diff options
| author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2010-01-18 22:36:49 +0100 | 
|---|---|---|
| committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2010-02-01 21:51:28 +0100 | 
| commit | 110f82d7a2e0ff5a17617a9672f1ccb7e44bc0c6 (patch) | |
| tree | 64387d5a82eccf8156b746a2c42c2e81e9d34b91 /kernel/workqueue.c | |
| parent | abe94c756c08d50566c09a65b9c7fe72f83071c5 (diff) | |
firewire: net: fix panic in fwnet_write_complete
In the transmit path of firewire-net (IPv4 over 1394), the following
race condition may occur:
  - The networking soft IRQ inserts a datagram into the 1394 async
    request transmit DMA.
  - The 1394 async transmit completion tasklet runs to finish cleaning
    up (unlink datagram from list of pending ones, release skb and
    outbound 1394 transaction object) --- before the networking soft IRQ
    had a chance to proceed and add the datagram to the list of pending
    datagrams.
This caused a panic in the 1394 async transmit completion tasklet when
it dereferenced unitialized list heads:
http://bugzilla.kernel.org/show_bug.cgi?id=15077
The fix is to add checks in the tx soft IRQ and in the tasklet to
determine which of these two is the last referrer to the transaction
object.  Then handle the cleanup of the object by the last referrer
rather than assuming that the tasklet is always the last one.
There is another similar race:  Between said tasklet and fwnet_close,
i.e. at ifdown.  However, that race is much less likely to occur in
practice and shall be fixed in a separate update.
Reported-by: Илья Басин <basinilya@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'kernel/workqueue.c')
0 files changed, 0 insertions, 0 deletions
