linux/drivers
Stefan Richter 110f82d7a2 firewire: net: fix panic in fwnet_write_complete
In the transmit path of firewire-net (IPv4 over 1394), the following
race condition may occur:
  - The networking soft IRQ inserts a datagram into the 1394 async
    request transmit DMA.
  - The 1394 async transmit completion tasklet runs to finish cleaning
    up (unlink datagram from list of pending ones, release skb and
    outbound 1394 transaction object) --- before the networking soft IRQ
    had a chance to proceed and add the datagram to the list of pending
    datagrams.

This caused a panic in the 1394 async transmit completion tasklet when
it dereferenced unitialized list heads:
http://bugzilla.kernel.org/show_bug.cgi?id=15077

The fix is to add checks in the tx soft IRQ and in the tasklet to
determine which of these two is the last referrer to the transaction
object.  Then handle the cleanup of the object by the last referrer
rather than assuming that the tasklet is always the last one.

There is another similar race:  Between said tasklet and fwnet_close,
i.e. at ifdown.  However, that race is much less likely to occur in
practice and shall be fixed in a separate update.

Reported-by: Илья Басин <basinilya@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-01 21:51:28 +01:00
..
accessibility
acpi Merge branch 'bugzilla-14954' into release 2010-01-20 01:26:22 -05:00
amba
ata libata: retry FS IOs even if it has failed with AC_ERR_INVALID 2010-01-20 14:25:11 -05:00
atm
auxdisplay
base Revert "sysdev: fix prototype for memory_sysdev_class show/store functions" 2010-01-20 15:02:13 -08:00
block drbd: Allow online resizing of DRBD devices while peer not reachable (needs to be explicitly forced) 2010-01-12 10:02:46 +01:00
bluetooth Bluetooth: Prevent ill-timed autosuspend in USB driver 2009-12-17 12:12:49 -08:00
cdrom
char tty: fix race in tty_fasync 2010-01-20 15:03:31 -08:00
clocksource cs5535: add a generic clock event MFGPT driver 2009-12-15 08:53:28 -08:00
connector
cpufreq Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu 2009-12-14 09:58:24 -08:00
cpuidle drivers/cpuidle/governors/menu.c: fix undefined reference to `__udivdi3' 2010-01-11 09:34:07 -08:00
crypto Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu 2009-12-14 09:58:24 -08:00
dca
dio
dma Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx 2009-12-30 13:46:29 -08:00
edac edac: i5000_edac critical fix panic out of bounds 2010-01-16 12:15:38 -08:00
eisa
firewire firewire: net: fix panic in fwnet_write_complete 2010-02-01 21:51:28 +01:00
firmware firmware: only allow EDD on x86 2009-12-15 08:53:34 -08:00
gpio gpio: adp5588-gpio: new driver for ADP5588 GPIO expanders 2010-01-11 09:34:07 -08:00
gpu drm/i915: Selectively enable self-reclaim 2010-01-27 09:26:43 -08:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2010-01-13 16:10:13 -08:00
hwmon hwmon: (fschmd) Fix a memleak on multiple opens of /dev/watchdog 2010-01-25 15:00:50 +01:00
i2c i2c: imx: call ioremap only after request_mem_region 2010-01-24 15:25:57 +00:00
ide
idle cpumask: convert drivers/idle/i7300_idle.c to cpumask_var_t 2009-12-17 11:43:25 +10:30
ieee1394 firewire, ieee1394: update Kconfig help 2009-12-29 19:58:17 +01:00
ieee802154
infiniband Fix failure exit in ipathfs 2010-01-26 22:22:27 -05:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2010-01-29 11:15:32 -08:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-01-12 20:53:29 -08:00
leds leds: leds-pwm: Set led_classdev max_brightness 2009-12-17 11:42:34 +00:00
lguest lguest: fix bug in setting guest GDT entry 2010-01-04 12:33:33 -08:00
macintosh powerpc/macintosh: Make Open Firmware device id constant 2010-01-15 13:26:04 +11:00
mca
md DM: Fix device mapper topology stacking 2010-01-11 14:29:20 +01:00
media Merge branch 'mantis' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6 2010-01-18 14:07:07 -08:00
memstick
message [SCSI] mptsas: Fix issue with chain pools allocation on katmai 2010-01-17 12:16:17 -06:00
mfd mfd: Fix asic3 build 2010-01-29 21:03:09 +01:00
misc Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2009-12-17 16:38:48 -08:00
mmc mfd: tmio_mmc hardware abstraction for CNF area 2010-01-18 12:30:27 +01:00
mtd Merge branch 'for-linus' of git://git.infradead.org/ubi-2.6 2010-01-28 12:57:50 -08:00
net virtio_net: Make delayed refill more reliable 2010-01-25 15:51:01 -08:00
nubus
of
oprofile Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu 2009-12-14 09:58:24 -08:00
parisc parisc: Fixup last users of irq_chip->typename 2009-12-16 03:48:56 +00:00
parport parport_pc.c: use correct length in strncmp 2009-12-16 07:20:12 -08:00
pci PCI: fix nested spinlock hang in aer_inject 2010-01-25 10:42:52 -08:00
pcmcia Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6 2009-12-30 13:13:24 -08:00
platform Merge branch 'misc' into release 2010-01-20 01:23:27 -05:00
pnp Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6 2009-12-16 12:33:19 -08:00
power pmu_battery: Fix battery full reporting 2009-12-18 03:51:29 +03:00
pps
ps3
rapidio
regulator regulator: wm831x_reg_read() failure unnoticed in wm831x_aldo_get_mode() 2009-12-17 10:27:30 +00:00
rtc rtc_cmos: convert shutdown to new pnp_driver->shutdown 2010-01-11 09:34:07 -08:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6 2010-01-27 09:54:08 -08:00
sbus bbc_envctrl: Clean up properly if kthread_run() fails. 2010-01-04 15:31:10 -08:00
scsi [SCSI] aic79xx: check for non-NULL scb in ahd_handle_nonpkt_busfree 2010-01-17 12:48:12 -06:00
serial fmvj18x_cs: add new id (Panasonic lan & modem card) 2010-01-23 01:08:52 -08:00
sfi
sh
sn ioc3/ioc4: fix error path on driver registration 2009-12-15 08:53:27 -08:00
spi Merge branch 'next-spi' of git://git.secretlab.ca/git/linux-2.6 2009-12-17 15:59:05 -08:00
ssb
staging Staging: hv: fix smp problems in the hyperv core code 2010-01-20 15:05:26 -08:00
tc
telephony
thermal Merge branch 'misc-2.6.33' into release 2009-12-16 14:22:32 -05:00
uio const: constify remaining dev_pm_ops 2009-12-15 08:53:25 -08:00
usb USB: isp1362: fix build failure on ARM systems via irq_flags cleanup 2010-01-20 15:24:36 -08:00
uwb
video revert "drivers/video/s3c-fb.c: fix clock setting for Samsung SoC Framebuffer" 2010-01-16 12:15:40 -08:00
virtio virtio: fix section mismatch warnings 2010-01-16 12:15:39 -08:00
vlynq
w1
watchdog [WATCHDOG] sbc_fitpc2_wdt: fix I/O space access technique. 2010-01-25 19:48:49 +00:00
xen xen: fix hang on suspend. 2010-01-13 10:01:35 +00:00
zorro
Kconfig firewire, ieee1394: update Kconfig help 2009-12-29 19:58:17 +01:00
Makefile