public inbox for linux-kernel@vger.kernel.org
From: J <jhnlmn@yahoo.com>
To: linux-kernel@vger.kernel.org
Subject: Possible race condition in usb-serial.c
Date: Tue, 19 Dec 2006 11:21:38 -0800 (PST)
Message-ID: <247966.89742.qm@web32915.mail.mud.yahoo.com>

Hi,
I read the usb-serial.c code (in 2.6.19) and I cannot figure out how it
is supposed to prevent a race condition and premature deletion of the
usb_serial structure. I see that the code attempts to protect usb_serial
by ref counting, but it does not appear to be correct. I am not 100% sure
of my findings, so I would appreciate it if somebody would double-check.

Suppose:
A:->usb_serial_disconnect
A:  -> usb_serial_put (serial);
A:   -> kref_put
A:    if ((atomic_read(&kref->refcount) == 1)
             Suppose refcount is 1
A:       -> release -> destroy_serial

B: -> serial_open
B:  -> usb_serial_get_by_index
B:     serial = serial_table[index]
B:     -> kref_get(&serial->kref);

A:        -> return_serial(serial);
A:        serial_table[serial->minor + i] = NULL;
A:          -> kfree (serial);

B:   continue to use serial, which was already freed.

So, am I missing something, or is the USB serial driver broken?

As I understand it, the correct use of ref counted pointers is to
increment the ref count of an object for each outstanding pointer to this
object. But usb-serial.c keeps one or more pointers to usb_serial in
serial_table, and does not increment the counter for any of them!

Thank you
John
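
The A / B / A interleaving from the trace above, replayed deterministically in a single-threaded user-space C model that contrasts an unconditional lookup with one that refuses a reference once the count has hit zero. This is an added example, not part of the original message and not the driver's code; `struct serial`, `table` and all function names are hypothetical, and a `freed` flag stands in for kfree().

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model; all names are hypothetical, not the driver's. */
struct serial { atomic_int refcount; bool freed; };
static struct serial *table[1];

/* Lookup as in the trace: read the slot, then increment unconditionally. */
static struct serial *get_unchecked(int i) {
    struct serial *s = table[i];
    if (s) atomic_fetch_add(&s->refcount, 1);
    return s;
}

/* Hardened lookup: refuse once the count has reached zero. In a kernel the
 * slot read and the increment must also be serialized against the release
 * path (lock or RCU), or the object could be freed before the CAS runs. */
static struct serial *get_unless_zero(int i) {
    struct serial *s = table[i];
    int c = s ? atomic_load(&s->refcount) : 0;
    while (c != 0)
        if (atomic_compare_exchange_weak(&s->refcount, &c, c + 1)) return s;
    return NULL;
}

/* A, first half: the put that drops the last reference commits to release. */
static bool put_is_last(struct serial *s) {
    return atomic_fetch_sub(&s->refcount, 1) == 1;
}

/* Replays the A / B / A interleaving from the trace in one thread.
 * Returns true if B ends up holding an object that A has freed. */
static bool replay(struct serial *(*lookup)(int)) {
    static struct serial obj;          /* "freed" flag stands in for kfree() */
    atomic_store(&obj.refcount, 1);
    obj.freed = false;
    table[0] = &obj;
    bool last = put_is_last(&obj);     /* A: kref_put sees the last reference */
    struct serial *b = lookup(0);      /* B: serial_open runs in the window   */
    if (last) { table[0] = NULL; obj.freed = true; }  /* A: return_serial, kfree */
    return b != NULL && b->freed;
}

int main(void) {
    printf("unchecked lookup, B holds freed object: %d\n", replay(get_unchecked));
    printf("get-unless-zero,  B holds freed object: %d\n", replay(get_unless_zero));
}
```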
