SAFE public projects git trees. - safe/jmp/linux-2.6/commit

author	Stefan Richter <stefanr@s5r6.in-berlin.de>
	Mon, 18 Jan 2010 21:36:49 +0000 (22:36 +0100)
committer	Stefan Richter <stefanr@s5r6.in-berlin.de>
	Mon, 1 Feb 2010 20:51:28 +0000 (21:51 +0100)
commit	110f82d7a2e0ff5a17617a9672f1ccb7e44bc0c6
tree	64387d5a82eccf8156b746a2c42c2e81e9d34b91	tree \| snapshot
parent	abe94c756c08d50566c09a65b9c7fe72f83071c5	commit \| diff

firewire: net: fix panic in fwnet_write_complete

In the transmit path of firewire-net (IPv4 over 1394), the following
race condition may occur:
  - The networking soft IRQ inserts a datagram into the 1394 async
    request transmit DMA.
  - The 1394 async transmit completion tasklet runs to finish cleaning
    up (unlink datagram from list of pending ones, release skb and
    outbound 1394 transaction object) --- before the networking soft IRQ
    had a chance to proceed and add the datagram to the list of pending
    datagrams.

This caused a panic in the 1394 async transmit completion tasklet when
it dereferenced unitialized list heads:
http://bugzilla.kernel.org/show_bug.cgi?id=15077

The fix is to add checks in the tx soft IRQ and in the tasklet to
determine which of these two is the last referrer to the transaction
object.  Then handle the cleanup of the object by the last referrer
rather than assuming that the tasklet is always the last one.

There is another similar race:  Between said tasklet and fwnet_close,
i.e. at ifdown.  However, that race is much less likely to occur in
practice and shall be fixed in a separate update.

Reported-by: Илья Басин <basinilya@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>