USB: Move hcd free_dev call into usb_disconnect to fix oops

commit f7410ced7f931bb1ad79d1336412cf7b7a33cb14 upstream. USB: Move hcd free_dev call into usb_disconnect I found a way to oops the kernel: 1. Open a USB device through devio. 2. Remove the hcd module in the host kernel. 3. Close the devio file descriptor. The problem is that closing the file descriptor does usb_release_dev as it is the last reference. usb_release_dev then tries to invoke the hcd free_dev function (or rather dereferencing the hcd driver struct). This causes an oops as the hcd driver has already been unloaded so the struct is gone. This patch tries to fix this by bringing the free_dev call earlier and into usb_disconnect. I have verified that repeating the above steps no longer crashes with this patch applied. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Herbert Xu <herbert@gondor.apana.org.au> 2010-01-10 04:15:03 -0500
committer: Greg Kroah-Hartman <gregkh@suse.de> 2010-03-15 12:06:57 -0400
commit: be3da032d675cee5156260354182fee760834898 (patch)
tree: aca30d00a64dd8979fce5d5aeeaf78e7d5469220 /drivers
parent: a5061d0d9c23a6952b7138fa35d0d43523ff22d2 (diff)
3 files changed, 13 insertions, 4 deletions
diff --git a/drivers/usb/core/hcd.h b/drivers/usb/core/hcd.h
index bbe2b924aae8..89613a744236 100644
--- a/drivers/usb/core/hcd.h
+++ b/drivers/usb/core/hcd.h
@@ -248,7 +248,7 @@ struct hc_driver {
        /* xHCI specific functions */
                /* Called by usb_alloc_dev to alloc HC device structures */
        int     (*alloc_dev)(struct usb_hcd *, struct usb_device *);
-                /* Called by usb_release_dev to free HC device structures */
+                /* Called by usb_disconnect to free HC device structures */
        void    (*free_dev)(struct usb_hcd *, struct usb_device *);
        /* Bandwidth computation functions */
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 35cc8b9ba1f5..9cc0abae7923 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1554,6 +1554,15 @@ static inline void usb_stop_pm(struct usb_device *udev)
 #endif
+static void hub_free_dev(struct usb_device *udev)
+{
+        struct usb_hcd *hcd = bus_to_hcd(udev->bus);
+        /* Root hubs aren't real devices, so don't free HCD resources */
+        if (hcd->driver->free_dev && udev->parent)
+                hcd->driver->free_dev(hcd, udev);
+}
 /**
 * usb_disconnect - disconnect a device (usbcore-internal)
 * @pdev: pointer to device being disconnected
@@ -1624,6 +1633,8 @@ void usb_disconnect(struct usb_device **pdev)
        usb_stop_pm(udev);
+        hub_free_dev(udev);
        put_device(&udev->dev);
 }
@@ -3191,6 +3202,7 @@ loop_disable:
 loop:
                usb_ep0_reinit(udev);
                release_address(udev);
+                hub_free_dev(udev);
                usb_put_dev(udev);
                if ((status == -ENOTCONN) || (status == -ENOTSUPP))
                        break;
diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
index 0daff0d968ba..ced0776b9ee9 100644
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -228,9 +228,6 @@ static void usb_release_dev(struct device *dev)
        hcd = bus_to_hcd(udev->bus);
        usb_destroy_configuration(udev);
-        /* Root hubs aren't real devices, so don't free HCD resources */
-        if (hcd->driver->free_dev && udev->parent)
-                hcd->driver->free_dev(hcd, udev);
        usb_put_hcd(hcd);
        kfree(udev->product);
        kfree(udev->manufacturer);
author	Herbert Xu <herbert@gondor.apana.org.au>	2010-01-10 04:15:03 -0500
committer	Greg Kroah-Hartman <gregkh@suse.de>	2010-03-15 12:06:57 -0400
commit	be3da032d675cee5156260354182fee760834898 (patch)
tree	aca30d00a64dd8979fce5d5aeeaf78e7d5469220 /drivers
parent	a5061d0d9c23a6952b7138fa35d0d43523ff22d2 (diff)