[PATCH] p54usb: fix usb_kill_urb hang with slub_debug=P

From: Christian Lamparter
Date: Fri Dec 05 2008 - 09:48:00 EST

Next message: Duane Griffin: "Checking link targets are NULL-terminated"
Previous message: Stephen Rothwell: "linux-next: no treee for 20081205"
Next in thread: Larry Finger: "Re: [PATCH] p54usb: fix usb_kill_urb hang with slub_debug=P"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This patch fixes a problem identified by Johannes Berg.

It looks like this is a classic case of "use-after-freed".
A module which should reproduce the problem on
any other USB device can be found right here:
http://kerneltrap.org/mailarchive/linux-usb/2008/12/4/4317064

Tested-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
Signed-off-by: Christian Lamparter <chunkeey@xxxxxx>
CC: stable@xxxxxxxxxxxxxxx
---
diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c
index 3444f52..0b9a922 100644
--- a/drivers/net/wireless/p54/p54usb.c
+++ b/drivers/net/wireless/p54/p54usb.c
@@ -209,7 +209,14 @@ static void p54u_free_urbs(struct ieee80211_hw *dev)
if (!info->urb)
continue;

+ /*
+ * usb_get_urb and usb_free_urb are part of a temporary
+ * workaround. Otherwise we get a pretty bad freeze,
+ * if SLUB's poisoning debug option is enabled.
+ */
+ usb_get_urb(info->urb);
usb_kill_urb(info->urb);
+ usb_free_urb(info->urb);
kfree_skb(skb);
}
}

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Duane Griffin: "Checking link targets are NULL-terminated"
Previous message: Stephen Rothwell: "linux-next: no treee for 20081205"
Next in thread: Larry Finger: "Re: [PATCH] p54usb: fix usb_kill_urb hang with slub_debug=P"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]