Commit ecb5febb authored Jan 20, 2016 by Mayank Rana

usb: hcd: Fix double free with bandwidth_mutex on cable disconnect



Roothub's (udev->dev) can  be asynchronously suspended due to
power.async_suspend is set to true i.e. at time of system suspend and
resume, these devices' (usb1 and usb2) kobject count is decremented
and incremented respectively. hcd_release() API expects that shared_hcd
is being released first before hcd. Due to additional reference count
at time of system resume, it results into hcd_release() is called
first with hcd (primary) and then shared_hcd. With this,
usb_hcd_is_primary_hcd() API is returning true for both hcd and
shared_hcd which results into double free of bandwidth_mutex. Fix this
issue by identifying hcd to release bandwidth_mutex without depending
on which order hcd_release() is called with hcd and share_hcd.

CRs-Fixed: 955531
Change-Id: I6bfcfd54525fa6472bd848d4c112fff0c9462355
Signed-off-by: Mayank Rana <mrana@codeaurora.org>

parent ee098af9

drivers/usb/core/hcd.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2524,7 +2524,7 @@ static void hcd_release(struct kref *kref)
		struct usb_hcd *hcd = container_of (kref, struct usb_hcd, kref);

		mutex_lock(&usb_port_peer_mutex);
		if (usb_hcd_is_primary_hcd(hcd))
		if (hcd->primary_hcd == hcd)
		kfree(hcd->bandwidth_mutex);
		if (hcd->shared_hcd) {
		struct usb_hcd *peer = hcd->shared_hcd;