This is a note to let you know that I've just added the patch titled usb: hub: take hub->hdev reference when processing from eventlist to the 3.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: usb-hub-take-hub-hdev-reference-when-processing-from-eventlist.patch and it can be found in the queue-3.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From c605f3cdff53a743f6d875b76956b239deca1272 Mon Sep 17 00:00:00 2001 From: Joe Lawrence <joe.lawrence@xxxxxxxxxxx> Date: Wed, 10 Sep 2014 15:07:50 -0400 Subject: usb: hub: take hub->hdev reference when processing from eventlist From: Joe Lawrence <joe.lawrence@xxxxxxxxxxx> commit c605f3cdff53a743f6d875b76956b239deca1272 upstream. During surprise device hotplug removal tests, it was observed that hub_events may try to call usb_lock_device on a device that has already been freed. Protect the usb_device by taking out a reference (under the hub_event_lock) when hub_events pulls it off the list, returning the reference after hub_events is finished using it. Signed-off-by: Joe Lawrence <joe.lawrence@xxxxxxxxxxx> Suggested-by: David Bulkow <david.bulkow@xxxxxxxxxxx> for using kref Suggested-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> for placement Acked-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/core/hub.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -4764,9 +4764,10 @@ static void hub_events(void) hub = list_entry(tmp, struct usb_hub, event_list); kref_get(&hub->kref); + hdev = hub->hdev; + usb_get_dev(hdev); spin_unlock_irq(&hub_event_lock); - hdev = hub->hdev; hub_dev = hub->intfdev; intf = to_usb_interface(hub_dev); dev_dbg(hub_dev, "state %d ports %d chg %04x evt %04x\n", @@ -4979,6 +4980,7 @@ static void hub_events(void) usb_autopm_put_interface(intf); loop_disconnected: usb_unlock_device(hdev); + usb_put_dev(hdev); kref_put(&hub->kref, hub_release); } /* end while (1) */ Patches currently in stable-queue which might be from joe.lawrence@xxxxxxxxxxx are queue-3.14/usb-hub-take-hub-hdev-reference-when-processing-from-eventlist.patch queue-3.14/usb-ehci-unlink-qhs-even-after-the-controller-has-stopped.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html