diff options
| author | [email protected] <[email protected]> | 2012-03-22 03:22:18 +0000 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2012-03-22 23:32:34 +0000 |
| commit | 0956a8c20b23d429e79ff86d4325583fc06f9eb4 (patch) | |
| tree | 65adc5a7fc8b19ca046ba661692a75a65fd04e88 /lib/string_helpers.c | |
| parent | xfrm: Access the replay notify functions via the registered callbacks (diff) | |
| download | kernel-0956a8c20b23d429e79ff86d4325583fc06f9eb4.tar.gz kernel-0956a8c20b23d429e79ff86d4325583fc06f9eb4.zip | |
usbnet: increase URB reference count before usb_unlink_urb
Commit 4231d47e6fe69f061f96c98c30eaf9fb4c14b96d(net/usbnet: avoid
recursive locking in usbnet_stop()) fixes the recursive locking
problem by releasing the skb queue lock, but it makes usb_unlink_urb
racing with defer_bh, and the URB to being unlinked may be freed before
or during calling usb_unlink_urb, so use-after-free problem may be
triggerd inside usb_unlink_urb.
The patch fixes the use-after-free problem by increasing URB
reference count with skb queue lock held before calling
usb_unlink_urb, so the URB won't be freed until return from
usb_unlink_urb.
Cc: [email protected]
Cc: Sebastian Andrzej Siewior <[email protected]>
Cc: Alan Stern <[email protected]>
Cc: Oliver Neukum <[email protected]>
Reported-by: Dave Jones <[email protected]>
Signed-off-by: Ming Lei <[email protected]>
Acked-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'lib/string_helpers.c')
0 files changed, 0 insertions, 0 deletions