Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752582AbcD0CxO (ORCPT <rfc822;w@1wt.eu>);
	Tue, 26 Apr 2016 22:53:14 -0400
Received: from mga09.intel.com ([134.134.136.24]:10751 "EHLO mga09.intel.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751980AbcD0CxL convert rfc822-to-8bit (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 26 Apr 2016 22:53:11 -0400
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.24,539,1455004800"; 
   d="scan'208";a="940974485"
From: "Du, Changbin" <changbin.du@intel.com>
To: Greg KH <gregkh@linuxfoundation.org>
CC: "stern@rowland.harvard.edu" <stern@rowland.harvard.edu>,
        "baolu.lu@linux.intel.com" <baolu.lu@linux.intel.com>,
        "chasemetzger15@gmail.com" <chasemetzger15@gmail.com>,
        "balbi@ti.com" <balbi@ti.com>, "kborer@gmail.com" <kborer@gmail.com>,
        "mjg59@coreos.com" <mjg59@coreos.com>,
        "jun.li@freescale.com" <jun.li@freescale.com>,
        "Robert.Schlabbach@gmx.net" <Robert.Schlabbach@gmx.net>,
        "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "tonyb@cybernetics.com" <tonyb@cybernetics.com>,
        "joe.lawrence@stratus.com" <joe.lawrence@stratus.com>
Subject: RE: [PATCH] usb: hub: fix panic caused by NULL bos pointer during
 reset device
Thread-Topic: [PATCH] usb: hub: fix panic caused by NULL bos pointer during
 reset device
Thread-Index: AQHReRyJlwu4gBs9OUuRbv21ZihX4J+cmhiAgADQ/VA=
Date: Wed, 27 Apr 2016 02:53:06 +0000
Message-ID: <0C18FE92A7765D4EB9EE5D38D86A563A05D1D704@SHSMSX103.ccr.corp.intel.com>
References: <1457428517-3099-1-git-send-email-changbin.du@intel.com>
 <20160426221601.GA23085@kroah.com>
In-Reply-To: <20160426221601.GA23085@kroah.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ctpclassification: CTP_IC
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiOWMxOTEwOTItMmI3Zi00NTI4LWFhNWItMWM1MDZiNTAwN2E2IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX0lDIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE1LjkuNi42IiwiVHJ1c3RlZExhYmVsSGFzaCI6Ijd5amdPbUo0ZEhHMVMxU1dabmZFUVFYZmh5eE9mNUxiYWVMejJKdTBwYTg9In0=
x-originating-ip: [10.239.127.40]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8BIT
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2275
Lines: 58

> On Tue, Mar 08, 2016 at 05:15:17PM +0800, changbin.du@intel.com wrote:
> > From: "Du, Changbin" <changbin.du@intel.com>
> >
> > This is a reworked patch based on reverted commit d8f00cd685f5 ("usb:
> > hub: do not clear BOS field during reset device").
> >
> > The privious one caused double mem-free if run to re_enumerate label.
> > New patch title changed to distinguish from old one. And I have tested
> > it with memory debugging options.
> >
> > In function usb_reset_and_verify_device, the old BOS descriptor may
> > still be used before allocating a new one. (usb_disable_lpm function
> > uses it under the situation that it fails at usb_disable_link_state.)
> > So we cannot set the udev->bos to NULL before that, just keep what it
> > was. It will be overwrite when allocating a new one.
> >
> > How to reproduce:
> > 1. connect one usb3 hub to xhci port.
> > 2. connect several lpm-capable super-speed usb disk to the hub.
> > 3. copy big files to the usb disks.
> > 4. disconnect the hub and repeat step 1-4.
> >
> > Crash log:
> > BUG: unable to handle kernel NULL pointer dereference at
> > 0000000000000010
> > IP: [<ffffffff8171f98d>] usb_enable_link_state+0x2d/0x2f0
> > Call Trace:
> > [<ffffffff8171ed5b>] ? usb_set_lpm_timeout+0x12b/0x140
> > [<ffffffff8171fcd1>] usb_enable_lpm+0x81/0xa0
> > [<ffffffff8171fdd8>] usb_disable_lpm+0xa8/0xc0
> > [<ffffffff8171fe1c>] usb_unlocked_disable_lpm+0x2c/0x50
> > [<ffffffff81723933>] usb_reset_and_verify_device+0xc3/0x710
> > [<ffffffff8172c4ed>] ? usb_sg_wait+0x13d/0x190
> > [<ffffffff81724743>] usb_reset_device+0x133/0x280
> > [<ffffffff8179ccd1>] usb_stor_port_reset+0x61/0x70
> > [<ffffffff8179cd68>] usb_stor_invoke_transport+0x88/0x520
> >
> > Signed-off-by: Du, Changbin <changbin.du@intel.com>
> > ---
> >  drivers/usb/core/hub.c | 14 +++++++++-----
> >  1 file changed, 9 insertions(+), 5 deletions(-)
> 
> Is this patch still needed?  I thought we had some other fix in this
> area...
> 
> confused,
> 
> greg k-h
> 

Hi, Greg k-h,
Sorry for it confused you. This patch still need. This is same fix with
previous commit d8f00cd685f5 ("usb: hub: do not clear BOS field
during reset device"). But d8f00cd685f5 is buggy and reverted. This
new patch should be the final fix.

Best Regards,
Du, Changbin