linux-usb.vger.kernel.org archive mirror
From: Oliver Neukum <oneukum@suse.com>
To: Johan Hovold <johan@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Alan Stern <stern@rowland.harvard.edu>
Cc: linux-usb@vger.kernel.org
Subject: [4/5] USB: cdc-acm: fix unthrottle races
Date: Mon, 29 Apr 2019 12:09:24 +0200
Message-ID: <1556532564.20085.10.camel@suse.com>

On Thu, 2019-04-25 at 18:05 +0200, Johan Hovold wrote:
> Fix two long-standing bugs which could potentially lead to memory
> corruption or leave the port throttled until it is reopened (on weakly
> ordered systems), respectively, when read-URB completion races with
> unthrottle().
> 
> First, the URB must not be marked as free before processing is complete
> to prevent it from being submitted by unthrottle() on another CPU.
> 
>         CPU 1                           CPU 2
>         ================                ================
>         complete()                      unthrottle()
>           process_urb();
>           smp_mb__before_atomic();
>           set_bit(i, free);               if (test_and_clear_bit(i, free))
>                                                   submit_urb();
> 
> Second, the URB must be marked as free before checking the throttled
> flag to prevent unthrottle() on another CPU from failing to observe that
> the URB needs to be submitted if complete() sees that the throttled flag
> is set.
> 
>         CPU 1                           CPU 2
>         ================                ================
>         complete()                      unthrottle()
>           set_bit(i, free);               throttled = 0;
>           smp_mb__after_atomic();         smp_mb();
>           if (throttled)                  if (test_and_clear_bit(i, free))
>                   return;                         submit_urb();
> 
> Note that test_and_clear_bit() only implies barriers when the test is
> successful. To handle the case where the URB is still in use an explicit
> barrier needs to be added to unthrottle() for the second race condition.
> 
> Also note that the first race was fixed by 36e59e0d70d6 ("cdc-acm: fix
> race between callback and unthrottle") back in 2015, but the bug was
> reintroduced a year later.
> 
> Fixes: 1aba579f3cf5 ("cdc-acm: handle read pipe errors")
> Fixes: 088c64f81284 ("USB: cdc-acm: re-write read processing")
> Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
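
The two orderings from the quoted diagrams, as an added userspace model that is not part of this thread or of the cdc-acm driver. C11 atomics stand in for the kernel primitives (an assumption of this example), and `port_model`, `submit_if_free`, `model_complete` and `model_unthrottle` are hypothetical names. The relaxed early test in `submit_if_free` mirrors the note that a failed test_and_clear_bit() implies no barrier.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical userspace model; not the cdc-acm driver's code. */
struct port_model {
    atomic_ulong free;       /* bit i set: URB i is idle and may be submitted */
    atomic_bool  throttled;  /* reader asked the port to stop receiving */
    int processed[4];        /* times URB i's data was consumed */
    int submitted[4];        /* times URB i was handed back for I/O */
};

/* Claim URB i if it is free; only the caller that clears the bit submits. */
static bool submit_if_free(struct port_model *p, int i)
{
    unsigned long bit = 1UL << i;
    /* Failed test: plain read, no ordering (models the note in the patch). */
    if (!(atomic_load_explicit(&p->free, memory_order_relaxed) & bit))
        return false;
    /* Successful path: acq_rel RMW pairs with the release in model_complete(). */
    if (!(atomic_fetch_and_explicit(&p->free, ~bit, memory_order_acq_rel) & bit))
        return false;        /* the other CPU claimed it first */
    p->submitted[i]++;
    return true;
}

/* Read-URB completion (CPU 1 in both diagrams). Returns true if resubmitted. */
bool model_complete(struct port_model *p, int i)
{
    p->processed[i]++;                                  /* process_urb() */
    /* Race 1: release keeps processing ahead of the bit becoming visible. */
    atomic_fetch_or_explicit(&p->free, 1UL << i, memory_order_release);
    /* Race 2: full fence between marking free and reading throttled. */
    atomic_thread_fence(memory_order_seq_cst);
    if (atomic_load_explicit(&p->throttled, memory_order_relaxed))
        return false;        /* unthrottle() must now observe the free bit */
    return submit_if_free(p, i);
}

/* unthrottle() (CPU 2). Returns the number of URBs it submitted. */
int model_unthrottle(struct port_model *p, int nr_urbs)
{
    int n = 0;
    atomic_store_explicit(&p->throttled, false, memory_order_relaxed);
    /* Explicit fence, as in the second diagram, before testing the bits. */
    atomic_thread_fence(memory_order_seq_cst);
    for (int i = 0; i < nr_urbs; i++)
        n += submit_if_free(p, i);
    return n;
}
```

With a fence on both sides, the case where completion reads a stale throttled flag while unthrottle() also reads a stale free bit cannot occur, so a completed URB is always resubmitted by exactly one of the two paths.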
