On Fri, 18 May 2012, Huajun Li wrote: > There exist races in devio.c, below is one case, > and there are similar races in destroy_async() > and proc_unlinkurb(). Remove these races. > > > cancel_bulk_urbs() async_completed() > ------------------- ----------------------- > spin_unlock(&ps->lock); > > list_move_tail(&as->asynclist, > &ps->async_completed); > > wake_up(&ps->wait); > > Lead to free_async() be triggered, > then urb and 'as' will be freed. > > usb_unlink_urb(as->urb); > ===> refer to the freed 'as' > > > Signed-off-by: Huajun Li <huajun.li.lee@xxxxxxxxx> > Cc: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> > Cc: Oncaphillis <oncaphillis@xxxxxxxx> Acked-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
