Date: Fri, 28 Dec 2018 21:27:51 -0800 (PST)
Message-Id: <20181228.212751.1498034981468762216.davem@davemloft.net>
To: baijiaju1990@gmail.com
Cc: isdn@linux-pingi.de, natechancellor@gmail.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw()
From: David Miller
In-Reply-To: <20181226140934.12903-1-baijiaju1990@gmail.com>
References: <20181226140934.12903-1-baijiaju1990@gmail.com>

From: Jia-Ju Bai
Date: Wed, 26 Dec 2018 22:09:34 +0800

> In drivers/isdn/hisax/hfc_pci.c, the functions hfcpci_interrupt() and
> HFCPCI_l1hw() may be concurrently executed.
>
> HFCPCI_l1hw()
>   line 1173: if (!cs->tx_skb)
>
> hfcpci_interrupt()
>   line 942: spin_lock_irqsave();
>   line 1066: dev_kfree_skb_irq(cs->tx_skb);
>
> Thus, a possible concurrency use-after-free bug may occur
> in HFCPCI_l1hw().
>
> To fix these bugs, the calls to spin_lock_irqsave() and
> spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the
> access to cs->tx_skb.
>
> Signed-off-by: Jia-Ju Bai

Applied.
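
The race described in the quoted commit message, as an added example that is not part of the thread or the kernel source: a constructed single-CPU userspace model in which `lock_irqsave()` and `unlock_irqrestore()` only mask a simulated interrupt, and `struct card`, `struct skb`, `l1hw_touch()` and `run_scenario()` are hypothetical stand-ins. The buffer is marked dead instead of being freed, so the stale access is reported rather than executed.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed single-CPU model; only the names come from the commit message. */
struct skb  { bool live; };            /* live == false stands for "freed" */
struct card { struct skb *tx_skb; bool irq_off, irq_pending; };

/* Stand-in for the hfcpci_interrupt() path that frees cs->tx_skb. */
static void irq_handler(struct card *cs)
{
    if (cs->tx_skb) { cs->tx_skb->live = false; cs->tx_skb = NULL; }
}

/* Deliver the interrupt now, or defer it while interrupts are masked. */
static void raise_irq(struct card *cs)
{
    if (cs->irq_off) cs->irq_pending = true; else irq_handler(cs);
}
static void lock_irqsave(struct card *cs) { cs->irq_off = true; }
static void unlock_irqrestore(struct card *cs)
{
    cs->irq_off = false;
    if (cs->irq_pending) { cs->irq_pending = false; irq_handler(cs); }
}

/* Read cs->tx_skb, then use it, with the interrupt arriving in between.
 * Returns 1 for a live buffer, 0 for none, -1 for a freed one (the UAF). */
static int l1hw_touch(struct card *cs, bool locked)
{
    int ret = 0;
    if (locked) lock_irqsave(cs);
    struct skb *skb = cs->tx_skb;      /* the check */
    if (skb) {
        raise_irq(cs);                 /* worst-case interleaving */
        ret = skb->live ? 1 : -1;      /* the use */
    }
    if (locked) unlock_irqrestore(cs);
    return ret;
}

/* One scenario: -2 means the deferred interrupt never completed the buffer. */
int run_scenario(bool locked)
{
    struct skb buf = { .live = true };
    struct card cs = { .tx_skb = &buf };
    int ret = l1hw_touch(&cs, locked);
    return (cs.tx_skb == NULL && !buf.live) ? ret : -2;
}

int main(void) { printf("%d %d\n", run_scenario(false), run_scenario(true)); return 0; }
```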