From: Xinming Hu Date: Tue, 23 May 2017 07:12:31 +0000 (+0000) Subject: mwifiex: usb: kill urb before free its memory X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=42d1abb50ffc51c65e9cec735c8a9711296a05f7;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git mwifiex: usb: kill urb before free its memory we have observed host system hang when device firmware crash, stack trace show it was an use-after-free case: previous submitted urb will be holding in usbcore, and given back to device driver when device disconnected, while the urb have been freed in usb device disconnect handler. This patch kill the holding urb before free its memory. Signed-off-by: Xinming Hu Signed-off-by: Kalle Valo --- diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c index debd6216366a..9c3d654ae009 100644 --- a/drivers/net/wireless/marvell/mwifiex/usb.c +++ b/drivers/net/wireless/marvell/mwifiex/usb.c @@ -363,6 +363,7 @@ static void mwifiex_usb_free(struct usb_card_rec *card) for (i = 0; i < MWIFIEX_TX_DATA_PORT; i++) { port = &card->port[i]; for (j = 0; j < MWIFIEX_TX_DATA_URB; j++) { + usb_kill_urb(port->tx_data_list[j].urb); usb_free_urb(port->tx_data_list[j].urb); port->tx_data_list[j].urb = NULL; }