On Tue, 7 Dec 2010, Jun Nie wrote:

> From 109b59f272890bcc662f1bdf22175eba489f4a48 Mon Sep 17 00:00:00 2001 > From: Jun Nie <njun@xxxxxxxxxxx> > Date: Tue, 7 Dec 2010 14:00:55 +0800 > Subject: [PATCH] usb: fix stream reference after it is freed > > Signed-off-by: Jun Nie <njun@xxxxxxxxxxx> > --- > drivers/usb/host/ehci-sched.c | 18 ++++++++++++++---- > 1 files changed, 14 insertions(+), 4 deletions(-) > > diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c > index d9f78eb..cc92d13 100644 > --- a/drivers/usb/host/ehci-sched.c > +++ b/drivers/usb/host/ehci-sched.c > @@ -1685,6 +1685,7 @@ itd_complete ( > struct ehci_iso_stream *stream = itd->stream; > struct usb_device *dev; > unsigned retval = false; > + unsigned stream_freed = 0; > > /* for each uframe with a packet */ > for (uframe = 0; uframe < 8; uframe++) { > @@ -1748,6 +1749,8 @@ itd_complete ( > dev->devpath, stream->bEndpointAddress & 0x0f, > (stream->bEndpointAddress & USB_DIR_IN) ? "in" : "out"); > } > + if (1 == stream->refcount) > + stream_freed = 1; > iso_stream_put (ehci, stream);

This change is wrong for two reasons. First, an iso_stream is freed when its refcount drops to 1, not 0 (I know this makes no sense, but that's how the code works). Second, it's impossible for refcount to be equal either to 1 or 2 at this point, since there still are references from both the itd and the URB.

None of the other changes in this patch are needed either.

Alan Stern
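Review bot: The commit message carries only a subject and a Signed-off-by, so nothing states which access to stream happens after the free or how it was observed, and the `stream_freed` flag added in the first hunk (@@ -1685,6 +1685,7 @@ itd_complete) has no documented purpose in the quoted lines. Please describe the failing path in the commit body, and declare the flag as bool, since the quoted lines only ever assign it 0 or 1 and the neighbouring `retval` is already initialised with `false`.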
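Review bot: In the second hunk (@@ -1748,6 +1749,8 @@ itd_complete), the added `if (1 == stream->refcount)` test predicts whether the following `iso_stream_put (ehci, stream);` will free the stream by reading the counter beforehand, which copies the helper's release condition into the caller and goes wrong silently whenever that condition is not what the test assumes. Suggest having the code that drops the reference report the release, or completing every use of stream before the put so that no flag is needed. The constant-first comparison is also not kernel style; if the test stays, write it as `stream->refcount == 1`.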