Message ID | 20160307.141100.1511700720120062677.davem@davemloft.net |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
On Mon, Mar 7, 2016 at 10:11 PM, David Miller <davem@davemloft.net> wrote:
> From: Linus Torvalds <torvalds@linux-foundation.org>
> Date: Mon, 7 Mar 2016 10:13:09 -0800
>
>> On Sat, Mar 5, 2016 at 11:53 AM, Bjørn Mork <bjorn@mork.no> wrote:
>>>
>>>
>>> Definitely. The patch is so obviously correct that we can only wonder how it was possible to miss it in the first place :)
>>>
>>> Will take a look to see if we could do a better job cleaning up in other places.
>>
>> What should I do for 4.5? Will there be a pull request for this, or
>> should I just commit my cdc_ncm_bind() patch directly?
>
> Yes I plan to send you a pull request today with Oliver's fix.
>
> Assuming this is what you guys are referring to:
>
> commit 1666984c8625b3db19a9abc298931d35ab7bc64b
> Author: Oliver Neukum <oneukum@suse.com>
> Date: Mon Mar 7 11:31:10 2016 +0100
>
> usbnet: cleanup after bind() in probe()
>
> In case bind() works, but a later error forces bailing
> in probe() in error cases work and a timer may be scheduled.
> They must be killed. This fixes an error case related to
> the double free reported in
> http://www.spinics.net/lists/netdev/msg367669.html
> and needs to go on top of Linus' fix to cdc-ncm.
>
> Signed-off-by: Oliver Neukum <ONeukum@suse.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>

Could you also add:
Reported-by: Andrey Konovalov <andreyknvl@gmail.com>
?

Thanks in advance.

> > diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c > index 0b0ba7e..1079812 100644 > --- a/drivers/net/usb/usbnet.c > +++ b/drivers/net/usb/usbnet.c
> @@ -1769,6 +1769,13 @@ out3: > if (info->unbind) > info->unbind (dev, udev); > out1: > + /* subdrivers must undo all they did in bind() if they > + * fail it, but we may fail later and a deferred kevent > + * may trigger an error resubmitting itself and, worse, > + * schedule a timer. So we kill it all just in case. > + */ > + cancel_work_sync(&dev->kevent); > + del_timer_sync(&dev->delay); > free_netdev(net); > out: > return status;
From: Andrey Konovalov <andreyknvl@gmail.com>
Date: Mon, 7 Mar 2016 22:50:41 +0300

> On Mon, Mar 7, 2016 at 10:11 PM, David Miller <davem@davemloft.net> wrote:
>> From: Linus Torvalds <torvalds@linux-foundation.org>
>> Date: Mon, 7 Mar 2016 10:13:09 -0800
>>
>>> On Sat, Mar 5, 2016 at 11:53 AM, Bjørn Mork <bjorn@mork.no> wrote:
>>>>
>>>>
>>>> Definitely. The patch is so obviously correct that we can only wonder how it was possible to miss it in the first place :)
>>>>
>>>> Will take a look to see if we could do a better job cleaning up in other places.
>>>
>>> What should I do for 4.5? Will there be a pull request for this, or
>>> should I just commit my cdc_ncm_bind() patch directly?
>>
>> Yes I plan to send you a pull request today with Oliver's fix.
>>
>> Assuming this is what you guys are referring to:
>>
>> commit 1666984c8625b3db19a9abc298931d35ab7bc64b
>> Author: Oliver Neukum <oneukum@suse.com>
>> Date: Mon Mar 7 11:31:10 2016 +0100
>>
>> usbnet: cleanup after bind() in probe()
>>
>> In case bind() works, but a later error forces bailing
>> in probe() in error cases work and a timer may be scheduled.
>> They must be killed. This fixes an error case related to
>> the double free reported in
>> http://www.spinics.net/lists/netdev/msg367669.html
>> and needs to go on top of Linus' fix to cdc-ncm.
>>
>> Signed-off-by: Oliver Neukum <ONeukum@suse.com>
>> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> Could you also add:
> Reported-by: Andrey Konovalov <andreyknvl@gmail.com>
> ?

Sorry it's already committed to my tree and I can't redo the commit
message once that happens since my tree has static history.
On Mon, 2016-03-07 at 22:50 +0300, Andrey Konovalov wrote:
> Could you also add:
> Reported-by: Andrey Konovalov <andreyknvl@gmail.com>

Well, the exact bug you reported is fixed in Bjorn's
patch the way Linus suggested. I'm fixing just a further
race that would require an error condition on top
of what you have seen.
So I don't think your Reported-by would be totally
appropriate.

Regards
Oliver
On Tue, Mar 8, 2016 at 12:39 AM, Oliver Neukum <oneukum@suse.com> wrote:
> On Mon, 2016-03-07 at 22:50 +0300, Andrey Konovalov wrote:
>> Could you also add:
>> Reported-by: Andrey Konovalov <andreyknvl@gmail.com>
>
> Well, the exact bug you reported is fixed in Bjorn's
> patch the way Linus suggested. I'm fixing just a further
> race that would require an error condition on top
> of what you have seen.
> So I don't think your Reported-by would be totally
> appropriate.

Oh, OK, Sorry.
I thought this was a part of the same fix.

>
> Regards
> Oliver
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index 0b0ba7e..1079812 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1769,6 +1769,13 @@ out3: if (info->unbind) info->unbind (dev, udev); out1: + /* subdrivers must undo all they did in bind() if they + * fail it, but we may fail later and a deferred kevent + * may trigger an error resubmitting itself and, worse, + * schedule a timer. So we kill it all just in case. + */ + cancel_work_sync(&dev->kevent); + del_timer_sync(&dev->delay); free_netdev(net); out: return status;
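Review bot: at out1, cancel_work_sync(&dev->kevent) runs before del_timer_sync(&dev->delay), which is only safe if the dev->delay handler can never queue dev->kevent again; otherwise the work could be requeued between the two calls and still be pending when free_netdev(net) runs. The new comment says the kevent may schedule the timer but is silent on the reverse direction, so either state that guarantee in the comment or cancel the work a second time after the timer has been stopped. out1 is also a separate label, reached by fall-through from out3 and presumably by direct jumps when bind() itself fails, so it is worth confirming (and saying in the comment) that dev->kevent and dev->delay are already initialised on every path that lands here, since both calls operate on them unconditionally.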