Google Git
Sign in
kernel / pub / scm / linux / kernel / git / stable / stable-queue / d6c57ae70007cfe8c59b8fc1918a18c71e14066c / . / releases / 3.2.14 / usbnet-don-t-clear-urb-dev-in-tx_complete.patch
blob: 3876c331582d696ac9e8c569744549fe4de42ca8 [file] [log] [blame]
From 5d5440a835710d09f0ef18da5000541ec98b537a Mon Sep 17 00:00:00 2001
From: "tom.leiming@gmail.com" <tom.leiming@gmail.com>
Date: Thu, 22 Mar 2012 03:22:38 +0000
Subject: usbnet: don't clear urb->dev in tx_complete
From: "tom.leiming@gmail.com" <tom.leiming@gmail.com>
commit 5d5440a835710d09f0ef18da5000541ec98b537a upstream.
URB unlinking is always racing with its completion and tx_complete
may be called before or during running usb_unlink_urb, so tx_complete
must not clear urb->dev since it will be used in unlink path,
otherwise invalid memory accesses or usb device leak may be caused
inside usb_unlink_urb.
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/usbnet.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1037,7 +1037,6 @@ static void tx_complete (struct urb *urb
}
usb_autopm_put_interface_async(dev->intf);
- urb->dev = NULL;
entry->state = tx_done;
defer_bh(dev, skb, &dev->txq);
}