git.fsl.cs.sunysb.edu Git - unionfs-2.6.39.y.git/commit

author	Oliver Neukum <oneukum@suse.de>
	Wed, 26 Mar 2014 13:32:51 +0000 (14:32 +0100)
committer	Jiri Slaby <jslaby@suse.cz>
	Fri, 18 Apr 2014 09:07:13 +0000 (11:07 +0200)
commit	0631987d442761501dc65c8ecb9a1267e0b2050d
tree	de2502b77c33892cc8edc2550a95b5bb98e11476	tree \| snapshot
parent	3552f3fcb4da06e0129eb4a66c31ad410ecbb9e4	commit \| diff

usbnet: include wait queue head in device structure

[ Upstream commit 14a0d635d18d0fb552dcc979d6d25106e6541f2e ]

This fixes a race which happens by freeing an object on the stack.
Quoting Julius:
> The issue is
> that it calls usbnet_terminate_urbs() before that, which temporarily
> installs a waitqueue in dev->wait in order to be able to wait on the
> tasklet to run and finish up some queues. The waiting itself looks
> okay, but the access to 'dev->wait' is totally unprotected and can
> race arbitrarily. I think in this case usbnet_bh() managed to succeed
> it's dev->wait check just before usbnet_terminate_urbs() sets it back
> to NULL. The latter then finishes and the waitqueue_t structure on its
> stack gets overwritten by other functions halfway through the
> wake_up() call in usbnet_bh().

The fix is to just not allocate the data structure on the stack.
As dev->wait is abused as a flag it also takes a runtime PM change
to fix this bug.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Reported-by: Grant Grundler <grundler@google.com>
Tested-by: Grant Grundler <grundler@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>

drivers/net/usb/usbnet.c		diff \| blob \| history
include/linux/usb/usbnet.h		diff \| blob \| history