Thank you so much for fixing the issue, Mathias!

> I moved the max packet checks away from xhci_urb_enqueue() and fixed up the locking.
> I can't trigger the original issue, but I tested it by setting incorrect initial max packet
> size values.

I added a 3-second delay within xhci_check_maxpacket(). When I saw the max packet size was being checked, I removed the USB device to trigger the race problem.

[ 172.392813][ T1960] [khtsai] xhci_check_maxpacket, before, slot_id=2, devs[slot_id]=000000003cb76fec
[ 174.290601][ T20] usb 2-1: USB disconnect, device number 2
[ 174.290608][ T20] usb 2-1.2: USB disconnect, device number 3
[ 174.297180][ T20] [khtsai] xhci_free_dev, ret=1
[ 174.305010][ T133] usb usb3: USB disconnect, device number 1
[ 174.316346][ T20] [khtsai] xhci_free_dev, ret=1
[ 175.458962][ T1960] [khtsai] xhci_check_maxpacket, after, slot_id=2, devs[slot_id]=0000000000000000
[ 175.460835][ T1960] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010

> If you have the chance to test this with your setup I'd appreciate it.

Sure, I will definitely help verify it. However, I believe the race problem won't happen as your patch already removes max packet checks from xhci_urb_enqueue() and also protects sections using the xhci->devs[slot_id] virtual device.

> patches found here:
> git://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git fix_urb_enqueue_locking
> https://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git/log/?h=fix_urb_enqueue_locking

I'll add them to this thread as well