This is a note to let you know that I've just added the patch titled xhci: Fix null pointer dereference when host dies to the 5.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: xhci-fix-null-pointer-dereference-when-host-dies.patch and it can be found in the queue-5.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From a2bc47c43e70cf904b1af49f76d572326c08bca7 Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx> Date: Mon, 16 Jan 2023 16:22:12 +0200 Subject: xhci: Fix null pointer dereference when host dies From: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx> commit a2bc47c43e70cf904b1af49f76d572326c08bca7 upstream. Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race and cause null pointer dereference when host suddenly dies. Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id] virt device at the same time that xhci_kill_endpoint_urbs() tries to loop through all the device's endpoints, checking if there are any cancelled urbs left to give back. hold the xhci spinlock while freeing the virt device Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20230116142216.1141605-4-mathias.nyman@xxxxxxxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/host/xhci.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -3909,6 +3909,7 @@ static void xhci_free_dev(struct usb_hcd struct xhci_hcd *xhci = hcd_to_xhci(hcd); struct xhci_virt_device *virt_dev; struct xhci_slot_ctx *slot_ctx; + unsigned long flags; int i, ret; /* @@ -3937,7 +3938,11 @@ static void xhci_free_dev(struct usb_hcd } virt_dev->udev = NULL; xhci_disable_slot(xhci, udev->slot_id); + + spin_lock_irqsave(&xhci->lock, flags); xhci_free_virt_device(xhci, udev->slot_id); + spin_unlock_irqrestore(&xhci->lock, flags); + } int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id) Patches currently in stable-queue which might be from mathias.nyman@xxxxxxxxxxxxxxx are queue-5.4/usb-acpi-add-helper-to-check-port-lpm-capability-using-acpi-_dsm.patch queue-5.4/xhci-fix-null-pointer-dereference-when-host-dies.patch queue-5.4/xhci-pci-set-the-dma-max_seg_size.patch queue-5.4/usb-xhci-check-endpoint-is-valid-before-dereferencing-it.patch queue-5.4/xhci-add-update_hub_device-override-for-pci-xhci-hosts.patch queue-5.4/xhci-detect-lpm-incapable-xhc-usb3-roothub-ports-from-acpi-tables.patch queue-5.4/xhci-add-a-flag-to-disable-usb3-lpm-on-a-xhci-root-port-level.patch