On Thursday, 26 April 2012, 20:18:00, Bjørn Mork wrote:
> Oliver Neukum <oliver@xxxxxxxxxx> writes:
> > On Thursday, 26 April 2012, 18:30:39, Bjørn Mork wrote:
> >
> >> So nothing from the wdm_disconnect() call. But that is expected, isn't
> >> it? We don't disconnect from the device here.
> >
> > Now you confuse me. I thought the oops happens at the disconnect after
> > a write.
>
> Eh, yes. Sorry for that confusion. The userspace application closes
> the character device file, so we do call wdm_release. But the driver does
> not disconnect from the USB device, so we do not call wdm_disconnect.
>
> So the events leading to the crash are
>
> open(file, RW + NONBLOCK)
> write(file)
> write(file)
> close(file)
>
> where the two writes are colliding. Quite possibly with reads
> interleaved here, but I don't think they are relevant for the result.

Hold your guns! I am an idiot. wdm_write() does this:

    desc->outbuf = buf = kmalloc(count, GFP_KERNEL);

without a lock. The consequences should be obvious.

Regards
Oliver
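The collision described in this thread, as an added example that is not the driver's code: a user-space C model of a per-device outbuf pointer that write() stores and the transfer completion frees, with the unserialized variant beside one guarded by an atomic test-and-set. The allocation tracker, the function names and the -EAGAIN return for the O_NONBLOCK caller are assumptions of the model, not cdc-wdm's behaviour.

```c
#include <stdlib.h>
#include <stdatomic.h>
#include <errno.h>
/* Constructed user-space model of the pattern quoted above: one outbuf pointer
 * per device, stored by write() and freed by the transfer completion. */
struct dev {
    char *outbuf;        /* buffer owned by the transfer in flight */
    atomic_flag in_use;  /* serialized variant only: a write is pending */
};
static int live_blocks;  /* allocations not yet freed: leak check */
static char *buf_alloc(size_t n) { live_blocks++; return malloc(n); }
static void buf_free(char *p) { if (p) { live_blocks--; free(p); } }

/* Racy write: stores the shared pointer with no serialization, as quoted. */
static int write_racy(struct dev *d, size_t count)
{
    d->outbuf = buf_alloc(count);  /* a colliding writer overwrites this */
    return d->outbuf ? (int)count : -ENOMEM;
}
/* Serialized write: atomic test-and-set admits one writer until completion. */
static int write_serialized(struct dev *d, size_t count)
{
    if (atomic_flag_test_and_set(&d->in_use))
        return -EAGAIN;  /* caller opened with O_NONBLOCK: retry later */
    d->outbuf = buf_alloc(count);
    if (!d->outbuf) { atomic_flag_clear(&d->in_use); return -ENOMEM; }
    return (int)count;
}
/* Completion callback: frees whatever the device currently points at. */
static void complete(struct dev *d)
{
    buf_free(d->outbuf);  d->outbuf = NULL;
    atomic_flag_clear(&d->in_use);
}

/* Two writes collide before either completes: the first pointer is lost and the
 * first completion frees the second writer's buffer while that transfer still uses it. */
static int run_racy(void)
{
    struct dev d = { 0, ATOMIC_FLAG_INIT };  live_blocks = 0;
    write_racy(&d, 8);  write_racy(&d, 8);
    complete(&d);       complete(&d);  /* second completion finds NULL */
    return live_blocks;  /* 1: the first buffer is never freed */
}
/* Same sequence serialized: the second write is refused, nothing leaks. */
static int run_serialized(void)
{
    struct dev d = { 0, ATOMIC_FLAG_INIT };  live_blocks = 0;
    int first = write_serialized(&d, 8), second = write_serialized(&d, 8);
    complete(&d);
    return first == 8 && second == -EAGAIN && live_blocks == 0;  /* 1 */
}
```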