All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 1/3] igorplugusb: prevent use after free in probe error
@ 2022-05-12 12:33 Oliver Neukum
  2022-05-12 12:33 ` [PATCH 2/3] igorplugusb: break cyclical race on disconnect Oliver Neukum
  2022-05-12 12:33 ` [PATCH 3/3] igorplugusb: remove superfluous usb_unlink_urb() Oliver Neukum
  0 siblings, 2 replies; 3+ messages in thread
From: Oliver Neukum @ 2022-05-12 12:33 UTC (permalink / raw)
  To: linux-media, mchehab, sean; +Cc: Oliver Neukum

The timer uses the URB. Free it only after the timer
has been stopped.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/rc/igorplugusb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index b46362da8623..1afba95409ff 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -223,9 +223,9 @@ static int igorplugusb_probe(struct usb_interface *intf,
 
 	return 0;
 fail:
-	rc_free_device(ir->rc);
-	usb_free_urb(ir->urb);
 	del_timer(&ir->timer);
+	usb_free_urb(ir->urb);
+	rc_free_device(ir->rc);
 	kfree(ir->buf_in);
 
 	return ret;
-- 
2.35.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [PATCH 2/3] igorplugusb: break cyclical race on disconnect
  2022-05-12 12:33 [PATCH 1/3] igorplugusb: prevent use after free in probe error Oliver Neukum
@ 2022-05-12 12:33 ` Oliver Neukum
  2022-05-12 12:33 ` [PATCH 3/3] igorplugusb: remove superfluous usb_unlink_urb() Oliver Neukum
  1 sibling, 0 replies; 3+ messages in thread
From: Oliver Neukum @ 2022-05-12 12:33 UTC (permalink / raw)
  To: linux-media, mchehab, sean; +Cc: Oliver Neukum

The driver uses a timer, that may submit the URB and
the URB may start the timer. No simple order of killing
can break te cycle. Poison the URB before killing
the timer.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/rc/igorplugusb.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index 1afba95409ff..b2245849f7aa 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -126,7 +126,7 @@ static void igorplugusb_cmd(struct igorplugusb *ir, int cmd)
 	ir->request.bRequest = cmd;
 	ir->urb->transfer_flags = 0;
 	ret = usb_submit_urb(ir->urb, GFP_ATOMIC);
-	if (ret)
+	if (ret && ret != -EPERM)
 		dev_err(ir->dev, "submit urb failed: %d", ret);
 }
 
@@ -223,7 +223,9 @@ static int igorplugusb_probe(struct usb_interface *intf,
 
 	return 0;
 fail:
+	usb_poison_urb(ir->urb);
 	del_timer(&ir->timer);
+	usb_unpoison_urb(ir->urb);
 	usb_free_urb(ir->urb);
 	rc_free_device(ir->rc);
 	kfree(ir->buf_in);
@@ -236,9 +238,10 @@ static void igorplugusb_disconnect(struct usb_interface *intf)
 	struct igorplugusb *ir = usb_get_intfdata(intf);
 
 	rc_unregister_device(ir->rc);
+	usb_poison_urb(ir->urb);
 	del_timer_sync(&ir->timer);
 	usb_set_intfdata(intf, NULL);
-	usb_kill_urb(ir->urb);
+	usb_unpoison_urb(ir->urb);
 	usb_free_urb(ir->urb);
 	kfree(ir->buf_in);
 }
-- 
2.35.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [PATCH 3/3] igorplugusb: remove superfluous usb_unlink_urb()
  2022-05-12 12:33 [PATCH 1/3] igorplugusb: prevent use after free in probe error Oliver Neukum
  2022-05-12 12:33 ` [PATCH 2/3] igorplugusb: break cyclical race on disconnect Oliver Neukum
@ 2022-05-12 12:33 ` Oliver Neukum
  1 sibling, 0 replies; 3+ messages in thread
From: Oliver Neukum @ 2022-05-12 12:33 UTC (permalink / raw)
  To: linux-media, mchehab, sean; +Cc: Oliver Neukum

Calling that on yourself while the completion handler
is running is a NOP. Remove it.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/rc/igorplugusb.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index b2245849f7aa..12ee5dd0a61a 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -110,7 +110,6 @@ static void igorplugusb_callback(struct urb *urb)
 	case -ECONNRESET:
 	case -ENOENT:
 	case -ESHUTDOWN:
-		usb_unlink_urb(urb);
 		return;
 	default:
 		dev_warn(ir->dev, "Error: urb status = %d\n", urb->status);
-- 
2.35.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-05-12 12:34 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-12 12:33 [PATCH 1/3] igorplugusb: prevent use after free in probe error Oliver Neukum
2022-05-12 12:33 ` [PATCH 2/3] igorplugusb: break cyclical race on disconnect Oliver Neukum
2022-05-12 12:33 ` [PATCH 3/3] igorplugusb: remove superfluous usb_unlink_urb() Oliver Neukum

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.