From: Chris Boot <bootc@bootc.net>
To: Stefan Richter <stefanr@s5r6.in-berlin.de>,
linux1394-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org
Cc: Chris Boot <bootc@bootc.net>
Subject: [PATCH] firewire-sbp2: fix panic after rmmod with slow targets
Date: Mon, 22 Aug 2011 14:07:16 +0100 [thread overview]
Message-ID: <1314018436-9329-1-git-send-email-bootc@bootc.net> (raw)
If firewire-sbp2 starts a login to a target that doesn't complete ORBs
in a timely manner (and has to retry the login), and the module is
removed before the operation times out, you end up with a null-pointer
dereference and a kernel panic.
This happens because the code in sbp2_remove() just does a
sbp2_target_put(), assuming it will be the last remaining reference. If
there are jobs in the workqueue, this is not the case, and the module is
successfully unloaded while references still exist.
This patch cancels pending work for each unit in sbp2_remove(), which
hopefully means there are no extra references around that prevent us
from unloading. This fixes my crash.
Signed-off-by: Chris Boot <bootc@bootc.net>
---
drivers/firewire/sbp2.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/drivers/firewire/sbp2.c b/drivers/firewire/sbp2.c
index 41841a3..3867aaa 100644
--- a/drivers/firewire/sbp2.c
+++ b/drivers/firewire/sbp2.c
@@ -1198,6 +1198,11 @@ static int sbp2_remove(struct device *dev)
{
struct fw_unit *unit = fw_unit(dev);
struct sbp2_target *tgt = dev_get_drvdata(&unit->device);
+ struct sbp2_logical_unit *lu, *next;
+
+ list_for_each_entry_safe(lu, next, &tgt->lu_list, link) {
+ cancel_delayed_work_sync(&lu->work);
+ }
sbp2_target_put(tgt);
return 0;
--
1.7.5.4
next reply other threads:[~2011-08-22 13:16 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-22 13:07 Chris Boot [this message]
[not found] <1314017561-1976-1-git-send-email-bootc@bootc.net>
2011-08-22 14:35 ` [PATCH] firewire-sbp2: fix panic after rmmod with slow targets Stefan Richter
2011-08-22 20:38 ` Chris Boot
2011-08-22 22:38 ` Chris Boot
2011-08-22 20:43 ` Chris Boot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1314018436-9329-1-git-send-email-bootc@bootc.net \
--to=bootc@bootc.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
--cc=stefanr@s5r6.in-berlin.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox