The report-query is blocking, so when user-space destroys a device we have to wake up any blocking kernel context that is currently in the report-cb. We used some broken correlation between @report_done and @running so far. Replace it by a much more obvious use. We now wake up the report-cb if either @report_done or @running is set. wake_up() and wait_event() serve as implicit barriers (as they always do) so no need to use smp_rmb/wmb directly. Note that @report_done is never reset by anyone but the report-cb, thus it cannot flip twice while we wait for it. And whenever we set @running, we afterwards synchronously remove the HID device. Therefore, we wait for all report-cbs to finish before we return. This way, @running can never flip to true while we wait for it. Signed-off-by: David Herrmann <dh.herrmann@xxxxxxxxx> --- drivers/hid/uhid.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c index 0cb92e3..16af4d3 100644 --- a/drivers/hid/uhid.c +++ b/drivers/hid/uhid.c @@ -172,13 +172,9 @@ static int uhid_hid_get_raw(struct hid_device *hid, unsigned char rnum, spin_unlock_irqrestore(&uhid->qlock, flags); ret = wait_event_interruptible_timeout(uhid->report_wait, - atomic_read(&uhid->report_done), 5 * HZ); + atomic_read(&uhid->report_done) || !uhid->running, + 5 * HZ); - /* - * Make sure "uhid->running" is cleared on shutdown before - * "uhid->report_done" is set. - */ - smp_rmb(); if (!ret || !uhid->running) { ret = -EIO; } else if (ret < 0) { 
@@ -493,10 +489,7 @@ static int uhid_dev_destroy(struct uhid_device *uhid) if (!uhid->running) return -EINVAL; - /* clear "running" before setting "report_done" */ uhid->running = false; - smp_wmb(); - atomic_set(&uhid->report_done, 1); wake_up_interruptible(&uhid->report_wait); hid_destroy_device(uhid->hid); -- 2.0.3
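Review bot: In uhid_hid_get_raw(), the new wait condition reads uhid->running as a plain field with nothing in the code saying why that is safe, now that the comment and smp_rmb() below it are gone. The reasoning exists only in the commit message (wake_up()/wait_event() act as the barriers, and running cannot flip back to true while a report-cb waits). A short comment above wait_event_interruptible_timeout() stating that the waiter is released by either report_done or a cleared running, and that the wait/wake pair supplies the ordering, would keep this from being "fixed" later by someone re-adding barriers. Note also that running is read a second time in `if (!ret || !uhid->running)`, so a report that completed just before destroy still returns -EIO; if that is intended, the comment is a good place to say so.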
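Review bot: In uhid_dev_destroy(), correctness now depends on the exact sequence `uhid->running = false;` then `wake_up_interruptible(&uhid->report_wait);` then `hid_destroy_device(uhid->hid);`, but the hunk removes the only comment that hinted at an ordering requirement and adds none. Since report_done is no longer set here, the waiter in uhid_hid_get_raw() is released solely by observing !running after this wake-up, so dropping or moving the wake_up_interruptible() call would leave the report-cb blocked until its 5 * HZ timeout. Please add a one-line comment before the store saying that running must be cleared before the wake-up and that hid_destroy_device() then waits for outstanding report-cbs, as the commit message describes.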