From: INSUN PYO <insun.pyo@samsung.com>
Date: Tue, 11 Sep 2018 04:27:06 +0000 (+0900)
Subject: Fix race condition between usb_host_destroy and fd_removed_cb
X-Git-Tag: submit/tizen/20180911.111949^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=36c6d6bbb39d5f22f0ee18523635c6033a035dd3;p=platform%2Fcore%2Fapi%2Fusb-host.git

Fix race condition between usb_host_destroy and fd_removed_cb

fd_removed_cb is called by libusb_exit() -> usbi_io_exit() -> usbi_remove_poolfd() -> ctx->fd_removed_cb.

fd_removed_cb uses context->gio_channels and context->channel_list_lock.
So, you should not free and destroy it before calling libusb_exit().

Signed-off-by: INSUN PYO <insun.pyo@samsung.com>
Change-Id: I5fdde607d19be9e4df9214489f91e3d33f41eaf6
---

diff --git a/src/usb_host.c b/src/usb_host.c
index 410acc4..2247bf7 100755
--- a/src/usb_host.c
+++ b/src/usb_host.c
@@ -578,14 +578,15 @@ int usb_host_destroy(usb_host_context_h context)
 		fd = g_io_channel_unix_get_fd(ch->ch);
 		g_source_remove(ch->source_tag);
 		g_io_channel_unref(ch->ch);
+		context->gio_channels = g_list_delete_link(context->gio_channels, l);
 		l = next;
 		free(ch);
 		_I("removed fd %d", fd);
 	}
 
+	libusb_exit(context->lusb_ctx);
 	g_list_free(context->gio_channels);
 	pthread_mutex_destroy(&context->channel_list_lock);
-	libusb_exit(context->lusb_ctx);
 
 	free(context);
 	return USB_HOST_ERROR_NONE;