LKML Archive on lore.kernel.org
From: Stefan Richter <stefanr@s5r6.in-berlin.de>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	Andrew Morton <akpm@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, linux1394-devel@lists.sourceforge.net
Subject: [GIT PULL] FireWire update
Date: Thu, 20 Mar 2008 18:28:56 +0100 (CET)
Message-ID: <tkrat.2374baeb26921d92@s5r6.in-berlin.de>
In-Reply-To: <tkrat.b05a30e97b4f9820@s5r6.in-berlin.de>

Linus, please pull from the for-linus branch at

    git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6.git for-linus

to receive the following update for the firewire subsystem.

 drivers/firewire/fw-transaction.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

Stefan Richter (1):
      firewire: fix panic in handle_at_packet


commit 10a4c735515a5afc317abe4d697a4c95f6d9d764
Author: Stefan Richter <stefanr@s5r6.in-berlin.de>
Date:   Sun Mar 16 00:56:41 2008 +0100

    firewire: fix panic in handle_at_packet
    
    This fixes a use-after-free bug in the handling of split transactions.
    The AT DMA handler of the request was occasionally executed after the
    AR DMA handler of the response.  The AT DMA handler then accessed an
    already freed packet.
    
    Reported by Johannes Berg.
    http://bugzilla.kernel.org/show_bug.cgi?id=9617
    
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Tested-by: Johannes Berg <johannes@sipsolutions.net>
    Signed-off-by: Jarod Wilson <jwilson@redhat.com>

diff --git a/drivers/firewire/fw-transaction.c b/drivers/firewire/fw-transaction.c
index 99529e5..e6f1bda 100644
--- a/drivers/firewire/fw-transaction.c
+++ b/drivers/firewire/fw-transaction.c
@@ -736,6 +736,12 @@ fw_core_handle_response(struct fw_card *card, struct fw_packet *p)
 		break;
 	}
 
+	/*
+	 * The response handler may be executed while the request handler
+	 * is still pending.  Cancel the request handler.
+	 */
+	card->driver->cancel_packet(card, &t->packet);
+
 	t->callback(card, rcode, data, data_length, t->callback_data);
 }
 EXPORT_SYMBOL(fw_core_handle_response);
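
Review bot: The new comment above the card->driver->cancel_packet(card, &t->packet) call says what is cancelled but not why the ordering matters. Going by the commit message, the AT handler touched a packet that had already been freed once the response was handled, so the cancel has to stay ahead of t->callback(...); please say so in the comment so the call is not later moved below the callback. Two further points on the same line: any result of cancel_packet is discarded, and nothing visible in this hunk shows whether the driver hook waits for an AT handler that is already executing on another CPU when the response arrives. If the hook only dequeues a pending packet, a window remains between the cancel and the callback, so the changelog or the comment should state what cancel_packet guarantees in that case.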


Thanks,
-- 
Stefan Richter
-=====-==--- --== =-=--
http://arcgraph.de/sr/

