• USB: Move hcd free_dev call into usb_disconnect to fix oops · f7410ced
    Herbert Xu authored
    USB: Move hcd free_dev call into usb_disconnect
    
    I found a way to oops the kernel:
    
    1. Open a USB device through devio.
    2. Remove the hcd module in the host kernel.
    3. Close the devio file descriptor.
    
    The problem is that closing the file descriptor does usb_release_dev
    as it is the last reference.  usb_release_dev then tries to invoke
    the hcd free_dev function (or rather dereferencing the hcd driver
    struct).  This causes an oops as the hcd driver has already been
    unloaded so the struct is gone.
    
    This patch tries to fix this by bringing the free_dev call earlier
    and into usb_disconnect.  I have verified that repeating the
    above steps no longer crashes with this patch applied.

    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: stable <stable@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
hcd.h 19.3 KB
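
The lifetime ordering described in the commit message, as an added userspace model (not kernel code and not part of the original commit). The `model_` functions, the struct layouts and the `module_loaded` flag are hypothetical stand-ins; the flag check marks the point where the real kernel would dereference the unloaded hcd driver struct.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: names echo the commit message, bodies are hypothetical. */
struct hcd_driver { void (*free_dev)(int *hw_slots); };
struct hcd { struct hcd_driver *driver; bool module_loaded; int hw_slots; };
struct usb_dev { struct hcd *hcd; int refcount; bool hcd_state_freed; };

static void model_free_dev(int *hw_slots) { (*hw_slots)--; }
static struct hcd_driver model_driver = { model_free_dev };

/* Stand-in for removing the hcd module: the driver struct is no longer valid. */
static void hcd_module_unload(struct hcd *h) { h->module_loaded = false; }

/* Calls free_dev if it has not run yet. Returns false at the point where the
 * real kernel would dereference the unloaded driver struct and oops. */
static bool call_free_dev(struct usb_dev *d) {
    if (d->hcd_state_freed) return true;       /* already released */
    if (!d->hcd->module_loaded) return false;  /* driver struct is gone */
    d->hcd->driver->free_dev(&d->hcd->hw_slots);
    d->hcd_state_freed = true;
    return true;
}

/* fixed=true models the patch: free_dev runs at disconnect time. */
static bool model_disconnect(struct usb_dev *d, bool fixed) {
    return fixed ? call_free_dev(d) : true;
}

/* Drop one reference; before the patch the last put is where free_dev ran. */
static bool model_put(struct usb_dev *d) {
    if (--d->refcount > 0) return true;
    return call_free_dev(d);
}

/* Runs the three steps from the commit message; true means no oops. */
bool run_scenario(bool fixed) {
    struct hcd h = { &model_driver, true, 1 };
    struct usb_dev d = { &h, 2, false };   /* core ref + devio open (step 1) */
    bool ok = model_disconnect(&d, fixed); /* step 2: hcd removal disconnects */
    ok = model_put(&d) && ok;              /* core drops its reference */
    hcd_module_unload(&h);                 /* module text and data go away */
    return model_put(&d) && ok;            /* step 3: close the devio fd */
}

int main(void) {
    printf("before patch: %s\n", run_scenario(false) ? "ok" : "oops");
    printf("after patch:  %s\n", run_scenario(true) ? "ok" : "oops");
    return 0;
}
```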