From: Pavel Kubelun Date: Mon, 28 Nov 2016 12:21:42 +0000 (+0300) Subject: net: ar8216: hold ar8xxx_dev_list_lock during use_count-- X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=eb049d3777ce6e50ae830a41f9308c270cb26858;p=librecmc%2Flibrecmc.git net: ar8216: hold ar8xxx_dev_list_lock during use_count-- Import from https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c3fd96a7b87da23979d8569ce45447f8419ca303%5E%21/#F0 Signed-off-by: Pavel Kubelun CHROMIUM: drivers: ar8216: hold ar8xxx_dev_list_lock during use_count-- It is possible for the remove() callback to run twice in parallel, which could result into --use_count returning only 1 in both cases and the rest of the unregistration path to never be reached. This case has never been observed in practice, but we will fix preventively to make the code more robust. BUG=chrome-os-partner:33096 TEST=none Change-Id: If09abe27fdb2037f514f8674418bafaab3cbdef6 Signed-off-by: Mathieu Olivari Reviewed-on: https://chromium-review.googlesource.com/232870 Reviewed-by: Matthias Kaehlcke Reviewed-by: Toshi Kikuchi Tested-by: Toshi Kikuchi --- diff --git a/target/linux/generic/files/drivers/net/phy/ar8216.c b/target/linux/generic/files/drivers/net/phy/ar8216.c index 7398d7e273..d575043629 100644 --- a/target/linux/generic/files/drivers/net/phy/ar8216.c +++ b/target/linux/generic/files/drivers/net/phy/ar8216.c @@ -2241,10 +2241,14 @@ ar8xxx_phy_remove(struct phy_device *phydev) return; phydev->priv = NULL; - if (--priv->use_count > 0) - return; mutex_lock(&ar8xxx_dev_list_lock); + + if (--priv->use_count > 0) { + mutex_unlock(&ar8xxx_dev_list_lock); + return; + } + list_del(&priv->list); mutex_unlock(&ar8xxx_dev_list_lock); @@ -2294,4 +2298,3 @@ ar8xxx_exit(void) module_init(ar8xxx_init); module_exit(ar8xxx_exit); MODULE_LICENSE("GPL"); -
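Review bot: In the first hunk of ar8xxx_phy_remove(), taking ar8xxx_dev_list_lock around `--priv->use_count` only closes the race if every other access to use_count is made under the same lock. The increment side is not visible in this diff, so please confirm it holds the lock, and add a comment at the field saying that ar8xxx_dev_list_lock protects it. Note also that `phydev->priv = NULL;` and the check before it still run before `mutex_lock()`. That is fine if each phydev is removed only once, but the commit message should say so, because it describes remove() running twice in parallel. As a style point, the early return now has its own `mutex_unlock(&ar8xxx_dev_list_lock);`. Consider recording the result of the decrement in a local variable inside the critical section, unlocking once, and returning afterwards, so the function has a single unlock site. With TEST=none on a locking change, at least a module load/unload cycle on a multi-PHY board would be worth recording.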
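Review bot: The second hunk, after `MODULE_LICENSE("GPL");`, only drops a trailing blank line at the end of ar8216.c, which is unrelated to the use_count locking fix. Either mention the whitespace cleanup in the commit message or move it to a separate patch so the locking change can be reviewed and backported on its own.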