Re: [PATCH] Driver core: fix race in dev_driver_string

[Greg KH <gregkh@suse.de>]

On Fri, Dec 04, 2009 at 10:58:48PM +0100, Oliver Neukum wrote:
> Am Freitag, 4. Dezember 2009 22:36:22 schrieb Alan Stern:
> > > > Typically the driver would take a reference during open() and drop it
> > > > during close().
> > >
> > > 
> > > You can do that but then you must not do IO prior to open() or after
> > > close(). That is you must actually wait for IO to finish in close() and
> > > cannot prefill your buffers before open().
> > 
> > If open() or close() is called before disconnect() then you don't have 
> > to worry.
> > 
> > If close() is called after disconnect() there's nothing to wait for, 
> > because disconnect() should call usb_kill_urb() on all outstanding 
> > transfers (actually usbcore will do that for you).  Likewise with 
> > open().
> > 
> > The problem in this example stems from the fact that you are using
> > instance->dev at a time when you don't know that it is valid -- in
> > fact, you have good reason to believe it _isn't_ valid because
> > instance->disconnected is set.
> 
> OK, yes. It's a bad example. However this is tricky.
> 
> This is a bug then:
> 
> mutex_lock(...);
> 
> if (instance->error) {
> 	rv = instance->error;
> 	instance->error  = 0;
> 	dev_dbg(instance->dev,...);
> 	goto err_out;
> }
> 
> rv = -ENODEV;
> if (instance->disconnected)
> 	goto err_out;
> 
> > One approach is to set instance->dev to NULL in disconnect().  That
> > wouldn't do much good for your dev_dbg(), though.  A better solution is
> > to refcount the instance->dev pointer: Take a reference to the device
> > when setting instance->dev and drop it when clearing instance->dev (or
> > when instance is freed).
> 
> That would mean that I am forced to adopt refcounting just to print
> something. This seems very inelegant.

Don't print anything if you are disconnecting :)

thanks,

greg k-h