From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org, greg@kroah.com
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
Pete Zaitcev <zaitcev@redhat.com>,
linux-usb-devel@lists.sourceforge.net,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [PATCH 03/22] USB: ub oops in block_uevent
Date: Wed, 17 May 2006 00:00:03 -0700 [thread overview]
Message-ID: <20060517221353.122609000@sous-sol.org> (raw)
In-Reply-To: 20060517221312.227391000@sous-sol.org
[-- Attachment #1: usb-ub-oops-in-block_uevent.patch --]
[-- Type: text/plain, Size: 2110 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
In kernel 2.6.16, if a mounted storage device is removed, an oops happens
because ub supplies an interface device (and kobject) to the block layer,
but neglects to pin it. And apparently, the block layer expects its users
to pin device structures.
The code in ub was broken this way for years. But the bug was exposed only
by 2.6.16 when it started to call block_uevent on close, which traverses
device structures (kobjects actually).
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
drivers/block/ub.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
--- linux-2.6.16.16.orig/drivers/block/ub.c
+++ linux-2.6.16.16/drivers/block/ub.c
@@ -704,6 +704,9 @@ static void ub_cleanup(struct ub_dev *sc
kfree(lun);
}
+ usb_set_intfdata(sc->intf, NULL);
+ usb_put_intf(sc->intf);
+ usb_put_dev(sc->dev);
kfree(sc);
}
@@ -2428,7 +2431,12 @@ static int ub_probe(struct usb_interface
// sc->ifnum = intf->cur_altsetting->desc.bInterfaceNumber;
usb_set_intfdata(intf, sc);
usb_get_dev(sc->dev);
- // usb_get_intf(sc->intf); /* Do we need this? */
+ /*
+ * Since we give the interface struct to the block level through
+ * disk->driverfs_dev, we have to pin it. Otherwise, block_uevent
+ * oopses on close after a disconnect (kernels 2.6.16 and up).
+ */
+ usb_get_intf(sc->intf);
snprintf(sc->name, 12, DRV_NAME "(%d.%d)",
sc->dev->bus->busnum, sc->dev->devnum);
@@ -2509,7 +2517,7 @@ static int ub_probe(struct usb_interface
err_diag:
err_dev_desc:
usb_set_intfdata(intf, NULL);
- // usb_put_intf(sc->intf);
+ usb_put_intf(sc->intf);
usb_put_dev(sc->dev);
kfree(sc);
err_core:
@@ -2688,12 +2696,6 @@ static void ub_disconnect(struct usb_int
*/
device_remove_file(&sc->intf->dev, &dev_attr_diag);
- usb_set_intfdata(intf, NULL);
- // usb_put_intf(sc->intf);
- sc->intf = NULL;
- usb_put_dev(sc->dev);
- sc->dev = NULL;
-
ub_put(sc);
}
--
next prev parent reply other threads:[~2006-05-17 22:14 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-17 22:13 [PATCH 00/22] -stable review Chris Wright
2006-05-17 7:00 ` [PATCH 01/22] md: Avoid oops when attempting to fix read errors on raid10 Chris Wright
2006-05-17 7:00 ` [PATCH 02/22] [PATCH] via-rhine: zero pad short packets on Rhine I ethernet cards Chris Wright
2006-05-17 7:00 ` Chris Wright [this message]
2006-05-17 7:00 ` [PATCH 04/22] [PATCH] fs/locks.c: Fix sys_flock() race Chris Wright
2006-05-17 7:00 ` [PATCH 05/22] [PATCH] smbfs: Fix slab corruption in samba error path Chris Wright
2006-05-17 7:00 ` [PATCH 06/22] [PATCH] fs/compat.c: fix if (a |= b ) typo Chris Wright
2006-05-17 7:00 ` [PATCH 07/22] [PATCH] smbus unhiding kills thermal management Chris Wright
2006-05-18 20:53 ` Jean Delvare
2006-05-18 21:11 ` [stable] " Greg KH
2006-05-17 7:00 ` [PATCH 08/22] [PATCH] scx200_acb: Fix resource name use after free Chris Wright
2006-05-17 7:00 ` [PATCH 09/22] [PATCH] Netfilter: do_add_counters race, possible oops or info leak (CVE-2006-0039) Chris Wright
2006-05-17 7:00 ` [PATCH 10/22] [PATCH] TG3: ethtool always report port is TP Chris Wright
2006-05-17 7:00 ` [PATCH 11/22] [PATCH] selinux: check for failed kmalloc in security_sid_to_context() Chris Wright
2006-05-17 7:00 ` [PATCH 12/22] PCI: correctly allocate return buffers for osc calls Chris Wright
2006-05-17 7:00 ` [PATCH 13/22] [PATCH] [BLOCK] limit request_fn recursion Chris Wright
2006-05-17 7:00 ` [PATCH 14/22] [PATCH] [Cardman 40x0] Fix udev device creation Chris Wright
2006-05-17 22:42 ` Harald Welte
2006-05-17 7:00 ` [PATCH 15/22] [PATCH] PCI quirk: VIA IRQ fixup should only run for VIA southbridges Chris Wright
2006-05-17 7:00 ` [PATCH 16/22] [PATCH] VIA quirk fixup, additional PCI IDs Chris Wright
2006-05-17 7:00 ` [PATCH 17/22] [PATCH] i386/x86_64: Force pci=noacpi on HP XW9300 Chris Wright
2006-05-17 22:16 ` Andi Kleen
2006-05-17 22:25 ` Greg KH
2006-05-17 22:36 ` Chris Wright
2006-05-17 7:00 ` [PATCH 18/22] [PATCH] Remove cond_resched in gather_stats() Chris Wright
2006-05-17 7:00 ` [PATCH 19/22] [PATCH] add migratepage address space op to shmem Chris Wright
2006-05-17 7:00 ` [PATCH 20/22] [PATCH] page migration: Fix fallback behavior for dirty pages Chris Wright
2006-05-17 7:00 ` [PATCH 21/22] [PATCH] Fix ptrace_attach()/ptrace_traceme()/de_thread() race Chris Wright
2006-05-17 7:00 ` [PATCH 22/22] [PATCH] ptrace_attach: fix possible deadlock schenario with irqs Chris Wright
2006-05-17 22:23 ` [PATCH 00/22] -stable review Linus Torvalds
2006-05-17 22:36 ` Chris Wright
2006-05-17 22:41 ` [stable] " Greg KH
2006-05-18 9:15 ` Michael Tokarev
2006-05-18 17:40 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060517221353.122609000@sous-sol.org \
--to=chrisw@sous-sol.org \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=greg@kroah.com \
--cc=gregkh@suse.de \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb-devel@lists.sourceforge.net \
--cc=rdunlap@xenotime.net \
--cc=stable@kernel.org \
--cc=torvalds@osdl.org \
--cc=tytso@mit.edu \
--cc=zaitcev@redhat.com \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox