Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932900AbWLST2U (ORCPT ); Tue, 19 Dec 2006 14:28:20 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S932911AbWLST2U (ORCPT ); Tue, 19 Dec 2006 14:28:20 -0500 Received: from web32915.mail.mud.yahoo.com ([209.191.69.115]:43232 "HELO web32915.mail.mud.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S932900AbWLST2T (ORCPT ); Tue, 19 Dec 2006 14:28:19 -0500 X-Greylist: delayed 401 seconds by postgrey-1.27 at vger.kernel.org; Tue, 19 Dec 2006 14:28:19 EST DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=K12+MflD8Q8kyaum/X53NyINLCgi3GmNckrM5OabwnS8tMSWimz4mbmGQvE8/1r6qyCsbKDWQbSqFPquVGX6widk5ab1Yw5vW03YoAwpxxfd5KuJIOBP1C8PoGUNJLVrV1UYTJUcOEJam06rTrL+ZetXrLlr8ojfhKGRy+LMLco=; X-YMail-OSG: eHRx5_MVM1mjkO2Nkv0zsW0_0q9Bag8n1Hrz3kHnAKSaC4XHI2NvXHvSZ8YfuCTjxXiFYjJuhiQFRutLurRpLPBjbNCLGiUHOqof9pWKSjKshH0lqDV7PJQKLv9S7u12AkBI2AuLqISlXrc- Date: Tue, 19 Dec 2006 11:21:38 -0800 (PST) From: J Subject: Possible race condition in usb-serial.c To: linux-kernel@vger.kernel.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7BIT Message-ID: <247966.89742.qm@web32915.mail.mud.yahoo.com> Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1604 Lines: 57 Hi, I read usb-serial.c code (in 2.6.19) and I cannot figure out how it is supposed to prevent race condition and premature deletion of usb_serial structure. I see that the code attempts to protect usb_serial by ref counting, but it does not appear to be correct. I am not 100% sure in my findings, so I will appreciate if somebody will double check. Suppose: A:->usb_serial_disconnect A: -> usb_serial_put (serial); A: -> kref_put A: if ((atomic_read(&kref->refcount) == 1) Suppose refcount is 1 A: -> release -> destroy_serial B: -> serial_open B: -> usb_serial_get_by_index B: serial = serial_table[index] B: -> kref_get(&serial->kref); A: -> return_serial(serial); A: serial_table[serial->minor + i] = NULL; A: -> kfree (serial); B: continue to use serial, which was already freed. So, I am missing something or the USB serial driver is broken? As I understand it, the correct use of ref counted pointers it to increment ref count of an object for each outstanding pointer to this object. But usb-serial.c keeps one or more pointers to usb_serial in serial_table, and does not increments the counter for any of them! Thank you John __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/