On Tue, 15 May 2012, Huajun Li wrote:

> Alan,
> Will the race condition below cause the problem?
>
> cancel_bulk_urbs()                  async_completed()
> ------------------------------      ----------------------------------
> spin_unlock(&ps->lock);
>
>                                     list_move_tail(&as->asynclist, &ps->async_completed);
>                                     wake_up(&ps->wait);
>                                     then leads to free_async() being triggered,
>                                     and the urb and 'as' being freed.
>
> usb_unlink_urb(as->urb);
> ===> refers to the freed 'as'

You are right.  In fact, there are similar races in destroy_async() and
proc_unlinkurb().  Would you like to fix all three?

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
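The interleaving in the quoted diagram, replayed deterministically in a single-threaded user-space C model, together with one way to close the window: take a reference on the urb while the lock is still held and never dereference 'as' after the unlock. This is an added example, not code from the thread or from the kernel; every name in it (urb_model, async_model, cancel_pinned, complete_and_free) is hypothetical.

```c
#include <stdlib.h>

/* Constructed model: these types stand in for the urb and 'as' in the mail. */
struct urb_model   { int refs; int unlinked; };
struct async_model { struct urb_model *urb; };

static int urbs_freed;                 /* number of urb_model objects released */

static struct urb_model *urb_get(struct urb_model *u) { u->refs++; return u; }

static void urb_put(struct urb_model *u)
{
    if (--u->refs == 0) { urbs_freed++; free(u); }
}

/* Completion path followed by the free: drops the reference owned by 'as'
 * and frees 'as' itself, as in the right-hand column of the diagram. */
static void complete_and_free(struct async_model *as)
{
    urb_put(as->urb);
    free(as);
}

/* Cancel path. The racy form reads as->urb after the unlock, when 'as' may
 * already be gone. Here the urb is pinned first and 'as' is not touched again. */
static int cancel_pinned(struct async_model *as, void (*window)(struct async_model *))
{
    struct urb_model *urb = urb_get(as->urb); /* lock still held at this point */
    /* the lock would be dropped here; completion may run at any time */
    window(as);                               /* replay the interleaving */
    urb->unlinked = 1;                        /* stands in for the unlink call */
    int seen = urb->unlinked;
    urb_put(urb);                             /* last reference, urb released */
    return seen;
}

/* Returns 1 when the unlink touched a live urb and it was freed exactly once. */
static int run_model(void)
{
    struct urb_model *u = calloc(1, sizeof *u);
    struct async_model *as = calloc(1, sizeof *as);
    if (!u || !as) return -1;
    u->refs = 1; as->urb = u; urbs_freed = 0;
    return cancel_pinned(as, complete_and_free) == 1 && urbs_freed == 1;
}

int main(void) { return run_model() == 1 ? 0 : 1; }
```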