USB: fix race leading to use after free in io_edgeport

usb_unlink_urb() is asynchronous, therefore an URB's buffer may not be freed without waiting for the completion handler. This patch switches to usb_kill_urb(), which is synchronous. Thanks to Alan for making me look at the remaining users of usb_unlink_urb() Signed-off-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Al Borchers <alborchers@steinerpoint.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

USB: fix race leading to use after free in io_edgeport
usb_unlink_urb() is asynchronous, therefore an URB's buffer may not be freed without waiting for the completion handler. This patch switches to usb_kill_urb(), which is synchronous. Thanks to Alan for making me look at the remaining users of usb_unlink_urb() Signed-off-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Al Borchers <alborchers@steinerpoint.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
74ac07e8 · Oliver Neukum · Greg Kroah-Hartman · 5afeb104 · 74ac07e8
Commit 74ac07e8 authored Jun 13, 2007 by Oliver Neukum Committed by Greg Kroah-Hartman Jun 25, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

drivers/usb/serial/io_edgeport.c drivers/usb/serial/io_edgeport.c +2 -2

No files found.
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -3046,11 +3046,11 @@ static void edge_shutdown (struct usb_serial *serial)
 	}
 	/* free up our endpoint stuff */
 	if (edge_serial->is_epic) {
-		usb_unlink_urb(edge_serial->interrupt_read_urb);
+		usb_kill_urb(edge_serial->interrupt_read_urb);
 		usb_free_urb(edge_serial->interrupt_read_urb);
 		kfree(edge_serial->interrupt_in_buffer);

-		usb_unlink_urb(edge_serial->read_urb);
+		usb_kill_urb(edge_serial->read_urb);
 		usb_free_urb(edge_serial->read_urb);
 		kfree(edge_serial->bulk_in_buffer);
 	}