Hi,

I was about to write a usb driver (port my old one) based on the
usb-skeleton.c example in the 2.6.0-test11 source. I either found a bug
or overlooked something...

The problem occurs in the following scenario: some usb-device is plugged
in, two clients open the corresponding file, the device gets unplugged,
one client releases its file handle, thereby executing the following
code:

        --dev->open; // dev->open is set to 1 now
        
        if (!dev->present) { // this is the case
                up (&dev->sem);
                skel_delete (dev); // so our dev struct gets deleted
                return 0;
        }

Now when the second client releases its file handle, it executes:

        dev = (struct usb_skel *)file->private_data;

which finds the old pointer to memory already freed in skel_delete. This
could become ugly, right?

As far as I can see, this might be fixed by replacing the line (in
skel_release)

        if (!dev->present) {

with something like

        if (!dev->present && !dev->open) {

regards,
Axel.

(I am not on linux-usb-devel so please reply to my address as well,
thanks.)
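A user-space model of the two-clients-then-unplug sequence described in the mail, added here as an illustration; it is not code from usb-skeleton.c or from the poster. The device struct, open()/release()/disconnect() paths and kfree() are stood in for by plain C so the same sequence can be replayed once with the original `!dev->present` check and once with the proposed `!dev->present && !dev->open` check. The disconnect behaviour (clear `present`, free only if nobody has the device open) is an assumption about the surrounding driver, as the mail does not quote it; `freed` is a shadow flag standing in for kfree() so that a dangling use can be counted instead of crashing.

```c
/*
 * Added model of the skel_release() lifetime bug discussed above.
 * Not the kernel's usb-skeleton.c: the struct, the open/release/disconnect
 * paths and kfree() are replaced by user-space stand-ins so the sequence
 * "two opens, unplug, two releases" can be replayed with both checks.
 * skel_disconnect() below is an ASSUMPTION about the driver, not quoted text.
 */
#include <stdio.h>

struct skel_model {
    int open;     /* open file handles referencing this struct */
    int present;  /* cleared when the device is unplugged */
    int freed;    /* shadow for kfree(): lets the model notice a dangling use */
};

struct scenario_result {
    int frees;         /* how many times skel_delete ran (should be exactly 1) */
    int uaf_accesses;  /* releases that touched an already-freed struct */
    int open_at_end;   /* outstanding handles after both releases */
};

enum release_check { CHECK_ORIGINAL = 0, CHECK_PROPOSED = 1 };

static void skel_delete(struct skel_model *dev, struct scenario_result *r)
{
    dev->freed = 1;       /* real driver: kfree(dev) */
    r->frees++;
}

static void skel_open(struct skel_model *dev)
{
    ++dev->open;
}

/* Assumed disconnect behaviour: mark the device gone; free only if no handle is open. */
static void skel_disconnect(struct skel_model *dev, struct scenario_result *r)
{
    dev->present = 0;
    if (!dev->open)
        skel_delete(dev, r);
}

static void skel_release(struct skel_model *dev, enum release_check check,
                         struct scenario_result *r)
{
    if (dev->freed) {
        /* In the kernel this is the read through file->private_data into freed memory. */
        r->uaf_accesses++;
        return;
    }
    --dev->open;
    int should_free = (check == CHECK_ORIGINAL)
                        ? !dev->present                    /* 2.6.0-test11 check */
                        : (!dev->present && !dev->open);   /* proposed check */
    if (should_free)
        skel_delete(dev, r);
}

/* Replay: device present, two opens, unplug, first release, second release. */
static struct scenario_result run_scenario(enum release_check check)
{
    struct scenario_result r = {0, 0, 0};
    struct skel_model dev = { .open = 0, .present = 1, .freed = 0 };

    skel_open(&dev);
    skel_open(&dev);
    skel_disconnect(&dev, &r);
    skel_release(&dev, check, &r);   /* first client closes */
    skel_release(&dev, check, &r);   /* second client closes */
    r.open_at_end = dev.open;
    return r;
}

int main(void)
{
    struct scenario_result o = run_scenario(CHECK_ORIGINAL);
    struct scenario_result p = run_scenario(CHECK_PROPOSED);
    printf("original check: frees=%d use-after-free=%d open_at_end=%d\n",
           o.frees, o.uaf_accesses, o.open_at_end);
    printf("proposed check: frees=%d use-after-free=%d open_at_end=%d\n",
           p.frees, p.uaf_accesses, p.open_at_end);
    return 0;
}
```

With the original check the first release frees the struct while `open` is still 1, and the second release is counted as a dangling access; with the proposed check the struct survives until the last handle goes away and is freed exactly once. The model is single-threaded and does not represent `dev->sem` or concurrent ordering between release and disconnect, which a real driver has to get right as well.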
