On Wed, Apr 11, 2001, Tim Jansen <[EMAIL PROTECTED]> wrote:
> On Wednesday 11 April 2001 20:04, you wrote:
> > > When the device is disconnected in usb_disconnect() the usb_device struct
> > > is freed, but no one prevents code that already has a pointer to it to
> > > access it.
> > Drivers storing the usb_device pointer are required to do that
> > safely.  
> 
> But how can this work without locks? 
> Let's assume that on CPU 1 a process calls ioctl on a device node and the 
> driver uses the usb_device pointer in the fops function to respond. 
> While this function is running the user unplugs the device and CPU 2 runs 
> usb_disconnect() that frees the usb_device that is used on CPU 1. In this 
> situation CPU 1 would use an illegal pointer after usb_disconnect() has run, 
> or is there any code that makes usb_disconnect (or its callers) wait for the 
> ioctl function to finish?

Actually, there is a race condition in there, but I think it's different
than you think.

We use reference counting for most of the structures we use. The ioctl
(or usbdevfs) should increment the reference count on the device when
the application opens the device.

When usb_disconnect gets called, it'll decrement the reference count and
won't free the memory for the structure.

However, this doesn't apply to the data in the structure. There is still
a race when anything modifies data in the structure.

Thankfully, usb_free_dev and not usb_disconnect free all of the
descriptors. Weird things could happen if someone changes the
configuration mid stream, or is walking the children (only for hubs).

Not perfect, but it at least covers the most common cases.

JE


_______________________________________________
[EMAIL PROTECTED]
To unsubscribe, use the last form field at:
http://lists.sourceforge.net/lists/listinfo/linux-usb-devel
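The lifetime rule JE describes above, modelled as an added example. This is not kernel code and not from the thread: `struct model_dev`, the `model_*` functions, the `disconnected` flag and the `g_frees` counter are all constructed here to make the behaviour observable. The point it shows is the one in the reply: an open file holds a reference, so `disconnect` dropping the core's reference does not free the structure while that file is open; the memory goes away only when the last holder releases it. The `disconnected` flag is an extra the model adds so that a late ioctl can refuse instead of acting on a device that is gone.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a refcounted device struct (not the USB core's). */
struct model_dev {
    int refcnt;          /* holders: the core's own reference plus one per open file */
    int disconnected;    /* set by disconnect so late callers can bail out (model-only) */
    char descriptor[32]; /* stands in for descriptor data that callers read */
};

/* Counts real frees so the test can see when the memory actually went away. */
static int g_frees;

struct model_dev *model_dev_alloc(const char *desc) {
    struct model_dev *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->refcnt = 1; /* the core holds one reference while the device is attached */
    strncpy(d->descriptor, desc, sizeof d->descriptor - 1);
    return d;
}

void model_dev_get(struct model_dev *d) { d->refcnt++; }

/* Drop one reference; free only when the last holder is gone. */
void model_dev_put(struct model_dev *d) {
    if (--d->refcnt == 0) {
        g_frees++;
        free(d);
    }
}

/* What a driver's open() should do: take a reference on behalf of the file. */
int model_open(struct model_dev *d) {
    if (d->disconnected) return -1;
    model_dev_get(d);
    return 0;
}

/* The file's release(): give the reference back. */
void model_release(struct model_dev *d) { model_dev_put(d); }

/* Disconnect: mark the device gone and drop the core's reference.
 * The struct survives as long as any open file still references it. */
void model_disconnect(struct model_dev *d) {
    d->disconnected = 1;
    model_dev_put(d);
}

/* ioctl handler: refuse once disconnected, else return descriptor length. */
int model_ioctl(struct model_dev *d) {
    if (d->disconnected) return -1;
    return (int)strlen(d->descriptor);
}

struct scenario_result {
    int ioctl_before;           /* ioctl result while attached */
    int freed_after_disconnect; /* frees observed right after disconnect (expect 0) */
    int ioctl_after;            /* ioctl result after disconnect (expect -1) */
    int freed_after_release;    /* frees observed after last release (expect 1) */
};

/* The race from the thread: a file is open, the device is unplugged mid-use,
 * and the file is released afterwards. */
struct scenario_result run_scenario(void) {
    struct scenario_result r = { -2, -2, -2, -2 };
    g_frees = 0;
    struct model_dev *d = model_dev_alloc("hub-desc");
    if (!d || model_open(d) != 0) return r;   /* refcnt is now 2 */
    r.ioctl_before = model_ioctl(d);          /* 8 */
    model_disconnect(d);                      /* refcnt 2 -> 1, no free */
    r.freed_after_disconnect = g_frees;       /* 0: the open file keeps it alive */
    r.ioctl_after = model_ioctl(d);           /* -1: handler sees the flag */
    model_release(d);                         /* refcnt 1 -> 0, freed here */
    r.freed_after_release = g_frees;          /* 1 */
    return r;
}

int main(void) {
    struct scenario_result r = run_scenario();
    printf("before=%d freed_after_disconnect=%d after=%d freed_after_release=%d\n",
           r.ioctl_before, r.freed_after_disconnect, r.ioctl_after, r.freed_after_release);
    return 0;
}
```

The model is single-threaded, so it demonstrates the lifetime guarantee, not the second problem JE raises: even with the structure kept alive, fields inside it (configuration, a hub's children) can still change under a reader, and a reference count alone does not serialise that.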
