On 07.12.2013 02:28, Oliver Hartkopp wrote: > Alexey Khoroshilov <khoroshi...@ispras.ru> schrieb: >> There is spare code with obvious misprint in ems_usb_start_xmit(): >> usb_free_urb() should be used to deallocate urb instead of >> usb_unanchor_urb(). >> >> Found by Linux Driver Verification project (linuxtesting.org). >> >> Signed-off-by: Alexey Khoroshilov <khoroshi...@ispras.ru> >> --- >> drivers/net/can/usb/ems_usb.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/net/can/usb/ems_usb.c >> b/drivers/net/can/usb/ems_usb.c >> index 5f9a7ad9b964..beae1ec255f4 100644 >> --- a/drivers/net/can/usb/ems_usb.c >> +++ b/drivers/net/can/usb/ems_usb.c >> @@ -798,7 +798,7 @@ static netdev_tx_t ems_usb_start_xmit(struct >> sk_buff *skb, struct net_device *ne >> * allowed (MAX_TX_URBS). >> */ >> if (!context) { >> - usb_unanchor_urb(urb); >> + usb_free_urb(urb); >> usb_free_coherent(dev->udev, size, buf, urb->transfer_dma); >> > looks like you are introducing a new use after free problem here ... > You are right. usb_free_urb(urb) should be one line below.
I will resend the patch with one more similar fix in the driver. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/