| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d7c05cd827d3487d8376db0fe30baace@realtek.com>
Date: Thu, 21 Nov 2019 02:13:38 +0000
From: Hayes Wang <hayeswang@...ltek.com>
To: Prashant Malani <pmalani@...omium.org>
CC: "grundler@...omium.org" <grundler@...omium.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
nic_swsd <nic_swsd@...ltek.com>
Subject: RE: [PATCH net] r8152: Re-order napi_disable in rtl8152_close
Prashant Malani [mailto:pmalani@...omium.org]
> Sent: Thursday, November 21, 2019 3:40 AM
> Both rtl_work_func_t() and rtl8152_close() call napi_disable().
> Since the two calls aren't protected by a lock, if the close
> function starts executing before the work function, we can get into a
> situation where the napi_disable() function is called twice in
> succession (first by rtl8152_close(), then by set_carrier()).
>
> In such a situation, the second call would loop indefinitely, since
> rtl8152_close() doesn't call napi_enable() to clear the NAPI_STATE_SCHED
> bit.
>
> The rtl8152_close() function in turn issues a
> cancel_delayed_work_sync(), and so it would wait indefinitely for the
> rtl_work_func_t() to complete. Since rtl8152_close() is called by a
> process holding rtnl_lock() which is requested by other processes, this
> eventually leads to a system deadlock and crash.
>
> Re-order the napi_disable() call to occur after the work function
> disabling and urb cancellation calls are issued.
>
> Change-Id: I6ef0b703fc214998a037a68f722f784e1d07815e
> Reported-by: http://crbug.com/1017928
> Signed-off-by: Prashant Malani <pmalani@...omium.org>
Acked-by: Hayes Wang <hayeswang@...ltek.com>
Thanks
Best Regards,
Hayes
Powered by blists - more mailing lists