On Thu, 9 Oct 2014, Andre Wolokita wrote:

> >>> Isn't this now a "use-after-free" issue?
> >>>
> >>
> >> Are you referring to the subsequent call to wait_event() on gs_closed()?
> >
> > Yes.
> >
> >> Testing the use-case with this patch applied seemed to work without any
> >> issues. The ttyGS0 reference in /dev/ is gone after running modprobe -r
> >> but I'm just a newbie, so I could be doing something horrible here.
> >
> > Hm, I dug into the tty core, it should be ok, but it just seems really
> > odd, and bad-form to be doing something with port->port after calling a
> > "destroy" function with it, don't you agree?
>
> I do. The call to wait_event() can be removed as we no longer care whether
> gs_closed(port) is returning true - if it even can, having destroyed the
> tty_port.

Maybe you don't care whether gs_closed(port) returns true, but you
should care about whether gs_closed() crashes -- which it might well do
if it tries to access deallocated memory.

Did you test your patch by unloading the module while there were
pending opens?

Alan Stern