linux-kernel.vger.kernel.org archive mirror
* [PATCH net-next,1/1] hyperv: Move wait completion msg code into rndis_filter_halt_device()
@ 2012-08-03 19:32 Haiyang Zhang
  2012-08-03 23:52 ` David Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Haiyang Zhang @ 2012-08-03 19:32 UTC (permalink / raw)
  To: davem, netdev; +Cc: haiyangz, kys, olaf, jasowang, linux-kernel, devel

We need to wait for send_completion msg before put_rndis_request() at
the end of rndis_filter_halt_device(). Otherwise, netvsc_send_completion()
may reference freed memory which is overwritten, and cause panic.

Reported-by: Long Li <longli@microsoft.com>
Reported-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
---
 drivers/net/hyperv/netvsc.c       |    7 -------
 drivers/net/hyperv/rndis_filter.c |   11 +++++++++++
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
index 6cee291..4a1a5f5 100644
--- a/drivers/net/hyperv/netvsc.c
+++ b/drivers/net/hyperv/netvsc.c
@@ -383,13 +383,6 @@ int netvsc_device_remove(struct hv_device *device)
 	unsigned long flags;
 
 	net_device = hv_get_drvdata(device);
-	spin_lock_irqsave(&device->channel->inbound_lock, flags);
-	net_device->destroy = true;
-	spin_unlock_irqrestore(&device->channel->inbound_lock, flags);
-
-	/* Wait for all send completions */
-	wait_event(net_device->wait_drain,
-		   atomic_read(&net_device->num_outstanding_sends) == 0);
 
 	netvsc_disconnect_vsp(net_device);
 
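Review bot: With the destroy flag and the wait_event() drain removed from netvsc_device_remove(), the call to netvsc_disconnect_vsp() is no longer preceded by anything in this function that guarantees num_outstanding_sends has reached zero, so it now silently depends on rndis_filter_halt_device() having run first. Add a comment above netvsc_disconnect_vsp(net_device) stating that precondition, and confirm every path into this function goes through the halt. Also check whether `unsigned long flags` is still used further down; if it is not, drop the declaration.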
diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
index e5d6146..1e88a10 100644
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -718,6 +718,9 @@ static void rndis_filter_halt_device(struct rndis_device *dev)
 {
 	struct rndis_request *request;
 	struct rndis_halt_request *halt;
+	struct netvsc_device *nvdev = dev->net_dev;
+	struct hv_device *hdev = nvdev->dev;
+	ulong flags;
 
 	/* Attempt to do a rndis device halt */
 	request = get_rndis_request(dev, RNDIS_MSG_HALT,
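Review bot: `ulong flags;` in the added declarations should be spelled `unsigned long flags;`, matching the declaration netvsc.c uses for the same spin_lock_irqsave() pattern in this patch. Separately, the initializer `hdev = nvdev->dev` dereferences dev->net_dev at function entry with no check, so the function now assumes net_dev is always valid when a halt is requested; if that is a guaranteed invariant, say so in a comment.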
@@ -735,6 +738,14 @@ static void rndis_filter_halt_device(struct rndis_device *dev)
 	dev->state = RNDIS_DEV_UNINITIALIZED;
 
 cleanup:
+	spin_lock_irqsave(&hdev->channel->inbound_lock, flags);
+	nvdev->destroy = true;
+	spin_unlock_irqrestore(&hdev->channel->inbound_lock, flags);
+
+	/* Wait for all send completions */
+	wait_event(nvdev->wait_drain,
+		atomic_read(&nvdev->num_outstanding_sends) == 0);
+
 	if (request)
 		put_rndis_request(dev, request);
 	return;
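Review bot: The comment above wait_event() at the cleanup label says only "Wait for all send completions" and does not record why the drain must come before put_rndis_request(). The changelog's reason (netvsc_send_completion() may otherwise reference the freed request) belongs in that comment so the ordering is not undone by a later cleanup. Because the block sits under cleanup:, it also runs when request is NULL, so destroy is set and the wait is entered even when no halt request was obtained; confirm that is intended. The wait_event() has no timeout, so a completion that never arrives blocks the halt path indefinitely.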
-- 
1.7.4.1



* Re: [PATCH net-next,1/1] hyperv: Move wait completion msg code into rndis_filter_halt_device()
  2012-08-03 19:32 [PATCH net-next,1/1] hyperv: Move wait completion msg code into rndis_filter_halt_device() Haiyang Zhang
@ 2012-08-03 23:52 ` David Miller
  2012-08-05 19:16   ` Haiyang Zhang
  0 siblings, 1 reply; 3+ messages in thread
From: David Miller @ 2012-08-03 23:52 UTC (permalink / raw)
  To: haiyangz; +Cc: netdev, kys, olaf, jasowang, linux-kernel, devel

From: Haiyang Zhang <haiyangz@microsoft.com>
Date: Fri,  3 Aug 2012 12:32:18 -0700

> We need to wait for send_completion msg before put_rndis_request() at
> the end of rndis_filter_halt_device(). Otherwise, netvsc_send_completion()
> may reference freed memory which is overwritten, and cause panic.
> 
> Reported-by: Long Li <longli@microsoft.com>
> Reported-by: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>

This is a bug fix, so applied to 'net'.  Please target your patches
properly.

Don't just be afraid that I'll reject the patch if you target it
at 'net', and therefore just target everything at 'net-next'.  That
is certainly worse.




* RE: [PATCH net-next,1/1] hyperv: Move wait completion msg code into rndis_filter_halt_device()
  2012-08-03 23:52 ` David Miller
@ 2012-08-05 19:16   ` Haiyang Zhang
  0 siblings, 0 replies; 3+ messages in thread
From: Haiyang Zhang @ 2012-08-05 19:16 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, KY Srinivasan, olaf, jasowang, linux-kernel, devel



> -----Original Message-----
> From: David Miller [mailto:davem@davemloft.net]
> Sent: Friday, August 03, 2012 7:52 PM
> To: Haiyang Zhang
> Cc: netdev@vger.kernel.org; KY Srinivasan; olaf@aepfle.de;
> jasowang@redhat.com; linux-kernel@vger.kernel.org;
> devel@linuxdriverproject.org
> Subject: Re: [PATCH net-next,1/1] hyperv: Move wait completion msg code
> into rndis_filter_halt_device()
> 
> From: Haiyang Zhang <haiyangz@microsoft.com>
> Date: Fri,  3 Aug 2012 12:32:18 -0700
> 
> > We need to wait for send_completion msg before put_rndis_request() at
> > the end of rndis_filter_halt_device(). Otherwise,
> > netvsc_send_completion() may reference freed memory which is
> overwritten, and cause panic.
> >
> > Reported-by: Long Li <longli@microsoft.com>
> > Reported-by: Jason Wang <jasowang@redhat.com>
> > Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
> 
> This is a bug fix, so applied to 'net'.  Please target your patches properly.
> 
> Don't just be afraid that I'll reject the patch if you target it at 'net', and
> therefore just target everything at 'net-next'.  That is certainly worse.

I see. 

Thanks,
- Haiyang

