From patchwork Fri Jul 8 13:45:25 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 103848 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id E6608B6F74 for ; Fri, 8 Jul 2011 23:49:48 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751681Ab1GHNtU (ORCPT ); Fri, 8 Jul 2011 09:49:20 -0400 Received: from out5.smtp.messagingengine.com ([66.111.4.29]:55625 "EHLO out5.smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751763Ab1GHNtL (ORCPT ); Fri, 8 Jul 2011 09:49:11 -0400 Received: from compute5.internal (compute5.nyi.mail.srv.osa [10.202.2.45]) by gateway1.messagingengine.com (Postfix) with ESMTP id EAFDA20BD5; Fri, 8 Jul 2011 09:49:10 -0400 (EDT) Received: from frontend1.messagingengine.com ([10.202.2.160]) by compute5.internal (MEProxy); Fri, 08 Jul 2011 09:49:10 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=messagingengine.com; h=date:from:to:cc:subject:message-id:mime-version:content-type; s=smtpout; bh=91nFcegq7eTyNE/942fuT2xKtWs=; b=p43NemTcnOiRZi+dFG1eITtFdOn/Yof6OldxnMeJaGnUwWXnEvrhoJhpaHEFgUZM99XK2wAeDOklDxIy7BmDvTvdIZbDab5pF7T0ONHsVzbScq6dFcO7gy/ewk4mOyx8zkv6CgLzsp5wIqcmr3I6jmyUJlo0bHtFz9zPOZZ8jr8= X-Sasl-enc: DuhtRTrIclhlw9OavjkmVbS5STiidkfp09mydQuJVSvh 1310132950 Received: from localhost (c-76-121-69-168.hsd1.wa.comcast.net [76.121.69.168]) by mail.messagingengine.com (Postfix) with ESMTPSA id 6E0D74095C5; Fri, 8 Jul 2011 09:49:10 -0400 (EDT) Date: Fri, 8 Jul 2011 06:45:25 -0700 From: Greg KH To: Alan Cox , netdev@vger.kernel.org Cc: j.dumon@option.com, linux-usb@vger.kernel.org Subject: [PATCH] hso: fix a use after free condition Message-ID: <20110708134525.GA5069@kroah.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This needs to go to netdev: From: Octavian Purdila In hso_free_net_device hso_net pointer is freed and then used to cleanup urb pools. Catched with SLAB_DEBUG during S3 resume: [ 95.824442] Pid: 389, comm: khubd Tainted: G C 2.6.36greenridge-01400-g423cf13-dirty #154 Type2 - Board Product Name1/OakTrail [ 95.824442] EIP: 0060:[] EFLAGS: 00010202 CPU: 0 [ 95.824442] EIP is at kref_put+0x29/0x42 [ 95.824442] EAX: 6b6b6b6b EBX: 6b6b6b6b ECX: c2806b40 EDX: 00000037 [ 95.824442] ESI: c1258d56 EDI: edd3d128 EBP: ee8cde0c ESP: ee8cde04 [ 95.824442] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 [ 95.824442] Process khubd (pid: 389, ti=ee8cc000 task=ee95ed10 task.ti=ee8cc000) [ 95.824442] Stack: [ 95.824442] edd07020 00000000 ee8cde14 c1258b77 ee8cde38 ef933a44 ef93572b ef935dec [ 95.824442] <0> 0000099a 6b6b6b6b 00000000 ee2da748 edd3e0c0 ee8cde54 ef933b9f ee3b53f8 [ 95.824442] <0> 00000002 ee2da748 ee2da764 ef936658 ee8cde60 ef933d0c ee2da748 ee8cde84 [ 95.824442] Call Trace: [ 95.824442] [] ? usb_free_urb+0x11/0x13 [ 95.824442] [] ? hso_free_net_device+0x81/0xd8 [hso] [ 95.824442] [] ? hso_free_interface+0x104/0x111 [hso] [ 95.824442] [] ? hso_disconnect+0xb/0x18 [hso] [ 95.824442] [] ? usb_unbind_interface+0x44/0x14a [ 95.824442] [] ? __device_release_driver+0x6f/0xb1 [ 95.824442] [] ? device_release_driver+0x18/0x23 [ 95.824442] [] ? bus_remove_device+0x8a/0xa1 [ 95.824442] [] ? device_del+0x129/0x163 [ 95.824442] [] ? put_device+0xf/0x11 [ 95.824442] [] ? device_unregister+0x12/0x15 [ 95.824442] [] ? usb_disable_device+0x90/0xf0 [ 95.824442] [] ? usb_disconnect+0x6d/0xf8 [ 95.824442] [] ? hub_thread+0x3fc/0xc57 [ 95.824442] [] ? autoremove_wake_function+0x0/0x2f [ 95.824442] [] ? complete+0x34/0x3e [ 95.824442] [] ? hub_thread+0x0/0xc57 [ 95.824442] [] ? kthread+0x63/0x68 [ 95.824442] [] ? kthread+0x0/0x68 [ 95.824442] [] ? kernel_thread_helper+0x6/0x10 Signed-off-by: Octavian Purdila Signed-off-by: Alan Cox --- drivers/net/usb/hso.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ----- End forwarded message ----- -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c index 387ca43..304fe78 100644 --- a/drivers/net/usb/hso.c +++ b/drivers/net/usb/hso.c @@ -2421,10 +2421,8 @@ static void hso_free_net_device(struct hso_device *hso_dev) remove_net_device(hso_net->parent); - if (hso_net->net) { + if (hso_net->net) unregister_netdev(hso_net->net); - free_netdev(hso_net->net); - } /* start freeing */ for (i = 0; i < MUX_BULK_RX_BUF_COUNT; i++) { @@ -2436,6 +2434,9 @@ static void hso_free_net_device(struct hso_device *hso_dev) kfree(hso_net->mux_bulk_tx_buf); hso_net->mux_bulk_tx_buf = NULL; + if (hso_net->net) + free_netdev(hso_net->net); + kfree(hso_dev); }