From patchwork Thu Nov 13 02:33:34 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mathy Vanhoef X-Patchwork-Id: 5293521 Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 1E8CE9F440 for ; Thu, 13 Nov 2014 02:33:53 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 3EE4B201EF for ; Thu, 13 Nov 2014 02:33:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 74CDF201C0 for ; Thu, 13 Nov 2014 02:33:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753534AbaKMCde (ORCPT ); Wed, 12 Nov 2014 21:33:34 -0500 Received: from mail-wg0-f45.google.com ([74.125.82.45]:57540 "EHLO mail-wg0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753298AbaKMCdd (ORCPT ); Wed, 12 Nov 2014 21:33:33 -0500 Received: by mail-wg0-f45.google.com with SMTP id x12so15918805wgg.18 for ; Wed, 12 Nov 2014 18:33:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=xMFRSEllWOuryszVcCj0L9bGyg83K7t3esfaSI5CNBc=; b=wnjmbIlOl40WMFKgCsUTyXgFsAVrDqlYdO9xTXKhkbIidZmeoSYDRkN6v4WmEbQv5O k7vJB47jKEi9I8aJXegnMUck+PtJr5pNPv2zTntimvtq0Tlmh61xv2qQ+kkG8jTRsIB/ kVpXybaxWNvIQQeu6A6IZhVNBg7Xcl67tPtmyGdgOTGpMzweCH3uUInCbg2hekp2YCIY cufwwSD1D0eBgv8QnBj1kjHGJa5dkRfFkWdoZ8mfYaGEyMUwqUOgNk17yRXM1OxnvHoy yod3npjvuUq+Ib8zQ6K7hec/WN4iYk7GWexBP0wWPKafcdDpuRe3MlKqQ+bc8dvp60Kc Gg9g== X-Received: by 10.194.80.100 with SMTP id q4mr69120775wjx.15.1415846012128; Wed, 12 Nov 2014 18:33:32 -0800 (PST) Received: from [192.168.80.131] ([188.189.93.76]) by mx.google.com with ESMTPSA id nd20sm23815279wic.11.2014.11.12.18.33.30 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Nov 2014 18:33:31 -0800 (PST) Message-ID: <5464187E.5060208@gmail.com> Date: Wed, 12 Nov 2014 21:33:34 -0500 From: Mathy Vanhoef User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Icedove/31.2.0 MIME-Version: 1.0 To: brudley@broadcom.com, arend@broadcom.com, frankyl@broadcom.com, meuleman@broadcom.com, John Linville , pieterpg@broadcom.com, linux-wireless@vger.kernel.org, brcm80211-dev-list@broadcom.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] brcmfmac: kill URB when request timed out Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Kill the submitted URB in brcmf_usb_dl_cmd if the request timed out. This assures the URB is never submitted twice. It also prevents a possible use-after-free of the URB transfer buffer if a timeout occurs. Signed-off-by: Mathy Vanhoef Acked-by: Arend van Spriel --- For a discussion about this patch and the underlying problem, see the mails with as subject "[PATCH] brcmfmac: unlink URB when request timed out". drivers/net/wireless/brcm80211/brcmfmac/usb.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/brcm80211/brcmfmac/usb.c index 5265aa7..4572def 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c @@ -738,10 +738,12 @@ static int brcmf_usb_dl_cmd(struct brcmf_usbdev_info *devinfo, u8 cmd, goto finalize; } - if (!brcmf_usb_ioctl_resp_wait(devinfo)) + if (!brcmf_usb_ioctl_resp_wait(devinfo)) { + usb_kill_urb(devinfo->ctl_urb); ret = -ETIMEDOUT; - else + } else { memcpy(buffer, tmpbuf, buflen); + } finalize: kfree(tmpbuf);