diff options
| author | Joe Lawrence <joe.lawrence@stratus.com> | 2014-09-10 15:07:50 -0400 |
|---|---|---|
| committer | Zefan Li <lizefan@huawei.com> | 2014-12-01 18:02:29 +0800 |
| commit | 7decb190e8fc2b655586934431b4b61723998e47 (patch) | |
| tree | 6a9b822fb2c79ba3e11255089ece71c7631c7e55 | |
| parent | dd3d82185d61b31589d5d9d99dda3d1877d0241c (diff) | |
usb: hub: take hub->hdev reference when processing from eventlist
commit c605f3cdff53a743f6d875b76956b239deca1272 upstream.
During surprise device hotplug removal tests, it was observed that
hub_events may try to call usb_lock_device on a device that has already
been freed. Protect the usb_device by taking out a reference (under the
hub_event_lock) when hub_events pulls it off the list, returning the
reference after hub_events is finished using it.
Signed-off-by: Joe Lawrence <joe.lawrence@stratus.com>
Suggested-by: David Bulkow <david.bulkow@stratus.com> for using kref
Suggested-by: Alan Stern <stern@rowland.harvard.edu> for placement
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zefan Li <lizefan@huawei.com>
| -rw-r--r-- | drivers/usb/core/hub.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index e0d4d901e99d..62a9e44bfef6 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -3729,9 +3729,10 @@ static void hub_events(void) hub = list_entry(tmp, struct usb_hub, event_list); kref_get(&hub->kref); + hdev = hub->hdev; + usb_get_dev(hdev); spin_unlock_irq(&hub_event_lock); - hdev = hub->hdev; hub_dev = hub->intfdev; intf = to_usb_interface(hub_dev); dev_dbg(hub_dev, "state %d ports %d chg %04x evt %04x\n", @@ -3946,6 +3947,7 @@ static void hub_events(void) usb_autopm_put_interface(intf); loop_disconnected: usb_unlock_device(hdev); + usb_put_dev(hdev); kref_put(&hub->kref, hub_release); } /* end while (1) */ |