0x157/0x230
[  175.772343]  pci_stop_bus_device+0x74/0xa0
[  175.773205]  pci_stop_bus_device+0x2b/0xa0
[  175.774061]  pci_stop_bus_device+0x2b/0xa0
[  175.774907]  pci_stop_bus_device+0x2b/0xa0
[  175.775741]  pci_stop_bus_device+0x2b/0xa0
[  175.776618]  pci_stop_bus_device+0x2b/0xa0
[  175.777452]  pci_stop_bus_device+0x2b/0xa0
[  175.778273]  pci_stop_bus_device+0x2b/0xa0
[  175.779092]  pci_stop_bus_device+0x2b/0xa0
[  175.779908]  pci_stop_bus_device+0x2b/0xa0
[  175.780750]  pci_stop_bus_device+0x2b/0xa0
[  175.781543]  pci_stop_and_remove_bus_device+0xe/0x20
[  175.782338]  pciehp_unconfigure_device+0xb8/0x160
[  175.783128]  pciehp_disable_slot+0x4f/0xd0
[  175.783920]  pciehp_power_thread+0x82/0xa0
[  175.784766]  process_one_work+0x147/0x3c0
[  175.785564]  worker_thread+0x4a/0x440
[  175.786376]  kthread+0xf8/0x130
[  175.787174]  ? rescuer_thread+0x360/0x360
[  175.787964]  ? kthread_associate_blkcg+0x90/0x90
[  175.788798]  ret_from_fork+0x35/0x40

Cc: <[hidden email]> # 4.16
Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver")
Signed-off-by: Zhengjun Xing <[hidden email]>
Tested-by: Christian Kellner <[hidden email]>
Reviewed-by: Christian Kellner <[hidden email]>
Signed-off-by: Mathias Nyman <[hidden email]>
Signed-off-by: Greg Kroah-Hartman <[hidden email]>
(cherry picked from commit 7fc65d4c2ba9e5006c629669146c6876b65aa233)
Signed-off-by: Kai-Heng Feng <[hidden email]>
---
 drivers/usb/host/xhci-dbgtty.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c
index 48811d72a94c..f64307fcaca0 100644
--- a/drivers/usb/host/xhci-dbgtty.c
+++ b/drivers/usb/host/xhci-dbgtty.c
@@ -318,9 +318,11 @@ int xhci_dbc_tty_register_driver(struct xhci_hcd *xhci)
 
 void xhci_dbc_tty_unregister_driver(void)
 {
- tty_unregister_driver(dbc_tty_driver);
- put_tty_driver(dbc_tty_driver);
- dbc_tty_driver = NULL;
+ if (dbc_tty_driver) {
+ tty_unregister_driver(dbc_tty_driver);
+ put_tty_driver(dbc_tty_driver);
+ dbc_tty_driver = NULL;
+ }
 }
 
 static void dbc_rx_push(unsigned long _port)
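
Review bot: The new `if (dbc_tty_driver)` guard in xhci_dbc_tty_unregister_driver() makes a repeated call harmless, but nothing in the function says why it is reached more than once. A short comment above the check naming the hotplug path (xhci_stop -> xhci_dbc_exit in the trace) would keep the next reader from removing it. The hunk header also shows registration taking a `struct xhci_hcd *xhci` while unregistration takes no argument and clears a single pointer that is not per-controller in these lines, so the first caller tears the tty driver down for every other user; consider whether a reference count fits better than a NULL test.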
--
2.17.0



[Acked] [SRU] [B/C] [PATCH 1/1] xhci: Fix Kernel oops in xhci dbgtty

Andy Whitcroft-3
On Mon, May 14, 2018 at 04:21:20PM +0800, Kai-Heng Feng wrote:

> From: Zhengjun Xing <[hidden email]>
>
> BugLink: https://bugs.launchpad.net/bugs/1768852
>
> tty_unregister_driver may be called more than 1 time in some
> hotplug cases, it will cause the kernel oops. This patch checks
> dbc_tty_driver to make sure it is unregistered only 1 time.
>
> [  175.741404] BUG: unable to handle kernel NULL pointer dereference at 0000000000000034
> [  175.742309] IP: tty_unregister_driver+0x9/0x70
> [  175.743148] PGD 0 P4D 0
> [  175.743981] Oops: 0000 [#1] SMP PTI
> [  175.753904] RIP: 0010:tty_unregister_driver+0x9/0x70
> [  175.754817] RSP: 0018:ffffa8ff831d3bb0 EFLAGS: 00010246
> [  175.755753] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> [  175.756685] RDX: ffff92089c616000 RSI: ffffe64fe1b26080 RDI: 0000000000000000
> [  175.757608] RBP: ffff92086c988230 R08: 000000006c982701 R09: 00000001801e0016
> [  175.758533] R10: ffffa8ff831d3b48 R11: ffff92086c982100 R12: ffff92086c98827c
> [  175.759462] R13: ffff92086c988398 R14: 0000000000000060 R15: ffff92089c5e9b40
> [  175.760401] FS:  0000000000000000(0000) GS:ffff9208a0100000(0000) knlGS:0000000000000000
> [  175.761334] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  175.762270] CR2: 0000000000000034 CR3: 000000011800a003 CR4: 00000000003606e0
> [  175.763225] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [  175.764164] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [  175.765091] Call Trace:
> [  175.766014]  xhci_dbc_tty_unregister_driver+0x11/0x30
> [  175.766960]  xhci_dbc_exit+0x2a/0x40
> [  175.767889]  xhci_stop+0x57/0x1c0
> [  175.768824]  usb_remove_hcd+0x100/0x250
> [  175.769708]  usb_hcd_pci_remove+0x68/0x130
> [  175.770574]  pci_device_remove+0x3b/0xc0
> [  175.771435]  device_release_driver_internal+0x157/0x230
> [  175.772343]  pci_stop_bus_device+0x74/0xa0
> [  175.773205]  pci_stop_bus_device+0x2b/0xa0
> [  175.774061]  pci_stop_bus_device+0x2b/0xa0
> [  175.774907]  pci_stop_bus_device+0x2b/0xa0
> [  175.775741]  pci_stop_bus_device+0x2b/0xa0
> [  175.776618]  pci_stop_bus_device+0x2b/0xa0
> [  175.777452]  pci_stop_bus_device+0x2b/0xa0
> [  175.778273]  pci_stop_bus_device+0x2b/0xa0
> [  175.779092]  pci_stop_bus_device+0x2b/0xa0
> [  175.779908]  pci_stop_bus_device+0x2b/0xa0
> [  175.780750]  pci_stop_bus_device+0x2b/0xa0
> [  175.781543]  pci_stop_and_remove_bus_device+0xe/0x20
> [  175.782338]  pciehp_unconfigure_device+0xb8/0x160
> [  175.783128]  pciehp_disable_slot+0x4f/0xd0
> [  175.783920]  pciehp_power_thread+0x82/0xa0
> [  175.784766]  process_one_work+0x147/0x3c0
> [  175.785564]  worker_thread+0x4a/0x440
> [  175.786376]  kthread+0xf8/0x130
> [  175.787174]  ? rescuer_thread+0x360/0x360
> [  175.787964]  ? kthread_associate_blkcg+0x90/0x90
> [  175.788798]  ret_from_fork+0x35/0x40
>
> Cc: <[hidden email]> # 4.16
> Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver")
> Signed-off-by: Zhengjun Xing <[hidden email]>
> Tested-by: Christian Kellner <[hidden email]>
> Reviewed-by: Christian Kellner <[hidden email]>
> Signed-off-by: Mathias Nyman <[hidden email]>
> Signed-off-by: Greg Kroah-Hartman <[hidden email]>
> (cherry picked from commit 7fc65d4c2ba9e5006c629669146c6876b65aa233)
> Signed-off-by: Kai-Heng Feng <[hidden email]>
> ---
>  drivers/usb/host/xhci-dbgtty.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c
> index 48811d72a94c..f64307fcaca0 100644
> --- a/drivers/usb/host/xhci-dbgtty.c
> +++ b/drivers/usb/host/xhci-dbgtty.c
> @@ -318,9 +318,11 @@ int xhci_dbc_tty_register_driver(struct xhci_hcd *xhci)
>  
>  void xhci_dbc_tty_unregister_driver(void)
>  {
> - tty_unregister_driver(dbc_tty_driver);
> - put_tty_driver(dbc_tty_driver);
> - dbc_tty_driver = NULL;
> + if (dbc_tty_driver) {
> + tty_unregister_driver(dbc_tty_driver);
> + put_tty_driver(dbc_tty_driver);
> + dbc_tty_driver = NULL;
> + }
>  }
>  
>  static void dbc_rx_push(unsigned long _port)
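
Review bot: The test of `dbc_tty_driver` and the later `dbc_tty_driver = NULL;` inside the new `if` block are separate steps, and no lock is taken in the lines shown. If two removals can run xhci_dbc_tty_unregister_driver() at the same time, both can see a non-NULL pointer and both call tty_unregister_driver() and put_tty_driver() on the same driver. Please confirm the callers are already serialized, or take a mutex around the check and the teardown.
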
> --
> 2.17.0
>
>

Clean cherry-pick, looks to do what is claimed.  Seems safe enough.
Acked-by: Andy Whitcroft <[hidden email]>


ACK: [SRU] [B/C] [PATCH 0/1] Fix null pointer dereference when xHCI gets unplugged

AceLan Kao
In reply to this post by Kai-Heng Feng
Acked-By: AceLan Kao <[hidden email]>


APPLIED[Bionic]: [SRU] [B/C] [PATCH 0/1] Fix null pointer dereference when xHCI gets unplugged

Kleber Souza
In reply to this post by Kai-Heng Feng
On 05/14/18 10:21, Kai-Heng Feng wrote:

> BugLink: https://bugs.launchpad.net/bugs/1768852
>
> [Impact]
> When unplugging the Thunderbolt 3 cable from the TBT controller, the kernel
> oopses.
>
> [Test]
> The user confirms this patch works.
>
> [Fix]
> tty_unregister_driver may be called more than 1 time in some
> hotplug cases, it will cause the kernel oops. This patch checks
> dbc_tty_driver to make sure it is unregistered only 1 time.
>
> [Regression Potential]
> Low. The change is to guard against a null pointer, so it's the correct
> behavior.
>
> Zhengjun Xing (1):
>   xhci: Fix Kernel oops in xhci dbgtty
>
>  drivers/usb/host/xhci-dbgtty.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
>

Applied to bionic/master-next branch.

Thanks,
Kleber
