From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Alan Stern <stern@rowland.harvard.edu>,
David Brownell <david-b@pacbell.net>
Subject: [19/44] USB: EHCI: fix obscure race in ehci_endpoint_disable
Date: Tue, 07 Dec 2010 16:04:18 -0800 [thread overview]
Message-ID: <20101208000641.423978067@clark.site> (raw)
In-Reply-To: <20101208003205.GA4286@kroah.com>
2.6.27-stable review patch. If anyone has any objections, please let us know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream.
This patch (as1435) fixes an obscure and unlikely race in ehci-hcd.
When an async URB is unlinked, the corresponding QH is removed from
the async list. If the QH's endpoint is then disabled while the URB
is being given back, ehci_endpoint_disable() won't find the QH on the
async list, causing it to believe that the QH has been lost. This
will lead to a memory leak at best and quite possibly to an oops.
The solution is to trust usbcore not to lose track of endpoints. If
the QH isn't on the async list then it doesn't need to be taken off
the list, but the driver should still wait for the QH to become IDLE
before disabling it.
In theory this fixes Bugzilla #20182. In fact the race is so rare
that it's not possible to tell whether the bug is still present.
However, adding delays and making other changes to force the race
seems to show that the patch works.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
CC: David Brownell <david-b@pacbell.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/host/ehci-hcd.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/usb/host/ehci-hcd.c
+++ b/drivers/usb/host/ehci-hcd.c
@@ -954,10 +954,11 @@ rescan:
tmp && tmp != qh;
tmp = tmp->qh_next.qh)
continue;
- /* periodic qh self-unlinks on empty */
- if (!tmp)
- goto nogood;
- unlink_async (ehci, qh);
+ /* periodic qh self-unlinks on empty, and a COMPLETING qh
+ * may already be unlinked.
+ */
+ if (tmp)
+ unlink_async(ehci, qh);
/* FALL THROUGH */
case QH_STATE_UNLINK: /* wait for hw to finish? */
case QH_STATE_UNLINK_WAIT:
@@ -972,7 +973,6 @@ idle_timeout:
}
/* else FALL THROUGH */
default:
-nogood:
/* caller was supposed to have unlinked any requests;
* that's not our job. just leak this memory.
*/
next prev parent reply other threads:[~2010-12-08 0:34 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-08 0:32 [00/44] 2.6.27.57-stable review Greg KH
2010-12-08 0:04 ` [01/44] block: check for proper length of iov entries in blk_rq_map_user_iov() Greg KH
2010-12-08 0:04 ` [02/44] irda: Fix parameter extraction stack overflow Greg KH
2010-12-08 0:04 ` [03/44] irda: Fix heap memory corruption in iriap.c Greg KH
2010-12-08 0:04 ` [04/44] percpu: fix list_head init bug in __percpu_counter_init() Greg KH
2010-12-08 0:04 ` [05/44] um: fix global timer issue when using CONFIG_NO_HZ Greg KH
2010-12-08 0:04 ` [06/44] numa: fix slab_node(MPOL_BIND) Greg KH
2010-12-08 3:03 ` Lee Schermerhorn
2010-12-08 3:03 ` Lee Schermerhorn
2010-12-08 4:17 ` Greg KH
2010-12-08 4:37 ` Eric Dumazet
2010-12-08 13:54 ` Lee Schermerhorn
2010-12-08 4:33 ` Eric Dumazet
2010-12-08 5:07 ` Eric Dumazet
2010-12-08 13:53 ` Lee Schermerhorn
2010-12-08 0:04 ` [07/44] mm: fix return value of scan_lru_pages in memory unplug Greg KH
2010-12-08 0:04 ` [08/44] mm: fix is_mem_section_removable() page_order BUG_ON check Greg KH
2010-12-08 0:04 ` [09/44] ipc: initialize structure memory to zero for compat functions Greg KH
2010-12-08 0:04 ` [10/44] ipc: shm: fix information leak to userland Greg KH
2010-12-08 0:04 ` [11/44] sys_semctl: fix kernel stack leakage Greg KH
2010-12-08 0:04 ` [12/44] drivers/char/vt_ioctl.c: fix VT_OPENQRY error value Greg KH
2010-12-08 0:04 ` [13/44] eCryptfs: Clear LOOKUP_OPEN flag when creating lower file Greg KH
2010-12-08 0:04 ` [14/44] bio: take care not overflow page count when mapping/copying user data Greg KH
2010-12-08 0:04 ` [15/44] libata: fix NULL sdev dereference race in atapi_qc_complete() Greg KH
2010-12-08 0:04 ` [16/44] usb: misc: sisusbvga: fix information leak to userland Greg KH
2010-12-08 0:04 ` [17/44] usb: misc: iowarrior: " Greg KH
2010-12-08 0:04 ` [18/44] usb: core: " Greg KH
2010-12-08 0:04 ` Greg KH [this message]
2010-12-08 0:04 ` [20/44] USB: storage: sierra_ms: fix sysfs file attribute Greg KH
2010-12-08 0:04 ` [21/44] USB: atm: ueagle-atm: fix up some permissions on the sysfs files Greg KH
2010-12-08 0:04 ` [22/44] USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions Greg KH
2010-12-08 0:04 ` [23/44] USB: misc: usbled: " Greg KH
2010-12-08 0:04 ` [24/44] USB: misc: trancevibrator: fix up a sysfs attribute permission Greg KH
2010-12-08 0:04 ` [25/44] acpi-cpufreq: fix a memleak when unloading driver Greg KH
2010-12-08 0:04 ` [26/44] do_exit(): make sure that we run with get_fs() == USER_DS Greg KH
2010-12-08 0:04 ` [27/44] DECnet: dont leak uninitialized stack byte Greg KH
2010-12-08 0:04 ` [28/44] ARM: 6482/2: Fix find_next_zero_bit and related assembly Greg KH
2010-12-08 0:04 ` [29/44] net: clear heap allocations for privileged ethtool actions Greg KH
2010-12-08 0:04 ` [30/44] xfrm4: strip ECN and IP Precedence bits in policy lookup Greg KH
2010-12-08 0:04 ` [31/44] net: Fix IPv6 PMTU disc. w/ asymmetric routes Greg KH
2010-12-08 0:04 ` [32/44] rose: Fix signedness issues wrt. digi count Greg KH
2010-12-08 0:04 ` [33/44] net: Fix the condition passed to sk_wait_event() Greg KH
2010-12-08 0:04 ` [34/44] Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows Greg KH
2010-12-08 1:22 ` Linus Torvalds
2010-12-08 4:16 ` Greg KH
2010-12-08 5:50 ` Eric Dumazet
2010-12-08 16:25 ` David Miller
2010-12-08 23:13 ` Greg KH
2010-12-08 0:04 ` [35/44] tcp: Fix race in tcp_poll Greg KH
2010-12-08 0:04 ` [36/44] net: Truncate recvfrom and sendto length to INT_MAX Greg KH
2010-12-08 0:04 ` [37/44] ipv6: conntrack: Add member of user to nf_ct_frag6_queue structure Greg KH
2010-12-08 0:04 ` [38/44] x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet Greg KH
2010-12-08 0:04 ` [39/44] memory corruption in X.25 facilities parsing Greg KH
2010-12-08 0:04 ` [40/44] can-bcm: fix minor heap overflow Greg KH
2010-12-08 0:04 ` [41/44] V4L/DVB: ivtvfb: prevent reading uninitialized stack memory Greg KH
2010-12-08 0:04 ` [42/44] x25: Prevent crashing when parsing bad X.25 facilities Greg KH
2010-12-08 0:04 ` [43/44] econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849 Greg KH
2010-12-08 0:04 ` [44/44] econet: fix CVE-2010-3850 Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101208000641.423978067@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=david-b@pacbell.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox