Hi:

The kaweth driver does not delete the TX URB in kaweth_close().
As a result the TX URB may still be active in the USB subsystem.
If kaweth_open() is called quickly afterwards, the networking
layer could submit another packet before the existing TX URB has
completed.

This will cause kaweth_start_xmit to clobber the memory of the
existing TX URB.

The fix is to kill the TX URB in kaweth_close().

Signed-off-by: Herbert Xu <[EMAIL PROTECTED]>

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
diff --git a/drivers/usb/net/kaweth.c b/drivers/usb/net/kaweth.c
--- a/drivers/usb/net/kaweth.c
+++ b/drivers/usb/net/kaweth.c
@@ -699,6 +699,7 @@ static int kaweth_close(struct net_devic
 
        usb_kill_urb(kaweth->irq_urb);
        usb_kill_urb(kaweth->rx_urb);
+       usb_kill_urb(kaweth->tx_urb);
 
        flush_scheduled_work();
 

Reply via email to