lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

USB: fix race leading to use after free in io_edgeport

Browse Source 
usb_unlink_urb() is asynchronous, therefore an URB's buffer may not
be freed without waiting for the completion handler. This patch switches
to usb_kill_urb(), which is synchronous.
Thanks to Alan for making me look at the remaining users of usb_unlink_urb()


Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Al Borchers <alborchers@steinerpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Oliver Neukum
2007-06-13 18:50:41 +02:00
committed by Greg Kroah-Hartman
parent 5afeb104e7
commit 74ac07e8b8
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/usb/serial/io_edgeport.c
View File

@@ -3046,11 +3046,11 @@ static void edge_shutdown (struct usb_serial *serial)
} }
/* free up our endpoint stuff */ /* free up our endpoint stuff */
if (edge_serial->is_epic) { if (edge_serial->is_epic) {
usb_unlink_urb(edge_serial->interrupt_read_urb); usb_kill_urb(edge_serial->interrupt_read_urb);
usb_free_urb(edge_serial->interrupt_read_urb); usb_free_urb(edge_serial->interrupt_read_urb);
kfree(edge_serial->interrupt_in_buffer); kfree(edge_serial->interrupt_in_buffer);
usb_unlink_urb(edge_serial->read_urb); usb_kill_urb(edge_serial->read_urb);
usb_free_urb(edge_serial->read_urb); usb_free_urb(edge_serial->read_urb);
kfree(edge_serial->bulk_in_buffer); kfree(edge_serial->bulk_in_buffer);
} }