[PATCH 4.9 06/18] wimax/i2400m: Fix potential urb refcnt leak

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Xiyu Yang <xiyuyang19@fudan.edu.cn>,
	Xin Tan <tanxin.ctf@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 06/18] wimax/i2400m: Fix potential urb refcnt leak
Date: Fri,  8 May 2020 14:35:09 +0200	[thread overview]
Message-ID: <20200508123032.466947258@linuxfoundation.org> (raw)
In-Reply-To: <20200508123030.497793118@linuxfoundation.org>

From: Xiyu Yang <xiyuyang19@fudan.edu.cn>

[ Upstream commit 7717cbec172c3554d470023b4020d5781961187e ]

i2400mu_bus_bm_wait_for_ack() invokes usb_get_urb(), which increases the
refcount of the "notif_urb".

When i2400mu_bus_bm_wait_for_ack() returns, local variable "notif_urb"
becomes invalid, so the refcount should be decreased to keep refcount
balanced.

The issue happens in all paths of i2400mu_bus_bm_wait_for_ack(), which
forget to decrease the refcnt increased by usb_get_urb(), causing a
refcnt leak.

Fix this issue by calling usb_put_urb() before the
i2400mu_bus_bm_wait_for_ack() returns.

Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wimax/i2400m/usb-fw.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wimax/i2400m/usb-fw.c b/drivers/net/wimax/i2400m/usb-fw.c
index e74664b84925e..4e4167976acf6 100644
--- a/drivers/net/wimax/i2400m/usb-fw.c
+++ b/drivers/net/wimax/i2400m/usb-fw.c
@@ -354,6 +354,7 @@ ssize_t i2400mu_bus_bm_wait_for_ack(struct i2400m *i2400m,
 		usb_autopm_put_interface(i2400mu->usb_iface);
 	d_fnend(8, dev, "(i2400m %p ack %p size %zu) = %ld\n",
 		i2400m, ack, ack_size, (long) result);
+	usb_put_urb(&notif_urb);
 	return result;
 
 error_exceeded:
-- 
2.20.1

next prev parent reply	other threads:[~2020-05-08 13:03 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-08 12:35 [PATCH 4.9 00/18] 4.9.223-rc1 review Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 01/18] vhost: vsock: kick send_pkt worker once device is started Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 02/18] powerpc/pci/of: Parse unassigned resources Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 03/18] iio:ad7797: Use correct attribute_group Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 04/18] selftests/ipc: Fix test failure seen after initial test run Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 05/18] ASoC: sgtl5000: Fix VAG power-on handling Greg Kroah-Hartman
2020-05-08 12:35 ` Greg Kroah-Hartman [this message]
2020-05-08 12:35 ` [PATCH 4.9 07/18] net: stmmac: Fix sub-second increment Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 08/18] cifs: protect updating server->dstaddr with a spinlock Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 09/18] scripts/config: allow colons in option strings for sed Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 10/18] net: dsa: b53: Rework ARL bin logic Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 11/18] lib/mpi: Fix building for powerpc with clang Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 12/18] net: bcmgenet: suppress warnings on failed Rx SKB allocations Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 13/18] net: systemport: " Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 14/18] xprtrdma: Fix backchannel allocation of extra rpcrdma_reps Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 15/18] MIPS: perf: Remove incorrect odd/even counter handling for I6400 Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 16/18] sctp: Fix SHUTDOWN CTSN Ack in the peer restart case Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 17/18] ALSA: hda: Match both PCI ID and SSID for driver blacklist Greg Kroah-Hartman
2020-05-08 12:35 ` [PATCH 4.9 18/18] mac80211: add ieee80211_is_any_nullfunc() Greg Kroah-Hartman
2020-05-08 21:33 ` [PATCH 4.9 00/18] 4.9.223-rc1 review Guenter Roeck
2020-05-09  9:22 ` Naresh Kamboju
2020-05-11 17:13 ` shuah

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e74664b84925 dfblob:4e4167976acf )
 OR (
bs:"[PATCH 4.9 06/18] wimax/i2400m: Fix potential urb refcnt leak" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200508123032.466947258@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=tanxin.ctf@gmail.com \
    --cc=xiyuyang19@fudan.edu.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.