linux/drivers/usb/core
Alan Stern ab2a4bf839 USB: don't free bandwidth_mutex too early
The USB core contains a bug that can show up when a USB-3 host
controller is removed.  If the primary (USB-2) hcd structure is
released before the shared (USB-3) hcd, the core will try to do a
double-free of the common bandwidth_mutex.

The problem was described in graphical form by Chung-Geol Kim, who
first reported it:

=================================================
     At *remove USB(3.0) Storage
     sequence <1> --> <5> ((Problem Case))
=================================================
                                  VOLD
------------------------------------|------------
                                 (uevent)
                            ________|_________
                           |<1>               |
                           |dwc3_otg_sm_work  |
                           |usb_put_hcd       |
                           |peer_hcd(kref=2)|
                           |__________________|
                            ________|_________
                           |<2>               |
                           |New USB BUS #2    |
                           |                  |
                           |peer_hcd(kref=1)  |
                           |                  |
                         --(Link)-bandXX_mutex|
                         | |__________________|
                         |
    ___________________  |
   |<3>                | |
   |dwc3_otg_sm_work   | |
   |usb_put_hcd        | |
   |primary_hcd(kref=1)| |
   |___________________| |
    _________|_________  |
   |<4>                | |
   |New USB BUS #1     | |
   |hcd_release        | |
   |primary_hcd(kref=0)| |
   |                   | |
   |bandXX_mutex(free) |<-
   |___________________|
                               (( VOLD ))
                            ______|___________
                           |<5>               |
                           |      SCSI        |
                           |usb_put_hcd       |
                           |peer_hcd(kref=0)  |
                           |*hcd_release      |
                           |bandXX_mutex(free*)|<- double free
                           |__________________|

=================================================

This happens because hcd_release() frees the bandwidth_mutex whenever
it sees a primary hcd being released (which is not a very good idea
in any case), but in the course of releasing the primary hcd, it
changes the pointers in the shared hcd in such a way that the shared
hcd will appear to be primary when it gets released.

This patch fixes the problem by changing hcd_release() so that it
deallocates the bandwidth_mutex only when the _last_ hcd structure
referencing it is released.  The patch also removes an unnecessary
test, so that when an hcd is released, both the shared_hcd and
primary_hcd pointers in the hcd's peer will be cleared.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Chung-Geol Kim <chunggeol.kim@samsung.com>
Tested-by: Chung-Geol Kim <chunggeol.kim@samsung.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-06-27 08:39:39 -07:00
..
buffer.c usb: core: buffer: avoid NULL pointer dereferrence 2016-04-28 12:35:36 -07:00
config.c usb: fix regression in SuperSpeed endpoint descriptor parsing 2016-03-30 21:57:58 -07:00
devices.c usb: core: rename mutex usb_bus_list_lock to usb_bus_idr_lock 2016-02-06 21:55:57 -08:00
devio.c USB: usbfs: fix potential infoleak in devio 2016-05-03 14:32:07 -07:00
driver.c USB: leave LPM alone if possible when binding/unbinding interface drivers 2016-05-03 14:32:07 -07:00
endpoint.c usb: endpoint: convert spaces to tabs 2015-08-14 16:50:36 -07:00
file.c usb: core: use kbasename() instead of open-coded variant 2016-01-24 20:37:47 -08:00
generic.c staging: usbip: convert usbip-host driver to usb_device_driver 2014-02-07 10:54:30 -08:00
hcd-pci.c usb: hcd: out of bounds access in for_each_companion 2016-04-13 12:06:18 -07:00
hcd.c USB: don't free bandwidth_mutex too early 2016-06-27 08:39:39 -07:00
hub.c usb: core: hub: hub_port_init lock controller instead of bus 2016-04-28 12:40:46 -07:00
hub.h usb: Support USB 3.1 extended port status request 2016-01-24 20:16:52 -08:00
Kconfig usb: kconfig: fix warning of select USB_OTG 2015-11-19 16:31:42 -08:00
Makefile USB: core: let USB device know device node 2016-03-05 12:05:01 -08:00
message.c drivers: usb: core: Minimize irq disabling in usb_sg_cancel() 2016-04-26 15:21:41 -07:00
notify.c usb: Add export.h for EXPORT_SYMBOL/THIS_MODULE where needed 2011-10-31 19:31:25 -04:00
of.c USB: core: let USB device know device node 2016-03-05 12:05:01 -08:00
otg_whitelist.h usb: otg_whitelist: remove whitespace 2015-08-14 16:50:36 -07:00
port.c Revert "USB / PM: Allow USB devices to remain runtime-suspended when sleeping" 2016-05-02 08:44:31 -07:00
quirks.c usb: quirks: Add no-lpm quirk for Acer C120 LED Projector 2016-06-01 14:56:24 -07:00
sysfs.c usb: no locking for reading descriptors in sysfs 2016-02-03 13:29:12 -08:00
urb.c usb: define USB_SPEED_SUPER_PLUS speed for SuperSpeedPlus USB3.1 devices 2016-01-24 20:16:52 -08:00
usb-acpi.c usb: find internal hub tier mismatch via acpi 2014-05-27 16:38:52 -07:00
usb.c Merge 4.6-rc7 into usb-next 2016-05-09 09:29:13 +02:00
usb.h usb: define USB_SPEED_SUPER_PLUS speed for SuperSpeedPlus USB3.1 devices 2016-01-24 20:16:52 -08:00