On Sunday 11 July 2010 16:09:03 Oliver Neukum wrote:
> Am Sonntag, 11. Juli 2010, 15:34:05 schrieb Arnd Bergmann:
> > @@ -265,22 +265,19 @@ static int hiddev_release(struct inode * inode, struct file * file)
> > static int hiddev_open(struct inode *inode, struct file *file)
> > {
> > struct hiddev_list *list;
> > - int res, i;
> > -
> > - /* See comment in hiddev_connect() for BKL explanation */
> > - lock_kernel();
> > - i = iminor(inode) - HIDDEV_MINOR_BASE;
> > + struct usb_interface *intf;
> > + struct hiddev *hiddev;
> > + int res;
> >
> > - if (i >= HIDDEV_MINORS || i < 0 || !hiddev_table[i])
> > + intf = usb_find_interface(&hiddev_driver, iminor(inode));
>
> What keeps the intf pointer valid after usb_find_interface() returns?
> This seems racy.
>
As far as I can tell, it can only go away if hiddev_disconnect
calls usb_deregister_dev, but that will block on minor_rwsem
and not actually remove the device until usb_open()
finishes.
Arnd
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
