On Wed, Mar 21, 2012 at 9:04 AM, Ming Lei <tom.leiming@xxxxxxxxx> wrote:
> On Tue, Mar 20, 2012 at 5:40 PM, Ming Lei <tom.leiming@xxxxxxxxx> wrote:
>> Hi,
>>
>> On Mon, Mar 19, 2012 at 11:12 PM, Dave Jones <davej@xxxxxxxxxx> wrote:
>>> We've had two reports of this use after free in Fedora now recently.
>>
>> Could you provide the output of 'dmesg' and 'lsusb -v' from the reported machine?
>
> Looks like I have figured out why your problem is triggered.
>
> If the URB being unlinked is freed before usb_put_dev
> inside usb_hcd_unlink_urb, the use-after-free will be triggered.
> The patch below [1] should fix the problem.
>
> Also there is another bug in tx_complete() of usbnet; the line below
>
>         urb->dev = NULL;
>
> should be removed to avoid a possible oops or memory leak in the unlink path.
>
> Please test the patch if you can reproduce the problem.
>
> [1],
> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index 59681f0..4f4e028 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -592,7 +592,9 @@ static int unlink_urbs (struct usbnet *dev, struct
> sk_buff_head *q)
>                 spin_unlock_irqrestore(&q->lock, flags);
>                 // during some PM-driven resume scenarios,
>                 // these (async) unlinks complete immediately
> +               local_bh_disable();
>                 retval = usb_unlink_urb (urb);
> +               local_bh_enable();

Looks like it is a general issue with usb_hcd_unlink_urb.

Alan, how about increasing the URB reference count before calling unlink1
inside usb_hcd_unlink_urb to fix this kind of problem?

Thanks,
--
Ming Lei
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
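Review bot: wrapping usb_unlink_urb() in local_bh_disable()/local_bh_enable() in unlink_urbs() only keeps softirq-driven completion off the current CPU, so it narrows the window in which the URB is freed before usb_put_dev() in usb_hcd_unlink_urb() rather than closing it, and every other driver calling usb_unlink_urb() stays exposed; the follow-up's suggestion of holding a URB reference in usb_hcd_unlink_urb() around unlink1() is the general fix and would make this hunk unnecessary. If the BH pair stays as a stopgap, add a comment above local_bh_disable() explaining that it guards against the completion handler freeing the URB mid-unlink, since the existing "PM-driven resume" comment does not cover it. Separately, the removal of `urb->dev = NULL;` from tx_complete() described in the mail is not part of this diff and should be posted as its own hunk so it can be reviewed and tested together with this one.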