lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20070922191806.A2F59C2308@adsl-69-226-248-13.dsl.pltn13.pacbell.net>
Date:	Sat, 22 Sep 2007 12:18:06 -0700
From:	David Brownell <david-b@...bell.net>
To:	tglx@...utronix.de
Cc:	stable@...nel.org, linux-kernel@...r.kernel.org,
	bene@...utronix.de, akpm@...l.org
Subject: Re: [PATCH] usb-gadget-ether: Prevent oops caused by error interrupt 
 race -V2 (comments update)

I think you misread my comment.  Those requests are **NOT** pending!!
So this update has a *MORE* incorrect description of the issue. 

That's just the freelist ... it's a fairly conventional model whereby
there's a pool of "free" request slots which can be issued.  When the
pool empties, the TX queue shuts down until one of the requests which
is pending in the hardware completes, and makes a slot free.

The problem you're addressing is that there's a small window where a
disconnect IRQ can shut down the TX queue (and empty that freelist)
after upper layers in the network stack started a transmission on
an active (pre-disconnect) TX queue.

That problem is *NOT* related to any pending requests at all!!

NAK...


> From tglx@...utronix.de  Sat Sep 22 10:51:00 2007
> Subject: [PATCH] usb-gadget-ether: Prevent oops caused by error interrupt
> 	race -V2 (comments update)
> From: Thomas Gleixner <tglx@...utronix.de>
> Date: Sat, 22 Sep 2007 19:41:01 +0200
>
> From: Benedikt Spranger <bene@...utronix.de>
>  
> eth_start_xmit() can race against a disconnect interrupt in the gadget
> device driver, which nukes all pending request. Right now we access the
> pending request list unconditionally and dereference the request list
> head itself in such a case, which results in an Oops.
>
> Check whether the list is empty before actually dereferencing
> dev->tx_reqs.next. Also add a comment for the second list_empty check
> further down to avoid confusion.
>
> Long standing bug. Patch should be applied to stable as well.
>
> Signed-off-by: Benedikt Spranger <bene@...utronix.de>
> Signed-off-by: Thomas Gleixner <tglx@...utronix.de>
>
> diff --git a/drivers/usb/gadget/ether.c b/drivers/usb/gadget/ether.c
> index 593e235..f2a7bd5 100644
> ...
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ