From 87802b3d7a85bcc46407ae92caf8fed9254b32d9 Mon Sep 17 00:00:00 2001
From: Mathias Nyman
Date: Thu, 21 Dec 2017 15:06:13 +0200
Subject: [PATCH] UPSTREAM: xhci: Fix xhci debugfs NULL pointer dereference in resume from hibernate
Free the virt_device and its debugfs_private member together. When resuming from hibernate the .free_dev callback unconditionally freed the debugfs_private member, but could leave virt_device intact. This triggered a NULL pointer dereference after resume when usbmuxd sent a USBDEVFS_SETCONFIGURATION ioctl to a device, trying to add a endpoint debugfs entry to a already freed debugfs_private pointer.
Change-Id: Ib0ed39ee0f82f3f5c3af5c46949a6a5f6dfe190d
Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver")
Reported-by: Alexander Kappner
Tested-by: Alexander Kappner
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: William Wu
---
 drivers/usb/host/xhci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 6fd20d69c508..257f1ea66d89 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3611,8 +3611,6 @@ void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
 int i, ret;
 struct xhci_command *command;
- xhci_debugfs_remove_slot(xhci, udev->slot_id);
-
 command = xhci_alloc_command(xhci, false, false, GFP_KERNEL);
 if (!command)
 return;
@@ -3646,6 +3644,8 @@ void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
 del_timer_sync(&virt_dev->eps[i].stop_cmd_timer);
 }
+ xhci_debugfs_remove_slot(xhci, udev->slot_id);
+
 spin_lock_irqsave(&xhci->lock, flags);
 virt_dev->udev = NULL;
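Review bot: The relocated `xhci_debugfs_remove_slot(xhci, udev->slot_id);` in the second hunk carries an ordering invariant that nothing in the code records: it has to stay below every early return in xhci_free_dev() (the `if (!command) return;` visible in the first hunk, and any others between the two hunks), so that debugfs_private is only torn down on the path that also goes on to release virt_dev. A short comment above the call would keep a later cleanup from hoisting it back to the top of the function, for example `/* Remove debugfs only after the early returns; virt_dev must not outlive its debugfs_private. */`. The call still sits before `spin_lock_irqsave(&xhci->lock, flags)`, so whether a concurrent USBDEVFS_SETCONFIGURATION can still reach the slot between the removal and the eventual free cannot be judged from the lines shown. If the path that adds endpoint entries does not already check debugfs_private for NULL, a guard there would be worth a follow-up. The function body starts and ends outside both hunks.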