Ming Lei <tom.leiming@xxxxxxxxx> writes:
> On Sat, Jun 23, 2012 at 11:32 AM, Ming Lei <tom.leiming@xxxxxxxxx> wrote:
>> On Fri, Jun 22, 2012 at 5:11 PM, Bjørn Mork <bjorn@xxxxxxx> wrote:
>>
>>>
>>> Reported-by: Marius Bjørnstad Kotsbak <marius.kotsbak@xxxxxxxxx>
>>> Cc: <stable@xxxxxxxxxxxxxxx> # v3.4
>>> Signed-off-by: Bjørn Mork <bjorn@xxxxxxx>
>>> ---
>>> drivers/net/usb/qmi_wwan.c | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
>>> index 3767a12..b01960f 100644
>>> --- a/drivers/net/usb/qmi_wwan.c
>>> +++ b/drivers/net/usb/qmi_wwan.c
>>> @@ -197,6 +197,10 @@ err:
>>> static int qmi_wwan_cdc_wdm_manage_power(struct usb_interface *intf, int on)
>>> {
>>> struct usbnet *dev = usb_get_intfdata(intf);
>>> +
>>> + /* can be called while disconnecting */
>>> + if (!dev)
>>> + return 0;
>>> return qmi_wwan_manage_power(dev, on);
>>> }
>>
>
> Considered there isn't any protection between usbnet_disconnet and
> wdm_open/wdm_close, you patch still doesn't work on the race, see
> below:
>
> + if (!dev)
> + return 0;
>
> -> usbnet_disconnect() is triggered and completed here, so
> dev may point to a freed usbnet instance.
> return qmi_wwan_manage_power(dev, on);
usbnet_disconnect() cannot continue to the point where it frees the
netdev before wdm_open/wdm_close has completed, because it waits for
qmi_wwan_unbind which waits for wdm_disconnect. And wdm_disconnect
takes the both read and write mutexes.
So I do not think there is any race there.
Bjørn
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
