USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

commit 2f86a96be0ccb1302b7eee7855dbee5ce4dc5dfb upstream.

There is race condition when two USB class drivers try to call
init_usb_class at the same time and leads to crash.
code path: probe->usb_register_dev->init_usb_class

To solve this, mutex locking has been added in init_usb_class() and
destroy_usb_class().

As pointed by Alan, removed "if (usb_class)" test from destroy_usb_class()
because usb_class can never be NULL there.

Signed-off-by: Ajay Kaher <ajay.kaher@samsung.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 7 insertions, 2 deletions

diff --git a/drivers/usb/core/file.c b/drivers/usb/core/file.c
index 822ced9639aa..422ce7b20d73 100644
--- a/drivers/usb/core/file.c
+++ b/drivers/usb/core/file.c
@@ -27,6 +27,7 @@
 #define MAX_USB_MINORS  256
 static const struct file_operations *usb_minors[MAX_USB_MINORS];
 static DECLARE_RWSEM(minor_rwsem);
+static DEFINE_MUTEX(init_usb_class_mutex);
 
 static int usb_open(struct inode *inode, struct file *file)
 {
@@ -109,8 +110,9 @@ static void release_usb_class(struct kref *kref)
 
 static void destroy_usb_class(void)
 {
-        if (usb_class)
-                kref_put(&usb_class->kref, release_usb_class);
+        mutex_lock(&init_usb_class_mutex);
+        kref_put(&usb_class->kref, release_usb_class);
+        mutex_unlock(&init_usb_class_mutex);
 }
 
 int usb_major_init(void)
@@ -171,7 +173,10 @@ int usb_register_dev(struct usb_interface *intf,
         if (intf->minor >= 0)
                 return -EADDRINUSE;
 
+        mutex_lock(&init_usb_class_mutex);
         retval = init_usb_class();
+        mutex_unlock(&init_usb_class_mutex);
+
         if (retval)
                 return retval;