diff options
| author | Ming Lei <ming.lei@canonical.com> | 2012-08-04 00:01:23 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-08-16 16:28:50 -0400 |
| commit | 0cfc1e1e7b5347b4b6df1212f365ce6620bdd98f (patch) | |
| tree | 4d976455cea5dc6055c132b0f9833b01afe5c285 /drivers/base | |
| parent | 2887b3959c8b2f6ed1f62ce95c0888aedb1ea84b (diff) | |
firmware loader: fix device lifetime
Callers of request_firmware* must hold the reference count of
@device, otherwise it is easy to trigger oops since the firmware
loader device is the child of @device.
This patch adds comments about the usage. In fact, most of drivers
call request_firmware* in its probe() or open(), so the constraint
should be reasonable and can be satisfied.
Also this patch holds the reference count of @device before
schedule_work() in request_firmware_nowait() to avoid that
the @device is released after request_firmware_nowait returns
and before the worker function is scheduled.
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/base')
| -rw-r--r-- | drivers/base/firmware_class.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index fc119ce6fdb8..7d3a83bb1318 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c | |||
| @@ -742,6 +742,8 @@ err_put_dev: | |||
| 742 | * @name will be used as $FIRMWARE in the uevent environment and | 742 | * @name will be used as $FIRMWARE in the uevent environment and |
| 743 | * should be distinctive enough not to be confused with any other | 743 | * should be distinctive enough not to be confused with any other |
| 744 | * firmware image for this or any other device. | 744 | * firmware image for this or any other device. |
| 745 | * | ||
| 746 | * Caller must hold the reference count of @device. | ||
| 745 | **/ | 747 | **/ |
| 746 | int | 748 | int |
| 747 | request_firmware(const struct firmware **firmware_p, const char *name, | 749 | request_firmware(const struct firmware **firmware_p, const char *name, |
| @@ -823,6 +825,7 @@ static void request_firmware_work_func(struct work_struct *work) | |||
| 823 | 825 | ||
| 824 | out: | 826 | out: |
| 825 | fw_work->cont(fw, fw_work->context); | 827 | fw_work->cont(fw, fw_work->context); |
| 828 | put_device(fw_work->device); | ||
| 826 | 829 | ||
| 827 | module_put(fw_work->module); | 830 | module_put(fw_work->module); |
| 828 | kfree(fw_work); | 831 | kfree(fw_work); |
| @@ -841,6 +844,8 @@ static void request_firmware_work_func(struct work_struct *work) | |||
| 841 | * @cont: function will be called asynchronously when the firmware | 844 | * @cont: function will be called asynchronously when the firmware |
| 842 | * request is over. | 845 | * request is over. |
| 843 | * | 846 | * |
| 847 | * Caller must hold the reference count of @device. | ||
| 848 | * | ||
| 844 | * Asynchronous variant of request_firmware() for user contexts where | 849 | * Asynchronous variant of request_firmware() for user contexts where |
| 845 | * it is not possible to sleep for long time. It can't be called | 850 | * it is not possible to sleep for long time. It can't be called |
| 846 | * in atomic contexts. | 851 | * in atomic contexts. |
| @@ -869,6 +874,7 @@ request_firmware_nowait( | |||
| 869 | return -EFAULT; | 874 | return -EFAULT; |
| 870 | } | 875 | } |
| 871 | 876 | ||
| 877 | get_device(fw_work->device); | ||
| 872 | INIT_WORK(&fw_work->work, request_firmware_work_func); | 878 | INIT_WORK(&fw_work->work, request_firmware_work_func); |
| 873 | schedule_work(&fw_work->work); | 879 | schedule_work(&fw_work->work); |
| 874 | return 0; | 880 | return 0; |