Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
USB: fix race leading to use after free in io_edgeport
usb_unlink_urb() is asynchronous, therefore an URB's buffer may not
be freed without waiting for the completion handler. This patch switches
to usb_kill_urb(), which is synchronous.
Thanks to Alan for making me look at the remaining users of usb_unlink_urb()
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Al Borchers <alborchers@steinerpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
authored by Oliver Neukum and committed by Greg Kroah-Hartman 74ac07e8 5afeb104
+2
-2
drivers/usb/serial/io_edgeport.c
+2
-2
drivers/usb/serial/io_edgeport.c
···
3046
}
3047
/* free up our endpoint stuff */
3048
if (edge_serial->is_epic) {
3049
-
usb_unlink_urb(edge_serial->interrupt_read_urb);
3050
usb_free_urb(edge_serial->interrupt_read_urb);
3051
kfree(edge_serial->interrupt_in_buffer);
3052
3053
-
usb_unlink_urb(edge_serial->read_urb);
3054
usb_free_urb(edge_serial->read_urb);
3055
kfree(edge_serial->bulk_in_buffer);
3056
}
···
3046
}
3047
/* free up our endpoint stuff */
3048
if (edge_serial->is_epic) {
3049
+
usb_kill_urb(edge_serial->interrupt_read_urb);
3050
usb_free_urb(edge_serial->interrupt_read_urb);
3051
kfree(edge_serial->interrupt_in_buffer);
3052
3053
+
usb_kill_urb(edge_serial->read_urb);
3054
usb_free_urb(edge_serial->read_urb);
3055
kfree(edge_serial->bulk_in_buffer);
3056
}