From: "Zephaniah E. Hull" <warp@aehallh.com>
To: dtor_core@ameritech.net
Cc: linux-input@atrey.karlin.mff.cuni.cz, linux-kernel@vger.kernel.org
Subject: [patch] Crash on evdev disconnect.
Date: Mon, 7 Aug 2006 11:59:17 -0400 [thread overview]
Message-ID: <20060807155916.GE5472@aehallh.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 1717 bytes --]
While trying to figure out the best way to handle an odd mouse, I found
that we oopsed when doing a rmmod on usbhid while someone had a USB
device open through evdev.
We try to loop through evdev->list, calling kill_fasync on each member,
however by the time we try to get the next pointer, we have already
freed the member and poisoned the next/last.
The fix is fairly simple, and if nobody objects I think we should try
and get this into -stable too.
Signed-off-by: "Zephaniah E. Hull" <warp@aehallh.com>
diff -ur linux-test/drivers/input/evdev.c linux-2.6/drivers/input/evdev.c
--- linux-test/drivers/input/evdev.c 2006-07-24 23:36:01.000000000 -0400
+++ linux-2.6/drivers/input/evdev.c 2006-08-07 11:41:13.000000000 -0400
@@ -659,7 +659,7 @@
static void evdev_disconnect(struct input_handle *handle)
{
struct evdev *evdev = handle->private;
- struct evdev_list *list;
+ struct evdev_list *list, *next;
sysfs_remove_link(&input_class.subsys.kset.kobj, evdev->name);
class_device_destroy(&input_class,
@@ -669,7 +669,7 @@
if (evdev->open) {
input_close_device(handle);
wake_up_interruptible(&evdev->wait);
- list_for_each_entry(list, &evdev->list, node)
+ list_for_each_entry_safe(list, next, &evdev->list, node)
kill_fasync(&list->fasync, SIGIO, POLL_HUP);
} else
evdev_free(evdev);
--
1024D/E65A7801 Zephaniah E. Hull <warp@aehallh.com>
92ED 94E4 B1E6 3624 226D 5727 4453 008B E65A 7801
CCs of replies from mailing lists are requested.
"Sir," barked one of those useless aristocratic generals to William
Howard Russell, the great Times war correspondent, "I do not like what
you write." "Then, sir," retorted Russell, "I suggest you do not do what
I write about."
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next reply other threads:[~2006-08-07 15:59 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-07 15:59 Zephaniah E. Hull [this message]
2006-08-07 17:35 ` [patch] Crash on evdev disconnect Dmitry Torokhov
2006-08-07 18:10 ` Zephaniah E. Hull
2006-08-07 19:04 ` Dmitry Torokhov
2006-08-07 19:41 ` Zephaniah E. Hull
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060807155916.GE5472@aehallh.com \
--to=warp@aehallh.com \
--cc=dtor_core@ameritech.net \
--cc=linux-input@atrey.karlin.mff.cuni.cz \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox