Date:	Tue, 11 Mar 2014 10:31:48 -0700
From:	Grant Grundler <grundler@...gle.com>
To:	Julius Werner <jwerner@...omium.org>
Cc:	netdev <netdev@...r.kernel.org>, Freddy Xin <freddy@...x.com.tw>,
	"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
	Allan Chou <allan@...x.com.tw>
Subject: Re: usbnet: driver_info->stop required to stop USB interrupts?

On Mon, Mar 10, 2014 at 7:53 PM, Julius Werner <jwerner@...omium.org> wrote:
> I think usbnet_stop() raced with the dev->bh tasklet, which by itself
> might not be a problem (usbnet_stop() later kills the tasklet itself,
> so it should expect that it can be running before that). The issue is
> that it calls usbnet_terminate_urbs() before that, which temporarily
> installs a waitqueue in dev->wait in order to be able to wait on the
> tasklet to run and finish up some queues. The waiting itself looks
> okay, but the access to 'dev->wait' is totally unprotected and can
> race arbitrarily. I think in this case usbnet_bh() managed to succeed
> its dev->wait check just before usbnet_terminate_urbs() sets it back
> to NULL. The latter then finishes and the waitqueue_t structure on its
> stack gets overwritten by other functions halfway through the
> wake_up() call in usbnet_bh().

Awesome - thanks Julius! :)

FWIW, I've reproduced this on "Samsung Chromebook" (Exynos 5250) with
AX88772 USB dongle using the instructions I posted before (i.e. bouncing
the USB port with reload_asix script).

cheers,
grant

[23231.533805] asix 3-1:1.0 eth0: link up, 1000Mbps, full-duplex, lpa 0xCDE1
[23235.755652] usbcore: deregistering interface driver asix
[23235.761722] asix 3-1:1.0 eth0: unregister 'asix' usb-12110000.usb-1, ASIX AX88178 USB 2.0 Ethernet
[23235.761763] Unable to handle kernel paging request at virtual address e24cb004
[23235.761771] pgd = ebf70000
[23235.761777] [e24cb004] *pgd=6241141e(bad)
[23235.761792] Internal error: Oops: 8000000d [#1] SMP ARM
[23235.761798] Modules linked in: asix(-) exynos_gsc v4l2_mem2mem isl29018(C) sbs_battery i2c_dev uinput mwifiex_sdio mwifiex btmrvl_sdio btmrvl s5p_mfc videobuf2_dma_contig rtc_s3c bluetooth zram(C) zsmalloc(C) fuse cfg80211 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables uvcvideo videobuf2_core videobuf2_vmalloc videobuf2_memops usbnet joydev [last unloaded: asix]
[23235.761898] CPU: 0    Tainted: G         C    (3.8.11 #25)
[23235.761906] PC is at 0xe24cb004
[23235.761916] LR is at __wake_up_common+0x5c/0x88
[23235.761924] pc : [<e24cb004>]    lr : [<c014f870>]    psr: 80000093
[23235.761924] sp : ef0e3e10  ip : e24cb004  fp : ef0e3e3c
[23235.761931] r10: e1a0c00d  r9 : 00000000  r8 : 00000003
[23235.761938] r7 : 00000000  r6 : 00000001  r5 : e92d3ff4  r4 : eab13d14
[23235.761943] r3 : 00000000  r2 : 00000000  r1 : 00000003  r0 : c060d0f4
[23235.761951] Flags: Nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[23235.761957] Control: 10c5387d  Table: 6bf7006a  DAC: 00000015
[23235.761964] Process ksoftirqd/0 (pid: 3, stack limit = 0xef0e2240)
[23235.761970] Stack: (0xef0e3e10 to 0xef0e4000)
[23235.762094] Backtrace:
[23235.762107] [<c014f870>] (__wake_up_common+0x5c/0x88) from [<c0151c30>] (__wake_up+0x48/0x5c)
[23235.762121] [<c0151c30>] (__wake_up+0x48/0x5c) from [<bf00a0e4>] (usbnet_bh+0x140/0x210 [usbnet])
[23235.762135] [<bf00a0e4>] (usbnet_bh+0x140/0x210 [usbnet]) from [<c012bcb4>] (tasklet_action+0x98/0xf4)
[23235.762148] [<c012bcb4>] (tasklet_action+0x98/0xf4) from [<c012b348>] (__do_softirq+0x120/0x224)
[23235.762160] [<c012b348>] (__do_softirq+0x120/0x224) from [<c012b48c>] (run_ksoftirqd+0x40/0x60)
[23235.762170] [<c012b48c>] (run_ksoftirqd+0x40/0x60) from [<c014f22c>] (smpboot_thread_fn+0x16c/0x184)
[23235.762180] [<c014f22c>] (smpboot_thread_fn+0x16c/0x184) from [<c01455b4>] (kthread+0xc8/0xd8)
[23235.762191] [<c01455b4>] (kthread+0xc8/0xd8) from [<c0106118>] (ret_from_fork+0x14/0x20)
[23235.762200] Code: 0000efe8 00003f15 0000eff0 00000000 (0000f004)
[23235.762209] ---[ end trace 3ad68dc3731b37c5 ]---
[23235.766529] Kernel panic - not syncing: Fatal exception in interrupt
[23235.766539] CPU1: stopping
[23235.766546] Backtrace:
[23235.766564] [<c010d3d0>] (unwind_backtrace+0x0/0x118) from [<c060936c>] (dump_stack+0x28/0x30)
[23235.766577] [<c060936c>] (dump_stack+0x28/0x30) from [<c010bcb8>] (handle_IPI+0xf0/0x170)
[23235.766588] [<c010bcb8>] (handle_IPI+0xf0/0x170) from [<c0100430>] (gic_handle_irq+0x68/0x70)
[23235.766598] [<c0100430>] (gic_handle_irq+0x68/0x70) from [<c0105c80>] (__irq_svc+0x40/0x50)
[23235.766605] Exception stack(0xeab13cf0 to 0xeab13d38)
[23235.766612] 3ce0:                                     00000002 edaddec0 00000003 00000001
[23235.766620] 3d00: edaddebc edaddec0 bfa78744 edaddee0 00200200 00000000 00000000 eab13d4c
[23235.766627] 3d20: 00000000 eab13d38 c012af58 c012af74 20000013 ffffffff
[23235.766639] [<c0105c80>] (__irq_svc+0x40/0x50) from [<c012af74>] (tasklet_kill+0x6c/0x8c)
[23235.766653] [<c012af74>] (tasklet_kill+0x6c/0x8c) from [<bf00a950>] (usbnet_stop+0x110/0x178 [usbnet])
[23235.766667] [<bf00a950>] (usbnet_stop+0x110/0x178 [usbnet]) from [<c0532298>] (__dev_close_many+0xa8/0xcc)
[23235.766677] [<c0532298>] (__dev_close_many+0xa8/0xcc) from [<c05323c8>] (dev_close_many+0x98/0x118)
[23235.766688] [<c05323c8>] (dev_close_many+0x98/0x118) from [<c0533fcc>] (rollback_registered_many+0xd4/0x204)
[23235.766700] [<c0533fcc>] (rollback_registered_many+0xd4/0x204) from [<c05368f0>] (unregister_netdevice_queue+0x98/0xf4)
[23235.766711] [<c05368f0>] (unregister_netdevice_queue+0x98/0xf4) from [<c0536974>] (unregister_netdev+0x28/0x30)
[23235.766722] [<c0536974>] (unregister_netdev+0x28/0x30) from [<bf009610>] (usbnet_disconnect+0x8c/0xe4 [usbnet])
[23235.766739] [<bf009610>] (usbnet_disconnect+0x8c/0xe4 [usbnet]) from [<c0425328>] (usb_unbind_interface+0x70/0x170)
[23235.766753] [<c0425328>] (usb_unbind_interface+0x70/0x170) from [<c03c727c>] (__device_release_driver+0xac/0xf8)
[23235.766765] [<c03c727c>] (__device_release_driver+0xac/0xf8) from [<c03c78a4>] (driver_detach+0x94/0xbc)
[23235.766775] [<c03c78a4>] (driver_detach+0x94/0xbc) from [<c03c6de4>] (bus_remove_driver+0x78/0xc4)
[23235.766785] [<c03c6de4>] (bus_remove_driver+0x78/0xc4) from [<c03c7efc>] (driver_unregister+0x54/0x78)
[23235.766796] [<c03c7efc>] (driver_unregister+0x54/0x78) from [<c0424780>] (usb_deregister+0x6c/0xd4)
[23235.766807] [<c0424780>] (usb_deregister+0x6c/0xd4) from [<bfa7782c>] (cleanup_module+0x14/0x7e8 [asix])
[23235.766827] [<bfa7782c>] (cleanup_module+0x14/0x7e8 [asix]) from [<c0177cb0>] (sys_delete_module+0x1c4/0x254)
[23235.766838] [<c0177cb0>] (sys_delete_module+0x1c4/0x254) from [<c0106080>] (ret_fast_syscall+0x0/0x30)
[23235.766846] task_migration_notifier = c0936790
[23235.766855] page containing tmn: c0936770: 00000001 00000000 dead4ead ffffffff
[23235.766863] page containing tmn: c0936780: ffffffff c0936784 c0936784 00000000
[23235.766871] page containing tmn: c0936790: 00000000 dead4ead ffffffff ffffffff
[23235.766878] page containing tmn: c09367a0: 20202020 00000000 beab7861 c014f93c
[23235.766886] page containing tmn: c09367b0: c014f918 00000000 00000000 00000000
[23235.766892] page containing tmn: c09367c0: 00000000 00000000 00000000
[23235.766907] CPU0 PC: <c011c830> exynos5_panic_notify+0x5c/0xb0
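
The race described in the quoted text above, reduced to a deterministic user-space model. This is an added example, not code from the thread or from the usbnet driver: `struct waitq`, `frame_slot`, `racy()` and `embedded()` are hypothetical names, the interleaving is driven by hand rather than by real threads, and embedding the queue in the device structure is an assumed remedy that the thread itself does not state.

```c
#include <stdio.h>
#include <string.h>

typedef int (*wake_fn)(void);
static int default_wake(void) { return 1; }   /* stands in for the waiter's callback */

struct waitq { wake_fn func; };               /* hypothetical, reduced wait queue */
struct dev_racy  { struct waitq *wait; };     /* points at a short-lived object */
struct dev_fixed { struct waitq wait; int waiters; }; /* queue lives with the device */
static struct waitq frame_slot; /* constructed stand-in for terminate's stack frame */

/* 1 = callback ran, 0 = nobody waiting, -1 = callback pointer is garbage. */
static int wake(struct waitq *q)
{
    if (!q)
        return 0;
    return q->func == default_wake ? q->func() : -1;
}

/* Pointer design; check_first selects the interleaving from the report. */
int racy(int check_first)
{
    struct dev_racy d;
    struct waitq *seen = NULL;
    frame_slot.func = default_wake;               /* terminate: queue "on stack" */
    d.wait = &frame_slot;                         /* terminate: publish it */
    if (check_first)
        seen = d.wait;                            /* bh: dev->wait check succeeds */
    d.wait = NULL;                                /* terminate: unpublish, return */
    memset(&frame_slot, 0xE2, sizeof frame_slot); /* later calls reuse the frame */
    if (!check_first)
        seen = d.wait;                            /* bh: sees NULL, skips wake */
    return wake(seen);                            /* bh: wake_up() */
}

/* Same interleaving with the queue embedded in the device (assumed remedy). */
int embedded(void)
{
    struct dev_fixed d = { { default_wake }, 1 }; /* terminate: waiting */
    struct waitq *seen = d.waiters ? &d.wait : NULL; /* bh: check succeeds */
    d.waiters = 0;                                /* terminate: done, returns */
    return wake(seen);                            /* bh: spurious, harmless wake */
}

int main(void)
{
    printf("racy/early=%d racy/late=%d embedded=%d\n", racy(1), racy(0), embedded());
    return 0;
}
```

The `-1` result corresponds to the call through an overwritten callback that the oops records as `PC is at 0xe24cb004` with LR in `__wake_up_common`.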