aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOliver Neukum <oneukum@suse.de>2007-06-13 12:50:41 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2007-06-26 02:38:06 -0400
commit74ac07e8b8209ba9429fa1a9afc07aa5ecef5af8 (patch)
tree113b8f6253ac3ece264c482ce16880e3ec6b2244
parent5afeb104e7901168b21aad0437fb51dc620dfdd3 (diff)
USB: fix race leading to use after free in io_edgeport
usb_unlink_urb() is asynchronous, therefore an URB's buffer may not be freed without waiting for the completion handler. This patch switches to usb_kill_urb(), which is synchronous. Thanks to Alan for making me look at the remaining users of usb_unlink_urb() Signed-off-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Al Borchers <alborchers@steinerpoint.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/serial/io_edgeport.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index 4807f960150b..056e1923c4de 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -3046,11 +3046,11 @@ static void edge_shutdown (struct usb_serial *serial)
3046 } 3046 }
3047 /* free up our endpoint stuff */ 3047 /* free up our endpoint stuff */
3048 if (edge_serial->is_epic) { 3048 if (edge_serial->is_epic) {
3049 usb_unlink_urb(edge_serial->interrupt_read_urb); 3049 usb_kill_urb(edge_serial->interrupt_read_urb);
3050 usb_free_urb(edge_serial->interrupt_read_urb); 3050 usb_free_urb(edge_serial->interrupt_read_urb);
3051 kfree(edge_serial->interrupt_in_buffer); 3051 kfree(edge_serial->interrupt_in_buffer);
3052 3052
3053 usb_unlink_urb(edge_serial->read_urb); 3053 usb_kill_urb(edge_serial->read_urb);
3054 usb_free_urb(edge_serial->read_urb); 3054 usb_free_urb(edge_serial->read_urb);
3055 kfree(edge_serial->bulk_in_buffer); 3055 kfree(edge_serial->bulk_in_buffer);
3056 } 3056 }