From: Greg KH <gregkh@linuxfoundation.org>
To: Ying Lu <luying526@gmail.com>
Cc: oneukum@suse.com, andrew+netdev@lunn.ch, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
netdev@vger.kernel.org, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org, luying1 <luying1@xiaomi.com>
Subject: Re: [PATCH v1 1/1] usbnet:fix NPE during rx_complete
Date: Tue, 1 Apr 2025 11:29:53 +0100 [thread overview]
Message-ID: <2025040110-unknowing-siding-c7d2@gregkh> (raw)
In-Reply-To: <e3646459ea67f10135ab821f90f66d8b6e74456c.1743497376.git.luying1@xiaomi.com>
On Tue, Apr 01, 2025 at 06:18:01PM +0800, Ying Lu wrote:
> From: luying1 <luying1@xiaomi.com>
>
> Missing usbnet_going_away Check in Critical Path.
> The usb_submit_urb function lacks a usbnet_going_away
> validation, whereas __usbnet_queue_skb includes this check.
>
> This inconsistency creates a race condition where:
> A URB request may succeed, but the corresponding SKB data
> fails to be queued.
>
> Subsequent processes:
> (e.g., rx_complete → defer_bh → __skb_unlink(skb, list))
> attempt to access skb->next, triggering a NULL pointer
> dereference (Kernel Panic).
>
> Signed-off-by: luying1 <luying1@xiaomi.com>
Please use your name, not an email alias.
Also, what commit id does this fix? Should it be applied to stable
kernels?
thanks,
greg k-h
next prev parent reply other threads:[~2025-04-01 10:31 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-01 10:18 [PATCH v1 0/1] usbnet:fix NPE during rx_complete Ying Lu
2025-04-01 10:18 ` [PATCH v1 1/1] " Ying Lu
2025-04-01 10:29 ` Greg KH [this message]
2025-04-01 12:48 ` Ying Lu
2025-04-01 13:46 ` Greg KH
2025-04-02 0:12 ` Ying Lu
2025-04-02 7:11 ` Greg KH
2025-04-02 8:17 ` Ying Lu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025040110-unknowing-siding-c7d2@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=luying1@xiaomi.com \
--cc=luying526@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=oneukum@suse.com \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).