    usbnet: include wait queue head in device structure · 0631987d
    Oliver Neukum authored
    [ Upstream commit 14a0d635 ]
    
    This fixes a race which happens by freeing an object on the stack.
    Quoting Julius:
    > The issue is
    > that it calls usbnet_terminate_urbs() before that, which temporarily
    > installs a waitqueue in dev->wait in order to be able to wait on the
    > tasklet to run and finish up some queues. The waiting itself looks
    > okay, but the access to 'dev->wait' is totally unprotected and can
    > race arbitrarily. I think in this case usbnet_bh() managed to succeed
    > its dev->wait check just before usbnet_terminate_urbs() sets it back
    > to NULL. The latter then finishes and the waitqueue_t structure on its
    > stack gets overwritten by other functions halfway through the
    > wake_up() call in usbnet_bh().
    
    The fix is to just not allocate the data structure on the stack.
    As dev->wait is abused as a flag it also takes a runtime PM change
    to fix this bug.
    Signed-off-by: Oliver Neukum <oneukum@suse.de>
    Reported-by: Grant Grundler <grundler@google.com>
    Tested-by: Grant Grundler <grundler@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
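The race above comes down to object lifetime: the wait queue head lived in usbnet_terminate_urbs()'s stack frame, while usbnet_bh() held a pointer to it and could still call wake_up() after that frame had been reused. The following is an added illustration, not code from the kernel or from this commit: a single-threaded userland C model that replays the exact interleaving from the quoted analysis in a deterministic order, once with the head on the (simulated) stack and once embedded in the device structure. All names (race_buggy, race_fixed, struct waiter, the magic value) are hypothetical; the real fix ties the "someone is waiting" flag to runtime PM, which is not modelled here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/*
 * Added illustration, not kernel code.  Each step of usbnet_bh() and
 * usbnet_terminate_urbs() is called by hand in the racy order described in
 * the commit message, so the outcome is reproducible.  Names are made up.
 */

#define WAITER_MAGIC 0x57414954u   /* marks a live waiter object ("WAIT") */

struct waiter {
    uint32_t magic;
    int woken;
};

/* Before the fix: the device only stores a pointer to the caller's stack
 * object, and "dev->wait != NULL" doubles as the "someone is waiting" flag. */
struct dev_buggy {
    struct waiter *wait;
};

/* After the fix: the waiter lives inside the device and outlives every
 * caller; an explicit flag replaces the pointer-as-flag test. */
struct dev_fixed {
    struct waiter wait;
    bool waiting;
};

/* A one-slot fake stack: every "call" reuses the same storage, just as a
 * real stack frame is reused by the next function once its owner returns. */
static union {
    struct waiter w;
    unsigned char bytes[sizeof(struct waiter)];
} stack_arena;

static struct waiter *stack_frame_alloc(void)
{
    stack_arena.w.magic = WAITER_MAGIC;
    stack_arena.w.woken = 0;
    return &stack_arena.w;
}

/* Whatever runs next overwrites the old frame with its own locals. */
static void unrelated_call_clobbers_stack(void)
{
    memset(stack_arena.bytes, 0xA5, sizeof(stack_arena.bytes));
}

/* Returns 0 on a valid wake-up, -1 if the target no longer looks like a
 * waiter (the kernel would instead corrupt or fault on the stale memory). */
static int wake_up(struct waiter *w)
{
    if (w->magic != WAITER_MAGIC)
        return -1;
    w->woken = 1;
    return 0;
}

/* The interleaving from the commit message, with the stack-allocated head. */
int race_buggy(void)
{
    struct dev_buggy dev = { .wait = NULL };

    /* usbnet_terminate_urbs(): install the stack object as wake target */
    dev.wait = stack_frame_alloc();

    /* usbnet_bh(): passes the dev->wait check and grabs the pointer... */
    struct waiter *bh_target = dev.wait;

    /* ...but usbnet_terminate_urbs() finishes first: clears dev->wait and
     * returns, so its frame now belongs to whoever is called next */
    dev.wait = NULL;
    unrelated_call_clobbers_stack();

    /* usbnet_bh() resumes and wakes a stale stack address */
    return wake_up(bh_target);
}

/* The same interleaving with the head embedded in the device structure. */
int race_fixed(void)
{
    struct dev_fixed dev = { .wait = { WAITER_MAGIC, 0 }, .waiting = false };

    /* usbnet_terminate_urbs(): raise the flag; the head itself never moves */
    dev.waiting = true;

    /* usbnet_bh(): sees the flag and takes the embedded head's address */
    struct waiter *bh_target = dev.waiting ? &dev.wait : NULL;

    /* usbnet_terminate_urbs() finishes and the stack is reused, as before */
    dev.waiting = false;
    unrelated_call_clobbers_stack();

    /* the target is inside dev, so the wake-up lands on live memory */
    return bh_target ? wake_up(bh_target) : 0;
}
```

race_buggy() returns -1 because the wake target's memory has been reused, which is the stack corruption the report describes; race_fixed() returns 0 even though the flag was already cleared, because the wait queue head's lifetime is now the device's rather than a single call's. The model deliberately leaves the flag itself unprotected: embedding the head removes the memory-safety bug, and the flag then only decides whether a wake-up is needed, not whether it is safe.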