Date:   Mon, 13 Mar 2017 06:19:44 -0700
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     Petr Vorel <petr.vorel@...il.com>
Cc:     netdev@...r.kernel.org, hayeswang@...ltek.com, davem@...emloft.net
Subject: Re: [PATCH 1/1] r8152: fix NULL pointer dereference in r8152_poll

On Mon, 2017-03-13 at 06:18 -0700, Eric Dumazet wrote:
> On Mon, 2017-03-13 at 13:47 +0100, Petr Vorel wrote:
> > commit 7489bdadb7d1 (r8152: check rx after napi is enabled) causes null
> > pointer dereference when using device as under root:
> > 
> >  # rmmod r8152 # or lsusb -v
> > NOHZ: local_softirq_pending 08
> > BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
> > IP: r8152_poll+0x125/0x570 [r8152]
> > PGD 89b4cf067
> > PUD 898ff2067
> > PMD 0
> > Oops: 0002 [#1] PREEMPT SMP
> > 
> > Signed-off-by: Petr Vorel <petr.vorel@...il.com>
> > ---
> > NOTE: This is just a workaround, I suppose, there is better way how to fix that
> > (which allows keeping scheduling the napi for rx after napi_enable()).
> > ---
> >  drivers/net/usb/r8152.c | 2 --
> >  1 file changed, 2 deletions(-)
> > 
> > diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
> > index 986243c932cc..79c665a89a47 100644
> > --- a/drivers/net/usb/r8152.c
> > +++ b/drivers/net/usb/r8152.c
> > @@ -3703,8 +3703,6 @@ static int rtl8152_resume(struct usb_interface *intf)
> >  			napi_enable(&tp->napi);
> >  			clear_bit(SELECTIVE_SUSPEND, &tp->flags);
> >  			smp_mb__after_atomic();
> > -			if (!list_empty(&tp->rx_done))
> > -				napi_schedule(&tp->napi);
> >  		} else {
> >  			tp->rtl_ops.up(tp);
> >  			netif_carrier_off(tp->netdev);
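Review bot: deleting the two napi_schedule() lines removes the symptom but also drops the rx_done backlog: completions that landed in tp->rx_done while the device was selectively suspended are no longer handed to NAPI on resume and sit there until the next URB completion wakes r8152_poll; the patch's own NOTE concedes it is a workaround. The report line "NOHZ: local_softirq_pending 08" shows the real defect, which is the context of the call rather than the call itself: bit 3 (0x08) is NET_RX_SOFTIRQ, raised by napi_schedule() from this process-context resume path with softirqs enabled, so it is only marked pending. Keep the `if (!list_empty(&tp->rx_done)) napi_schedule(&tp->napi);` pair and bracket it with local_bh_disable()/local_bh_enable() so the raised softirq runs on the enable.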
> 
> 
> The proper workaround is to enclose the napi_schedule() in a
> local_bh_enable()/local_bh_disable() pair.

Something like:

diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 986243c932ccd6fe19c592805c1c63274f5e5555..b6bb1720c383946ea6142ec2f79f5b7a69031d7f 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -3703,8 +3703,10 @@ static int rtl8152_resume(struct usb_interface *intf)
 			napi_enable(&tp->napi);
 			clear_bit(SELECTIVE_SUSPEND, &tp->flags);
 			smp_mb__after_atomic();
+			local_bh_disable();
 			if (!list_empty(&tp->rx_done))
 				napi_schedule(&tp->napi);
+			local_bh_enable();
 		} else {
 			tp->rtl_ops.up(tp);
 			netif_carrier_off(tp->netdev);
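Review bot: a one-line comment above `local_bh_disable();` stating why the pair is required would keep a later cleanup from dropping it as redundant: napi_schedule() raises NET_RX_SOFTIRQ, and in this process-context resume path it is otherwise only left pending (the "NOHZ: local_softirq_pending 08" line in the original report, 0x08 being NET_RX_SOFTIRQ); local_bh_enable() runs the pending softirq on this CPU. Placement looks right, after smp_mb__after_atomic() so the SELECTIVE_SUSPEND clear is visible before the poll runs, and unlike the first patch the rx_done backlog is still drained on resume. The hunk header -3703,8 +3703,10 is consistent with the two added lines.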
