[PATCH v1] usb: host: Fix possible kernel crash

From: Venu Byravarasu
Date: Mon Jul 09 2012 - 06:47:04 EST

Next message: David Rientjes: "Re: [PATCH] Documentation: talk about "Cc: stable@vger.kernel.org""
Previous message: David Rientjes: "Re: [PATCH] mm/hugetlb: split outis_hugetlb_entry_migration_or_hwpoison"
Next in thread: Alan Stern: "Re: [PATCH v1] usb: host: Fix possible kernel crash"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In functions itd_complete & sitd_complete, a pointer
by name stream may get dereferenced after freeing it, when
iso_stream_put is called with stream->refcount = 2.

Hence fixing it.

Signed-off-by: Venu Byravarasu <vbyravarasu@xxxxxxxxxx>
---
By mistake sent incorrect patch set number as v2 earlier.
Hence fixing it.

drivers/usb/host/ehci-sched.c | 16 ++++++++++------
1 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
index 33182c6..20d0c38 100644
--- a/drivers/usb/host/ehci-sched.c
+++ b/drivers/usb/host/ehci-sched.c
@@ -1715,6 +1715,7 @@ itd_complete (
struct ehci_iso_stream *stream = itd->stream;
struct usb_device *dev;
unsigned retval = false;
+ u32 stream_ref_count = 0;

/* for each uframe with a packet */
for (uframe = 0; uframe < 8; uframe++) {
@@ -1783,7 +1784,8 @@ itd_complete (
dev->devpath, stream->bEndpointAddress & 0x0f,
(stream->bEndpointAddress & USB_DIR_IN) ? "in" : "out");
}
- iso_stream_put (ehci, stream);
+ stream_ref_count = stream->refcount;
+ iso_stream_put(ehci, stream);

done:
itd->urb = NULL;
@@ -1797,7 +1799,7 @@ done:
* Move it to a safe place until a new frame starts.
*/
list_move(&itd->itd_list, &ehci->cached_itd_list);
- if (stream->refcount == 2) {
+ if (stream_ref_count == 3) {
/* If iso_stream_put() were called here, stream
* would be freed. Instead, just prevent reuse.
*/
@@ -1866,7 +1868,7 @@ done_not_linked:

done:
if (unlikely (status < 0))
- iso_stream_put (ehci, stream);
+ iso_stream_put(ehci, stream);
return status;
}

@@ -2127,6 +2129,7 @@ sitd_complete (
struct ehci_iso_stream *stream = sitd->stream;
struct usb_device *dev;
unsigned retval = false;
+ u32 stream_ref_count = 0;

urb_index = sitd->index;
desc = &urb->iso_frame_desc [urb_index];
@@ -2179,7 +2182,8 @@ sitd_complete (
dev->devpath, stream->bEndpointAddress & 0x0f,
(stream->bEndpointAddress & USB_DIR_IN) ? "in" : "out");
}
- iso_stream_put (ehci, stream);
+ stream_ref_count = stream->refcount;
+ iso_stream_put(ehci, stream);

done:
sitd->urb = NULL;
@@ -2193,7 +2197,7 @@ done:
* Move it to a safe place until a new frame starts.
*/
list_move(&sitd->sitd_list, &ehci->cached_sitd_list);
- if (stream->refcount == 2) {
+ if (stream_ref_count == 3) {
/* If iso_stream_put() were called here, stream
* would be freed. Instead, just prevent reuse.
*/
@@ -2259,7 +2263,7 @@ done_not_linked:

done:
if (status < 0)
- iso_stream_put (ehci, stream);
+ iso_stream_put(ehci, stream);
return status;
}

--
1.7.1.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Rientjes: "Re: [PATCH] Documentation: talk about "Cc: stable@vger.kernel.org""
Previous message: David Rientjes: "Re: [PATCH] mm/hugetlb: split outis_hugetlb_entry_migration_or_hwpoison"
Next in thread: Alan Stern: "Re: [PATCH v1] usb: host: Fix possible kernel crash"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]