| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 28 Jun 2015 20:07:38 -0500
From: Reyad Attiyat <reyad.attiyat@...il.com>
To: akarwar@...vell.com, patila@...vell.com, kvalo@...eaurora.org,
bzhao@...vell.com
Cc: linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
Reyad Attiyat <reyad.attiyat@...il.com>
Subject: [PATCH] mwifiex: usb: Fix double add error when submitting rx urb
There is an error that can occur where the driver adds the same URB to USB submission list twice.
This happens since mwifiex_usb_submit_rem_rx can submit packets at same time as an rx urb complete callback.
This causes list corruption and is fixed by not setting the skb to NULL when submitting an rx packet.
[ 84.461242] WARNING: CPU: 1 PID: 748 at lib/list_debug.c:36 __list_add+0xcb/0xd0()
[ 84.461245] list_add double add: new=ffff8800c92b0c50, prev=ffff8800c92b0c50, next=ffff8800ced6c430.
[ 84.461247] Modules linked in: rfcomm fuse cmac nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack bnep iptable_mangle iptable_security iptable_raw btusb btintel bluetooth mwifiex_usb mwifiex x86_pkg_temp_thermal cfg80211 coretemp r8712u(C) kvm_intel kvm hid_sensor_als hid_sensor_incl_3d hid_sensor_rotation hid_sensor_magn_3d hid_sensor_accel_3d hid_sensor_gyro_3d hid_sensor_trigger hid_sensor_iio_common industrialio_triggered_buffer kfifo_buf rfkill iTCO_wdt industrialio iTCO_vendor_support
[ 84.461316] crc32_pclmul crc32c_intel ghash_clmulni_intel microcode snd_hda_codec_realtek vfat snd_hda_codec_generic fat snd_hda_codec_hdmi snd_hda_intel snd_hda_controller uvcvideo snd_hda_codec videobuf2_vmalloc videobuf2_memops snd_hwdep videobuf2_core snd_hda_core joydev v4l2_common videodev hid_sensor_hub snd_seq hid_multitouch media snd_seq_device snd_pcm snd_timer mei_me snd i2c_i801 lpc_ich mei soundcore tpm_infineon tpm_tis tpm i2c_hid i2c_designware_platform i2c_designware_core nfsd auth_rpcgss nfs_acl lockd grace sunrpc sch_fq_codel i915 i2c_algo_bit drm_kms_helper drm xhci_pci xhci_hcd ehci_pci sd_mod ehci_hcd video
[ 84.461383] CPU: 1 PID: 748 Comm: kworker/u9:0 Tainted: G C 4.1.0-rc5+ #163
[ 84.461386] Hardware name: Microsoft Corporation Surface Pro 2/Surface Pro 2, BIOS 2.05.0250 04/10/2015
[ 84.461396] Workqueue: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex]
[ 84.461399] ffffffff81a8150e ffff8801174cf8e8 ffffffff817df830 0000000000000000
[ 84.461405] ffff8801174cf938 ffff8801174cf928 ffffffff810a54ba ffff8800c86bd750
[ 84.461410] ffff8800c92b0c50 ffff8800c92b0c50 ffff8800ced6c430 ffff88010c057178
[ 84.461416] Call Trace:
[ 84.461421] [<ffffffff817df830>] dump_stack+0x4f/0x7b
[ 84.461428] [<ffffffff810a54ba>] warn_slowpath_common+0x8a/0xc0
[ 84.461432] [<ffffffff810a5536>] warn_slowpath_fmt+0x46/0x50
[ 84.461436] [<ffffffff814109fb>] __list_add+0xcb/0xd0
[ 84.461442] [<ffffffff815c551a>] ? usb_hcd_link_urb_to_ep+0x2a/0xa0
[ 84.461446] [<ffffffff815c5570>] usb_hcd_link_urb_to_ep+0x80/0xa0
[ 84.461459] [<ffffffffa004318a>] prepare_transfer+0xaa/0x130 [xhci_hcd]
[ 84.461470] [<ffffffffa0044cf7>] xhci_queue_bulk_tx+0xb7/0x7a0 [xhci_hcd]
[ 84.461480] [<ffffffffa003b67f>] ? xhci_urb_enqueue+0x50f/0x660 [xhci_hcd]
[ 84.461489] [<ffffffffa003b67f>] ? xhci_urb_enqueue+0x50f/0x660 [xhci_hcd]
[ 84.461498] [<ffffffffa003b735>] xhci_urb_enqueue+0x5c5/0x660 [xhci_hcd]
[ 84.461503] [<ffffffff815c7ad3>] usb_hcd_submit_urb+0x93/0xa70
[ 84.461507] [<ffffffff8168dde8>] ? __alloc_skb+0x78/0x1f0
[ 84.461511] [<ffffffff8168d301>] ? __kmalloc_reserve.isra.26+0x31/0x90
[ 84.461515] [<ffffffff8168ddbc>] ? __alloc_skb+0x4c/0x1f0
[ 84.461519] [<ffffffff8168ddfc>] ? __alloc_skb+0x8c/0x1f0
[ 84.461523] [<ffffffff8168badd>] ? skb_dequeue+0x5d/0x80
[ 84.461527] [<ffffffff815c987e>] usb_submit_urb+0x42e/0x5f0
[ 84.461531] [<ffffffff816931d9>] ? __alloc_rx_skb+0x39/0x100
[ 84.461536] [<ffffffffa05aa372>] mwifiex_usb_submit_rx_urb+0xb2/0x170 [mwifiex_usb]
[ 84.461542] [<ffffffffa05aa5f5>] mwifiex_usb_submit_rem_rx_urbs+0x45/0x50 [mwifiex_usb]
[ 84.461550] [<ffffffffa07094be>] mwifiex_rx_work_queue+0x10e/0x140 [mwifiex]
[ 84.461556] [<ffffffff810c4429>] process_one_work+0x229/0x890
[ 84.461559] [<ffffffff810c438c>] ? process_one_work+0x18c/0x890
[ 84.461565] [<ffffffff810c4ae3>] worker_thread+0x53/0x470
[ 84.461569] [<ffffffff810c4a90>] ? process_one_work+0x890/0x890
[ 84.461572] [<ffffffff810cb162>] kthread+0xf2/0x110
[ 84.461577] [<ffffffff811031ad>] ? trace_hardirqs_on+0xd/0x10
[ 84.461581] [<ffffffff810cb070>] ? kthread_create_on_node+0x230/0x230
[ 84.461586] [<ffffffff817e9662>] ret_from_fork+0x42/0x70
[ 84.461590] [<ffffffff810cb070>] ? kthread_create_on_node+0x230/0x230
[ 84.461593] ---[ end trace 65103af5e6fb3444 ]---
Signed-off-by: Reyad Attiyat <reyad.attiyat@...il.com>
---
drivers/net/wireless/mwifiex/usb.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mwifiex/usb.c b/drivers/net/wireless/mwifiex/usb.c
index fd8027f..cd3ba76 100644
--- a/drivers/net/wireless/mwifiex/usb.c
+++ b/drivers/net/wireless/mwifiex/usb.c
@@ -235,9 +235,11 @@ setup_for_next:
if (card->rx_cmd_ep == context->ep) {
mwifiex_usb_submit_rx_urb(context, size);
} else {
- context->skb = NULL;
- if (atomic_read(&adapter->rx_pending) <= HIGH_RX_PENDING)
+ if (atomic_read(&adapter->rx_pending) <= HIGH_RX_PENDING){
mwifiex_usb_submit_rx_urb(context, size);
+ }else{
+ context->skb = NULL;
+ }
}
return;
--
2.4.3
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists