mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-11-27 01:11:31 +00:00
14a0d635d1
This fixes a race which happens by freeing an object on the stack. Quoting Julius: > The issue is > that it calls usbnet_terminate_urbs() before that, which temporarily > installs a waitqueue in dev->wait in order to be able to wait on the > tasklet to run and finish up some queues. The waiting itself looks > okay, but the access to 'dev->wait' is totally unprotected and can > race arbitrarily. I think in this case usbnet_bh() managed to succeed > it's dev->wait check just before usbnet_terminate_urbs() sets it back > to NULL. The latter then finishes and the waitqueue_t structure on its > stack gets overwritten by other functions halfway through the > wake_up() call in usbnet_bh(). The fix is to just not allocate the data structure on the stack. As dev->wait is abused as a flag it also takes a runtime PM change to fix this bug. Signed-off-by: Oliver Neukum <oneukum@suse.de> Reported-by: Grant Grundler <grundler@google.com> Tested-by: Grant Grundler <grundler@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| asix.h | ||
| asix_common.c | ||
| asix_devices.c | ||
| ax88172a.c | ||
| ax88179_178a.c | ||
| catc.c | ||
| cdc-phonet.c | ||
| cdc_eem.c | ||
| cdc_ether.c | ||
| cdc_mbim.c | ||
| cdc_ncm.c | ||
| cdc_subset.c | ||
| cx82310_eth.c | ||
| dm9601.c | ||
| gl620a.c | ||
| hso.c | ||
| huawei_cdc_ncm.c | ||
| int51x1.c | ||
| ipheth.c | ||
| kalmia.c | ||
| kaweth.c | ||
| Kconfig | ||
| lg-vl600.c | ||
| Makefile | ||
| mcs7830.c | ||
| net1080.c | ||
| pegasus.c | ||
| pegasus.h | ||
| plusb.c | ||
| qmi_wwan.c | ||
| r8152.c | ||
| rndis_host.c | ||
| rtl8150.c | ||
| sierra_net.c | ||
| smsc75xx.c | ||
| smsc75xx.h | ||
| smsc95xx.c | ||
| smsc95xx.h | ||
| sr9700.c | ||
| sr9700.h | ||
| sr9800.c | ||
| sr9800.h | ||
| usbnet.c | ||
| zaurus.c | ||