From: Johan Hovold <johan@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org, Johan Hovold <johan@kernel.org>,
Alan Stern <stern@rowland.harvard.edu>,
Oliver Neukum <oneukum@suse.com>,
stable@vger.kernel.org
Subject: Re: [PATCH 1/5] USB: serial: fix unthrottle races
Date: Mon, 13 May 2019 12:43:39 +0200 [thread overview]
Message-ID: <20190513104339.GA9651@localhost> (raw)
In-Reply-To: <20190425160540.10036-2-johan@kernel.org>
On Thu, Apr 25, 2019 at 06:05:36PM +0200, Johan Hovold wrote:
> Fix two long-standing bugs which could potentially lead to memory
> corruption or leave the port throttled until it is reopened (on weakly
> ordered systems), respectively, when read-URB completion races with
> unthrottle().
>
> First, the URB must not be marked as free before processing is complete
> to prevent it from being submitted by unthrottle() on another CPU.
>
> CPU 1 CPU 2
> ================ ================
> complete() unthrottle()
> process_urb();
> smp_mb__before_atomic();
> set_bit(i, free); if (test_and_clear_bit(i, free))
> submit_urb();
>
> Second, the URB must be marked as free before checking the throttled
> flag to prevent unthrottle() on another CPU from failing to observe that
> the URB needs to be submitted if complete() sees that the throttled flag
> is set.
>
> CPU 1 CPU 2
> ================ ================
> complete() unthrottle()
> set_bit(i, free); throttled = 0;
> smp_mb__after_atomic(); smp_mb();
> if (throttled) if (test_and_clear_bit(i, free))
> return; submit_urb();
>
> Note that test_and_clear_bit() only implies barriers when the test is
> successful. To handle the case where the URB is still in use an explicit
> barrier needs to be added to unthrottle() for the second race condition.
>
> Fixes: d83b405383c9 ("USB: serial: add support for multiple read urbs")
> Signed-off-by: Johan Hovold <johan@kernel.org>
Greg, I noticed you added a stable tag to the corresponding cdc-acm fix
and think I should have added on one from the start to this one as well.
Would you mind queuing this one up for stable?
Upstream commit 3f5edd58d040bfa4b74fb89bc02f0bc6b9cd06ab.
Thanks,
Johan
next parent reply other threads:[~2019-05-13 10:43 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20190425160540.10036-1-johan@kernel.org>
[not found] ` <20190425160540.10036-2-johan@kernel.org>
2019-05-13 10:43 ` Johan Hovold [this message]
2019-05-13 10:56 ` [PATCH 1/5] USB: serial: fix unthrottle races Greg Kroah-Hartman
2019-05-13 11:46 ` Johan Hovold
2019-05-13 12:51 ` Greg Kroah-Hartman
2019-05-13 12:59 ` Johan Hovold
2019-05-14 12:53 ` Sasha Levin
2019-05-14 12:57 ` Johan Hovold
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190513104339.GA9651@localhost \
--to=johan@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-usb@vger.kernel.org \
--cc=oneukum@suse.com \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox