[patch] Crash on evdev disconnect.

From: Zephaniah E. Hull
Date: Mon Aug 07 2006 - 11:57:04 EST

While trying to figure out the best way to handle an odd mouse, I found
that we oopsed when doing a rmmod on usbhid while someone had a USB
device open through evdev.

We try to loop through evdev->list, calling kill_fasync on each member,
however by the time we try to get the next pointer, we have already
freed the member and poisoned the next/last.

The fix is fairly simple, and if nobody objects I think we should try
and get this into -stable too.

Signed-off-by: "Zephaniah E. Hull" <warp@xxxxxxxxxxx>

diff -ur linux-test/drivers/input/evdev.c linux-2.6/drivers/input/evdev.c
--- linux-test/drivers/input/evdev.c 2006-07-24 23:36:01.000000000 -0400
+++ linux-2.6/drivers/input/evdev.c 2006-08-07 11:41:13.000000000 -0400
@@ -659,7 +659,7 @@
static void evdev_disconnect(struct input_handle *handle)
struct evdev *evdev = handle->private;
- struct evdev_list *list;
+ struct evdev_list *list, *next;

sysfs_remove_link(&input_class.subsys.kset.kobj, evdev->name);
@@ -669,7 +669,7 @@
if (evdev->open) {
- list_for_each_entry(list, &evdev->list, node)
+ list_for_each_entry_safe(list, next, &evdev->list, node)
kill_fasync(&list->fasync, SIGIO, POLL_HUP);
} else

1024D/E65A7801 Zephaniah E. Hull <warp@xxxxxxxxxxx>
92ED 94E4 B1E6 3624 226D 5727 4453 008B E65A 7801
CCs of replies from mailing lists are requested.

"Sir," barked one of those useless aristocratic generals to William
Howard Russell, the great Times war correspondent, "I do not like what
you write." "Then, sir," retorted Russell, "I suggest you do not do what
I write about."

Attachment: signature.asc
Description: Digital signature