Firstly, .shutdown callback may touch a uninitialized hardware if dev->driver is set and .probe is not completed. Secondly, device_shutdown() may dereference a null pointer to cause oops when dev->driver is cleared after it is checked in device_shutdown(). So just hold device lock and its parent lock if it has to fix the races. Cc: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxxxxx> --- drivers/base/core.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/base/core.c b/drivers/base/core.c index 346be8b..cbc8bd2 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -1820,6 +1820,11 @@ void device_shutdown(void) list_del_init(&dev->kobj.entry); spin_unlock(&devices_kset->list_lock); + /*hold lock[s] to avoid races with .probe/.release*/ + if (dev->parent) + device_lock(dev->parent); + device_lock(dev); + /* Don't allow any more runtime suspends */ pm_runtime_get_noresume(dev); pm_runtime_barrier(dev); @@ -1831,6 +1836,9 @@ void device_shutdown(void) dev_dbg(dev, "shutdown\n"); dev->driver->shutdown(dev); } + device_unlock(dev); + if (dev->parent) + device_unlock(dev->parent); put_device(dev); spin_lock(&devices_kset->list_lock); -- 1.7.9.5 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
