| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Nov 2019 12:49:08 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: pmalani@...omium.org
Cc: hayeswang@...ltek.com, grundler@...omium.org,
netdev@...r.kernel.org, nic_swsd@...ltek.com
Subject: Re: [PATCH net] r8152: Re-order napi_disable in rtl8152_close
From: Prashant Malani <pmalani@...omium.org>
Date: Wed, 20 Nov 2019 11:40:21 -0800
> Both rtl_work_func_t() and rtl8152_close() call napi_disable().
> Since the two calls aren't protected by a lock, if the close
> function starts executing before the work function, we can get into a
> situation where the napi_disable() function is called twice in
> succession (first by rtl8152_close(), then by set_carrier()).
>
> In such a situation, the second call would loop indefinitely, since
> rtl8152_close() doesn't call napi_enable() to clear the NAPI_STATE_SCHED
> bit.
>
> The rtl8152_close() function in turn issues a
> cancel_delayed_work_sync(), and so it would wait indefinitely for the
> rtl_work_func_t() to complete. Since rtl8152_close() is called by a
> process holding rtnl_lock() which is requested by other processes, this
> eventually leads to a system deadlock and crash.
>
> Re-order the napi_disable() call to occur after the work function
> disabling and urb cancellation calls are issued.
>
> Change-Id: I6ef0b703fc214998a037a68f722f784e1d07815e
> Reported-by: http://crbug.com/1017928
> Signed-off-by: Prashant Malani <pmalani@...omium.org>
Applied and queued up for -stable, thanks.
Powered by blists - more mailing lists