Hi Pete,

On Mon, Mar 17, 2008 at 11:48:07PM -0700, Pete Zaitcev wrote:
> If a device was grabbed through evdev and then became disconnected,
> we oops on close. This happens because input_release_device uses memory
> which was freed.
>
> Fedora enabled evdev in X11 by default recently, and now anyone who
> flips a KVM oopses when they log out (Fedora bug 436659).
>

Could you tell me what memory is freed? As far as I understand the
input_dev structure should be pinned in memory by the driver core
since we have this link:

	evdev->dev.parent = &input_dev->dev;

This should guarantee that input_device is not gone until we call
evdev_free which should be done way after the ungrab. What am I
missing here?

> Signed-off-by: Pete Zaitcev <zaitcev@xxxxxxxxxx>
>
> diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c > index 0727b0a..c0874a3 100644 > --- a/drivers/input/evdev.c > +++ b/drivers/input/evdev.c > @@ -155,7 +155,8 @@ static int evdev_ungrab(struct evdev *evdev, struct evdev_client *client) > > rcu_assign_pointer(evdev->grab, NULL); > synchronize_rcu(); > - input_release_device(&evdev->handle); > + if (evdev->exist) > + input_release_device(&evdev->handle); > > return 0; > }

--
Dmitry
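Review bot: The new `if (evdev->exist)` test in evdev_ungrab() is an unsynchronized check-then-use: it runs after synchronize_rcu(), and nothing in the hunk shows a lock held across the test and the input_release_device() call, so a disconnect that clears `exist` between the two lines would still reach the release on the memory the description says was freed. Either show (in a comment or the changelog) which lock the callers hold that serializes this against the disconnect path, or take it here. The changelog should also name which object input_release_device() touches after it is freed, since the guard hides the oops without identifying the lifetime bug. Finally, when `exist` is false the function still returns 0 with the handle never released; a one-line comment stating that the disconnect path has already dropped the grab would make it clear this is intended and not a leaked grab.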