Am Samstag, 27. September 2003 14:56 schrieb Luca Risolia:
Hi,
congratulations to the driver, it is looking good.
However, I've found one somewhat obscure bug.
This piece of code has a small race condition in the error case
on SMP.
If a submission fails after another URB has been transmitted
successfully, such an URB may be just executing its completion
handler. In this case usb_unlink_urb will fail and already freed
memory may be accessed.
> + /* Submit the URBs */
> + for (i = 0; i < W9968CF_URBS; i++) {
> + err = usb_submit_urb(cam->urb[i]);
> + if (err) {
> + for (j = i-1; j >= 0; j--)
> + usb_unlink_urb(cam->urb[j]);
> + DBG(1, "Couldn't send a transfer request to the "
> + "USB core (error #%d, %s).", err,
> + symbolic(urb_errlist, err))
> + goto free_urbs;
> + }
> + }
> +
Regards
Oliver
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
[EMAIL PROTECTED]
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel
