linux-wireless.vger.kernel.org archive mirror
From: Xinming Hu <huxinming820@gmail.com>
To: Linux Wireless <linux-wireless@vger.kernel.org>
Cc: Kalle Valo <kvalo@qca.qualcomm.com>,
	Brian Norris <briannorris@google.com>,
	Dmitry Torokhov <dtor@google.com>,
	rajatja@google.com, Zhiyuan Yang <yangzy@marvell.com>,
	Cathy Luo <cluo@marvell.com>, Xinming Hu <huxm@marvell.com>
Subject: [PATCH v2 2/6] mwifiex: usb: kill urb before free its memory
Date: Fri,  5 May 2017 12:08:16 +0000
Message-ID: <1493986100-24509-2-git-send-email-huxinming820@gmail.com>
In-Reply-To: <1493986100-24509-1-git-send-email-huxinming820@gmail.com>

From: Xinming Hu <huxm@marvell.com>

We have observed a host system hang when the device firmware crashes;
the stack trace shows it was a use-after-free case: a previously submitted
urb will be held in usbcore and given back to the device driver
when the device is disconnected, while the urb has been freed in the usb
device disconnect handler. This patch kills the held urb before
freeing its memory.

Signed-off-by: Xinming Hu <huxm@marvell.com>
---
v2: replace unnecessary sanity check with right handle of
    pending urb (Arend)
---
 drivers/net/wireless/marvell/mwifiex/usb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c
index 2f7705c..5a760ec 100644
--- a/drivers/net/wireless/marvell/mwifiex/usb.c
+++ b/drivers/net/wireless/marvell/mwifiex/usb.c
@@ -363,6 +363,7 @@ static void mwifiex_usb_free(struct usb_card_rec *card)
 	for (i = 0; i < MWIFIEX_TX_DATA_PORT; i++) {
 		port = &card->port[i];
 		for (j = 0; j < MWIFIEX_TX_DATA_URB; j++) {
+			usb_kill_urb(port->tx_data_list[j].urb);
 			usb_free_urb(port->tx_data_list[j].urb);
 			port->tx_data_list[j].urb = NULL;
 		}
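
Review bot: The added usb_kill_urb() call in the inner tx_data_list loop covers only the TX data URBs, while the commit message describes the use-after-free in terms of any previously submitted urb. The changelog should say whether the other URBs released in mwifiex_usb_free() (outside this hunk's context) are already killed before usb_free_urb(), or the same call should be added there. usb_kill_urb() waits for the completion handler to finish and may sleep, so a sentence confirming that every caller of mwifiex_usb_free() runs in process context with no spinlock held would also help. No NULL check is needed in front of the new call, since usb_kill_urb() returns early on a NULL urb.
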
-- 
1.9.1


Thread overview: 8+ messages
2017-05-05 12:08 [PATCH v2 1/6] mwifiex: use variable interface header length Xinming Hu
2017-05-05 12:08 ` Xinming Hu [this message]
2017-05-05 12:08 ` [PATCH v2 3/6] mwifiex: usb: transmit aggregation packets Xinming Hu
2017-05-05 12:08 ` [PATCH v2 4/6] mwifiex: usb: add timer to flush " Xinming Hu
2017-05-05 12:08 ` [PATCH v2 5/6] mwifiex: do not aggregate tcp ack in usb tx aggregation queue Xinming Hu
2017-05-18 14:33   ` Kalle Valo
2017-05-19  9:05     ` Xinming Hu
2017-05-05 12:08 ` [PATCH v2 6/6] mwifiex: check next packet length for usb tx aggregation Xinming Hu
