USB: fix race in HCD removal
This patch (as865) fixes a race in the HCD removal code discovered by
Milan Plzik. Arrival of an interrupt after the root hub was
unregistered could cause the root-hub status timer to start up, even
after it was supposed to have been shut down. The problem is fixed by
moving the del_timer_sync() call to after the HCD's stop() method, at
which time IRQ generation should be disabled.
Cc: Milan Plzik <milan.plzik@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index b26c19e..af7aed1 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -544,6 +544,8 @@
unsigned long flags;
char buffer[4]; /* Any root hubs with > 31 ports? */
+ if (unlikely(!hcd->rh_registered))
+ return;
if (!hcd->uses_new_polling && !hcd->status_urb)
return;
@@ -1670,12 +1672,12 @@
usb_disconnect(&hcd->self.root_hub);
mutex_unlock(&usb_bus_list_lock);
- hcd->poll_rh = 0;
- del_timer_sync(&hcd->rh_timer);
-
hcd->driver->stop(hcd);
hcd->state = HC_STATE_HALT;
+ hcd->poll_rh = 0;
+ del_timer_sync(&hcd->rh_timer);
+
if (hcd->irq >= 0)
free_irq(hcd->irq, hcd);
usb_deregister_bus(&hcd->self);