On Wed, Sep 28, 2016 at 12:29:35PM +0200, Ladislav Michl wrote: > On Wed, Sep 28, 2016 at 11:45:02AM +0200, Greg Kroah-Hartman wrote: > > If it is freed, why is a read even able to happen? Ah, ick, no proper > > reference counting is happening here :( > > > > Oh, no, wait, it is happening properly, it's just that it's not the > > lifespan that the devm_kzalloc() is attached to, so yes, the correct fix > > here is to revert that patch as it is incorrect. > > Well, reference counting is also suspicious as kref_get(&data->kref) in > probe function with comment "will reference data in int urb" gives no > clue why there's explicit reference. Also what if we add classic > error unwinding and leave usb_submit_urb to open time? But wait, this > driver allows multiple opens? Is it intentional? It could be done this > way (note patch is only for reference as there's nothing to prevent > multiple open and therefore multiple usb_submit_urb): Oh, I don't doubt there are problems here, luckily very few people actually use the driver in ways that could stress it :) I'll gladly take any fixup patches you might have for it, especially if you can test them as I don't have this type of hardware. thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
