aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/usb
diff options
context:
space:
mode:
authorOliver Neukum <oliver@neukum.org>2009-07-08 13:09:23 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2009-07-12 18:16:40 -0400
commit516a1a07f0219d6672fb6b8e49fb9d5d533c2e89 (patch)
tree538650864da3032195afa77ea808d11ae78e7c4e /drivers/usb
parent7bae0a070db4bc2761dd9515f450cdfa3f3f248c (diff)
USB: fix race leading to a write after kfree in usbfs
this fixes a race between async_completed() and proc_reapurbnonblock(). CPU A CPU B spin_lock(&ps->lock); list_move_tail(&as->asynclist, &ps->async_completed); spin_unlock(&ps->lock); if (!(as = async_getcompleted(ps))) return -EAGAIN; return processcompl(as, (void __user * __user *)arg); processcompl() calls free_async() which calls kfree(as) as->status = urb->status; if (as->signr) { sinfo.si_signo = as->signr; sinfo.si_errno = as->status; sinfo.si_code = SI_ASYNCIO; sinfo.si_addr = as->userurb; kill_pid_info_as_uid(as->signr, &sinfo, as->pid, as->uid, as->euid, as->secid); } snoop(&urb->dev->dev, "urb complete\n"); snoop_urb(urb, as->userurb); write after kfree Signed-off-by: Oliver Neukum <oliver@neukum.org>
Diffstat (limited to 'drivers/usb')
-rw-r--r--drivers/usb/core/devio.c21
1 files changed, 17 insertions, 4 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 706f18156af8..46ca2af5ef1c 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -325,21 +325,34 @@ static void async_completed(struct urb *urb)
325 struct async *as = urb->context; 325 struct async *as = urb->context;
326 struct dev_state *ps = as->ps; 326 struct dev_state *ps = as->ps;
327 struct siginfo sinfo; 327 struct siginfo sinfo;
328 struct pid *pid = NULL;
329 uid_t uid = 0;
330 uid_t euid = 0;
331 u32 secid = 0;
332 int signr;
328 333
329 spin_lock(&ps->lock); 334 spin_lock(&ps->lock);
330 list_move_tail(&as->asynclist, &ps->async_completed); 335 list_move_tail(&as->asynclist, &ps->async_completed);
331 spin_unlock(&ps->lock);
332 as->status = urb->status; 336 as->status = urb->status;
333 if (as->signr) { 337 signr = as->signr;
338 if (signr) {
334 sinfo.si_signo = as->signr; 339 sinfo.si_signo = as->signr;
335 sinfo.si_errno = as->status; 340 sinfo.si_errno = as->status;
336 sinfo.si_code = SI_ASYNCIO; 341 sinfo.si_code = SI_ASYNCIO;
337 sinfo.si_addr = as->userurb; 342 sinfo.si_addr = as->userurb;
338 kill_pid_info_as_uid(as->signr, &sinfo, as->pid, as->uid, 343 pid = as->pid;
339 as->euid, as->secid); 344 uid = as->uid;
345 euid = as->euid;
346 secid = as->secid;
340 } 347 }
341 snoop(&urb->dev->dev, "urb complete\n"); 348 snoop(&urb->dev->dev, "urb complete\n");
342 snoop_urb(urb, as->userurb); 349 snoop_urb(urb, as->userurb);
350 spin_unlock(&ps->lock);
351
352 if (signr)
353 kill_pid_info_as_uid(sinfo.si_signo, &sinfo, pid, uid,
354 euid, secid);
355
343 wake_up(&ps->wait); 356 wake_up(&ps->wait);
344} 357}
345 358