projects
/
GitHub
/
LineageOS
/
android_kernel_samsung_universal7580.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
b1f524e
)
hso: fix a use after free condition
author
Greg KH
<greg@kroah.com>
Fri, 8 Jul 2011 03:45:25 +0000
(
03:45
+0000)
committer
David S. Miller
<davem@davemloft.net>
Fri, 8 Jul 2011 16:07:59 +0000
(09:07 -0700)
This needs to go to netdev:
From: Octavian Purdila <octavian.purdila@intel.com>
In hso_free_net_device hso_net pointer is freed and then used to
cleanup urb pools. Catched with SLAB_DEBUG during S3 resume:
[ 95.824442] Pid: 389, comm: khubd Tainted: G C
2.6.36greenridge-01400-g423cf13
-dirty #154 Type2 - Board Product Name1/OakTrail
[ 95.824442] EIP: 0060:[<
c1151551
>] EFLAGS:
00010202
CPU: 0
[ 95.824442] EIP is at kref_put+0x29/0x42
[ 95.824442] EAX:
6b6b6b6b
EBX:
6b6b6b6b
ECX:
c2806b40
EDX:
00000037
[ 95.824442] ESI:
c1258d56
EDI:
edd3d128
EBP:
ee8cde0c
ESP:
ee8cde04
[ 95.824442] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 95.824442] Process khubd (pid: 389, ti=
ee8cc000
task=
ee95ed10
task.ti=
ee8cc000
)
[ 95.824442] Stack:
[ 95.824442]
edd07020
00000000
ee8cde14
c1258b77
ee8cde38
ef933a44
ef93572b
ef935dec
[ 95.824442] <0>
0000099a
6b6b6b6b
00000000
ee2da748
edd3e0c0
ee8cde54
ef933b9f
ee3b53f8
[ 95.824442] <0>
00000002
ee2da748
ee2da764
ef936658
ee8cde60
ef933d0c
ee2da748
ee8cde84
[ 95.824442] Call Trace:
[ 95.824442] [<
c1258b77
>] ? usb_free_urb+0x11/0x13
[ 95.824442] [<
ef933a44
>] ? hso_free_net_device+0x81/0xd8 [hso]
[ 95.824442] [<
ef933b9f
>] ? hso_free_interface+0x104/0x111 [hso]
[ 95.824442] [<
ef933d0c
>] ? hso_disconnect+0xb/0x18 [hso]
[ 95.824442] [<
c125b7f1
>] ? usb_unbind_interface+0x44/0x14a
[ 95.824442] [<
c11e56e8
>] ? __device_release_driver+0x6f/0xb1
[ 95.824442] [<
c11e57c7
>] ? device_release_driver+0x18/0x23
[ 95.824442] [<
c11e4e92
>] ? bus_remove_device+0x8a/0xa1
[ 95.824442] [<
c11e3970
>] ? device_del+0x129/0x163
[ 95.824442] [<
c11e2dc0
>] ? put_device+0xf/0x11
[ 95.824442] [<
c11e39bc
>] ? device_unregister+0x12/0x15
[ 95.824442] [<
c125915f
>] ? usb_disable_device+0x90/0xf0
[ 95.824442] [<
c125544f
>] ? usb_disconnect+0x6d/0xf8
[ 95.824442] [<
c1255f91
>] ? hub_thread+0x3fc/0xc57
[ 95.824442] [<
c1048526
>] ? autoremove_wake_function+0x0/0x2f
[ 95.824442] [<
c102529d
>] ? complete+0x34/0x3e
[ 95.824442] [<
c1255b95
>] ? hub_thread+0x0/0xc57
[ 95.824442] [<
c10481fc
>] ? kthread+0x63/0x68
[ 95.824442] [<
c1048199
>] ? kthread+0x0/0x68
[ 95.824442] [<
c1002d76
>] ? kernel_thread_helper+0x6/0x10
Signed-off-by: Octavian Purdila <octavian.purdila@intel.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/usb/hso.c
patch
|
blob
|
blame
|
history
diff --git
a/drivers/net/usb/hso.c
b/drivers/net/usb/hso.c
index 387ca43f26f4c3942e098702b55d39dbca325a90..304fe78ff60e3b287b608fb4b19bafacb915e315 100644
(file)
--- a/
drivers/net/usb/hso.c
+++ b/
drivers/net/usb/hso.c
@@
-2421,10
+2421,8
@@
static void hso_free_net_device(struct hso_device *hso_dev)
remove_net_device(hso_net->parent);
- if (hso_net->net)
{
+ if (hso_net->net)
unregister_netdev(hso_net->net);
- free_netdev(hso_net->net);
- }
/* start freeing */
for (i = 0; i < MUX_BULK_RX_BUF_COUNT; i++) {
@@
-2436,6
+2434,9
@@
static void hso_free_net_device(struct hso_device *hso_dev)
kfree(hso_net->mux_bulk_tx_buf);
hso_net->mux_bulk_tx_buf = NULL;
+ if (hso_net->net)
+ free_netdev(hso_net->net);
+
kfree(hso_dev);
}