From patchwork Fri May 8 12:32:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 226267 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id ADA5BC47254 for ; Fri, 8 May 2020 12:42:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8F59924970 for ; Fri, 8 May 2020 12:42:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1588941776; bh=npQORT7k6BMBnV/iE7pXMc6qEQG52l4MhZvVTTh3GjI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=MZS224OwQ6vyRRvLuQyMk/ulK4lSc1l/XOMazB4bdwoinEfJAt0BU5RAAMmAVJIum 0qOjx/xMlwXDd/MaZypc8P6YZ86fnrCmpkpqe9jNQvF2jIZT4642BWPjbUubAW4UgR sHrZ60f+nX+H7ZLzk6jc93lFG+nlimuG/DK8TMVw= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728270AbgEHMmy (ORCPT ); Fri, 8 May 2020 08:42:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:40116 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728974AbgEHMmr (ORCPT ); Fri, 8 May 2020 08:42:47 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9B3FE2495F; Fri, 8 May 2020 12:42:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1588941766; bh=npQORT7k6BMBnV/iE7pXMc6qEQG52l4MhZvVTTh3GjI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WLmZWhuAMrButpr3zZrByVNqlGS6D2gpRZ2lc6AjuU6fcVWYcW2rRANgWpgNpC+lW OueJznmLxkXTzEcW56tymNmSe4+nrFKQcxveYjHAMyBwur38LGS8e0ME2vCiTMQwH6 dWaZF6by4CHk9qYj/IP58TFtvUvrZTGH8uOE8lUM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Xiyu Yang , Xin Tan , "David S. Miller" , Sasha Levin Subject: [PATCH 4.4 163/312] wimax/i2400m: Fix potential urb refcnt leak Date: Fri, 8 May 2020 14:32:34 +0200 Message-Id: <20200508123135.919151248@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200508123124.574959822@linuxfoundation.org> References: <20200508123124.574959822@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Xiyu Yang [ Upstream commit 7717cbec172c3554d470023b4020d5781961187e ] i2400mu_bus_bm_wait_for_ack() invokes usb_get_urb(), which increases the refcount of the "notif_urb". When i2400mu_bus_bm_wait_for_ack() returns, local variable "notif_urb" becomes invalid, so the refcount should be decreased to keep refcount balanced. The issue happens in all paths of i2400mu_bus_bm_wait_for_ack(), which forget to decrease the refcnt increased by usb_get_urb(), causing a refcnt leak. Fix this issue by calling usb_put_urb() before the i2400mu_bus_bm_wait_for_ack() returns. Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/wimax/i2400m/usb-fw.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wimax/i2400m/usb-fw.c b/drivers/net/wimax/i2400m/usb-fw.c index e74664b84925e..4e4167976acf6 100644 --- a/drivers/net/wimax/i2400m/usb-fw.c +++ b/drivers/net/wimax/i2400m/usb-fw.c @@ -354,6 +354,7 @@ ssize_t i2400mu_bus_bm_wait_for_ack(struct i2400m *i2400m, usb_autopm_put_interface(i2400mu->usb_iface); d_fnend(8, dev, "(i2400m %p ack %p size %zu) = %ld\n", i2400m, ack, ack_size, (long) result); + usb_put_urb(¬if_urb); return result; error_exceeded: