diff options
author | Oliver Neukum <oneukum@suse.de> | 2007-06-13 12:50:41 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2007-06-26 02:38:06 -0400 |
commit | 74ac07e8b8209ba9429fa1a9afc07aa5ecef5af8 (patch) | |
tree | 113b8f6253ac3ece264c482ce16880e3ec6b2244 | |
parent | 5afeb104e7901168b21aad0437fb51dc620dfdd3 (diff) |
USB: fix race leading to use after free in io_edgeport
usb_unlink_urb() is asynchronous, therefore an URB's buffer may not
be freed without waiting for the completion handler. This patch switches
to usb_kill_urb(), which is synchronous.
Thanks to Alan for making me look at the remaining users of usb_unlink_urb()
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Al Borchers <alborchers@steinerpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/usb/serial/io_edgeport.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 4807f960150b..056e1923c4de 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c | |||
@@ -3046,11 +3046,11 @@ static void edge_shutdown (struct usb_serial *serial) | |||
3046 | } | 3046 | } |
3047 | /* free up our endpoint stuff */ | 3047 | /* free up our endpoint stuff */ |
3048 | if (edge_serial->is_epic) { | 3048 | if (edge_serial->is_epic) { |
3049 | usb_unlink_urb(edge_serial->interrupt_read_urb); | 3049 | usb_kill_urb(edge_serial->interrupt_read_urb); |
3050 | usb_free_urb(edge_serial->interrupt_read_urb); | 3050 | usb_free_urb(edge_serial->interrupt_read_urb); |
3051 | kfree(edge_serial->interrupt_in_buffer); | 3051 | kfree(edge_serial->interrupt_in_buffer); |
3052 | 3052 | ||
3053 | usb_unlink_urb(edge_serial->read_urb); | 3053 | usb_kill_urb(edge_serial->read_urb); |
3054 | usb_free_urb(edge_serial->read_urb); | 3054 | usb_free_urb(edge_serial->read_urb); |
3055 | kfree(edge_serial->bulk_in_buffer); | 3055 | kfree(edge_serial->bulk_in_buffer); |
3056 | } | 3056 | } |