diff options
author | Stephane Grosjean <s.grosjean@peak-system.com> | 2019-07-05 15:32:16 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-08-16 10:13:50 +0200 |
commit | 27a4b8bbe931ef941705d34e3814b263be98b6e4 (patch) | |
tree | b8ea5bf0044e6d543a78f61936c57210f62518dc | |
parent | 709982a1422ce8d70f2d1967490bbf8f58c6577e (diff) | |
download | linux-stable-27a4b8bbe931ef941705d34e3814b263be98b6e4.tar.gz linux-stable-27a4b8bbe931ef941705d34e3814b263be98b6e4.tar.bz2 linux-stable-27a4b8bbe931ef941705d34e3814b263be98b6e4.zip |
can: peak_usb: fix potential double kfree_skb()
commit fee6a8923ae0d318a7f7950c6c6c28a96cea099b upstream.
When closing the CAN device while tx skbs are inflight, echo skb could
be released twice. By calling close_candev() before unlinking all
pending tx urbs, then the internal echo_skb[] array is fully and
correctly cleared before the USB write callback and, therefore,
can_get_echo_skb() are called, for each aborted URB.
Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/net/can/usb/peak_usb/pcan_usb_core.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c index 1ca76e03e965..d68c79f9a4b9 100644 --- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c +++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c @@ -594,16 +594,16 @@ static int peak_usb_ndo_stop(struct net_device *netdev) dev->state &= ~PCAN_USB_STATE_STARTED; netif_stop_queue(netdev); + close_candev(netdev); + + dev->can.state = CAN_STATE_STOPPED; + /* unlink all pending urbs and free used memory */ peak_usb_unlink_all_urbs(dev); if (dev->adapter->dev_stop) dev->adapter->dev_stop(dev); - close_candev(netdev); - - dev->can.state = CAN_STATE_STOPPED; - /* can set bus off now */ if (dev->adapter->dev_set_bus) { int err = dev->adapter->dev_set_bus(dev, 0); |