usbnet: fix skb traversing races during unlink(v2)
author Ming Lei <tom.leiming@gmail.com>
Thu, 26 Apr 2012 03:33:46 +0000 (11:33 +0800)
committer Simone Willett <swillett@nvidia.com>
Wed, 5 Sep 2012 00:10:35 +0000 (17:10 -0700)
commit 6f61e5baa83ef8c75746eabe90be0588f6d86b37
tree 78836aac6ca1b5317fa8789aa45e300afa4f0246
parent 49553e9c6dd0ef9dac304adc69c676b0b000d31f
usbnet: fix skb traversing races during unlink(v2)

Commit 4231d47e6fe69f061f96c98c30eaf9fb4c14b96d (net/usbnet: avoid
recursive locking in usbnet_stop()) fixes the recursive locking
problem by releasing the skb queue lock before unlink, but may
cause skb traversing races:
- after the URB is unlinked and the queue lock is released,
the referred skb and skb->next may be moved to the done queue,
or even be released
- in skb_queue_walk_safe, the next skb is still obtained
from the next pointer of the last skb
- so it may trigger an oops or other problems

This patch extends the usage of entry->state to describe a 'start_unlink'
state, so the queue (rx/tx) lock is always held when changing the state if
the referred skb is in the rx or tx queue, because we need to know whether
the referred urb has started unlinking in unlink_urbs.

The other part of this patch is based on Huajun's patch:
always traverse from the head of the tx/rx queue to get the skb which is
to be unlinked but has not yet started unlinking.

Signed-off-by: Huajun Li <huajun.li.lee@gmail.com>
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Cc: Oliver Neukum <oneukum@suse.de>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 5b6e9bcdeb65634b4ad604eb4536404bbfc62cfa)

Bug 1040642

Change-Id: I1a8c248016529bebf71d540738ad4726cf3f59b7
Signed-off-by: Steve Lin <stlin@nvidia.com>
Reviewed-on: http://git-master/r/128693
GVS: Gerrit_Virtual_Submit
drivers/net/usb/usbnet.c
include/linux/usb/usbnet.h
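The locking pattern the commit message describes, as an added toy model written for this page (it is not code from drivers/net/usb/usbnet.c and does not use the kernel's skb or URB types): the unlinker changes an entry's state to "unlink started" only while holding the queue lock, drops the lock for the unlink itself, and then restarts every walk from the head instead of reusing a next pointer it cached before the unlock. The `struct entry`, `struct queue`, the `locked` flag that stands in for the spinlock, and `complete_entry()` as a stand-in for the URB completion callback are all assumptions of this model.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model written for this page, not code from drivers/net/usb/usbnet.c. */

enum entry_state { ENTRY_QUEUED, ENTRY_UNLINK_START, ENTRY_DONE };

struct entry { int id; enum entry_state state; struct entry *next; };
struct queue { struct entry *head; int locked; }; /* locked models the spinlock */

static void q_lock(struct queue *q)   { assert(!q->locked); q->locked = 1; }
static void q_unlock(struct queue *q) { assert(q->locked);  q->locked = 0; }

static void q_push(struct queue *q, struct entry *e)
{
    assert(q->locked);
    e->next = q->head;
    q->head = e;
}

static void q_remove(struct queue *q, struct entry *e)
{
    assert(q->locked);
    for (struct entry **pp = &q->head; *pp; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; e->next = NULL; return; }
}

static int q_len(const struct queue *q)
{
    int n = 0;
    for (const struct entry *e = q->head; e; e = e->next) n++;
    return n;
}

/* Put n entries, all QUEUED, on the pending queue (constructed sample data). */
static void build(struct queue *pending, struct entry *ents, int n)
{
    q_lock(pending);
    for (int i = 0; i < n; i++) {
        ents[i].id = i;
        ents[i].state = ENTRY_QUEUED;
        q_push(pending, &ents[i]);
    }
    q_unlock(pending);
}

/* Mark one entry as already being unlinked, e.g. by a concurrent unlinker. */
static void mark_started(struct queue *pending, struct entry *e)
{
    q_lock(pending);
    e->state = ENTRY_UNLINK_START;
    q_unlock(pending);
}

/* Stand-in for the URB completion callback. It takes the lock itself and
 * moves the entry to the done queue (the real driver may also free it), so
 * a next pointer cached by the unlinker across its unlock would be stale. */
static void complete_entry(struct queue *pending, struct queue *done, struct entry *e)
{
    q_lock(pending);
    q_remove(pending, e);
    q_unlock(pending);
    q_lock(done);
    e->state = ENTRY_DONE;
    q_push(done, e);
    q_unlock(done);
}

/* Unlink every QUEUED entry; returns how many unlinks were started.
 * Entries already in UNLINK_START are skipped, which is what the flag is for. */
static int unlink_all(struct queue *pending, struct queue *done)
{
    int started = 0;
    for (;;) {
        struct entry *e;
        q_lock(pending);
        for (e = pending->head; e; e = e->next)   /* fresh walk from the head */
            if (e->state == ENTRY_QUEUED)
                break;
        if (!e) {
            q_unlock(pending);
            return started;
        }
        e->state = ENTRY_UNLINK_START;            /* state change only under lock */
        q_unlock(pending);
        /* The unlink call itself would go here with the queue lock dropped;
         * in this model the completion runs at once and wins the race. */
        complete_entry(pending, done, e);
        started++;
    }
}

int main(void)
{
    struct entry ents[5];
    struct queue pending = { NULL, 0 }, done = { NULL, 0 };
    build(&pending, ents, 5);
    mark_started(&pending, &ents[2]);
    int started = unlink_all(&pending, &done);
    printf("started %d unlinks; pending %d, done %d\n",
           started, q_len(&pending), q_len(&done));
    return 0;
}
```

With five queued entries and one pre-marked as already unlinking, the pass starts four unlinks, skips the pre-marked entry, and never dereferences a pointer that the completion callback could have moved or freed, because each iteration re-reads the list from the head under the lock.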