| Message ID | 20210304152455.3685-6-penguin-kernel@I-love.SAKURA.ne.jp |
|---|---|
| State | New |
| Headers | show |
| Series | usb: usbip: serialize attach/detach operations | expand |
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index 3209b5ddd30c..326182bf062d 100644 --- a/drivers/usb/usbip/vhci_hcd.c +++ b/drivers/usb/usbip/vhci_hcd.c @@ -1072,12 +1072,6 @@ static void vhci_device_reset(struct usbip_device *ud) usb_put_dev(vdev->udev); vdev->udev = NULL; - - if (ud->tcp_socket) { - sockfd_put(ud->tcp_socket); - ud->tcp_socket = NULL; - ud->sockfd = -1; - } ud->status = VDEV_ST_NULL; spin_unlock_irqrestore(&ud->lock, flags);
Since ud->tcp_{tx,rx} depend on ud->tcp_socket != NULL whereas ud->tcp_socket and ud->tcp_{tx,rx} are assigned at the same time, it is never safe to reset ud->tcp_socket from vhci_device_reset() without calling kthread_stop_put() from vhci_shutdown_connection(). And actually, this assignment had been a dead code because any event which involves USBIP_EH_RESET also involves USBIP_EH_SHUTDOWN. Tested-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> --- drivers/usb/usbip/vhci_hcd.c | 6 ------ 1 file changed, 6 deletions(-)