From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Huajun Li <huajun.li.lee@gmail.com>,
Ming Lei <tom.leiming@gmail.com>, Oliver Neukum <oneukum@suse.de>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 23/54] usbnet: fix skb traversing races during unlink(v2)
Date: Fri, 18 May 2012 14:16:22 -0700 [thread overview]
Message-ID: <20120518211601.569045687@linuxfoundation.org> (raw)
In-Reply-To: <20120518212656.GA4992@kroah.com>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <tom.leiming@gmail.com>
commit 5b6e9bcdeb65634b4ad604eb4536404bbfc62cfa upstream.
Commit 4231d47e6fe69f061f96c98c30eaf9fb4c14b96d(net/usbnet: avoid
recursive locking in usbnet_stop()) fixes the recursive locking
problem by releasing the skb queue lock before unlink, but may
cause skb traversing races:
- after URB is unlinked and the queue lock is released,
the refered skb and skb->next may be moved to done queue,
even be released
- in skb_queue_walk_safe, the next skb is still obtained
by next pointer of the last skb
- so maybe trigger oops or other problems
This patch extends the usage of entry->state to describe 'start_unlink'
state, so always holding the queue(rx/tx) lock to change the state if
the referd skb is in rx or tx queue because we need to know if the
refered urb has been started unlinking in unlink_urbs.
The other part of this patch is based on Huajun's patch:
always traverse from head of the tx/rx queue to get skb which is
to be unlinked but not been started unlinking.
Signed-off-by: Huajun Li <huajun.li.lee@gmail.com>
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Cc: Oliver Neukum <oneukum@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/usbnet.c | 54 +++++++++++++++++++++++++++++++--------------
include/linux/usb/usbnet.h | 3 +-
2 files changed, 40 insertions(+), 17 deletions(-)
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -277,17 +277,32 @@ int usbnet_change_mtu (struct net_device
}
EXPORT_SYMBOL_GPL(usbnet_change_mtu);
+/* The caller must hold list->lock */
+static void __usbnet_queue_skb(struct sk_buff_head *list,
+ struct sk_buff *newsk, enum skb_state state)
+{
+ struct skb_data *entry = (struct skb_data *) newsk->cb;
+
+ __skb_queue_tail(list, newsk);
+ entry->state = state;
+}
+
/*-------------------------------------------------------------------------*/
/* some LK 2.4 HCDs oopsed if we freed or resubmitted urbs from
* completion callbacks. 2.5 should have fixed those bugs...
*/
-static void defer_bh(struct usbnet *dev, struct sk_buff *skb, struct sk_buff_head *list)
+static enum skb_state defer_bh(struct usbnet *dev, struct sk_buff *skb,
+ struct sk_buff_head *list, enum skb_state state)
{
unsigned long flags;
+ enum skb_state old_state;
+ struct skb_data *entry = (struct skb_data *) skb->cb;
spin_lock_irqsave(&list->lock, flags);
+ old_state = entry->state;
+ entry->state = state;
__skb_unlink(skb, list);
spin_unlock(&list->lock);
spin_lock(&dev->done.lock);
@@ -295,6 +310,7 @@ static void defer_bh(struct usbnet *dev,
if (dev->done.qlen == 1)
tasklet_schedule(&dev->bh);
spin_unlock_irqrestore(&dev->done.lock, flags);
+ return old_state;
}
/* some work can't be done in tasklets, so we use keventd
@@ -335,7 +351,6 @@ static int rx_submit (struct usbnet *dev
entry = (struct skb_data *) skb->cb;
entry->urb = urb;
entry->dev = dev;
- entry->state = rx_start;
entry->length = 0;
usb_fill_bulk_urb (urb, dev->udev, dev->in,
@@ -367,7 +382,7 @@ static int rx_submit (struct usbnet *dev
tasklet_schedule (&dev->bh);
break;
case 0:
- __skb_queue_tail (&dev->rxq, skb);
+ __usbnet_queue_skb(&dev->rxq, skb, rx_start);
}
} else {
netif_dbg(dev, ifdown, dev->net, "rx: stopped\n");
@@ -418,16 +433,17 @@ static void rx_complete (struct urb *urb
struct skb_data *entry = (struct skb_data *) skb->cb;
struct usbnet *dev = entry->dev;
int urb_status = urb->status;
+ enum skb_state state;
skb_put (skb, urb->actual_length);
- entry->state = rx_done;
+ state = rx_done;
entry->urb = NULL;
switch (urb_status) {
/* success */
case 0:
if (skb->len < dev->net->hard_header_len) {
- entry->state = rx_cleanup;
+ state = rx_cleanup;
dev->net->stats.rx_errors++;
dev->net->stats.rx_length_errors++;
netif_dbg(dev, rx_err, dev->net,
@@ -466,7 +482,7 @@ static void rx_complete (struct urb *urb
"rx throttle %d\n", urb_status);
}
block:
- entry->state = rx_cleanup;
+ state = rx_cleanup;
entry->urb = urb;
urb = NULL;
break;
@@ -477,17 +493,18 @@ block:
// FALLTHROUGH
default:
- entry->state = rx_cleanup;
+ state = rx_cleanup;
dev->net->stats.rx_errors++;
netif_dbg(dev, rx_err, dev->net, "rx status %d\n", urb_status);
break;
}
- defer_bh(dev, skb, &dev->rxq);
+ state = defer_bh(dev, skb, &dev->rxq, state);
if (urb) {
if (netif_running (dev->net) &&
- !test_bit (EVENT_RX_HALT, &dev->flags)) {
+ !test_bit (EVENT_RX_HALT, &dev->flags) &&
+ state != unlink_start) {
rx_submit (dev, urb, GFP_ATOMIC);
return;
}
@@ -573,16 +590,23 @@ EXPORT_SYMBOL_GPL(usbnet_purge_paused_rx
static int unlink_urbs (struct usbnet *dev, struct sk_buff_head *q)
{
unsigned long flags;
- struct sk_buff *skb, *skbnext;
+ struct sk_buff *skb;
int count = 0;
spin_lock_irqsave (&q->lock, flags);
- skb_queue_walk_safe(q, skb, skbnext) {
+ while (!skb_queue_empty(q)) {
struct skb_data *entry;
struct urb *urb;
int retval;
- entry = (struct skb_data *) skb->cb;
+ skb_queue_walk(q, skb) {
+ entry = (struct skb_data *) skb->cb;
+ if (entry->state != unlink_start)
+ goto found;
+ }
+ break;
+found:
+ entry->state = unlink_start;
urb = entry->urb;
/*
@@ -1033,8 +1057,7 @@ static void tx_complete (struct urb *urb
}
usb_autopm_put_interface_async(dev->intf);
- entry->state = tx_done;
- defer_bh(dev, skb, &dev->txq);
+ (void) defer_bh(dev, skb, &dev->txq, tx_done);
}
/*-------------------------------------------------------------------------*/
@@ -1087,7 +1110,6 @@ netdev_tx_t usbnet_start_xmit (struct sk
entry = (struct skb_data *) skb->cb;
entry->urb = urb;
entry->dev = dev;
- entry->state = tx_start;
entry->length = length;
usb_fill_bulk_urb (urb, dev->udev, dev->out,
@@ -1146,7 +1168,7 @@ netdev_tx_t usbnet_start_xmit (struct sk
break;
case 0:
net->trans_start = jiffies;
- __skb_queue_tail (&dev->txq, skb);
+ __usbnet_queue_skb(&dev->txq, skb, tx_start);
if (dev->txq.qlen >= TX_QLEN (dev))
netif_stop_queue (net);
}
--- a/include/linux/usb/usbnet.h
+++ b/include/linux/usb/usbnet.h
@@ -191,7 +191,8 @@ extern void usbnet_cdc_status(struct usb
enum skb_state {
illegal = 0,
tx_start, tx_done,
- rx_start, rx_done, rx_cleanup
+ rx_start, rx_done, rx_cleanup,
+ unlink_start
};
struct skb_data { /* skb->cb is one of these */
next prev parent reply other threads:[~2012-05-18 23:03 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-18 21:26 [ 00/54] 3.0.32-stable review Greg KH
2012-05-18 21:16 ` [ 01/54] smsc95xx: mark link down on startup and let PHY interrupt deal with carrier changes Greg KH
2012-05-18 21:16 ` [ 02/54] xen/pte: Fix crashes when trying to see non-existent PGD/PMD/PUD/PTEs Greg KH
2012-05-18 21:16 ` [ 03/54] xen/pci: dont use PCI BIOS service for configuration space accesses Greg KH
2012-05-18 21:16 ` [ 04/54] percpu, x86: dont use PMD_SIZE as embedded atom_size on 32bit Greg KH
2012-05-18 21:16 ` [ 05/54] asm-generic: Use __BITS_PER_LONG in statfs.h Greg KH
2012-05-18 21:16 ` [ 06/54] Fix __read_seqcount_begin() to use ACCESS_ONCE for sequence value read Greg KH
2012-05-18 21:16 ` [ 07/54] ARM: 7410/1: Add extra clobber registers for assembly in kernel_execve Greg KH
2012-05-18 21:16 ` [ 08/54] ARM: 7414/1: SMP: prevent use of the console when using idmap_pgd Greg KH
2012-05-18 21:16 ` [ 09/54] regulator: Fix the logic to ensure new voltage setting in valid range Greg KH
2012-05-18 21:16 ` [ 10/54] ARM: orion5x: Fix GPIO enable bits for MPP9 Greg KH
2012-05-18 21:16 ` [ 11/54] asix: Fix tx transfer padding for full-speed USB Greg KH
2012-05-18 21:16 ` [ 12/54] netem: fix possible skb leak Greg KH
2012-05-18 21:16 ` [ 13/54] net: In unregister_netdevice_notifier unregister the netdevices Greg KH
2012-05-21 17:35 ` Herton Ronaldo Krzesinski
2012-05-27 0:13 ` Greg KH
2012-05-27 0:18 ` David Miller
2012-05-27 0:22 ` Greg KH
2012-05-18 21:16 ` [ 14/54] net: l2tp: unlock socket lock before returning from l2tp_ip_sendmsg Greg KH
2012-05-18 21:16 ` [ 15/54] sky2: propogate rx hash when packet is copied Greg KH
2012-05-18 21:16 ` [ 16/54] sky2: fix receive length error in mixed non-VLAN/VLAN traffic Greg KH
2012-05-18 21:16 ` [ 17/54] tg3: Avoid panic from reserved statblk field access Greg KH
2012-05-18 21:16 ` [ 18/54] sungem: Fix WakeOnLan Greg KH
2012-05-18 21:16 ` [ 19/54] tcp: change tcp_adv_win_scale and tcp_rmem[2] Greg KH
2012-05-18 21:16 ` [ 20/54] sony-laptop: Enable keyboard backlight by default Greg KH
2012-05-18 21:16 ` [ 21/54] ALSA: echoaudio: Remove incorrect part of assertion Greg KH
2012-05-18 21:16 ` [ 22/54] ALSA: HDA: Lessen CPU usage when waiting for chip to respond Greg KH
2012-05-18 21:16 ` Greg KH [this message]
2012-05-18 21:16 ` [ 24/54] namespaces, pid_ns: fix leakage on fork() failure Greg KH
2012-05-18 21:16 ` [ 25/54] sparc64: Do not clobber %g2 in xcall_fetch_glob_regs() Greg KH
2012-05-18 21:16 ` [ 26/54] ARM: prevent VM_GROWSDOWN mmaps extending below FIRST_USER_ADDRESS Greg KH
2012-05-18 21:16 ` [ 27/54] media: rc: Postpone ISR registration Greg KH
2012-05-18 21:16 ` [ 28/54] cdc_ether: Ignore bogus union descriptor for RNDIS devices Greg KH
2012-05-18 21:16 ` [ 29/54] cdc_ether: add Novatel USB551L device IDs for FLAG_WWAN Greg KH
2012-05-18 21:16 ` [ 30/54] percpu: pcpu_embed_first_chunk() should free unused parts after all allocs are complete Greg KH
2012-05-18 21:16 ` [ 31/54] kmemleak: Fix the kmemleak tracking of the percpu areas with !SMP Greg KH
2012-05-19 13:27 ` Christoph Biedl
2012-05-19 14:46 ` Greg KH
2012-05-19 15:45 ` Christoph Biedl
2012-05-19 21:45 ` Catalin Marinas
2012-05-18 21:16 ` [ 32/54] hugetlb: prevent BUG_ON in hugetlb_fault() -> hugetlb_cow() Greg KH
2012-05-18 21:16 ` [ 33/54] mm: nobootmem: fix sign extend problem in __free_pages_memory() Greg KH
2012-05-18 21:16 ` [ 34/54] jffs2: Fix lock acquisition order bug in gc path Greg KH
2012-05-18 21:16 ` [ 35/54] arch/tile: apply commit 74fca9da0 to the compat signal handling as well Greg KH
2012-05-18 21:16 ` [ 36/54] crypto: mv_cesa requires on CRYPTO_HASH to build Greg KH
2012-05-18 21:16 ` [ 37/54] MD: Add del_timer_sync to mddev_suspend (fix nasty panic) Greg KH
2012-05-18 21:16 ` [ 38/54] tcp: do_tcp_sendpages() must try to push data out on oom conditions Greg KH
2012-05-18 21:16 ` [ 39/54] init: dont try mounting device as nfs root unless type fully matches Greg KH
2012-05-18 21:16 ` [ 40/54] ext4: avoid deadlock on sync-mounted FS w/o journal Greg KH
2012-05-18 21:16 ` [ 41/54] NFSv4: Revalidate uid/gid after open Greg KH
2012-05-18 21:16 ` [ 42/54] memcg: free spare array to avoid memory leak Greg KH
2012-05-18 21:16 ` [ 43/54] compat: Fix RT signal mask corruption via sigprocmask Greg KH
2012-05-18 21:16 ` [ 44/54] ext3: Fix error handling on inode bitmap corruption Greg KH
2012-05-18 21:16 ` [ 45/54] ext4: fix " Greg KH
2012-05-18 21:16 ` [ 46/54] ACPI / PM: Add Sony Vaio VPCCW29FX to nonvs blacklist Greg KH
2012-05-18 21:16 ` [ 47/54] SCSI: hpsa: Add IRQF_SHARED back in for the non-MSI(X) interrupt handler Greg KH
2012-05-18 21:16 ` [ 48/54] wake up s_wait_unfrozen when ->freeze_fs fails Greg KH
2012-05-18 21:16 ` [ 49/54] pch_gpio: Support new device LAPIS Semiconductor ML7831 IOH Greg KH
2012-05-18 21:16 ` [ 50/54] pch_gbe: fixed the issue which receives an unnecessary packet Greg KH
2012-05-18 21:16 ` [ 51/54] pch_gbe: support ML7831 IOH Greg KH
2012-05-18 21:16 ` [ 52/54] pch_gbe: Fixed the issue on which PC was frozen when link was downed Greg KH
2012-05-18 21:16 ` [ 53/54] pch_gbe: Do not abort probe on bad MAC Greg KH
2012-05-18 21:16 ` [ 54/54] pch_gbe: memory corruption calling pch_gbe_validate_option() Greg KH
2012-05-19 1:01 ` [ 00/54] 3.0.32-stable review Steven Rostedt
2012-05-19 4:20 ` Greg KH
2012-05-20 2:01 ` [PATCH] pidmap: Use GFP_ATOMIC to allocate page (was: Re: [ 00/54] 3.0.32-stable review) Steven Rostedt
2012-05-20 2:32 ` David Rientjes
2012-05-20 19:03 ` Linus Torvalds
2012-05-20 23:22 ` David Rientjes
2012-05-20 23:35 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120518211601.569045687@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=davem@davemloft.net \
--cc=huajun.li.lee@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oneukum@suse.de \
--cc=stable@vger.kernel.org \
--cc=tom.leiming@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.