tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

usb: r8a66597-hcd: fix removed from an attached hub

fix the problem that when a USB hub is attached to the r8a66597-hcd and
a device is removed from that hub, it's likely that a kernel panic follows.

Reported-by: Markus Pietrek <Markus.Pietrek@emtrion.de>
Signed-off-by: Yoshihiro Shimoda <shimoda.yoshihiro@renesas.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

authored by Yoshihiro Shimoda and committed by Greg Kroah-Hartman d8359334 9ce669a8

+11 -5
unified split
+11 -5
drivers/usb/host/r8a66597-hcd.c
··· 418 418 419 419 /* this function must be called with interrupt disabled */ 420 420 static void free_usb_address(struct r8a66597 *r8a66597, 421 - struct r8a66597_device *dev) 421 + struct r8a66597_device *dev, int reset) 422 422 { 423 423 int port; 424 424 ··· 430 430 dev->state = USB_STATE_DEFAULT; 431 431 r8a66597->address_map &= ~(1 << dev->address); 432 432 dev->address = 0; 433 - dev_set_drvdata(&dev->udev->dev, NULL); 433 + /* 434 + * Only when resetting USB, it is necessary to erase drvdata. When 435 + * a usb device with usb hub is disconnect, "dev->udev" is already 436 + * freed on usb_desconnect(). So we cannot access the data. 437 + */ 438 + if (reset) 439 + dev_set_drvdata(&dev->udev->dev, NULL); 434 440 list_del(&dev->device_list); 435 441 kfree(dev); 436 442 ··· 1075 1069 struct r8a66597_device *dev = r8a66597->root_hub[port].dev; 1076 1070 1077 1071 disable_r8a66597_pipe_all(r8a66597, dev); 1078 - free_usb_address(r8a66597, dev); 1072 + free_usb_address(r8a66597, dev, 0); 1079 1073 1080 1074 start_root_hub_sampling(r8a66597, port, 0); 1081 1075 } ··· 2091 2085 spin_lock_irqsave(&r8a66597->lock, flags); 2092 2086 dev = get_r8a66597_device(r8a66597, addr); 2093 2087 disable_r8a66597_pipe_all(r8a66597, dev); 2094 - free_usb_address(r8a66597, dev); 2088 + free_usb_address(r8a66597, dev, 0); 2095 2089 put_child_connect_map(r8a66597, addr); 2096 2090 spin_unlock_irqrestore(&r8a66597->lock, flags); 2097 2091 } ··· 2234 2228 rh->port |= (1 << USB_PORT_FEAT_RESET); 2235 2229 2236 2230 disable_r8a66597_pipe_all(r8a66597, dev); 2237 - free_usb_address(r8a66597, dev); 2231 + free_usb_address(r8a66597, dev, 1); 2238 2232 2239 2233 r8a66597_mdfy(r8a66597, USBRST, USBRST | UACT, 2240 2234 get_dvstctr_reg(port));