Thread (3 messages), 2 authors, 2012-05-15

Re: [PATCH 3/3] usbnet: fix skb traversing races during unlink(v1)

From: Ming Lei <hidden>
Date: 2012-05-09 23:47:47

Hi David,

On Thu, May 3, 2012 at 9:04 AM, Ming Lei [off-list ref] wrote:
From a87ff961f0a5d50223bd084dfac4fe5ce84f3913 Mon Sep 17 00:00:00 2001
From: Ming Lei <redacted>
Date: Thu, 26 Apr 2012 11:33:46 +0800
Subject: [PATCH] usbnet: fix skb traversing races during unlink(v2)

Commit 4231d47e6fe69f061f96c98c30eaf9fb4c14b96d(net/usbnet: avoid
recursive locking in usbnet_stop()) fixes the recursive locking
problem by releasing the skb queue lock before unlink, but may
cause skb traversing races:
       - after URB is unlinked and the queue lock is released,
       the referred skb and skb->next may be moved to done queue,
       even be released
       - in skb_queue_walk_safe, the next skb is still obtained
       by next pointer of the last skb
       - so maybe trigger oops or other problems

This patch extends the usage of entry->state to describe 'start_unlink'
state, so always holding the queue(rx/tx) lock to change the state if
the referred skb is in rx or tx queue because we need to know if the
referred urb has been started unlinking in unlink_urbs.

The other part of this patch is based on Huajun's patch:
always traverse from head of the tx/rx queue to get skb which is
to be unlinked but not been started unlinking.

Signed-off-by: Huajun Li <redacted>
Signed-off-by: Ming Lei <redacted>
Cc: Oliver Neukum <redacted>
Cc: stable-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org
---
v2:
       - if the Rx URB has been marked as being unlink, just not resubmit it
       in complete handler, so usb_block_urb/usb_unblock_urb can be avoided,

Considering that this one (v2) doesn't depend on the usb tree any more and it looks
like no one objects to it, could you apply this one to your tree?

Thanks,
-- 
Ming Lei
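
The traversal rule described in the commit message above, as an added userspace model that is not part of the original e-mail or of the usbnet patch: restart from the head of the queue after every unlink and skip entries already marked `unlink_start`. The names `complete_unlink`, `unlink_all`, `slow` and `locked` are hypothetical, and the integer `locked` only marks where the real code would hold the rx/tx queue lock.

```c
#include <stddef.h>

enum skb_state { rx_start, unlink_start };  /* modeled on the entry->state values */
struct entry { struct entry *next; enum skb_state state; int slow; };
struct queue { struct entry *head; int locked; };  /* locked: stand-in for the queue lock */

/* Constructed stand-in for the completion path. It runs while the caller has
 * dropped the lock and dequeues the entry together with its successor, the
 * case where "skb and skb->next may be moved to done queue". A slow entry
 * models a completion that has not run yet, so it stays queued. */
static void complete_unlink(struct queue *q, struct entry *e)
{
    struct entry **pp;
    if (e->slow)
        return;
    q->locked = 1;
    for (pp = &q->head; *pp && *pp != e; pp = &(*pp)->next)
        ;
    if (*pp) {
        struct entry *succ = e->next;
        *pp = succ ? succ->next : NULL;   /* drop e and its successor */
        if (succ)
            succ->next = NULL;
        e->next = NULL;                   /* a next pointer saved earlier is now stale */
    }
    q->locked = 0;
}

/* Returns the number of entries for which an unlink was started. */
int unlink_all(struct queue *q)
{
    int count = 0;
    q->locked = 1;
    for (;;) {
        struct entry *e = q->head;        /* always restart from the head */
        while (e && e->state == unlink_start)
            e = e->next;                  /* skip entries already being unlinked */
        if (!e)
            break;
        e->state = unlink_start;          /* state is changed only under the lock */
        q->locked = 0;                    /* lock is dropped around the unlink call */
        complete_unlink(q, e);
        q->locked = 1;
        count++;
    }
    q->locked = 0;
    return count;
}
```

Without the `unlink_start` mark, an entry whose completion is still pending would be picked again on every restart and the loop would never finish.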