aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPete Zaitcev <zaitcev@redhat.com>2006-05-03 03:16:00 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2006-05-09 02:43:55 -0400
commit77ef6c4d6e23653a79eedacdd6d1d0da7083e59c (patch)
tree5dd68fb616175ffcf2939beaef8ed06a43179173
parent436f5762bcd4929825a0725d4bc78337e6fc0d8f (diff)
[PATCH] USB: ub oops in block_uevent
In kernel 2.6.16, if a mounted storage device is removed, an oops happens because ub supplies an interface device (and kobject) to the block layer, but neglects to pin it. And apparently, the block layer expects its users to pin device structures. The code in ub was broken this way for years. But the bug was exposed only by 2.6.16 when it started to call block_uevent on close, which traverses device structures (kobjects actually). Signed-off-by: Pete Zaitcev <zaitcev@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/block/ub.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/drivers/block/ub.c b/drivers/block/ub.c
index f73446f580df..c688c25992e4 100644
--- a/drivers/block/ub.c
+++ b/drivers/block/ub.c
@@ -536,6 +536,9 @@ static void ub_cleanup(struct ub_dev *sc)
536 kfree(lun); 536 kfree(lun);
537 } 537 }
538 538
539 usb_set_intfdata(sc->intf, NULL);
540 usb_put_intf(sc->intf);
541 usb_put_dev(sc->dev);
539 kfree(sc); 542 kfree(sc);
540} 543}
541 544
@@ -2221,7 +2224,12 @@ static int ub_probe(struct usb_interface *intf,
2221 // sc->ifnum = intf->cur_altsetting->desc.bInterfaceNumber; 2224 // sc->ifnum = intf->cur_altsetting->desc.bInterfaceNumber;
2222 usb_set_intfdata(intf, sc); 2225 usb_set_intfdata(intf, sc);
2223 usb_get_dev(sc->dev); 2226 usb_get_dev(sc->dev);
2224 // usb_get_intf(sc->intf); /* Do we need this? */ 2227 /*
2228 * Since we give the interface struct to the block level through
2229 * disk->driverfs_dev, we have to pin it. Otherwise, block_uevent
2230 * oopses on close after a disconnect (kernels 2.6.16 and up).
2231 */
2232 usb_get_intf(sc->intf);
2225 2233
2226 snprintf(sc->name, 12, DRV_NAME "(%d.%d)", 2234 snprintf(sc->name, 12, DRV_NAME "(%d.%d)",
2227 sc->dev->bus->busnum, sc->dev->devnum); 2235 sc->dev->bus->busnum, sc->dev->devnum);
@@ -2286,7 +2294,7 @@ static int ub_probe(struct usb_interface *intf,
2286 2294
2287err_dev_desc: 2295err_dev_desc:
2288 usb_set_intfdata(intf, NULL); 2296 usb_set_intfdata(intf, NULL);
2289 // usb_put_intf(sc->intf); 2297 usb_put_intf(sc->intf);
2290 usb_put_dev(sc->dev); 2298 usb_put_dev(sc->dev);
2291 kfree(sc); 2299 kfree(sc);
2292err_core: 2300err_core:
@@ -2461,12 +2469,6 @@ static void ub_disconnect(struct usb_interface *intf)
2461 * and no URBs left in transit. 2469 * and no URBs left in transit.
2462 */ 2470 */
2463 2471
2464 usb_set_intfdata(intf, NULL);
2465 // usb_put_intf(sc->intf);
2466 sc->intf = NULL;
2467 usb_put_dev(sc->dev);
2468 sc->dev = NULL;
2469
2470 ub_put(sc); 2472 ub_put(sc);
2471} 2473}
2472 2474