From 64bddcc87b5a7a86c1f4bb2a43ab58ee59a4a00d Mon Sep 17 00:00:00 2001
From: "tom.leiming@gmail.com"
Date: Thu, 22 Mar 2012 03:22:18 +0000
Subject: [PATCH] --- yaml --- r: 294679 b: refs/heads/master c: 0956a8c20b23d429e79ff86d4325583fc06f9eb4 h: refs/heads/master i: 294677: 6b8d50a0ade9c8c88d876d22e308b14f615a3c93 294675: 5248320e182705709fdce0ace31d9d15948052c0 294671: e461cae1a9d5428898e344fcae25569a14a45a7b v: v3
---
 [refs] | 2 +-
 trunk/drivers/net/usb/usbnet.c | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/[refs] b/[refs]
index 0abd24245f91..646532fa025c 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 1265fd616782ef03b98fd19f65c2b47fcd4ea11f
+refs/heads/master: 0956a8c20b23d429e79ff86d4325583fc06f9eb4
diff --git a/trunk/drivers/net/usb/usbnet.c b/trunk/drivers/net/usb/usbnet.c
index 4b8b52ca09d8..febfdceeb9e5 100644
--- a/trunk/drivers/net/usb/usbnet.c
+++ b/trunk/drivers/net/usb/usbnet.c
@@ -589,6 +589,14 @@ static int unlink_urbs (struct usbnet *dev, struct sk_buff_head *q)
 entry = (struct skb_data *) skb->cb;
 urb = entry->urb;
 
+ /*
+ * Get reference count of the URB to avoid it to be
+ * freed during usb_unlink_urb, which may trigger
+ * use-after-free problem inside usb_unlink_urb since
+ * usb_unlink_urb is always racing with .complete
+ * handler(include defer_bh).
+ */
+ usb_get_urb(urb);
 spin_unlock_irqrestore(&q->lock, flags);
 // during some PM-driven resume scenarios,
 // these (async) unlinks complete immediately
@@ -597,6 +605,7 @@ static int unlink_urbs (struct usbnet *dev, struct sk_buff_head *q)
 netdev_dbg(dev->net, "unlink urb err, %d\n", retval);
 else
 count++;
+ usb_put_urb(urb);
 spin_lock_irqsave(&q->lock, flags);
 }
 spin_unlock_irqrestore (&q->lock, flags);
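Review bot: The reference taken by `usb_get_urb(urb)` in the first usbnet.c hunk pins only the URB, so the skb and the walk position remain unprotected between `spin_unlock_irqrestore(&q->lock, flags)` and the `spin_lock_irqsave(&q->lock, flags)` in the second hunk. The new comment itself says the .complete handler (including defer_bh) races with this window; if that path dequeues or frees skbs from `q`, any next pointer the loop cached before unlocking could be stale once the lock is retaken. The loop header lies outside both hunks, so this is inferred rather than visible; if it does cache a next element, the walk should restart from the queue head after relocking, or entries should be marked as already being unlinked while the lock is held. At minimum, extend the new comment with `* Note: only the URB is pinned here; skb and q may change while q->lock is dropped.` unlink_urbs starts and ends outside the hunks.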