From patchwork Thu Mar 22 13:22:38 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ming Lei <tom.leiming@gmail.com>
X-Patchwork-Id: 148238
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id CBAA1B6EF4
	for <patchwork-incoming@ozlabs.org>;
	Fri, 23 Mar 2012 00:22:59 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1030301Ab2CVNW6 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 22 Mar 2012 09:22:58 -0400
Received: from mail-gy0-f174.google.com ([209.85.160.174]:41821 "EHLO
	mail-gy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751096Ab2CVNW4 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 22 Mar 2012 09:22:56 -0400
Received: by mail-gy0-f174.google.com with SMTP id r11so1706876ghr.19
	for <multiple recipients>; Thu, 22 Mar 2012 06:22:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:x-mailer;
	bh=Ekr4d0ahwg03CDkt3yyIoVahDuEe+WkOWw1tWYQDknc=;
	b=F8QQny8U23jQhyKb9/ddHt3IW84VxB08apsYL7DDjq9S5e8pLO41wNR/xxb7cPKVEx
	5CTvtt0mRefcoLDxjD71fWg7Gin00TYyGPaCzsGTPkm+xUO6sliUef5mGpOdYYM1H+sL
	+LsQX2SKZpzSGik0vONB1LgKX8tVvxOoUOOXVD5xTESh+HrGMN2Js5c8OFYeB+TZS1M9
	RzZvx4Rv74XPv96oG17p6a/70QszyTCx0LP5o3n9tuiDQGdfellI0mI+2ccmSZe13aDr
	VvV34HzD8p0lRi+n3Am2cNuT7mKovgZMjD3QZrCxeZU5XmmYEAUPkOjvJrKEyEXEPMra
	zREA==
Received: by 10.68.73.225 with SMTP id o1mr20696283pbv.77.1332422575976;
	Thu, 22 Mar 2012 06:22:55 -0700 (PDT)
Received: from localhost ([113.97.238.210])
	by mx.google.com with ESMTPS id y2sm3821380pbe.67.2012.03.22.06.22.49
	(version=TLSv1/SSLv3 cipher=OTHER);
	Thu, 22 Mar 2012 06:22:55 -0700 (PDT)
From: Ming Lei <tom.leiming@gmail.com>
To: "David S. Miller" <davem@davemloft.net>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: netdev@vger.kernel.org, linux-usb@vger.kernel.org,
	Ming Lei <tom.leiming@gmail.com>, stable@kernel.org,
	Alan Stern <stern@rowland.harvard.edu>, Oliver Neukum <oliver@neukum.org>
Subject: [PATCH 2/2] usbnet: don't clear urb->dev in tx_complete
Date: Thu, 22 Mar 2012 21:22:38 +0800
Message-Id: <1332422558-6633-1-git-send-email-tom.leiming@gmail.com>
X-Mailer: git-send-email 1.7.9.1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

URB unlinking is always racing with its completion and tx_complete
may be called before or during running usb_unlink_urb, so tx_complete
must not clear urb->dev since it will be used in unlink path,
otherwise invalid memory accesses or usb device leak may be caused
inside usb_unlink_urb.

Cc: stable@kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/usbnet.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index febfdce..62f8b5c 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1037,7 +1037,6 @@ static void tx_complete (struct urb *urb)
 	}
 
 	usb_autopm_put_interface_async(dev->intf);
-	urb->dev = NULL;
 	entry->state = tx_done;
 	defer_bh(dev, skb, &dev->txq);
 }