From 74ac07e8b8209ba9429fa1a9afc07aa5ecef5af8 Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Wed, 13 Jun 2007 18:50:41 +0200 Subject: USB: fix race leading to use after free in io_edgeport usb_unlink_urb() is asynchronous, therefore an URB's buffer may not be freed without waiting for the completion handler. This patch switches to usb_kill_urb(), which is synchronous. Thanks to Alan for making me look at the remaining users of usb_unlink_urb() Signed-off-by: Oliver Neukum Signed-off-by: Al Borchers Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/io_edgeport.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 4807f960150..056e1923c4d 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -3046,11 +3046,11 @@ static void edge_shutdown (struct usb_serial *serial) } /* free up our endpoint stuff */ if (edge_serial->is_epic) { - usb_unlink_urb(edge_serial->interrupt_read_urb); + usb_kill_urb(edge_serial->interrupt_read_urb); usb_free_urb(edge_serial->interrupt_read_urb); kfree(edge_serial->interrupt_in_buffer); - usb_unlink_urb(edge_serial->read_urb); + usb_kill_urb(edge_serial->read_urb); usb_free_urb(edge_serial->read_urb); kfree(edge_serial->bulk_in_buffer); } -- cgit v1.2.3