[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060807155916.GE5472@aehallh.com>
Date: Mon, 7 Aug 2006 11:59:17 -0400
From: "Zephaniah E. Hull" <warp@...allh.com>
To: dtor_core@...ritech.net
Cc: linux-input@...ey.karlin.mff.cuni.cz, linux-kernel@...r.kernel.org
Subject: [patch] Crash on evdev disconnect.
While trying to figure out the best way to handle an odd mouse, I found
that we oopsed when doing a rmmod on usbhid while someone had a USB
device open through evdev.
We try to loop through evdev->list, calling kill_fasync on each member,
however by the time we try to get the next pointer, we have already
freed the member and poisoned the next/last.
The fix is fairly simple, and if nobody objects I think we should try
and get this into -stable too.
Signed-off-by: "Zephaniah E. Hull" <warp@...allh.com>
diff -ur linux-test/drivers/input/evdev.c linux-2.6/drivers/input/evdev.c
--- linux-test/drivers/input/evdev.c 2006-07-24 23:36:01.000000000 -0400
+++ linux-2.6/drivers/input/evdev.c 2006-08-07 11:41:13.000000000 -0400
@@ -659,7 +659,7 @@
static void evdev_disconnect(struct input_handle *handle)
{
struct evdev *evdev = handle->private;
- struct evdev_list *list;
+ struct evdev_list *list, *next;
sysfs_remove_link(&input_class.subsys.kset.kobj, evdev->name);
class_device_destroy(&input_class,
@@ -669,7 +669,7 @@
if (evdev->open) {
input_close_device(handle);
wake_up_interruptible(&evdev->wait);
- list_for_each_entry(list, &evdev->list, node)
+ list_for_each_entry_safe(list, next, &evdev->list, node)
kill_fasync(&list->fasync, SIGIO, POLL_HUP);
} else
evdev_free(evdev);
--
1024D/E65A7801 Zephaniah E. Hull <warp@...allh.com>
92ED 94E4 B1E6 3624 226D 5727 4453 008B E65A 7801
CCs of replies from mailing lists are requested.
"Sir," barked one of those useless aristocratic generals to William
Howard Russell, the great Times war correspondent, "I do not like what
you write." "Then, sir," retorted Russell, "I suggest you do not do what
I write about."
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
Powered by blists - more mailing lists