diff options
author | Oliver Neukum | 2007-06-13 18:50:41 +0200 |
---|---|---|
committer | Greg Kroah-Hartman | 2007-06-25 23:38:06 -0700 |
commit | 74ac07e8b8209ba9429fa1a9afc07aa5ecef5af8 (patch) | |
tree | 113b8f6253ac3ece264c482ce16880e3ec6b2244 | |
parent | 5afeb104e7901168b21aad0437fb51dc620dfdd3 (diff) |
USB: fix race leading to use after free in io_edgeport
usb_unlink_urb() is asynchronous, therefore an URB's buffer may not
be freed without waiting for the completion handler. This patch switches
to usb_kill_urb(), which is synchronous.
Thanks to Alan for making me look at the remaining users of usb_unlink_urb()
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Al Borchers <alborchers@steinerpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/usb/serial/io_edgeport.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 4807f960150b..056e1923c4de 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -3046,11 +3046,11 @@ static void edge_shutdown (struct usb_serial *serial) } /* free up our endpoint stuff */ if (edge_serial->is_epic) { - usb_unlink_urb(edge_serial->interrupt_read_urb); + usb_kill_urb(edge_serial->interrupt_read_urb); usb_free_urb(edge_serial->interrupt_read_urb); kfree(edge_serial->interrupt_in_buffer); - usb_unlink_urb(edge_serial->read_urb); + usb_kill_urb(edge_serial->read_urb); usb_free_urb(edge_serial->read_urb); kfree(edge_serial->bulk_in_buffer); } |