[3.13.y.z extended stable] Patch "usb: xhci: Fix OOPS in xhci error handling code" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Wed Oct 8 22:14:12 UTC 2014 

This is a note to let you know that I have just added a patch titled

    usb: xhci: Fix OOPS in xhci error handling code

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.9.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From b4a8a127bc39bfdd52c7b88eb31ded445c9b4d6e Mon Sep 17 00:00:00 2001
From: Al Cooper <alcooperx at gmail.com>
Date: Thu, 11 Sep 2014 13:55:49 +0300
Subject: usb: xhci: Fix OOPS in xhci error handling code

commit 0eda06c7c17ae48d7db69beef57f6e2b20bc3c72 upstream.

The xhci driver will OOPS on resume from S2/S3 if dma_alloc_coherent()
is out of memory. This is a result of two things:
1. xhci_mem_cleanup() in xhci-mem.c free's xhci->lpm_command if
it's not NULL, but doesn't set it to NULL after the free.
2. xhci_mem_cleanup() is called twice on resume, once for normal
restart and once from xhci_mem_init() if dma_alloc_coherent() fails,
resulting in a free of xhci->lpm_command that has already been freed.
The fix is to set xhci->lpm_command to NULL after freeing it.

Signed-off-by: Al Cooper <alcooperx at gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman at linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/usb/host/xhci-mem.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 837c333..06d0d1e 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1711,6 +1711,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)

 	if (xhci->lpm_command)
 		xhci_free_command(xhci, xhci->lpm_command);
+	xhci->lpm_command = NULL;
 	xhci->cmd_ring_reserved_trbs = 0;
 	if (xhci->cmd_ring)
 		xhci_ring_free(xhci, xhci->cmd_ring);
--
1.9.1

More information about the kernel-team mailing list