lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090721171625.6e2c54e4@lxorguk.ukuu.org.uk>
Date:	Tue, 21 Jul 2009 17:16:25 +0100
From:	Alan Cox <alan@...rguk.ukuu.org.uk>
To:	Alan Stern <stern@...land.harvard.edu>
Cc:	Daniel Mack <daniel@...aq.de>,
	Kernel development list <linux-kernel@...r.kernel.org>,
	USB list <linux-usb@...r.kernel.org>
Subject: Re: [PATCH] [usb-serial] fix Ooops on uplug

> > If that is occuring then the bug is elsewhere. The hang up sequence
> > reconnects the user space to the hung up tty ops and no longer references
> > the hardware.
> 
> I got something similar with a pl2303 device, though not a crash.  I 
> plugged in the device, opened /dev/ttyUSB0, unplugged the device, then 
> tried to read from the open file descriptor.  The read provoked this:

That looks like it occurs after the read, however that trace shows the
close() method being called off sys_close() which in turn means a hang up
didn't occur when it was unplugged.

> This is only a lockdep warning, and I don't understand its
> significance.  Even worse, when I plugged in a USB flash drive
> afterward this appeared:

Looks like something freed the resources but didn't hang up when the
disconnect occurred

> So it looks like something really is wrong, some sort of 
> use-after-free.  Maybe a refcounting imbalance.

A tty getting destructed before it should have been would perhaps do some
of it but it doesn't explain how the close path got where it did.

What should be occurring is

	USB disconnect
		usb_serial_disconnect(interface)
		tty_hangup(tty)   [this is buggy and commented as such in
		the USB code as it should do it synchronously]

	tty_hangup()
	do_tty_hangup()

	file->f_ops = &hung_up_tty_ops;

		(so the USB close will never be called)

	ldisc hangup
	tty->ops->hangup (no-op on USB serial)

so the trace to me implies that the usb_serial_disconnect is not
happening. That in turn leads the close method to be called on a
disconnected port which in turn crashes stuff.

(and it also explains why Daniel's change although bogus stops the crash)


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ