usb: r8a66597-hcd: fix removed from an attached hub

Fix a kernel panic that is likely to follow when a USB hub is attached to
the r8a66597-hcd and a device is removed from that hub.

Reported-by: Markus Pietrek <Markus.Pietrek@emtrion.de>
Signed-off-by: Yoshihiro Shimoda <shimoda.yoshihiro@renesas.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

authored by Yoshihiro Shimoda and committed by Greg Kroah-Hartman d8359334 9ce669a8

+11 -5
+11 -5
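--- a/drivers/usb/host/r8a66597-hcd.c
+++ b/drivers/usb/host/r8a66597-hcd.c
@@ -418,7 +418,7 @@
 
 /* this function must be called with interrupt disabled */
 static void free_usb_address(struct r8a66597 *r8a66597,
-struct r8a66597_device *dev)
+struct r8a66597_device *dev, int reset)
 {
 int port;
 
@@ -430,7 +430,13 @@
 dev->state = USB_STATE_DEFAULT;
 r8a66597->address_map &= ~(1 << dev->address);
 dev->address = 0;
-dev_set_drvdata(&dev->udev->dev, NULL);
+/*
+ * Only when resetting USB, it is necessary to erase drvdata. When
+ * a usb device with usb hub is disconnect, "dev->udev" is already
+ * freed on usb_desconnect(). So we cannot access the data.
+ */
+if (reset)
+dev_set_drvdata(&dev->udev->dev, NULL);
 list_del(&dev->device_list);
 kfree(dev);
 
@@ -1069,7 +1075,7 @@
 struct r8a66597_device *dev = r8a66597->root_hub[port].dev;
 
 disable_r8a66597_pipe_all(r8a66597, dev);
-free_usb_address(r8a66597, dev);
+free_usb_address(r8a66597, dev, 0);
 
 start_root_hub_sampling(r8a66597, port, 0);
 }
@@ -2085,7 +2091,7 @@
 spin_lock_irqsave(&r8a66597->lock, flags);
 dev = get_r8a66597_device(r8a66597, addr);
 disable_r8a66597_pipe_all(r8a66597, dev);
-free_usb_address(r8a66597, dev);
+free_usb_address(r8a66597, dev, 0);
 put_child_connect_map(r8a66597, addr);
 spin_unlock_irqrestore(&r8a66597->lock, flags);
 }
@@ -2228,7 +2234,7 @@
 rh->port |= (1 << USB_PORT_FEAT_RESET);
 
 disable_r8a66597_pipe_all(r8a66597, dev);
-free_usb_address(r8a66597, dev);
+free_usb_address(r8a66597, dev, 1);
 
 r8a66597_mdfy(r8a66597, USBRST, USBRST | UACT,
 get_dvstctr_reg(port));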
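Review bot: When `reset` is 0, `free_usb_address()` reaches `kfree(dev)` with the drvdata of `dev->udev` still pointing at `dev`, so the freed-`udev` access is avoided by leaving a stale pointer wherever the `usb_device` outlives this call. The new comment covers the hub-child path, where `dev->udev` is already freed, but the root-hub call site after `struct r8a66597_device *dev = r8a66597->root_hub[port].dev;` also passes 0, and nothing in the visible hunks shows `udev` is gone there; if it is still live, a later `dev_get_drvdata()` on it would return freed memory, so this is worth confirming. The bare `0`/`1` encodes an object-lifetime fact at each call site; a `bool` parameter with a descriptive name, or having the driver take its own reference with `usb_get_dev()`/`usb_put_dev()`, would make a wrong caller harder to write. In the added comment, `usb_desconnect()` should read `usb_disconnect()` and "is disconnect" should read "is disconnected". All of the enclosing functions start or end outside the hunks.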