From dd397dc9dddfa2149a1bbc9e52ac7d5630737cec Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Tue, 9 Dec 2008 15:14:37 +0100 Subject: p54usb: rewriting rx/tx routines to make use of usb_anchor's facilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Alan Stern found several flaws in p54usb's implementation and annotated: "usb_kill_urb() and similar routines do not expect an URB's completion routine to deallocate it.  This is almost obvious -- if the URB is deallocated before the completion routine returns then there's no way for usb_kill_urb to detect when the URB actually is complete." This patch addresses all known limitations in the old implementation and fixes khub's "use-after-freed" hang, when SLUB debug's poisoning option is enabled. Signed-off-by: Christian Lamparter Cc: stable@kernel.org Tested-by: Larry Finger Signed-off-by: John W. Linville --- drivers/net/wireless/p54/p54usb.h | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/net/wireless/p54/p54usb.h') diff --git a/drivers/net/wireless/p54/p54usb.h b/drivers/net/wireless/p54/p54usb.h index 5b8fe91379c3..54ee738bf2af 100644 --- a/drivers/net/wireless/p54/p54usb.h +++ b/drivers/net/wireless/p54/p54usb.h @@ -133,6 +133,7 @@ struct p54u_priv { spinlock_t lock; struct sk_buff_head rx_queue; + struct usb_anchor submitted; }; #endif /* P54USB_H */ -- cgit v1.2.3