* [PATCH 1/3] igorplugusb: prevent use after free in probe error
@ 2022-05-12 12:33 Oliver Neukum
2022-05-12 12:33 ` [PATCH 2/3] igorplugusb: break cyclical race on disconnect Oliver Neukum
2022-05-12 12:33 ` [PATCH 3/3] igorplugusb: remove superfluous usb_unlink_urb() Oliver Neukum
0 siblings, 2 replies; 3+ messages in thread
From: Oliver Neukum @ 2022-05-12 12:33 UTC (permalink / raw)
To: linux-media, mchehab, sean; +Cc: Oliver Neukum
The timer uses the URB. Free it only after the timer
has been stopped.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/media/rc/igorplugusb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index b46362da8623..1afba95409ff 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -223,9 +223,9 @@ static int igorplugusb_probe(struct usb_interface *intf,
return 0;
fail:
- rc_free_device(ir->rc);
- usb_free_urb(ir->urb);
del_timer(&ir->timer);
+ usb_free_urb(ir->urb);
+ rc_free_device(ir->rc);
kfree(ir->buf_in);
return ret;
--
2.35.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/3] igorplugusb: break cyclical race on disconnect
2022-05-12 12:33 [PATCH 1/3] igorplugusb: prevent use after free in probe error Oliver Neukum
@ 2022-05-12 12:33 ` Oliver Neukum
2022-05-12 12:33 ` [PATCH 3/3] igorplugusb: remove superfluous usb_unlink_urb() Oliver Neukum
1 sibling, 0 replies; 3+ messages in thread
From: Oliver Neukum @ 2022-05-12 12:33 UTC (permalink / raw)
To: linux-media, mchehab, sean; +Cc: Oliver Neukum
The driver uses a timer, that may submit the URB and
the URB may start the timer. No simple order of killing
can break te cycle. Poison the URB before killing
the timer.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/media/rc/igorplugusb.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index 1afba95409ff..b2245849f7aa 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -126,7 +126,7 @@ static void igorplugusb_cmd(struct igorplugusb *ir, int cmd)
ir->request.bRequest = cmd;
ir->urb->transfer_flags = 0;
ret = usb_submit_urb(ir->urb, GFP_ATOMIC);
- if (ret)
+ if (ret && ret != -EPERM)
dev_err(ir->dev, "submit urb failed: %d", ret);
}
@@ -223,7 +223,9 @@ static int igorplugusb_probe(struct usb_interface *intf,
return 0;
fail:
+ usb_poison_urb(ir->urb);
del_timer(&ir->timer);
+ usb_unpoison_urb(ir->urb);
usb_free_urb(ir->urb);
rc_free_device(ir->rc);
kfree(ir->buf_in);
@@ -236,9 +238,10 @@ static void igorplugusb_disconnect(struct usb_interface *intf)
struct igorplugusb *ir = usb_get_intfdata(intf);
rc_unregister_device(ir->rc);
+ usb_poison_urb(ir->urb);
del_timer_sync(&ir->timer);
usb_set_intfdata(intf, NULL);
- usb_kill_urb(ir->urb);
+ usb_unpoison_urb(ir->urb);
usb_free_urb(ir->urb);
kfree(ir->buf_in);
}
--
2.35.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 3/3] igorplugusb: remove superfluous usb_unlink_urb()
2022-05-12 12:33 [PATCH 1/3] igorplugusb: prevent use after free in probe error Oliver Neukum
2022-05-12 12:33 ` [PATCH 2/3] igorplugusb: break cyclical race on disconnect Oliver Neukum
@ 2022-05-12 12:33 ` Oliver Neukum
1 sibling, 0 replies; 3+ messages in thread
From: Oliver Neukum @ 2022-05-12 12:33 UTC (permalink / raw)
To: linux-media, mchehab, sean; +Cc: Oliver Neukum
Calling that on yourself while the completion handler
is running is a NOP. Remove it.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/media/rc/igorplugusb.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index b2245849f7aa..12ee5dd0a61a 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -110,7 +110,6 @@ static void igorplugusb_callback(struct urb *urb)
case -ECONNRESET:
case -ENOENT:
case -ESHUTDOWN:
- usb_unlink_urb(urb);
return;
default:
dev_warn(ir->dev, "Error: urb status = %d\n", urb->status);
--
2.35.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-05-12 12:34 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-12 12:33 [PATCH 1/3] igorplugusb: prevent use after free in probe error Oliver Neukum
2022-05-12 12:33 ` [PATCH 2/3] igorplugusb: break cyclical race on disconnect Oliver Neukum
2022-05-12 12:33 ` [PATCH 3/3] igorplugusb: remove superfluous usb_unlink_urb() Oliver Neukum
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).