firewire: ohci: prevent iso completion callbacks after context stop

To prevent the iso packet callback from being called after fw_iso_context_stop() has returned, make sure that the context's tasklet has finished executing before that. This fixes access-after-free bugs that have so far been observed only in the upcoming snd-firewire-speakers driver, but can theoretically also happen in the firedtv driver. Signed-off-by: N Clemens Ladisch <clemens@ladisch.de> Signed-off-by: N Stefan Richter <stefanr@s5r6.in-berlin.de>

firewire: ohci: prevent iso completion callbacks after context stop
To prevent the iso packet callback from being called after fw_iso_context_stop() has returned, make sure that the context's tasklet has finished executing before that. This fixes access-after-free bugs that have so far been observed only in the upcoming snd-firewire-speakers driver, but can theoretically also happen in the firedtv driver. Signed-off-by: N Clemens Ladisch <clemens@ladisch.de> Signed-off-by: N Stefan Richter <stefanr@s5r6.in-berlin.de>
e81cbebd · Clemens Ladisch · Stefan Richter · 5aaffc65 · e81cbebd
显示空白变更内容
内联并排

Showing with 1 addition and 0 deletion

drivers/firewire/ohci.c drivers/firewire/ohci.c +1 -0

未找到文件。
--- a/drivers/firewire/ohci.c
+++ b/drivers/firewire/ohci.c
@@ -2764,6 +2764,7 @@ static int ohci_stop_iso(struct fw_iso_context *base)
 	}
 	flush_writes(ohci);
 	context_stop(&ctx->context);
+	tasklet_kill(&ctx->context.tasklet);
 	return 0;
 }