3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.ibm.com
commit c2780c1a3fb724560b1d44f7976e0de17bf153c7 upstream.
A card's close_dev work is scheduled on a driver-wide workqueue. If the card is removed and freed while the work is still active, this causes a use-after-free. So make sure that the work is completed before freeing the card.
Fixes: 0f54761d167f ("qeth: Support VEPA mode") Signed-off-by: Julian Wiedmann jwi@linux.ibm.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/net/qeth_core.h | 1 + drivers/s390/net/qeth_l2_main.c | 2 ++ drivers/s390/net/qeth_l3_main.c | 1 + 3 files changed, 4 insertions(+)
--- a/drivers/s390/net/qeth_core.h +++ b/drivers/s390/net/qeth_core.h @@ -18,6 +18,7 @@ #include <linux/bitops.h> #include <linux/seq_file.h> #include <linux/ethtool.h> +#include <linux/workqueue.h>
#include <net/ipv6.h> #include <net/if_inet6.h> --- a/drivers/s390/net/qeth_l2_main.c +++ b/drivers/s390/net/qeth_l2_main.c @@ -924,6 +924,7 @@ static void qeth_l2_remove_device(struct if (cgdev->state == CCWGROUP_ONLINE) qeth_l2_set_offline(cgdev);
+ cancel_work_sync(&card->close_dev_work); if (card->dev) { unregister_netdev(card->dev); free_netdev(card->dev); --- a/drivers/s390/net/qeth_l3_main.c +++ b/drivers/s390/net/qeth_l3_main.c @@ -3342,6 +3342,7 @@ static void qeth_l3_remove_device(struct if (cgdev->state == CCWGROUP_ONLINE) qeth_l3_set_offline(cgdev);
+ cancel_work_sync(&card->close_dev_work); if (card->dev) { unregister_netdev(card->dev); free_netdev(card->dev);