diff options
| author | Douglas Anderson <[email protected]> | 2016-01-28 18:19:55 -0800 |
|---|---|---|
| committer | Felipe Balbi <[email protected]> | 2016-03-04 15:14:40 +0200 |
| commit | 16e80218816488f016418717d23c660abe073a67 (patch) | |
| tree | 74dd155a1274bbc7eace92a76e7907c19d7ffddd /drivers/fpga/fpga-mgr.c | |
| parent | 098c1ef8fe6bcdfed7905cea1debdd3a0ff9a16f (diff) | |
usb: dwc2: host: Avoid use of chan->qh after qh freed
When poking around with USB devices with slub_debug enabled, I found
another obvious use after free. Turns out that in dwc2_hc_n_intr() I
was in a state when the contents of chan->qh was filled with 0x6b,
indicating that chan->qh was freed but chan still had a reference to
it.
Let's make sure that whenever we free qh we also make sure we remove a
reference from its channel.
The bug fixed here doesn't appear to be new--I believe I just got lucky
and happened to see it while stress testing.
Acked-by: John Youn <[email protected]>
Signed-off-by: Douglas Anderson <[email protected]>
Reviewed-by: Kever Yang <[email protected]>
Tested-by: Heiko Stuebner <[email protected]>
Tested-by: Stefan Wahren <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
Diffstat (limited to 'drivers/fpga/fpga-mgr.c')
0 files changed, 0 insertions, 0 deletions