Date: Fri, 14 Jun 2013 23:30:56 -0700
From: Guenter Roeck
To: Ming Lei
Cc: nirinA raseliarison, linux-kernel@vger.kernel.org, Francois Romieu, nic_swsd@realtek.com, Hayes Wang
Subject: Re: BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
Message-ID: <20130615063055.GA13766@roeck-us.net>
References: <20130614154325.GA30105@roeck-us.net>
On Sat, Jun 15, 2013 at 10:32:14AM +0800, Ming Lei wrote:
> On Sat, Jun 15, 2013 at 1:07 AM, nirinA raseliarison wrote:
> >
> > patch applied and no longer have the bug message when i
> > reboot and wake up the ethernet controller.
>
> I am wondering if Guenter's patch can fix the race really, but I'd like to
> see Guenter's explanation on his patch.
>
> The race should be caused by below:
>
> - request timeout triggered by internal timer
>
> - user space aborts the requests before the line in _request_firmware_load()
>
>         fw_priv->buf = NULL
>
>   which is run in timeout path
>
> - then the abort() called from firmware_loading_store() may use a freed fw buf
>   since the timeout path will free the fw buffer.
>
> Considered clearing 'fw_priv->buf' in _request_firmware_load() isn't protected
> by fw_lock now, so Guenter's patch can't avoid the race entirely.

I agree; my patch only protects one specific path, and was based on the
observation that access to fw_priv->buf is protected elsewhere in the code.
My suspicion was that fw_priv->buf was freed while waiting for the mutex in
firmware_loading_store(). Your patch is more comprehensive.

Guenter
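The interleaving Ming Lei describes above, as an added user-space C model that is not code from this thread or from the kernel's firmware loader. The names fw_priv, fw_buf, fw_lock, timeout_path() and the two abort functions are simplified stand-ins (assumptions) for the loader's structures and paths; the interleaving is driven by hand, so the lock is a flag rather than a real mutex, and "freeing" marks the buffer instead of calling free() so that a use-after-free is detectable rather than undefined behaviour. The racy abort reads fw_priv->buf before it waits for the lock and then uses that stale pointer; the safe variant takes the lock first and re-reads the pointer, which, together with a timeout path that clears the pointer under the same lock, leaves no window in which a freed buffer can be observed.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the fw_priv->buf race; not kernel code. All names
 * below are assumed stand-ins for the firmware loader's real structures. */

struct fw_buf {
    char data[32];
    int freed;                 /* set by release_buf() in place of free() */
};

struct fw_priv {
    struct fw_buf *buf;        /* pointer shared by the timeout and abort paths */
};

enum abort_result {
    ABORT_OK = 0,              /* buffer was live and got aborted */
    ABORT_NOTHING = 1,         /* fw_priv->buf already NULL: nothing to do */
    ABORT_USE_AFTER_FREE = 2   /* touched a buffer the timeout path freed */
};

static struct fw_buf pool;     /* one static buffer plays the role of kmalloc */
static int fw_lock_held;       /* stand-in for mutex_lock(&fw_lock) */

static void lock(void)   { fw_lock_held = 1; }
static void unlock(void) { fw_lock_held = 0; }
static void release_buf(struct fw_buf *b) { b->freed = 1; }

/* Timeout path as the mail describes it: clear fw_priv->buf, then free the
 * buffer. under_lock selects whether the clear happens inside fw_lock. */
static void timeout_path(struct fw_priv *p, int under_lock)
{
    struct fw_buf *old;

    if (under_lock) lock();
    old = p->buf;
    p->buf = NULL;
    if (under_lock) unlock();
    if (old) release_buf(old);
}

/* Common abort body; reports whether it was handed a freed buffer. */
static int abort_buf(struct fw_buf *b)
{
    if (!b) return ABORT_NOTHING;
    if (b->freed) return ABORT_USE_AFTER_FREE;
    memset(b->data, 0, sizeof b->data);   /* "abort": discard loaded bytes */
    return ABORT_OK;
}

/* Racy abort: reads fw_priv->buf, then blocks on fw_lock, then uses the
 * pointer it read earlier. Split in two so the timeout can run in between. */
struct abort_ctx { struct fw_buf *snapshot; };

static void racy_abort_begin(struct abort_ctx *c, struct fw_priv *p)
{
    c->snapshot = p->buf;      /* read before the lock: may go stale */
}

static int racy_abort_finish(struct abort_ctx *c)
{
    int rc;
    lock();
    rc = abort_buf(c->snapshot);
    unlock();
    return rc;
}

/* Safe abort: takes fw_lock first and only then reads fw_priv->buf. */
static int safe_abort(struct fw_priv *p)
{
    int rc;
    lock();
    rc = abort_buf(p->buf);
    unlock();
    return rc;
}

static void reset(struct fw_priv *p)
{
    memset(&pool, 0, sizeof pool);
    strcpy(pool.data, "constructed firmware bytes");   /* constructed sample */
    p->buf = &pool;
    fw_lock_held = 0;
}

/* Interleaving from the mail: abort starts, timeout fires, abort continues. */
int run_racy_interleaving(void)
{
    struct fw_priv p;
    struct abort_ctx c;

    reset(&p);
    racy_abort_begin(&c, &p);      /* stale snapshot of fw_priv->buf */
    timeout_path(&p, 0);           /* clear + free, not under fw_lock */
    return racy_abort_finish(&c);  /* ABORT_USE_AFTER_FREE */
}

/* Same ordering with both paths under fw_lock: abort sees NULL. */
int run_safe_interleaving(void)
{
    struct fw_priv p;

    reset(&p);
    timeout_path(&p, 1);
    return safe_abort(&p);         /* ABORT_NOTHING */
}

/* Abort wins the lock first: it acts on a live buffer, then timeout frees it. */
int run_safe_abort_first(void)
{
    struct fw_priv p;
    int rc;

    reset(&p);
    rc = safe_abort(&p);           /* ABORT_OK */
    timeout_path(&p, 1);
    return rc;
}

int main(void)
{
    printf("racy: %d, safe: %d, abort-first: %d\n",
           run_racy_interleaving(), run_safe_interleaving(),
           run_safe_abort_first());
    return 0;
}
```

The point the model makes is the one in Guenter's reply: protecting the abort path alone is not enough, because the value of fw_priv->buf that the abort path acts on must be read under the same lock that the timeout path uses when it clears the pointer, otherwise the wait for the mutex is exactly the window in which the buffer gets freed.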