diff options
| author | Oliver Neukum <oliver@neukum.org> | 2009-07-08 19:09:23 +0200 | 
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-07-12 15:16:40 -0700 | 
| commit | 516a1a07f0219d6672fb6b8e49fb9d5d533c2e89 (patch) | |
| tree | 538650864da3032195afa77ea808d11ae78e7c4e /net/unix/sysctl_net_unix.c | |
| parent | 7bae0a070db4bc2761dd9515f450cdfa3f3f248c (diff) | |
USB: fix race leading to a write after kfree in usbfs
this fixes a race between async_completed() and proc_reapurbnonblock().
CPU A                   CPU B
spin_lock(&ps->lock);
list_move_tail(&as->asynclist, &ps->async_completed);
spin_unlock(&ps->lock);
                                if (!(as = async_getcompleted(ps)))
                                        return -EAGAIN;
                                return processcompl(as, (void __user * __user *)arg);
processcompl() calls free_async() which calls kfree(as)
as->status = urb->status;
if (as->signr) {
        sinfo.si_signo = as->signr;
        sinfo.si_errno = as->status;
        sinfo.si_code = SI_ASYNCIO;
        sinfo.si_addr = as->userurb;
        kill_pid_info_as_uid(as->signr, &sinfo, as->pid, as->uid,
                              as->euid, as->secid);
}
snoop(&urb->dev->dev, "urb complete\n");
snoop_urb(urb, as->userurb);
write after kfree
Signed-off-by: Oliver Neukum <oliver@neukum.org>
Diffstat (limited to 'net/unix/sysctl_net_unix.c')
0 files changed, 0 insertions, 0 deletions
