Hi: The kaweth driver does not delete the TX URB in kaweth_close(). As a result the TX URB may still be active in the USB subsystem. If kaweth_open() is called quickly afterwards, the networking layer could submit another packet before the existing TX URB has completed.
This will cause kaweth_start_xmit to clobber the memory of the existing TX URB. The fix is to kill the TX URB in kaweth_close(). Signed-off-by: Herbert Xu <[EMAIL PROTECTED]> Cheers, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
diff --git a/drivers/usb/net/kaweth.c b/drivers/usb/net/kaweth.c --- a/drivers/usb/net/kaweth.c +++ b/drivers/usb/net/kaweth.c @@ -699,6 +699,7 @@ static int kaweth_close(struct net_devic usb_kill_urb(kaweth->irq_urb); usb_kill_urb(kaweth->rx_urb); + usb_kill_urb(kaweth->tx_urb); flush_scheduled_work();