Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Linux: Kernel

[PATCH net-next,1/1] hyperv: Move wait completion msg code into rndis_filter_halt_device()

  

 
Linux kernel RSS feed   Index | Next | Previous | View Threaded


haiyangz at microsoft

Aug 3, 2012, 12:20 PM

Post #1 of 3 (66 views)
Permalink
[PATCH net-next,1/1] hyperv: Move wait completion msg code into rndis_filter_halt_device()
We need to wait for send_completion msg before put_rndis_request() at
the end of rndis_filter_halt_device(). Otherwise, netvsc_send_completion()
may reference freed memory which is overwritten, and cause panic.

Reported-by: Long Li <longli [at] microsoft>
Reported-by: Jason Wang <jasowang [at] redhat>
Signed-off-by: Haiyang Zhang <haiyangz [at] microsoft>
---
drivers/net/hyperv/netvsc.c | 7 -------
drivers/net/hyperv/rndis_filter.c | 11 +++++++++++
2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
index 6cee291..4a1a5f5 100644
--- a/drivers/net/hyperv/netvsc.c
+++ b/drivers/net/hyperv/netvsc.c
@@ -383,13 +383,6 @@ int netvsc_device_remove(struct hv_device *device)
unsigned long flags;

net_device = hv_get_drvdata(device);
- spin_lock_irqsave(&device->channel->inbound_lock, flags);
- net_device->destroy = true;
- spin_unlock_irqrestore(&device->channel->inbound_lock, flags);
-
- /* Wait for all send completions */
- wait_event(net_device->wait_drain,
- atomic_read(&net_device->num_outstanding_sends) == 0);

netvsc_disconnect_vsp(net_device);

diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
index e5d6146..1e88a10 100644
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -718,6 +718,9 @@ static void rndis_filter_halt_device(struct rndis_device *dev)
{
struct rndis_request *request;
struct rndis_halt_request *halt;
+ struct netvsc_device *nvdev = dev->net_dev;
+ struct hv_device *hdev = nvdev->dev;
+ ulong flags;

/* Attempt to do a rndis device halt */
request = get_rndis_request(dev, RNDIS_MSG_HALT,
@@ -735,6 +738,14 @@ static void rndis_filter_halt_device(struct rndis_device *dev)
dev->state = RNDIS_DEV_UNINITIALIZED;

cleanup:
+ spin_lock_irqsave(&hdev->channel->inbound_lock, flags);
+ nvdev->destroy = true;
+ spin_unlock_irqrestore(&hdev->channel->inbound_lock, flags);
+
+ /* Wait for all send completions */
+ wait_event(nvdev->wait_drain,
+ atomic_read(&nvdev->num_outstanding_sends) == 0);
+
if (request)
put_rndis_request(dev, request);
return;
--
1.7.4.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


davem at davemloft

Aug 3, 2012, 4:52 PM

Post #2 of 3 (60 views)
Permalink
Re: [PATCH net-next,1/1] hyperv: Move wait completion msg code into rndis_filter_halt_device() [In reply to]
From: Haiyang Zhang <haiyangz [at] microsoft>
Date: Fri, 3 Aug 2012 12:32:18 -0700

> We need to wait for send_completion msg before put_rndis_request() at
> the end of rndis_filter_halt_device(). Otherwise, netvsc_send_completion()
> may reference freed memory which is overwritten, and cause panic.
>
> Reported-by: Long Li <longli [at] microsoft>
> Reported-by: Jason Wang <jasowang [at] redhat>
> Signed-off-by: Haiyang Zhang <haiyangz [at] microsoft>

This is a bug fix, so applied to 'net'. Please target your patches
properly.

Don't just be afraid that I'll reject the patch if you target it
at 'net', and therefore just target everything at 'net-next'. That
is certainly worse.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


haiyangz at microsoft

Aug 5, 2012, 12:16 PM

Post #3 of 3 (58 views)
Permalink
RE: [PATCH net-next,1/1] hyperv: Move wait completion msg code into rndis_filter_halt_device() [In reply to]
> -----Original Message-----
> From: David Miller [mailto:davem [at] davemloft]
> Sent: Friday, August 03, 2012 7:52 PM
> To: Haiyang Zhang
> Cc: netdev [at] vger; KY Srinivasan; olaf [at] aepfle;
> jasowang [at] redhat; linux-kernel [at] vger;
> devel [at] linuxdriverproject
> Subject: Re: [PATCH net-next,1/1] hyperv: Move wait completion msg code
> into rndis_filter_halt_device()
>
> From: Haiyang Zhang <haiyangz [at] microsoft>
> Date: Fri, 3 Aug 2012 12:32:18 -0700
>
> > We need to wait for send_completion msg before put_rndis_request() at
> > the end of rndis_filter_halt_device(). Otherwise,
> > netvsc_send_completion() may reference freed memory which is
> overwritten, and cause panic.
> >
> > Reported-by: Long Li <longli [at] microsoft>
> > Reported-by: Jason Wang <jasowang [at] redhat>
> > Signed-off-by: Haiyang Zhang <haiyangz [at] microsoft>
>
> This is a bug fix, so applied to 'net'. Please target your patches properly.
>
> Don't just be afraid that I'll reject the patch if you target it at 'net', and
> therefore just target everything at 'net-next'. That is certainly worse.

I see.

Thanks,
- Haiyang

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Linux kernel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.