From 20caa4fd629eb30220ef6c4973802123ecd8a01a Mon Sep 17 00:00:00 2001 From: Hemant Kumar Date: Mon, 3 Oct 2016 11:32:10 -0700 Subject: usb: host: Flush hub workqueue before stopping controller when xhci platform driver is removed with a usb device connected there is a possibility of race between xhci platform driver remove context and device disconnect hub event work context. This results into use after free: xhci_mem_clean() called from xhci_plat_remove() freeing the xhci virtual device when a structure member is being accessed by xhci_alloc_virt_device() after virtual device allocation as part of connect hub event. deadlock: Upon device disconnect if stop endpoint command remains pending xhci_mem_cleanup() frees xhci virtual device which also frees up endpoint stop_cmd_timer. udev->dev lock is held until cancelled urb is not given back to class driver. In a different context xhci platform remove calls usb_disconnect() on children of root hub which tries to acquire the same udev->dev lock this results into a dead lock condition. Fix issues by making sure hub events are flushed before xhci is stopped. Change-Id: I86d414bca17464d1dff3346ec668d8b3efec1652 Signed-off-by: Hemant Kumar --- drivers/usb/core/hcd.c | 3 +++ drivers/usb/core/hub.c | 6 ++++++ 2 files changed, 9 insertions(+) (limited to 'drivers/usb') diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c index 3df80c73b74a..ac0eb0939ecf 100644 --- a/drivers/usb/core/hcd.c +++ b/drivers/usb/core/hcd.c @@ -2990,6 +2990,9 @@ void usb_remove_hcd(struct usb_hcd *hcd) cancel_work_sync(&hcd->wakeup_work); #endif + /* handle any pending hub events before XHCI stops */ + usb_flush_hub_wq(); + mutex_lock(&usb_bus_list_lock); usb_disconnect(&rhdev); /* Sets rhdev to NULL */ mutex_unlock(&usb_bus_list_lock); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 84df093639ac..269c1ee2da44 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c 
@@ -610,6 +610,12 @@ void usb_kick_hub_wq(struct usb_device *hdev) kick_hub_wq(hub); } +void usb_flush_hub_wq(void) +{ + flush_workqueue(hub_wq); +} +EXPORT_SYMBOL(usb_flush_hub_wq); + /* * Let the USB core know that a USB 3.0 device has sent a Function Wake Device * Notification, which indicates it had initiated remote wakeup. -- cgit v1.2.3
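Review bot: the hcd.c hunk calls usb_flush_hub_wq() but the diffstat lists only drivers/usb/core/hcd.c and drivers/usb/core/hub.c, so no header gains a prototype for the new function; hcd.c would be compiled against an implicit declaration. Add `extern void usb_flush_hub_wq(void);` to the header shared by hcd.c and hub.c (alongside usb_kick_hub_wq()), and note that `flush_workqueue()` is a one-time barrier: a port-change interrupt that kicks hub_wq after the flush returns but before `usb_disconnect(&rhdev)` takes usb_bus_list_lock would still race with the teardown, so the commit message's claim that hub events are fully flushed before the controller stops should be qualified or the ordering of the flush relative to disabling the root hub interrupt should be explained.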
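Review bot: the hub.c hunk adds a new exported core function without a kernel-doc comment and uses `EXPORT_SYMBOL` where the surrounding usbcore helpers (`usb_kick_hub_wq` is exported with `EXPORT_SYMBOL_GPL`) use the GPL variant; add a short comment stating that it blocks until all queued hub events have run and use `EXPORT_SYMBOL_GPL(usb_flush_hub_wq);` for consistency. Since hub_wq is the file-local workqueue here, also document that callers must not invoke this from hub_wq context itself, as `flush_workqueue()` on the caller's own queue would deadlock.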