lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Tue, 21 May 2019 13:47:04 -0700 (PDT)
From:   David Miller <>
Subject: Re: [PATCH v3] usbnet: fix kernel crash after disconnect

From: Kloetzke Jan <>
Date: Tue, 21 May 2019 13:18:40 +0000

> When disconnecting cdc_ncm the kernel sporadically crashes shortly
> after the disconnect:
> The crash happens roughly 125..130ms after the disconnect. This
> correlates with the 'delay' timer that is started on certain USB tx/rx
> errors in the URB completion handler.
> The problem is a race of usbnet_stop() with usbnet_start_xmit(). In
> usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in
> flight. This only makes sense if no new URBs are submitted
> concurrently, though. But the usbnet_start_xmit() can run at the same
> time on another CPU which almost unconditionally submits an URB. The
> error callback of the new URB will then schedule the timer after it was
> already stopped.
> The fix adds a check if the tx queue is stopped after the tx list lock
> has been taken. This should reliably prevent the submission of new URBs
> while usbnet_terminate_urbs() does its job. The same thing is done on
> the rx side even though it might be safe due to other flags that are
> checked there.
> Signed-off-by: Jan Klötzke <>


Powered by blists - more mailing lists