| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 May 2019 13:47:04 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: Jan.Kloetzke@...h.de
Cc: oneukum@...e.com, jan@...etzke.net, netdev@...r.kernel.org,
linux-usb@...r.kernel.org
Subject: Re: [PATCH v3] usbnet: fix kernel crash after disconnect
From: Kloetzke Jan <Jan.Kloetzke@...h.de>
Date: Tue, 21 May 2019 13:18:40 +0000
> When disconnecting cdc_ncm the kernel sporadically crashes shortly
> after the disconnect:
...
> The crash happens roughly 125..130ms after the disconnect. This
> correlates with the 'delay' timer that is started on certain USB tx/rx
> errors in the URB completion handler.
>
> The problem is a race of usbnet_stop() with usbnet_start_xmit(). In
> usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in
> flight. This only makes sense if no new URBs are submitted
> concurrently, though. But the usbnet_start_xmit() can run at the same
> time on another CPU which almost unconditionally submits an URB. The
> error callback of the new URB will then schedule the timer after it was
> already stopped.
>
> The fix adds a check if the tx queue is stopped after the tx list lock
> has been taken. This should reliably prevent the submission of new URBs
> while usbnet_terminate_urbs() does its job. The same thing is done on
> the rx side even though it might be safe due to other flags that are
> checked there.
>
> Signed-off-by: Jan Klötzke <Jan.Kloetzke@...h.de>
Applied.
Powered by blists - more mailing lists