
[RFT] xhci: Fix null pointer dereference in resume if xhci has only one roothub

Message ID 20220609120336.831533-1-mathias.nyman@linux.intel.com
State Superseded
Series [RFT] xhci: Fix null pointer dereference in resume if xhci has only one roothub | expand

Commit Message

Mathias Nyman June 9, 2022, 12:03 p.m. UTC
In the re-init path xhci_resume() passes 'hcd->primary_hcd' to xhci_init(),
however this field isn't initialized by __usb_create_hcd() for an HCD
without a secondary controller.

xhci_resume() is called once per xHC device, not per hcd, so the extra
checking for primary hcd can be removed.

Fixes: e0fe986972f5 ("usb: host: xhci-plat: prepare operation w/o shared hcd")
Reported-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
---
 drivers/usb/host/xhci.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

Comments

Matthias Kaehlcke June 9, 2022, 3:41 p.m. UTC | #1
On Thu, Jun 09, 2022 at 03:03:36PM +0300, Mathias Nyman wrote:
> In the re-init path xhci_resume() passes 'hcd->primary_hcd' to hci_init(),
> however this field isn't initialized by __usb_create_hcd() for a HCD
> without secondary controller.
> 
> xhci_resume() is called once per xHC device, not per hcd, so the extra
> checking for primary hcd can be removed.
> 
> Fixes: e0fe986972f5 ("usb: host: xhci-plat: prepare operation w/o shared hcd")
> Reported-by: Matthias Kaehlcke <mka@chromium.org>
> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
> ---
>  drivers/usb/host/xhci.c | 15 +++++----------
>  1 file changed, 5 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
> index f0ab63138016..9ac56e9ffc64 100644
> --- a/drivers/usb/host/xhci.c
> +++ b/drivers/usb/host/xhci.c
> @@ -1107,7 +1107,6 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
>  {
>  	u32			command, temp = 0;
>  	struct usb_hcd		*hcd = xhci_to_hcd(xhci);
> -	struct usb_hcd		*secondary_hcd;
>  	int			retval = 0;
>  	bool			comp_timer_running = false;
>  	bool			pending_portevent = false;
> @@ -1214,23 +1213,19 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
>  		 * first with the primary HCD, and then with the secondary HCD.
>  		 * If we don't do the same, the host will never be started.
>  		 */
> -		if (!usb_hcd_is_primary_hcd(hcd))
> -			secondary_hcd = hcd;
> -		else
> -			secondary_hcd = xhci->shared_hcd;
> -
>  		xhci_dbg(xhci, "Initialize the xhci_hcd\n");
> -		retval = xhci_init(hcd->primary_hcd);
> +		retval = xhci_init(hcd);
>  		if (retval)
>  			return retval;
>  		comp_timer_running = true;
>  
>  		xhci_dbg(xhci, "Start the primary HCD\n");

Is the log still correct? IIUC this now isn't necessarily the primary HCD.

> -		retval = xhci_run(hcd->primary_hcd);
> -		if (!retval && secondary_hcd) {
> +		retval = xhci_run(hcd);
> +		if (!retval && xhci->shared_hcd) {
>  			xhci_dbg(xhci, "Start the secondary HCD\n");

ditto

> -			retval = xhci_run(secondary_hcd);
> +			retval = xhci_run(xhci->shared_hcd);
>  		}
> +
>  		hcd->state = HC_STATE_SUSPENDED;
>  		if (xhci->shared_hcd)
>  			xhci->shared_hcd->state = HC_STATE_SUSPENDED;

Tested-by: Matthias Kaehlcke <mka@chromium.org>
Mathias Nyman June 10, 2022, 8:17 a.m. UTC | #2
On 9.6.2022 18.41, Matthias Kaehlcke wrote:
> On Thu, Jun 09, 2022 at 03:03:36PM +0300, Mathias Nyman wrote:
>> In the re-init path xhci_resume() passes 'hcd->primary_hcd' to hci_init(),
>> however this field isn't initialized by __usb_create_hcd() for a HCD
>> without secondary controller.
>>
>> xhci_resume() is called once per xHC device, not per hcd, so the extra
>> checking for primary hcd can be removed.
>>
>> Fixes: e0fe986972f5 ("usb: host: xhci-plat: prepare operation w/o shared hcd")
>> Reported-by: Matthias Kaehlcke <mka@chromium.org>
>> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
>> ---
>>   drivers/usb/host/xhci.c | 15 +++++----------
>>   1 file changed, 5 insertions(+), 10 deletions(-)
>>
>> diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
>> index f0ab63138016..9ac56e9ffc64 100644
>> --- a/drivers/usb/host/xhci.c
>> +++ b/drivers/usb/host/xhci.c
>> @@ -1107,7 +1107,6 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
>>   {
>>   	u32			command, temp = 0;
>>   	struct usb_hcd		*hcd = xhci_to_hcd(xhci);
>> -	struct usb_hcd		*secondary_hcd;
>>   	int			retval = 0;
>>   	bool			comp_timer_running = false;
>>   	bool			pending_portevent = false;
>> @@ -1214,23 +1213,19 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
>>   		 * first with the primary HCD, and then with the secondary HCD.
>>   		 * If we don't do the same, the host will never be started.
>>   		 */
>> -		if (!usb_hcd_is_primary_hcd(hcd))
>> -			secondary_hcd = hcd;
>> -		else
>> -			secondary_hcd = xhci->shared_hcd;
>> -
>>   		xhci_dbg(xhci, "Initialize the xhci_hcd\n");
>> -		retval = xhci_init(hcd->primary_hcd);
>> +		retval = xhci_init(hcd);
>>   		if (retval)
>>   			return retval;
>>   		comp_timer_running = true;
>>   
>>   		xhci_dbg(xhci, "Start the primary HCD\n");
> 
> Is the log still correct? IIUC this now isn't necessarily the primary HCD.

It's still correct as this is always the xhci->main_hcd, the one that is created first.
There could be a better word than "primary", but my brain is accustomed to seeing this
line while debugging.


> 
>> -		retval = xhci_run(hcd->primary_hcd);
>> -		if (!retval && secondary_hcd) {
>> +		retval = xhci_run(hcd);
>> +		if (!retval && xhci->shared_hcd) {
>>   			xhci_dbg(xhci, "Start the secondary HCD\n");
> 
> ditto

same, always xhci->shared_hcd, the one that is created second.

> 
>> -			retval = xhci_run(secondary_hcd);
>> +			retval = xhci_run(xhci->shared_hcd);
>>   		}
>> +
>>   		hcd->state = HC_STATE_SUSPENDED;
>>   		if (xhci->shared_hcd)
>>   			xhci->shared_hcd->state = HC_STATE_SUSPENDED;
> 
> Tested-by: Matthias Kaehlcke <mka@chromium.org>

Thanks for testing
-Mathias

Patch

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index f0ab63138016..9ac56e9ffc64 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1107,7 +1107,6 @@  int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
 {
 	u32			command, temp = 0;
 	struct usb_hcd		*hcd = xhci_to_hcd(xhci);
-	struct usb_hcd		*secondary_hcd;
 	int			retval = 0;
 	bool			comp_timer_running = false;
 	bool			pending_portevent = false;
@@ -1214,23 +1213,19 @@  int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
 		 * first with the primary HCD, and then with the secondary HCD.
 		 * If we don't do the same, the host will never be started.
 		 */
-		if (!usb_hcd_is_primary_hcd(hcd))
-			secondary_hcd = hcd;
-		else
-			secondary_hcd = xhci->shared_hcd;
-
 		xhci_dbg(xhci, "Initialize the xhci_hcd\n");
-		retval = xhci_init(hcd->primary_hcd);
+		retval = xhci_init(hcd);
 		if (retval)
 			return retval;
 		comp_timer_running = true;
 
 		xhci_dbg(xhci, "Start the primary HCD\n");
-		retval = xhci_run(hcd->primary_hcd);
-		if (!retval && secondary_hcd) {
+		retval = xhci_run(hcd);
+		if (!retval && xhci->shared_hcd) {
 			xhci_dbg(xhci, "Start the secondary HCD\n");
-			retval = xhci_run(secondary_hcd);
+			retval = xhci_run(xhci->shared_hcd);
 		}
+
 		hcd->state = HC_STATE_SUSPENDED;
 		if (xhci->shared_hcd)
 			xhci->shared_hcd->state = HC_STATE_SUSPENDED;
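Review bot: The comment kept above `xhci_init(hcd)` still describes a primary-then-secondary start sequence and never says the secondary HCD can be absent, which is exactly the configuration this patch fixes. Since the NULL dereference came from assuming `hcd->primary_hcd` is always set, I would record the invariant next to the calls, e.g. `/* hcd is the main HCD from xhci_to_hcd(); xhci->shared_hcd is NULL on single-roothub hosts */`. That gives later changes to this re-init path a visible reason to keep the `xhci->shared_hcd` checks before `xhci_run()` and before the state assignment. The body of xhci_resume() starts and ends outside the hunk, so how `retval` from the second `xhci_run()` is handled after the state assignments cannot be confirmed from here.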