diff options
author | Oliver Neukum <oneukum@suse.de> | 2014-03-26 09:32:51 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-03-27 14:59:10 -0400 |
commit | 14a0d635d18d0fb552dcc979d6d25106e6541f2e (patch) | |
tree | 2fa1bce86903a0f841ab662eb85de4445bbfe398 /include/linux/usb | |
parent | 681daee2443291419c57cccb0671f5f94a839005 (diff) |
usbnet: include wait queue head in device structure
This fixes a race which happens by freeing an object on the stack.
Quoting Julius:
> The issue is
> that it calls usbnet_terminate_urbs() before that, which temporarily
> installs a waitqueue in dev->wait in order to be able to wait on the
> tasklet to run and finish up some queues. The waiting itself looks
> okay, but the access to 'dev->wait' is totally unprotected and can
> race arbitrarily. I think in this case usbnet_bh() managed to succeed
> it's dev->wait check just before usbnet_terminate_urbs() sets it back
> to NULL. The latter then finishes and the waitqueue_t structure on its
> stack gets overwritten by other functions halfway through the
> wake_up() call in usbnet_bh().
The fix is to just not allocate the data structure on the stack.
As dev->wait is abused as a flag it also takes a runtime PM change
to fix this bug.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Reported-by: Grant Grundler <grundler@google.com>
Tested-by: Grant Grundler <grundler@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/usb')
-rw-r--r-- | include/linux/usb/usbnet.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h index e303eef94dd5..0662e98fef72 100644 --- a/include/linux/usb/usbnet.h +++ b/include/linux/usb/usbnet.h | |||
@@ -30,7 +30,7 @@ struct usbnet { | |||
30 | struct driver_info *driver_info; | 30 | struct driver_info *driver_info; |
31 | const char *driver_name; | 31 | const char *driver_name; |
32 | void *driver_priv; | 32 | void *driver_priv; |
33 | wait_queue_head_t *wait; | 33 | wait_queue_head_t wait; |
34 | struct mutex phy_mutex; | 34 | struct mutex phy_mutex; |
35 | unsigned char suspend_count; | 35 | unsigned char suspend_count; |
36 | unsigned char pkt_cnt, pkt_err; | 36 | unsigned char pkt_cnt, pkt_err; |