Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1998384imm;
        Thu, 24 May 2018 04:15:53 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZqIkhBBKIsAm7ztwciWDCM12PWnZYBLjYdJLCF2pBwwEmgQ/+T/R+TDN6D/GR22YziwAJwj
X-Received: by 2002:a63:4143:: with SMTP id o64-v6mr5525759pga.280.1527160553729;
        Thu, 24 May 2018 04:15:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527160553; cv=none;
        d=google.com; s=arc-20160816;
        b=k1cCpo3kdejdhHDFJlG0xqEOsJNsfS1zf+VMCmPfnUwcEZUwpEJ9UxSLKdtovBFWME
         dSvc5TkrC39lKtboh8j3ssyxJuuMDzP0sgae8ogZCUYVNpzwG0ww7T1Sb2rsuBEU1/k7
         Hurt2LWbXeoKDpF6KCjmRZrXiXBIrxjUaVReSpMuvSD6N5h9ZpYePZfWd4amZB9U3JOz
         FyZBKVekTskePj2t+LSdJP76QVU3tDX0C0XT7V3dnkpVMIUko3Xob0amw981Mezuhpz9
         6y7j7NiJ0WIjP/eDYE1FuYLKsFT03ls8F28Y16cz4tk6Z8N2gimHePkkNehbkhSP1IiB
         AUNA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature
         :arc-authentication-results;
        bh=5lXFr2sKYGFTV3YL0JOv0gHAXUGicH9l+BDfwR0F0AM=;
        b=QAXfQiZu7RUTNrFGZOMSm+3BAlYpJJf6YIgW65kdIHNGWOY0VUJJJ5Ye8kcuU9vBrp
         dF2i6aIW3lWS2GGBlu27pGbWdn1iej0HN9p6Dx0+BI5kq4p8PWJ0Blz/JsOKYm2ei5/V
         ybjMhQjxkElXuuI7Y+vRL/hVl4enU+N+VpllSo6wqgQE8x29ZocydafOvSvDXRZna/Ij
         ovoThc1liINW3kklpWu84DWhvtVSP2IGOPV+jvc59wVeYaFHLvnuFKhQRmCo4KNKnVIo
         z0uGPEuGxnTeWWQSRTXpRVUNj1Z4t4qI/lPnunviMBaCVYx65SdMGRKjHNvk5m7sxjyU
         jiTQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=RsJNhhwC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id ay9-v6si22459007plb.259.2018.05.24.04.15.38;
        Thu, 24 May 2018 04:15:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=RsJNhhwC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S968331AbeEXLOB (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Thu, 24 May 2018 07:14:01 -0400
Received: from mail.kernel.org ([198.145.29.99]:33698 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S968114AbeEXJyE (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 24 May 2018 05:54:04 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id A95ED20891;
        Thu, 24 May 2018 09:54:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1527155644;
        bh=GY/0xVVAlSS1fERM2LI2BifZy1dOb2KcM0bIaheMU9I=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=RsJNhhwCcJwTz1T3xTp5hIkvfvhzOZE0BYl+WDmO2BZXS3IlG2KbAAAFFX4sy2rnf
         yyFeCD3WEH38JL7DpgUhL9J+WwO25H7CxfHb2R/h5HBktD7l0A4zGA5KOSKTWn+aIc
         mv+aSNt9hFY8sWJEhveX/qP3a9HZxbhzasVrkSxw=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Fredrik Noring <noring@nocrew.org>,
        Alan Stern <stern@rowland.harvard.edu>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 064/165] USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
Date:   Thu, 24 May 2018 11:37:50 +0200
Message-Id: <20180524093624.613341312@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180524093621.979359379@linuxfoundation.org>
References: <20180524093621.979359379@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fredrik Noring <noring@nocrew.org>

[ Upstream commit d6c931ea32dc08ac2665bb5f009f9c40ad1bbdb3 ]

Scatter-gather needs to be disabled when using dma_declare_coherent_memory
and HCD_LOCAL_MEM. Andrea Righi made the equivalent fix for EHCI drivers
in commit 4307a28eb01284 "USB: EHCI: fix NULL pointer dererence in HCDs
that use HCD_LOCAL_MEM".

The following NULL pointer WARN_ON_ONCE triggered with OHCI drivers:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 49 at drivers/usb/core/hcd.c:1379 hcd_alloc_coherent+0x4c/0xc8
Modules linked in:
CPU: 0 PID: 49 Comm: usb-storage Not tainted 4.15.0+ #1014
Stack : 00000000 00000000 805a78d2 0000003a 81f5c2cc 8053d367 804d77fc 00000031
        805a3a08 00000563 81ee9400 805a0000 00000000 10058c00 81f61b10 805c0000
        00000000 00000000 805a0000 00d9038e 00000004 803ee818 00000006 312e3420
        805c0000 00000000 00000073 81f61958 00000000 00000000 802eb380 804fd538
        00000009 00000563 81ee9400 805a0000 00000002 80056148 00000000 805a0000
        ...
Call Trace:
[<578af360>] show_stack+0x74/0x104
[<2f3702c6>] __warn+0x118/0x120
[<ae93fc9e>] warn_slowpath_null+0x44/0x58
[<a891a517>] hcd_alloc_coherent+0x4c/0xc8
[<3578fa36>] usb_hcd_map_urb_for_dma+0x4d8/0x534
[<110bc94c>] usb_hcd_submit_urb+0x82c/0x834
[<02eb5baf>] usb_sg_wait+0x14c/0x1a0
[<ccd09e85>] usb_stor_bulk_transfer_sglist.part.1+0xac/0x124
[<87a5c34c>] usb_stor_bulk_srb+0x40/0x60
[<ff1792ac>] usb_stor_Bulk_transport+0x160/0x37c
[<b9e2709c>] usb_stor_invoke_transport+0x3c/0x500
[<004754f4>] usb_stor_control_thread+0x258/0x28c
[<22edf42e>] kthread+0x134/0x13c
[<a419ffd0>] ret_from_kernel_thread+0x14/0x1c
---[ end trace bcdb825805eefdcc ]---

Signed-off-by: Fredrik Noring <noring@nocrew.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/ohci-hcd.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/ohci-hcd.c
+++ b/drivers/usb/host/ohci-hcd.c
@@ -446,7 +446,8 @@ static int ohci_init (struct ohci_hcd *o
 	struct usb_hcd *hcd = ohci_to_hcd(ohci);
 
 	/* Accept arbitrarily long scatter-gather lists */
-	hcd->self.sg_tablesize = ~0;
+	if (!(hcd->driver->flags & HCD_LOCAL_MEM))
+		hcd->self.sg_tablesize = ~0;
 
 	if (distrust_firmware)
 		ohci->flags |= OHCI_QUIRK_HUB_POWER;