diff options
| author | Alan Stern <stern@rowland.harvard.edu> | 2012-09-26 13:09:53 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-09-27 12:17:49 -0400 |
| commit | 0d00dc2611abbe6ad244d50569c2ee82ce42846c (patch) | |
| tree | 24f8d27cb2790c7574a678b6ddf1576ef3bceceb /drivers/usb/core | |
| parent | 01bb6501779ed0b6dc6c55be34b49eaa6306fdd8 (diff) | |
USB: Fix race condition when removing host controllers
This patch (as1607) fixes a race that can occur if a USB host
controller is removed while a process is reading the
/sys/kernel/debug/usb/devices file.
The usb_device_read() routine uses the bus->root_hub pointer to
determine whether or not the root hub is registered. The is not a
valid test, because the pointer is set before the root hub gets
registered and remains set even after the root hub is unregistered and
deallocated. As a result, usb_device_read() or usb_device_dump() can
access freed memory, causing an oops.
The patch changes the test to use the hcd->rh_registered flag, which
does get set and cleared at the appropriate times. It also makes sure
to hold the usb_bus_list_lock mutex while setting the flag, so that
usb_device_read() will become aware of new root hubs as soon as they
are registered.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Don Zickus <dzickus@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/core')
| -rw-r--r-- | drivers/usb/core/devices.c | 2 | ||||
| -rw-r--r-- | drivers/usb/core/hcd.c | 6 |
2 files changed, 3 insertions, 5 deletions
diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c index d95696584762..3440812b4a84 100644 --- a/drivers/usb/core/devices.c +++ b/drivers/usb/core/devices.c | |||
| @@ -624,7 +624,7 @@ static ssize_t usb_device_read(struct file *file, char __user *buf, | |||
| 624 | /* print devices for all busses */ | 624 | /* print devices for all busses */ |
| 625 | list_for_each_entry(bus, &usb_bus_list, bus_list) { | 625 | list_for_each_entry(bus, &usb_bus_list, bus_list) { |
| 626 | /* recurse through all children of the root hub */ | 626 | /* recurse through all children of the root hub */ |
| 627 | if (!bus->root_hub) | 627 | if (!bus_to_hcd(bus)->rh_registered) |
| 628 | continue; | 628 | continue; |
| 629 | usb_lock_device(bus->root_hub); | 629 | usb_lock_device(bus->root_hub); |
| 630 | ret = usb_device_dump(&buf, &nbytes, &skip_bytes, ppos, | 630 | ret = usb_device_dump(&buf, &nbytes, &skip_bytes, ppos, |
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c index bc84106ac057..75ba2091f9b4 100644 --- a/drivers/usb/core/hcd.c +++ b/drivers/usb/core/hcd.c | |||
| @@ -1011,10 +1011,7 @@ static int register_root_hub(struct usb_hcd *hcd) | |||
| 1011 | if (retval) { | 1011 | if (retval) { |
| 1012 | dev_err (parent_dev, "can't register root hub for %s, %d\n", | 1012 | dev_err (parent_dev, "can't register root hub for %s, %d\n", |
| 1013 | dev_name(&usb_dev->dev), retval); | 1013 | dev_name(&usb_dev->dev), retval); |
| 1014 | } | 1014 | } else { |
| 1015 | mutex_unlock(&usb_bus_list_lock); | ||
| 1016 | |||
| 1017 | if (retval == 0) { | ||
| 1018 | spin_lock_irq (&hcd_root_hub_lock); | 1015 | spin_lock_irq (&hcd_root_hub_lock); |
| 1019 | hcd->rh_registered = 1; | 1016 | hcd->rh_registered = 1; |
| 1020 | spin_unlock_irq (&hcd_root_hub_lock); | 1017 | spin_unlock_irq (&hcd_root_hub_lock); |
| @@ -1023,6 +1020,7 @@ static int register_root_hub(struct usb_hcd *hcd) | |||
| 1023 | if (HCD_DEAD(hcd)) | 1020 | if (HCD_DEAD(hcd)) |
| 1024 | usb_hc_died (hcd); /* This time clean up */ | 1021 | usb_hc_died (hcd); /* This time clean up */ |
| 1025 | } | 1022 | } |
| 1023 | mutex_unlock(&usb_bus_list_lock); | ||
| 1026 | 1024 | ||
| 1027 | return retval; | 1025 | return retval; |
| 1028 | } | 1026 | } |