From: Greg KH <greg@kroah.com>
To: Russ Dill <russ.dill@gmail.com>
Cc: linux-kernel@vger.kernel.org,
	Alan Stern <stern@rowland.harvard.edu>,
	Jiri Kosina <jkosina@suse.cz>,
	linux-usb@vger.kernel.org
Subject: Re: [PATCH] Close usb_find_interface race
Date: Wed, 18 Nov 2009 10:16:37 -0800
Message-ID: <20091118181637.GA2330@kroah.com>
In-Reply-To: <1258567334-14846-1-git-send-email-Russ.Dill@gmail.com>

On Wed, Nov 18, 2009 at 11:02:13AM -0700, Russ Dill wrote:
> USB drivers that create character devices call usb_register_dev in their
> probe function. This associates the usb_interface device with that minor
> number and creates the character device and announces it to the world.
> However, the driver's probe function is called before the new
> usb_interface is added to the driver's klist_devices.
> 
> This is a problem because userspace will respond to the character device
> creation announcement by opening the character device. The driver's open
> function will then call usb_find_interface to find the usb_interface
> associated with that minor number. usb_find_interface will walk the
> driver's list of devices and find the usb_interface with the matching
> minor number.
> 
> Because the announcement happens before the usb_interface is added to the
> driver's klist_devices, a race condition exists. A straightforward fix
> is to walk the list of devices on usb_bus_type instead since the device
> is added to that list before the announcement occurs.
> 
> bus_find_device calls get_device to bump the reference count on the found
> device. It is arguable that the reference count should be dropped by the
> caller of usb_find_interface instead of usb_find_interface, however,
> the current users of usb_find_interface do not expect this.
> 
> Signed-off-by: Russ Dill <Russ.Dill@gmail.com>
> ---
>  drivers/usb/core/usb.c |   30 +++++++++++-------------------
>  1 files changed, 11 insertions(+), 19 deletions(-)

Looks good, thanks for finding and fixing this.  I'll queue it up.

greg k-h
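The ordering problem the patch message describes, reduced to a small user-space model. This is an added example, not code from this thread or from the kernel: `struct iface`, `find_interface_driver`, `find_interface_bus` and the minor number 180 are constructed stand-ins for the kernel objects and values. It walks the probe sequence once with the pre-patch lookup (driver's own device list) and once with the post-patch lookup (bus device list), performing the "open" at the moment the character device is announced, and it also shows the reference taken by the bus-style walk being dropped again so the lookup stays reference-neutral for its callers, as the message says the current users expect.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed user-space model of the ordering described in the patch
 * message; none of this is kernel code.  A device is put on the bus list
 * before its driver's probe runs, probe assigns the minor and announces
 * the character device, and only after probe returns is the device put on
 * the driver's own list.  Names (struct iface, find_interface_*) are
 * hypothetical stand-ins for the kernel objects.
 */
struct iface {
    int minor;           /* -1 until the probe step assigns one */
    int refcount;        /* stands in for the device's reference count */
    int on_bus_list;     /* set when the device is added to the bus */
    int on_driver_list;  /* set only after probe returns */
};

#define MAX_IFACES 4
static struct iface ifaces[MAX_IFACES];
static int n_ifaces;

static struct iface *get_device(struct iface *i) { if (i) i->refcount++; return i; }
static void put_device(struct iface *i) { if (i) i->refcount--; }

/* Like bus_find_device: every device on the bus is visible, and a match is returned referenced */
static struct iface *bus_find_by_minor(int minor)
{
    for (int k = 0; k < n_ifaces; k++)
        if (ifaces[k].on_bus_list && ifaces[k].minor == minor)
            return get_device(&ifaces[k]);
    return NULL;
}

/* Pre-patch lookup as the message describes it: only devices already on the driver's list are walked */
static struct iface *find_interface_driver(int minor)
{
    for (int k = 0; k < n_ifaces; k++)
        if (ifaces[k].on_driver_list && ifaces[k].minor == minor)
            return &ifaces[k];
    return NULL;
}

/* Post-patch lookup: walk the bus list, then drop the reference the walk took, since callers do not expect to hold one */
static struct iface *find_interface_bus(int minor)
{
    struct iface *i = bus_find_by_minor(minor);
    put_device(i);
    return i;
}

/*
 * Run the probe sequence with the userspace open() landing exactly at the
 * announcement.  Returns 1 if open located the interface, 0 if it raced
 * and saw NULL.
 */
static int open_during_probe(int use_bus_list)
{
    n_ifaces = 0;
    struct iface *dev = &ifaces[n_ifaces++];
    dev->minor = -1;
    dev->refcount = 1;
    dev->on_bus_list = 1;      /* device_add: on the bus before probe runs */
    dev->on_driver_list = 0;

    dev->minor = 180;          /* probe: the minor is assigned (constructed value) and the chardev announced */
    struct iface *found = use_bus_list ? find_interface_bus(dev->minor)
                                       : find_interface_driver(dev->minor); /* userspace open() reacts here */
    dev->on_driver_list = 1;   /* probe returned: only now on the driver's list */
    return found == dev;
}

/* Reference count after the post-patch lookup: back at the value it had before open() */
static int refcount_after_bus_lookup(void)
{
    open_during_probe(1);
    return ifaces[0].refcount;
}

int main(void)
{
    printf("driver-list lookup during announcement: %s\n",
           open_during_probe(0) ? "found" : "NULL (race)");
    printf("bus-list lookup during announcement:    %s\n",
           open_during_probe(1) ? "found" : "NULL (race)");
    printf("refcount after bus-list lookup: %d\n", refcount_after_bus_lookup());
    return 0;
}
```

The model makes the window explicit: between the announcement and the driver-list insertion, the driver-list walk has nothing to find, while the bus-list walk does, because the bus insertion happened before probe. The reference bookkeeping in `find_interface_bus` mirrors the choice the message describes, dropping inside the lookup rather than handing a reference to callers that were not written to release one.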
