From: Ian Abbott Date: Wed, 11 Dec 2013 14:51:02 +0000 (+0000) Subject: staging/comedi: keep reference to class device after destroyed X-Git-Tag: firefly_0821_release~176^2~4489^2~262 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=8f988d8784e3fa4bb50dabeec516cd3fbdb4ea73;p=firefly-linux-kernel-4.4.55.git staging/comedi: keep reference to class device after destroyed When a dynamically allocated `struct comedi_device` gets automatically unconfigured by a call to `comedi_auto_unconfig()` from a lower-level driver's bus removal function (e.g. when a USB device is disconnected), the class device in `dev->class_dev` (where `dev` points to the `struct comedi_device`) is destroyed by a call to `device_destroy()` that matches a previous call to `device_create()`. However, if the `struct comedi_device` is still associated with an open file object, the now invalid `dev->class_dev` pointer may still be passed to `dev_printk()` (via `dev_dbg()` etc.), producing bogus output or worse. To fix this, call `get_device()` on the class device if `device_create()` was successful. Add a matching call to `put_device()` in `comedi_dev_kref_release()` when the `struct comedi_device` is freed. The calls to `dev_dbg()` etc. after the call to `device_destroy()` will still produce valid output, although the device will have been unregistered in sysfs. Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index cdaef09c8993..6e5f538023c1 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -91,6 +91,7 @@ static void comedi_dev_kref_release(struct kref *kref) container_of(kref, struct comedi_device, refcount); mutex_destroy(&dev->mutex); + put_device(dev->class_dev); kfree(dev); } @@ -2514,7 +2515,7 @@ struct comedi_device *comedi_alloc_board_minor(struct device *hardware_device) csdev = device_create(comedi_class, hardware_device, MKDEV(COMEDI_MAJOR, i), NULL, "comedi%i", i); if (!IS_ERR(csdev)) - dev->class_dev = csdev; + dev->class_dev = get_device(csdev); /* Note: dev->mutex needs to be unlocked by the caller. */ return dev;