Re: [PATCH] USB: add USB test and measurement class driver

From: Oliver Neukum
Date: Wed Aug 27 2008 - 04:07:27 EST


On Wednesday 27 August 2008 02:05:01, Greg KH wrote:
> +       intf = usb_find_interface(&usbtmc_driver, iminor(inode));
> +       if (!intf) {
> +               printk(KERN_ERR KBUILD_MODNAME
> +                      ": can not find device for minor %d", iminor(inode));
> +               return -ENODEV;
> +       }
> +
> +       data = usb_get_intfdata(intf);
> +       kref_get(&data->kref);
> +
> +       /* Store pointer in file structure's private data field */
> +       filp->private_data = data;
> +
> +       dev = &data->intf->dev;
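
Review bot: data from usb_get_intfdata(intf) goes straight into kref_get(&data->kref) with no NULL check, and nothing is held between the usb_find_interface() lookup and the kref_get(), so the reference can be taken on an object whose last reference was dropped in between. Do the lookup and the kref_get() under a lock shared with disconnect(), and return -ENODEV when data is NULL. The printk() format string is also missing its trailing "\n".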

> +static void usbtmc_delete(struct kref *kref)
> +{
> + struct usbtmc_device_data *data = to_usbtmc_data(kref);
> +
> + usb_put_dev(data->usb_dev);
> + kfree(data->buffer);
> + kfree(data);
> +}
> +
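
Review bot: usbtmc_delete() ends in kfree(data), but nothing in it invalidates the pointer that open() reads back through usb_get_intfdata(), so it is only safe if the final kref_put() can never run between another path's lookup and its kref_get(). State that locking rule in a comment above this function, and have the path that drops the binding's reference clear the interface data under the same lock before calling kref_put().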

This is a race condition.

CPU A                           CPU B
open()
usb_find_interface()
                                disconnect()
                                kref_put()
                                usbtmc_delete()
                                kfree()
kref_get()

You can write to free memory. You must use a static mutex for
mutual exclusion between open() and disconnect().

Regards
Oliver
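
The mutual exclusion asked for above, as an added userspace model (not part of the original message and not the usbtmc driver's code): one static mutex makes the lookup and the reference grab in open() a single step with respect to disconnect(). It assumes pthread and C11 atomics in place of the kernel's mutex and kref; every tmc_* name, the intfdata slot and the frees counter are hypothetical.

```c
/* Userspace model, constructed for illustration; not the usbtmc driver. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

struct tmc_data { atomic_int refs; char *buffer; };  /* hypothetical stand-in */

static pthread_mutex_t open_disc_lock = PTHREAD_MUTEX_INITIALIZER;
static struct tmc_data *intfdata;  /* models the usb_get_intfdata() slot */
static atomic_int frees;           /* counts releases, for checking only */

static void tmc_put(struct tmc_data *d)  /* kref_put() + usbtmc_delete() */
{
	if (atomic_fetch_sub(&d->refs, 1) == 1) {
		free(d->buffer);
		free(d);
		atomic_fetch_add(&frees, 1);
	}
}

int tmc_probe(void)
{
	struct tmc_data *d = calloc(1, sizeof(*d));
	if (!d) return -1;
	atomic_init(&d->refs, 1);            /* reference owned by the binding */
	pthread_mutex_lock(&open_disc_lock);
	intfdata = d;
	pthread_mutex_unlock(&open_disc_lock);
	return 0;
}

struct tmc_data *tmc_open(void)          /* NULL models -ENODEV */
{
	pthread_mutex_lock(&open_disc_lock);
	struct tmc_data *d = intfdata;       /* lookup ... */
	if (d) atomic_fetch_add(&d->refs, 1); /* ... and get, under one lock */
	pthread_mutex_unlock(&open_disc_lock);
	return d;
}

void tmc_disconnect(void)
{
	pthread_mutex_lock(&open_disc_lock);
	struct tmc_data *d = intfdata;
	intfdata = NULL;                     /* later opens find nothing */
	pthread_mutex_unlock(&open_disc_lock);
	if (d) tmc_put(d);                   /* drop the binding's reference */
}
```

An open() that wins the lock holds its reference before disconnect() can drop the binding's one, and an open() that loses sees an empty slot, so the last put never runs between a lookup and its get.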
