[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1586940080-70052-1-git-send-email-xiyuyang19@fudan.edu.cn>
Date: Wed, 15 Apr 2020 16:41:20 +0800
From: Xiyu Yang <xiyuyang19@...an.edu.cn>
To: Inaky Perez-Gonzalez <inaky.perez-gonzalez@...el.com>,
linux-wimax@...el.com, "David S. Miller" <davem@...emloft.net>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: yuanxzhang@...an.edu.cn, kjlu@....edu,
Xiyu Yang <xiyuyang19@...an.edu.cn>,
Xin Tan <tanxin.ctf@...il.com>
Subject: [PATCH] wimax/i2400m: Fix potential urb refcnt leak
i2400mu_bus_bm_wait_for_ack() invokes usb_get_urb(), which increases the
refcount of the "notif_urb".
When i2400mu_bus_bm_wait_for_ack() returns, local variable "notif_urb"
becomes invalid, so the refcount should be decreased to keep refcount
balanced.
The issue happens in all paths of i2400mu_bus_bm_wait_for_ack(), which
forget to decrease the refcnt increased by usb_get_urb(), causing a
refcnt leak.
Fix this issue by calling usb_put_urb() before the
i2400mu_bus_bm_wait_for_ack() returns.
Signed-off-by: Xiyu Yang <xiyuyang19@...an.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@...il.com>
---
drivers/net/wimax/i2400m/usb-fw.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wimax/i2400m/usb-fw.c b/drivers/net/wimax/i2400m/usb-fw.c
index 529ebca1e9e1..1f7709d24f35 100644
--- a/drivers/net/wimax/i2400m/usb-fw.c
+++ b/drivers/net/wimax/i2400m/usb-fw.c
@@ -354,6 +354,7 @@ ssize_t i2400mu_bus_bm_wait_for_ack(struct i2400m *i2400m,
usb_autopm_put_interface(i2400mu->usb_iface);
d_fnend(8, dev, "(i2400m %p ack %p size %zu) = %ld\n",
i2400m, ack, ack_size, (long) result);
+ usb_put_urb(¬if_urb);
return result;
error_exceeded:
--
2.7.4
Powered by blists - more mailing lists