https://github.com/torvalds/linux
Revision 14a0d635d18d0fb552dcc979d6d25106e6541f2e authored by Oliver Neukum on 26 March 2014, 13:32:51 UTC, committed by David S. Miller on 27 March 2014, 18:59:10 UTC
This fixes a race which happens by freeing an object on the stack. Quoting Julius: > The issue is > that it calls usbnet_terminate_urbs() before that, which temporarily > installs a waitqueue in dev->wait in order to be able to wait on the > tasklet to run and finish up some queues. The waiting itself looks > okay, but the access to 'dev->wait' is totally unprotected and can > race arbitrarily. I think in this case usbnet_bh() managed to succeed > it's dev->wait check just before usbnet_terminate_urbs() sets it back > to NULL. The latter then finishes and the waitqueue_t structure on its > stack gets overwritten by other functions halfway through the > wake_up() call in usbnet_bh(). The fix is to just not allocate the data structure on the stack. As dev->wait is abused as a flag it also takes a runtime PM change to fix this bug. Signed-off-by: Oliver Neukum <oneukum@suse.de> Reported-by: Grant Grundler <grundler@google.com> Tested-by: Grant Grundler <grundler@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 681daee
Tip revision: 14a0d635d18d0fb552dcc979d6d25106e6541f2e authored by Oliver Neukum on 26 March 2014, 13:32:51 UTC
usbnet: include wait queue head in device structure
usbnet: include wait queue head in device structure
Tip revision: 14a0d63
| File | Mode | Size |
|---|---|---|
| partitions | ||
| Kconfig | -rw-r--r-- | 3.6 KB |
| Kconfig.iosched | -rw-r--r-- | 1.6 KB |
| Makefile | -rw-r--r-- | 844 bytes |
| blk-cgroup.c | -rw-r--r-- | 28.8 KB |
| blk-cgroup.h | -rw-r--r-- | 16.7 KB |
| blk-core.c | -rw-r--r-- | 87.8 KB |
| blk-exec.c | -rw-r--r-- | 3.4 KB |
| blk-flush.c | -rw-r--r-- | 15.1 KB |
| blk-integrity.c | -rw-r--r-- | 11.7 KB |
| blk-ioc.c | -rw-r--r-- | 10.2 KB |
| blk-iopoll.c | -rw-r--r-- | 5.9 KB |
| blk-lib.c | -rw-r--r-- | 7.3 KB |
| blk-map.c | -rw-r--r-- | 8.3 KB |
| blk-merge.c | -rw-r--r-- | 14.1 KB |
| blk-mq-cpu.c | -rw-r--r-- | 1.4 KB |
| blk-mq-cpumap.c | -rw-r--r-- | 2.3 KB |
| blk-mq-sysfs.c | -rw-r--r-- | 9.5 KB |
| blk-mq-tag.c | -rw-r--r-- | 4.7 KB |
| blk-mq-tag.h | -rw-r--r-- | 894 bytes |
| blk-mq.c | -rw-r--r-- | 32.4 KB |
| blk-mq.h | -rw-r--r-- | 1.4 KB |
| blk-settings.c | -rw-r--r-- | 26.4 KB |
| blk-softirq.c | -rw-r--r-- | 4.4 KB |
| blk-sysfs.c | -rw-r--r-- | 16.1 KB |
| blk-tag.c | -rw-r--r-- | 9.8 KB |
| blk-throttle.c | -rw-r--r-- | 45.9 KB |
| blk-timeout.c | -rw-r--r-- | 5.1 KB |
| blk.h | -rw-r--r-- | 7.8 KB |
| bsg-lib.c | -rw-r--r-- | 6.0 KB |
| bsg.c | -rw-r--r-- | 23.6 KB |
| cfq-iosched.c | -rw-r--r-- | 119.8 KB |
| cmdline-parser.c | -rw-r--r-- | 4.9 KB |
| compat_ioctl.c | -rw-r--r-- | 20.8 KB |
| deadline-iosched.c | -rw-r--r-- | 11.3 KB |
| elevator.c | -rw-r--r-- | 24.1 KB |
| genhd.c | -rw-r--r-- | 44.1 KB |
| ioctl.c | -rw-r--r-- | 10.7 KB |
| noop-iosched.c | -rw-r--r-- | 2.7 KB |
| partition-generic.c | -rw-r--r-- | 14.0 KB |
| scsi_ioctl.c | -rw-r--r-- | 19.2 KB |
Computing file changes ...
