Message ID | 1332422558-6633-1-git-send-email-tom.leiming@gmail.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |

On Thu, Mar 22, 2012 at 09:22:38PM +0800, Ming Lei wrote:
> URB unlinking is always racing with its completion and tx_complete
> may be called before or during running usb_unlink_urb, so tx_complete
> must not clear urb->dev since it will be used in unlink path,
> otherwise invalid memory accesses or usb device leak may be caused
> inside usb_unlink_urb.
>
> Cc: stable@kernel.org
> Cc: Alan Stern <stern@rowland.harvard.edu>
> Cc: Oliver Neukum <oliver@neukum.org>
> Signed-off-by: Ming Lei <tom.leiming@gmail.com>

Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 22 Mar 2012 07:36:07 -0700

> On Thu, Mar 22, 2012 at 09:22:38PM +0800, Ming Lei wrote:
>> URB unlinking is always racing with its completion and tx_complete
>> may be called before or during running usb_unlink_urb, so tx_complete
>> must not clear urb->dev since it will be used in unlink path,
>> otherwise invalid memory accesses or usb device leak may be caused
>> inside usb_unlink_urb.
>>
>> Cc: stable@kernel.org
>> Cc: Alan Stern <stern@rowland.harvard.edu>
>> Cc: Oliver Neukum <oliver@neukum.org>
>> Signed-off-by: Ming Lei <tom.leiming@gmail.com>
>
> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Applied.

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index febfdce..62f8b5c 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1037,7 +1037,6 @@ static void tx_complete (struct urb *urb) } usb_autopm_put_interface_async(dev->intf); - urb->dev = NULL; entry->state = tx_done; defer_bh(dev, skb, &dev->txq); }
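
Review bot: With `urb->dev = NULL;` removed after `usb_autopm_put_interface_async(dev->intf);` in tx_complete, nothing in the code records why the field has to stay intact, so a later cleanup could put the assignment back. Consider a short comment at that spot saying that the unlink path may still read urb->dev while or after tx_complete runs, as the commit message explains. The commit message could also state whether any other code treated a NULL urb->dev as a sign that the URB had completed; the visible context shows `entry->state = tx_done;` as the completion marker, but the hunk alone does not confirm it is the only one.
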
URB unlinking is always racing with its completion and tx_complete
may be called before or during running usb_unlink_urb, so tx_complete
must not clear urb->dev since it will be used in unlink path,
otherwise invalid memory accesses or usb device leak may be caused
inside usb_unlink_urb.

Cc: stable@kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
---
 drivers/net/usb/usbnet.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)