diff options
| author | Oliver Neukum <oliver@neukum.org> | 2008-03-31 10:27:30 -0400 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.cz> | 2008-04-22 05:34:58 -0400 |
| commit | 69626f23bce6521367ac1e6a2a6e8fba8f0a848a (patch) | |
| tree | 46342a02c79e0e69a1c1eed1239944c4f952b13c /include/linux | |
| parent | abdff0f7749a6696ba2a4238b675cbc55abcdb7a (diff) | |
HID: fix race between open() and disconnect() in usbhid
There is a window:
task A task B
spin_lock_irq(&usbhid->inlock); /* Sync with error handler */
usb_set_intfdata(intf, NULL);
spin_unlock_irq(&usbhid->inlock);
usb_kill_urb(usbhid->urbin);
usb_kill_urb(usbhid->urbout);
usb_kill_urb(usbhid->urbctrl);
del_timer_sync(&usbhid->io_retry);
cancel_work_sync(&usbhid->reset_work);
if (!hid->open++) {
res = usb_autopm_get_interface(usbhid->intf);
if (res < 0) {
hid->open--;
return -EIO;
}
}
if (hid_start_in(hid))
if (hid->claimed & HID_CLAIMED_INPUT)
hidinput_disconnect(hid);
in which an open() to an already disconnected device will submit an URB
to an undead device. In case disconnect() was called by an ioctl, this'll
oops. Fix by introducing a new flag and checking it in hid_start_in().
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/hid.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/hid.h b/include/linux/hid.h index fe4ac31eced2..d951ec411241 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h | |||
| @@ -424,6 +424,7 @@ struct hid_control_fifo { | |||
| 424 | #define HID_RESET_PENDING 4 | 424 | #define HID_RESET_PENDING 4 |
| 425 | #define HID_SUSPENDED 5 | 425 | #define HID_SUSPENDED 5 |
| 426 | #define HID_CLEAR_HALT 6 | 426 | #define HID_CLEAR_HALT 6 |
| 427 | #define HID_DISCONNECTED 7 | ||
| 427 | 428 | ||
| 428 | struct hid_input { | 429 | struct hid_input { |
| 429 | struct list_head list; | 430 | struct list_head list; |