From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 22 Mar 2012 07:35:53 -0700

> On Thu, Mar 22, 2012 at 09:22:18PM +0800, Ming Lei wrote:
>> Commit 4231d47e6fe69f061f96c98c30eaf9fb4c14b96d(net/usbnet: avoid
>> recursive locking in usbnet_stop()) fixes the recursive locking
>> problem by releasing the skb queue lock, but it makes usb_unlink_urb
>> racing with defer_bh, and the URB being unlinked may be freed before
>> or during calling usb_unlink_urb, so use-after-free problem may be
>> triggered inside usb_unlink_urb.
>>
>> The patch fixes the use-after-free problem by increasing URB
>> reference count with skb queue lock held before calling
>> usb_unlink_urb, so the URB won't be freed until return from
>> usb_unlink_urb.
>>
>> Cc: stable@xxxxxxxxxx
>> Cc: Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx>
>> Cc: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
>> Cc: Oliver Neukum <oliver@xxxxxxxxxx>
>> Reported-by: Dave Jones <davej@xxxxxxxxxx>
>> Signed-off-by: Ming Lei <tom.leiming@xxxxxxxxx>
>
> Acked-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

Applied.
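
The ordering the quoted commit message describes (take a reference while the queue lock is held, drop the lock, unlink, then drop the reference), shown as an added userspace model that is not part of this thread or of the kernel patch. All names (`model_urb`, `urb_get`, `urb_put`, `model_unlink`, `unlink_one`) are hypothetical, and the completion path is forced to run inside the unlink call so the race outcome is deterministic.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only; hypothetical names, not the usbnet or USB core code. */
struct model_urb {
    int refcount;
    int in_flight;
    int *freed;                 /* external flag set when the last ref is dropped */
};

static struct model_urb *urb_alloc(int *freed)
{
    struct model_urb *u = malloc(sizeof(*u));
    if (!u)
        abort();
    u->refcount = 1;            /* reference owned by the queue entry */
    u->in_flight = 1;
    u->freed = freed;
    *freed = 0;
    return u;
}

static void urb_get(struct model_urb *u) { u->refcount++; }

static void urb_put(struct model_urb *u)
{
    int *freed = u->freed;
    if (--u->refcount == 0) {
        free(u);
        *freed = 1;
    }
}

/* Models the unlink call losing the race: the completion path (the role
 * defer_bh plays in the commit message) drops the queue's reference first. */
static int model_unlink(struct model_urb *u, int *freed)
{
    urb_put(u);                 /* completion path runs inside the race window */
    if (*freed)
        return -1;              /* real code would now touch freed memory */
    u->in_flight = 0;           /* unlink still dereferences the URB here */
    return 0;
}

/* hold_ref = 0: lock released with no extra reference (the racy ordering).
 * hold_ref = 1: reference taken under the lock, dropped after unlink returns. */
static int unlink_one(int hold_ref, int *freed)
{
    struct model_urb *u = urb_alloc(freed);
    int rc;
    /* queue lock held here while the entry is picked */
    if (hold_ref)
        urb_get(u);
    /* queue lock released here to avoid the recursive locking */
    rc = model_unlink(u, freed);
    if (hold_ref)
        urb_put(u);             /* last reference: object is freed only now */
    return rc;
}

int main(void)
{
    int freed;
    printf("no extra ref: rc=%d\n", unlink_one(0, &freed));
    printf("ref held:     rc=%d freed_after=%d\n", unlink_one(1, &freed), freed);
    return 0;
}
```
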