+ usb-gadget-ether-prevent-oops-caused-by-error-interrupt.patch added to -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Fri, 21 Sep 2007 00:02:53 -0700

The patch titled
     usb-gadget-ether: Prevent oops caused by error interrupt race
has been added to the -mm tree.  Its filename is
     usb-gadget-ether-prevent-oops-caused-by-error-interrupt.patch

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: usb-gadget-ether: Prevent oops caused by error interrupt race
From: Benedikt Spranger <bene@xxxxxxxxxxxxx>

An USB error interrupt (e.g.  disconnect) nukes the pending requests for an
ethernet gadget device asynchronously.  This can race against
eth_start_xmit(), where we end up dereferencing the list head itself.

The nuke code is serialized against eth_start_xmit via dev->req_lock, but
we need to check the list for empty first instead of unconditionally
accessing dev->tx_reqs.next.

This is a long standing bug, which should be fixed in stable as well.

Signed-off-by: Benedikt Spranger <bene@xxxxxxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: David Brownell <david-b@xxxxxxxxxxx>
Cc: Greg KH <greg@xxxxxxxxx>
Cc: <stable@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 drivers/usb/gadget/ether.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff -puN drivers/usb/gadget/ether.c~usb-gadget-ether-prevent-oops-caused-by-error-interrupt drivers/usb/gadget/ether.c

--- a/drivers/usb/gadget/ether.c~usb-gadget-ether-prevent-oops-caused-by-error-interrupt
+++ a/drivers/usb/gadget/ether.c
@@ -1957,8 +1957,20 @@ static int eth_start_xmit (struct sk_buf
 	}
 
 	spin_lock_irqsave(&dev->req_lock, flags);
+	/*
+	 * dev->tx_reqs may be empty due to an error interrupt which
+	 * nuked all requests.
+	 */
+	if (list_empty(&dev->tx_reqs)) {
+		netif_stop_queue(net);
+		spin_unlock_irqrestore(&dev->req_lock, flags);
+		return 1;
+	}
+
 	req = container_of (dev->tx_reqs.next, struct usb_request, list);
 	list_del (&req->list);
+
+	/* last request in list: stop queue */
 	if (list_empty (&dev->tx_reqs))
 		netif_stop_queue (net);
 	spin_unlock_irqrestore(&dev->req_lock, flags);
_

Patches currently in -mm which might be from bene@xxxxxxxxxxxxx are

usb-gadget-ether-prevent-oops-caused-by-error-interrupt.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




