netdev.vger.kernel.org archive mirror
From: David Miller <davem@davemloft.net>
To: 3erndeckstein@gmail.com
Cc: linux-usb@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, 3ernd.Eckstein@gmail.com,
	Oliver.Zweigle@faro.com
Subject: Re: [PATCH] usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
Date: Tue, 27 Nov 2018 14:59:50 -0800 (PST)
Message-ID: <20181127.145950.2178672310020332163.davem@davemloft.net>
In-Reply-To: <1542977486-15363-1-git-send-email-3ernd.Eckstein@gmail.com>

From: Bernd Eckstein <3erndeckstein@gmail.com>
Date: Fri, 23 Nov 2018 13:51:26 +0100

> The bug is not easily reproducible, as it may occur very infrequently
> (we had machines with 20 minutes heavy downloading before it occurred)
> However, on a virtual machine (VMWare on Windows 10 host) it occurred
> pretty frequently (1-2 seconds after a speedtest was started)
> 
> dev->tx_skb may be freed via dev_kfree_skb_irq on a callback
> before it is set.
> 
> This causes the following problems:
> - double free of the skb or potential memory leak
> - in dmesg: 'recvmsg bug' and 'recvmsg bug 2' and eventually
>   general protection fault
> 
> Example dmesg output:
 ...
> The proposed patch eliminates a potential racing condition.
> Before, usb_submit_urb was called and _after_ that, the skb was attached
> (dev->tx_skb). So, on a callback it was possible, however unlikely that the
> skb was freed before it was set. That way (because dev->tx_skb was not set
> to NULL after it was freed), it could happen that a skb from an earlier
> transmission was freed a second time (and the skb we should have freed did
> not get freed at all)
> 
> Now we free the skb directly in ipheth_tx(). It is not passed to the
> callback anymore, eliminating the possibility of a double free of the same
> skb. Depending on the retval of usb_submit_urb() we use dev_kfree_skb_any()
> respectively dev_consume_skb_any() to free the skb.
> 
> Signed-off-by: Oliver Zweigle <Oliver.Zweigle@faro.com>
> Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com>

Applied and queued up for -stable, thanks.

Thread overview: 3+ messages
2018-11-23 12:51 [PATCH] usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 Bernd Eckstein
2018-11-23 13:07 ` Yves-Alexis Perez
2018-11-27 22:59 ` David Miller [this message]
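
The ordering race described in the quoted commit message, modeled in userspace C as an added example (not the ipheth driver code and not part of the thread). `old_tx`, `new_tx`, `run` and the free counter are hypothetical names; the counter stands in for the kernel's skb free calls, and `early` models the URB completion callback running before `dev->tx_skb` is set.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a counter replaces the real free so double frees are visible. */
struct skb { int frees; };
struct dev { struct skb *tx_skb; };

static void free_skb(struct skb *s) { if (s) s->frees++; }

/* Pre-patch completion callback as described: frees dev->tx_skb and
 * leaves the pointer set (it is not reset to NULL). */
static void old_complete(struct dev *d) { free_skb(d->tx_skb); }

/* Pre-patch ordering: the URB is submitted first, the skb attached after.
 * early != 0 models the callback firing before the attach. */
static void old_tx(struct dev *d, struct skb *s, int early)
{
    if (early) old_complete(d);    /* callback wins the race: frees a stale skb */
    d->tx_skb = s;                 /* attach happens too late */
    if (!early) old_complete(d);   /* usual ordering: frees the right skb */
}

/* Post-patch ordering: tx frees its own skb, the callback never sees it. */
static void new_complete(struct dev *d) { (void)d; }

static void new_tx(struct dev *d, struct skb *s, int early)
{
    if (early) new_complete(d);
    free_skb(s);  /* stands in for dev_kfree_skb_any()/dev_consume_skb_any() */
    if (!early) new_complete(d);
}

/* One normal transmission, then one that loses the race.
 * Returns (frees of first skb) * 10 + (frees of second skb). */
static int run(void (*tx)(struct dev *, struct skb *, int))
{
    struct skb a = {0}, b = {0};
    struct dev d = { NULL };
    tx(&d, &a, 0);
    tx(&d, &b, 1);
    return a.frees * 10 + b.frees;
}

int main(void)
{
    printf("old ordering: %d\n", run(old_tx));  /* first skb freed twice, second never */
    printf("new ordering: %d\n", run(new_tx));  /* each skb freed exactly once */
    return 0;
}
```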
