From: J <jhnlmn@yahoo.com>
To: linux-kernel@vger.kernel.org
Subject: Possible race condition in usb-serial.c
Date: Tue, 19 Dec 2006 11:21:38 -0800 (PST)
Message-ID: <247966.89742.qm@web32915.mail.mud.yahoo.com>

Hi,

I read usb-serial.c code (in 2.6.19) and I cannot figure out how it is
supposed to prevent race condition and premature deletion of usb_serial
structure. I see that the code attempts to protect usb_serial by ref
counting, but it does not appear to be correct. I am not 100% sure in my
findings, so I will appreciate if somebody will double check.

Suppose:
A:->usb_serial_disconnect
A: -> usb_serial_put (serial);
A: -> kref_put
A: if ((atomic_read(&kref->refcount) == 1)
Suppose refcount is 1
A: -> release -> destroy_serial
B: -> serial_open
B: -> usb_serial_get_by_index
B: serial = serial_table[index]
B: -> kref_get(&serial->kref);
A: -> return_serial(serial);
A: serial_table[serial->minor + i] = NULL;
A: -> kfree (serial);
B: continue to use serial, which was already freed.

So, I am missing something or the USB serial driver is broken?

As I understand it, the correct use of ref counted pointers is to increment
ref count of an object for each outstanding pointer to this object. But
usb-serial.c keeps one or more pointers to usb_serial in serial_table, and
does not increment the counter for any of them!

Thank you
John
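
Added example, not part of the message above and not kernel code: a userspace C model of the lookup-table pattern the message describes, written so that the table lookup and the reference grab are one step under the same lock the final put uses to clear the slot. All names here (struct serial, table_lock, serial_register and the rest) are assumptions made for illustration, and a C11 atomic_flag spinlock stands in for a kernel lock.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#define MINORS 4
struct serial { atomic_int refcount; int minor; };  /* model, not the kernel struct */
static struct serial *table[MINORS];                /* stands in for serial_table */
static atomic_flag table_lock = ATOMIC_FLAG_INIT;   /* stands in for a kernel lock */
static void lock(void)   { while (atomic_flag_test_and_set(&table_lock)) ; }
static void unlock(void) { atomic_flag_clear(&table_lock); }

/* Publish the object with one initial reference (dropped at disconnect). */
struct serial *serial_register(int minor)
{
    struct serial *s = calloc(1, sizeof(*s));
    if (!s) return NULL;
    atomic_init(&s->refcount, 1);
    s->minor = minor;
    lock(); table[minor] = s; unlock();
    return s;
}

/* Lookup and reference acquisition form one step under table_lock;
 * an object whose count already reached zero is treated as gone. */
struct serial *serial_get_by_index(int minor)
{
    lock();
    struct serial *s = table[minor];
    int old = s ? atomic_load(&s->refcount) : 0;
    while (old > 0 && !atomic_compare_exchange_weak(&s->refcount, &old, old + 1))
        ;
    unlock();
    return old > 0 ? s : NULL;
}

/* The last put clears the slot under the lock, then frees. Returns 1 if freed. */
int serial_put(struct serial *s)
{
    if (atomic_fetch_sub(&s->refcount, 1) != 1)
        return 0;
    lock(); table[s->minor] = NULL; unlock();
    free(s);
    return 1;
}

int main(void)
{
    struct serial *s = serial_register(0), *user = serial_get_by_index(0);
    serial_put(s);                       /* disconnect drops the initial reference */
    int freed = serial_put(user);        /* last user closes: object is freed here */
    printf("freed=%d lookup=%p\n", freed, (void *)serial_get_by_index(0));
    return 0;
}
```

A reader that finds the slot still populated while the count is already zero gets NULL, and the memory cannot be freed until that reader has left the locked section.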