Hi, there's a race condition between close and disconnect in that driver leading to a possible double kfree(). It can be prevented by use of a semaphore.
Regards Oliver You can import this changeset into BK by piping this whole message to: '| bk receive [path to repository]' or apply the patch as usual. =================================================================== [EMAIL PROTECTED], 2004-03-18 18:08:35+01:00, [EMAIL PROTECTED] - fix disconnect race ati_remote.c | 21 ++++++++++++++++++--- 1 files changed, 18 insertions(+), 3 deletions(-) diff -Nru a/drivers/usb/input/ati_remote.c b/drivers/usb/input/ati_remote.c --- a/drivers/usb/input/ati_remote.c Thu Mar 18 18:09:18 2004 +++ b/drivers/usb/input/ati_remote.c Thu Mar 18 18:09:18 2004 @@ -139,6 +139,9 @@ */ #define FILTER_TIME (HZ >> 4) +/* to protect disconnect and open/close */ +static DECLARE_MUTEX(ati_disc_open_lock); + struct ati_remote { struct input_dev idev; struct usb_device *udev; @@ -301,9 +304,11 @@ static int ati_remote_open(struct input_dev *inputdev) { struct ati_remote *ati_remote = inputdev->private; + int rv = 0; + down(&ati_disc_open_lock); if (ati_remote->open++) - return 0; + goto finish; /* On first open, submit the read urb which was set up previously. */ ati_remote->irq_urb->dev = ati_remote->udev; @@ -311,10 +316,13 @@ dev_err(&ati_remote->interface->dev, "%s: usb_submit_urb failed!\n", __FUNCTION__); ati_remote->open--; - return -EIO; + rv = -EIO; } - return 0; +finish: + up(&ati_disc_open_lock); + + return rv; } /* @@ -329,6 +337,8 @@ return; } + /* mutual exclusion to disconnect */ + down(&ati_disc_open_lock); if (ati_remote->open <= 0) dev_dbg(&ati_remote->interface->dev, "%s: Not open.\n", __FUNCTION__); else @@ -337,6 +347,8 @@ /* If still present, disconnect will call delete. */ if (!ati_remote->present && !ati_remote->open) ati_remote_delete(ati_remote); + + up(&ati_disc_open_lock); } /* @@ -805,12 +817,15 @@ input_unregister_device(&ati_remote->idev); + down(&ati_disc_open_lock); /* Mark device as unplugged */ ati_remote->present = 0; /* If device is still open, ati_remote_close will call delete. */ if (!ati_remote->open) ati_remote_delete(ati_remote); + + up(&ati_disc_open_lock); } /* =================================================================== This BitKeeper patch contains the following changesets: 1.1182 ## Wrapped with gzip_uu ## begin 664 bkpatch6241 M'XL(`+[764```[55?VO;,!#]V_H4!X71M<269/E'7#*ZM6$+VVCI6ABL(ZBV M$IO:4I#DM`-_^,D.=-UHTVZLMD%&=_?NW=/#WH$+(W3FJ;I:"XUVX(,R-O/< M>],[EMAIL PROTECTED]<*Z%,$%=R=:,J!\AEW7*;5Z""YK, M(WYXMV-_K$3FG4W?7WQZ>X;09`)')9=+\458F$R057K-Z\(<<EO62OI6<VD: M8;F?JZ:[2^THQM3=$4E"',4=B3%+NIP4A'!&1($I2V.&-O0.'YCC=RB&0Y*2 MB(YITD4)B6-T#,0G)[EMAIL PROTECTED]@RG61CM8Y)A#(]#PSZ!$4;OX/_.<H1R M&,&BNH6B,KF24N06-,\%^@@]YPB=_I([EMAIL PROTECTED] MORVU6'[O"MW/:X+67`657+4VX+:::]$H*_Q\([EMAIL PROTECTED];LQ8,;X2 M?,P6+.%BBV;/@N_/*,&[EMAIL PROTECTED]"PN+!/-OK!D>]X$3;#/;<B9SK2-K1&"=T<%W\ MI^7HLRR7PBA\(<]5TFI5M+D`#D8T?%4J+5PG6&FQ%M*Z[=Z'<"7LC1#ROC^Y M+$"MA`SR6IG!J</)G<!(WPR/<][I$X?X#UZ>[EMAIL PROTECTED],'>AJ6#<5P>I05[`3+6 MM<SA>'KD/DO3^>>+\^G7W9Y%7S7O<^>URJ]?'Z!+-`MQ"`1Y3A?0:[EMAIL PROTECTED]/NCW M6+]7J!NY^^K!PN,0QRYEMED\;ZD<N44E*U/V0<*&X+!XWH`[FLY.AE"R"27` [EMAIL PROTECTED]>J3/)?*TL*V6CEQ/+"1`D>>T:%K;\AK$;5ZWIE*R%^>>*$Z%+?2] M'FG<(VUI/4MQ\H0*LY2$/<HVF+N?15Z*_-JTS61,DBN14H9^`KF_F;[EMAIL PROTECTED] ` end ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ [EMAIL PROTECTED] To unsubscribe, use the last form field at: https://lists.sourceforge.net/lists/listinfo/linux-usb-devel