netdev.vger.kernel.org archive mirror
From: Ming Lei <tom.leiming@gmail.com>
To: Huajun Li <huajun.li.lee@gmail.com>
Cc: Oliver Neukum <oneukum@suse.de>,
	Alan Stern <stern@rowland.harvard.edu>,
	Dave Jones <davej@redhat.com>,
	netdev@vger.kernel.org, linux-usb@vger.kernel.org,
	Fedora Kernel Team <kernel-team@fedoraproject.org>
Subject: Re: use-after-free in usbnet
Date: Sat, 21 Apr 2012 09:49:51 +0800	[thread overview]
Message-ID: <CACVXFVOc0XZ+eLHGiVwKuiUResRk8Cj9MS4EPMx7k57a0tEJhA@mail.gmail.com> (raw)
In-Reply-To: <CA+v9cxZWtGbz6uCSysVbAc1hT27rCiuJXzcvSiTxH-zuQYnrZw@mail.gmail.com>

On Fri, Apr 20, 2012 at 10:56 PM, Huajun Li <huajun.li.lee@gmail.com> wrote:
> On Fri, Apr 20, 2012 at 10:22 PM, Ming Lei <tom.leiming@gmail.com> wrote:
>> On Fri, Apr 20, 2012 at 9:37 PM, Huajun Li <huajun.li.lee@gmail.com> wrote:
>>>
>>> The above patch has already been integrated into mainline. However, maybe
>>> there still exists another potential use-after-free issue; here is a
>>> case:
>>>      After releasing the lock in unlink_urbs(), defer_bh() may move the
>>> current skb from rxq/txq to the dev->done queue, or even cause the skb to
>>> be released. Then in the next loop cycle it can't refer to the expected
>>> skb, and may Oops again.
>>
>> Could you explain in a bit more detail? Why can't the expected skb be
>> referred to in the next loop?
>
>
>      unlink_urbs()                          complete handler
>  -------------------------------------     -------------------------------------
>      spin_unlock_irqrestore()
>                                             rx_complete()
>                                             defer_bh()
>                                                 __skb_unlink()
>                                                 __skb_queue_tail(&dev->done, skb)
>                                                     ===> skb is moved to dev->done,
>                                                          and can be freed by usbnet_bh()
>      skb_queue_walk_safe()
>          tmp = skb->next                    ===> refers to freed skb

I see the problem, so it looks like skb_queue_walk_safe is not safe.
I don't know why the 2nd 'tmp = skb->next' in skb_queue_walk_safe
is needed, and it may become unsafe if skb is freed during the current loop.

But removing the 2nd 'tmp = skb->next' doesn't help the problem, because
tmp may still become freed after releasing the lock.

> If its state is x_done/tx_done/rx_cleanup, that means the skb will
> be released soon, right? If so, it should avoid calling
> usb_unlink_urb().

Even though you can avoid calling unlink for completed URBs, the skbs
may still be freed in the unlink path, because the complete handler will be
triggered by unlink and the referenced skb may be freed before the next loop,
so your patch can't fix the oops.

As far as I can think of, we can hold the lock of the done queue to forbid
the skb being freed during unlinking. The patch below may fix the problem;
are you OK with it?

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index db99536..a9809d4 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -581,7 +581,8 @@ static int unlink_urbs (struct usbnet *dev, struct
sk_buff_head *q)
 	struct sk_buff		*skb, *skbnext;
 	int			count = 0;

-	spin_lock_irqsave (&q->lock, flags);
+	spin_lock_irqsave(&dev->done.lock, flags);
+	spin_lock(&q->lock);
 	skb_queue_walk_safe(q, skb, skbnext) {
 		struct skb_data		*entry;
 		struct urb		*urb;
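Review bot: holding dev->done.lock around the walk keeps the skb off the done queue, but it does not keep the cached `skbnext` on `q`. Once `q->lock` is released inside the loop body, defer_bh() can still take `q->lock`, `__skb_unlink()` the next skb from `q` and only then block on `dev->done.lock` (the quoted timeline shows the unlink happening before `__skb_queue_tail`), so `skb_queue_walk_safe(q, skb, skbnext)` resumes from a node that is no longer on the queue and follows its cleared links. Re-reading `q->next` under `q->lock` on every pass, instead of carrying `skbnext` across the unlock, would remove that dependency on a pointer taken before the lock was dropped.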
@@ -598,7 +599,7 @@ static int unlink_urbs (struct usbnet *dev, struct
sk_buff_head *q)
 		 * handler(include defer_bh).
 		 */
 		usb_get_urb(urb);
-		spin_unlock_irqrestore(&q->lock, flags);
+		spin_unlock(&q->lock);
 		// during some PM-driven resume scenarios,
 		// these (async) unlinks complete immediately
 		retval = usb_unlink_urb (urb);
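Review bot: `usb_unlink_urb(urb)` is now called with `dev->done.lock` held and interrupts disabled, and the comment kept in this hunk says these unlinks can complete immediately in some PM-driven resume scenarios. If the completion handler runs synchronously on this CPU and defer_bh() takes `dev->done.lock` to queue the skb, that is a self-deadlock on the done lock. Please confirm on which paths `usb_unlink_urb()` may invoke the completion directly, or restructure so that `dev->done.lock` is not held across the call.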
@@ -607,9 +608,10 @@ static int unlink_urbs (struct usbnet *dev,
struct sk_buff_head *q)
 		else
 			count++;
 		usb_put_urb(urb);
-		spin_lock_irqsave(&q->lock, flags);
+		spin_lock(&q->lock);
 	}
-	spin_unlock_irqrestore (&q->lock, flags);
+	spin_unlock(&q->lock);
+	spin_unlock_irqrestore(&dev->done.lock, flags);
 	return count;
 }
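Review bot: the nesting in this function fixes a lock order of `dev->done.lock` outer, `q->lock` inner. Every other site that holds both locks at once must use the same order or an ABBA deadlock results; the patch does not show those sites, so they should be audited (defer_bh() in particular, since it touches both queues). Also, `flags` is now saved with the done lock at the top and restored only at the final `spin_unlock_irqrestore(&dev->done.lock, flags)`, so interrupts stay disabled across every `usb_unlink_urb()` in the loop rather than only around the queue manipulation; a short comment above the lock pair stating the order and why the done lock must be held for the whole walk would help the next reader.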



Thanks,
-- 
Ming Lei
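The traversal race described in this message, modelled in plain C as an added example (not code from this thread or from drivers/net/usb/usbnet.c). The queue, the walk macro and the completion are small stand-ins written for this page: `complete_entry()` plays the role of defer_bh() firing while `q->lock` is dropped, `q_unlink()` clears the detached node's links the way `__skb_unlink()` does, and an entry that reaches the done queue is only flagged as freed so the stale access can be counted instead of crashing. The second unlinker shows one shape that survives the race by never carrying a cached pointer across the unlock; it models the idea, not the driver's actual fix.

```c
/*
 * Added example; not code from this thread or from drivers/net/usb/usbnet.c.
 * Single-threaded model of the race: a sentinel-headed doubly linked queue
 * stands in for sk_buff_head, complete_entry() stands in for defer_bh()
 * running from the URB completion handler while q->lock is dropped, and an
 * entry moved to "done" counts as freed (a flag, so the racy walk is observable).
 */
#include <stddef.h>

struct node {
	struct node *next, *prev;
	int freed;	/* on the done queue: usbnet_bh may free it at any time */
	int refs;	/* pinned by the unlinker, like usb_get_urb()/usb_put_urb() */
};
struct queue { struct node head; int qlen; };	/* head is a sentinel */

static void q_init(struct queue *q) { q->head.next = q->head.prev = &q->head; q->qlen = 0; }
static int q_empty(const struct queue *q) { return q->head.next == &q->head; }

static void q_tail(struct queue *q, struct node *n)
{
	n->next = &q->head; n->prev = q->head.prev;
	q->head.prev->next = n; q->head.prev = n; q->qlen++;
}

/* mirrors __skb_unlink(): the detached node's links are cleared */
static void q_unlink(struct queue *q, struct node *n)
{
	n->prev->next = n->next; n->next->prev = n->prev;
	n->next = n->prev = NULL; q->qlen--;
}

/* stands in for defer_bh(): move from rxq to done, where it gets freed */
static void complete_entry(struct queue *q, struct queue *done, struct node *n)
{
	q_unlink(q, n); q_tail(done, n); n->freed = 1;
}

/* same shape as skb_queue_walk_safe(): tmp is cached before the body runs */
#define walk_safe(q, n, tmp) \
	for (n = (q)->head.next, tmp = n->next; n != &(q)->head; n = tmp, tmp = n->next)

/*
 * The pattern under discussion. Returns how many iterations landed on an
 * entry already moved to done, i.e. a use-after-free in the real driver.
 */
static int unlink_with_cached_next(struct queue *q, struct queue *done)
{
	struct node *n, *tmp;
	int stale = 0;

	walk_safe(q, n, tmp) {
		if (n->freed) { stale++; break; }	/* dereferencing a freed skb */
		/* "spin_unlock(&q->lock)": rx traffic completes the next entry too */
		if (tmp != &q->head)
			complete_entry(q, done, tmp);
		complete_entry(q, done, n);		/* our own unlink completes n */
		/* "spin_lock(&q->lock)": the loop now advances to the stale tmp */
	}
	return stale;
}

/*
 * A shape that carries no pointer across the unlock: re-read the head under
 * the lock every pass and pin the entry so completion cannot free it meanwhile.
 * Returns the number of entries this path unlinked itself.
 */
static int unlink_from_head(struct queue *q, struct queue *done)
{
	int count = 0;

	while (!q_empty(q)) {
		struct node *n = q->head.next;		/* taken under the lock */
		n->refs++;				/* usb_get_urb() */
		/* "spin_unlock(&q->lock)": the same completions race in */
		if (n->next != &q->head)
			complete_entry(q, done, n->next);
		complete_entry(q, done, n);
		n->refs--;				/* "spin_lock"; usb_put_urb() */
		count++;
	}
	return count;
}

/*
 * Fill rxq with n (<= 16) constructed entries and run one unlinker. With
 * cached_next set, returns the stale hits; otherwise returns how many entries
 * reached done once rxq is drained, or -1 if entries were left behind.
 */
int run_model(int n, int cached_next)
{
	struct node nodes[16];
	struct queue rxq, done;
	int i;

	q_init(&rxq); q_init(&done);
	for (i = 0; i < n && i < 16; i++) {
		nodes[i].freed = nodes[i].refs = 0;
		q_tail(&rxq, &nodes[i]);
	}
	if (cached_next)
		return unlink_with_cached_next(&rxq, &done);
	unlink_from_head(&rxq, &done);
	return q_empty(&rxq) ? done.qlen : -1;
}
```

`run_model(4, 1)` reports one stale access: the walk caches `tmp`, the completion moves that very entry to done while the lock is dropped, and the next pass starts from it. `run_model(4, 0)` drains all four entries into done without touching anything detached, because each pass re-reads the queue head under the lock and the reference keeps the current entry alive until the unlink returns.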

Thread overview: 40+ messages
2012-03-19 15:12 use-after-free in usbnet Dave Jones
2012-03-20  9:40 ` Ming Lei
2012-03-21  1:04     ` Ming Lei
2012-03-21  1:34       ` Ming Lei
2012-03-21 14:35         ` Alan Stern
2012-03-21 15:02             ` Ming Lei
2012-03-21 16:12                 ` Alan Stern
2012-03-21 16:22                     ` Ming Lei
2012-03-21 17:30                         ` Alan Stern
2012-03-22  9:08                         ` Oliver Neukum
2012-03-22  9:30                             ` Ming Lei
2012-03-22  9:57                               ` Oliver Neukum
2012-04-20 13:37                               ` Huajun Li
2012-04-20 14:22                                 ` Ming Lei
2012-04-20 14:56                                     ` Huajun Li
2012-04-20 15:07                                         ` Huajun Li
2012-04-21  1:49                                       ` Ming Lei [this message]
2012-04-21  2:02                                         ` Ming Lei
2012-04-21  6:39                                           ` Huajun Li
2012-04-21  7:06                                               ` Ming Lei
2012-04-21  7:45                                                   ` Ming Lei
2012-04-21  8:00                                                       ` Huajun Li
2012-04-22  2:19                                                       ` Huajun Li
2012-04-22 12:05                                                         ` Ming Lei
2012-04-22 13:15                                                           ` Huajun Li
2012-04-22 14:10                                                               ` Ming Lei
2012-04-22 14:15                                                               ` Ming Lei
2012-04-22 14:19                                                             ` Ming Lei
2012-04-21  7:50                                                 ` Huajun Li
2012-04-21  7:56                                                     ` Ming Lei
2012-04-21  8:23                                                         ` Huajun Li
2012-04-21  9:40                                                             ` Ming Lei
2012-04-22  2:02                                                                 ` Huajun Li
2012-04-21 19:23                                         ` David Miller
2012-04-22  1:45                                             ` Huajun Li
2012-04-22  2:05                                               ` David Miller
2012-04-26  5:02                                   ` Ming Lei
2012-04-26 16:30                                     ` Huajun Li
2012-03-21 14:44       ` Greg KH
2012-03-21 15:07         ` Ming Lei
