summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorMathias Nyman <mathias.nyman@linux.intel.com>2017-12-21 14:06:13 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2017-12-27 15:24:27 +0100
commit052f71e25a7ecd80a9567b291df8ea333d9a8565 (patch)
tree9b54176a65005199ca70e259ebbbb20f490b78ee /drivers
parentMerge tag 'usb-serial-4.15-rc6' of https://git.kernel.org/pub/scm/linux/kerne... (diff)
downloadlinux-052f71e25a7ecd80a9567b291df8ea333d9a8565.tar.xz
linux-052f71e25a7ecd80a9567b291df8ea333d9a8565.zip
xhci: Fix xhci debugfs NULL pointer dereference in resume from hibernate
Free the virt_device and its debugfs_private member together. When resuming from hibernate the .free_dev callback unconditionally freed the debugfs_private member, but could leave virt_device intact. This triggered a NULL pointer dereference after resume when usbmuxd sent a USBDEVFS_SETCONFIGURATION ioctl to a device, trying to add a endpoint debugfs entry to a already freed debugfs_private pointer. Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver") Reported-by: Alexander Kappner <agk@godking.net> Tested-by: Alexander Kappner <agk@godking.net> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/usb/host/xhci.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 2424d3020ca3..da6dbe3ebd8b 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3525,8 +3525,6 @@ static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
struct xhci_slot_ctx *slot_ctx;
int i, ret;
- xhci_debugfs_remove_slot(xhci, udev->slot_id);
-
#ifndef CONFIG_USB_DEFAULT_PERSIST
/*
* We called pm_runtime_get_noresume when the device was attached.
@@ -3555,8 +3553,10 @@ static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
}
ret = xhci_disable_slot(xhci, udev->slot_id);
- if (ret)
+ if (ret) {
+ xhci_debugfs_remove_slot(xhci, udev->slot_id);
xhci_free_virt_device(xhci, udev->slot_id);
+ }
}
int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id)