linux/drivers/usb/core
Herbert Xu f7410ced7f USB: Move hcd free_dev call into usb_disconnect to fix oops
USB: Move hcd free_dev call into usb_disconnect

I found a way to oops the kernel:

1. Open a USB device through devio.
2. Remove the hcd module in the host kernel.
3. Close the devio file descriptor.

The problem is that closing the file descriptor does usb_release_dev
as it is the last reference.  usb_release_dev then tries to invoke
the hcd free_dev function (or rather dereferencing the hcd driver
struct).  This causes an oops as the hcd driver has already been
unloaded so the struct is gone.

This patch tries to fix this by bringing the free_dev call earlier
and into usb_disconnect.  I have verified that repeating the
above steps no longer crashes with this patch applied.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-02 14:54:13 -08:00
..
Kconfig USB: convert to the runtime PM framework 2010-03-02 14:54:12 -08:00
Makefile USB: add the usbfs devices file to debugfs 2009-06-15 21:44:43 -07:00
buffer.c USB: pass mem_flags to dma_alloc_coherent 2009-04-23 14:15:28 -07:00
config.c USB: Fix SS endpoint companion descriptor parsing. 2009-09-23 06:46:18 -07:00
devices.c USB: Don't use GFP_KERNEL while we cannot reset a storage device 2010-01-20 15:24:34 -08:00
devio.c USB: change locking for device-level autosuspend 2010-03-02 14:54:08 -08:00
driver.c USB: convert to the runtime PM framework 2010-03-02 14:54:12 -08:00
endpoint.c PM: Allow USB devices to suspend/resume asynchronously 2010-02-26 20:39:12 +01:00
file.c USB: fix possible null deref in init_usb_class() 2009-12-11 11:55:22 -08:00
generic.c USB: Convert a dev_info to a dev_dbg 2009-12-11 11:55:13 -08:00
hcd-pci.c USB: implement non-tree resume ordering constraints for PCI host controllers 2010-02-26 20:39:12 +01:00
hcd.c USB: convert to the runtime PM framework 2010-03-02 14:54:12 -08:00
hcd.h USB: Move hcd free_dev call into usb_disconnect to fix oops 2010-03-02 14:54:13 -08:00
hub.c USB: Move hcd free_dev call into usb_disconnect to fix oops 2010-03-02 14:54:13 -08:00
hub.h USB: fix the clear_tt_buffer interface 2009-07-12 15:16:38 -07:00
inode.c const: mark remaining super_operations const 2009-09-22 07:17:24 -07:00
message.c USB: convert to the runtime PM framework 2010-03-02 14:54:12 -08:00
notify.c USB : correct comments in usb/core/notify.c 2008-02-01 14:34:44 -08:00
otg_whitelist.h USB: fix codingstyle issues in drivers/usb/core/*.h 2008-02-01 14:35:07 -08:00
quirks.c USB: change handling of negative autosuspend delays 2010-03-02 14:54:11 -08:00
sysfs.c USB: change handling of negative autosuspend delays 2010-03-02 14:54:11 -08:00
urb.c USB: rename USB_SPEED_VARIABLE to USB_SPEED_WIRELESS 2010-03-02 14:53:36 -08:00
usb.c USB: Move hcd free_dev call into usb_disconnect to fix oops 2010-03-02 14:54:13 -08:00
usb.h USB: convert to the runtime PM framework 2010-03-02 14:54:12 -08:00