linux/drivers
Eugene Shatokhin fcb0bb6aab usbnet: Fix a race between usbnet_stop() and the BH
The race may happen when a device (e.g. YOTA 4G LTE Modem) is
unplugged while the system is downloading a large file from the Net.

Hardware breakpoints and Kprobes with delays were used to confirm that
the race does actually happen.

The race is on skb_queue ('next' pointer) between usbnet_stop()
and rx_complete(), which, in turn, calls usbnet_bh().

Here is a part of the call stack with the code where the changes to the
queue happen. The line numbers are for the kernel 4.1.0:

*0 __skb_unlink (skbuff.h:1517)
    prev->next = next;
*1 defer_bh (usbnet.c:430)
    spin_lock_irqsave(&list->lock, flags);
    old_state = entry->state;
    entry->state = state;
    __skb_unlink(skb, list);
    spin_unlock(&list->lock);
    spin_lock(&dev->done.lock);
    __skb_queue_tail(&dev->done, skb);
    if (dev->done.qlen == 1)
        tasklet_schedule(&dev->bh);
    spin_unlock_irqrestore(&dev->done.lock, flags);
*2 rx_complete (usbnet.c:640)
    state = defer_bh(dev, skb, &dev->rxq, state);

At the same time, the following code repeatedly checks if the queue is
empty and reads these values concurrently with the above changes:

*0  usbnet_terminate_urbs (usbnet.c:765)
    /* maybe wait for deletions to finish. */
    while (!skb_queue_empty(&dev->rxq)
        && !skb_queue_empty(&dev->txq)
        && !skb_queue_empty(&dev->done)) {
            schedule_timeout(msecs_to_jiffies(UNLINK_TIMEOUT_MS));
            set_current_state(TASK_UNINTERRUPTIBLE);
            netif_dbg(dev, ifdown, dev->net,
                  "waited for %d urb completions\n", temp);
    }
*1  usbnet_stop (usbnet.c:806)
    if (!(info->flags & FLAG_AVOID_UNLINK_URBS))
        usbnet_terminate_urbs(dev);

As a result, it is possible, for example, that the skb is removed from
dev->rxq by __skb_unlink() before the check
"!skb_queue_empty(&dev->rxq)" in usbnet_terminate_urbs() is made. It is
also possible in this case that the skb is added to dev->done queue
after "!skb_queue_empty(&dev->done)" is checked. So
usbnet_terminate_urbs() may stop waiting and return while dev->done
queue still has an item.

Locking in defer_bh() and usbnet_terminate_urbs() was revisited to avoid
this race.

Signed-off-by: Eugene Shatokhin <eugene.shatokhin@rosalab.ru>
Reviewed-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-08 13:17:43 -07:00
..
accessibility
acpi Power management and ACPI material for v4.3-rc1 2015-09-01 19:45:46 -07:00
amba
android
ata Merge branch 'for-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2015-09-02 08:00:54 -07:00
atm
auxdisplay auxdisplay: ks0108: initialize local parport variable 2015-08-14 17:27:17 -07:00
base Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2015-09-03 08:08:17 -07:00
bcma bcma: switch GPIO portions to use GPIOLIB_IRQCHIP 2015-08-18 09:08:47 +03:00
block Merge branch 'for-4.3/drivers' of git://git.kernel.dk/linux-block 2015-09-02 13:14:58 -07:00
bluetooth Bluetooth: hci_bcm: Fix crash on suspend 2015-08-28 21:09:14 +02:00
bus
cdrom
char Merge 4.2-rc6 into char-misc-next 2015-08-09 16:28:09 -07:00
clk ARM: DT updates for v4.3 2015-09-01 13:09:20 -07:00
clocksource Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-09-01 14:04:50 -07:00
connector
cpufreq Power management and ACPI material for v4.3-rc1 2015-09-01 19:45:46 -07:00
cpuidle Power management and ACPI material for v4.3-rc1 2015-09-01 19:45:46 -07:00
crypto Merge branch 'for-4.3/sg' of git://git.kernel.dk/linux-block 2015-09-02 13:22:38 -07:00
dca
devfreq PM / devfreq: exynos-ppmu: Add the support of PPMUv2 for Exynos5433 2015-08-03 14:33:05 +09:00
dio
dma Power management and ACPI material for v4.3-rc1 2015-09-01 19:45:46 -07:00
dma-buf
edac Minor stuff: AMD MCE decoding correction and xgene_edac cleanup. 2015-09-01 18:34:22 -07:00
eisa
extcon regulator: Updates for v4.3 2015-08-31 15:49:19 -07:00
firewire
firmware FIRMWARE: bcm47xx_nvram: Fix module license. 2015-08-19 15:00:08 +02:00
fmc
gpio treewide: fix typos in comment blocks 2015-08-07 14:46:24 +02:00
gpu Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-09-01 18:46:42 -07:00
hid Merge branch 'for-4.3/microsoft' into for-linus 2015-09-01 15:38:33 +02:00
hsi
hv Drivers: hv: vmbus: use cpu_hotplug_enable/disable 2015-08-05 11:46:44 -07:00
hwmon hwmon: (fam15h_power) Add ratio of Tsample to the PTSC period 2015-08-27 07:53:19 -07:00
hwspinlock
hwtracing/coresight coresight-etm4x: Support context-ID tracing when PID namespace is enabled 2015-08-05 13:30:15 -07:00
i2c i2c: Fix typo in i2c-bfin-twi.c 2015-08-07 15:02:59 +02:00
ide
idle intel_idle: Skylake Client Support 2015-08-15 22:10:26 -04:00
iio Second set of new device support, features and cleanup for the 4.3 cycle. 2015-08-12 12:43:41 -07:00
infiniband Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-08-21 11:44:04 -07:00
input Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-09-01 18:46:42 -07:00
iommu Merge branch 'for-4.3/sg' of git://git.kernel.dk/linux-block 2015-09-02 13:22:38 -07:00
ipack
irqchip Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-09-01 14:33:35 -07:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2015-09-03 08:08:17 -07:00
leds Besides the changes in MAINTAINERS we have: 2015-08-31 17:08:05 -07:00
lguest
macintosh
mailbox Power management and ACPI material for v4.3-rc1 2015-09-01 19:45:46 -07:00
mcb
md Merge tag 'dm-4.3-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm 2015-09-02 16:35:26 -07:00
media Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-09-01 18:46:42 -07:00
memory ARM: SoC driver updates for v4.3 2015-09-01 13:00:04 -07:00
memstick
message mptfusion: prevent some memory corruption 2015-08-26 07:11:45 -07:00
mfd Power management and ACPI material for v4.3-rc1 2015-09-01 19:45:46 -07:00
misc Merge 4.2-rc6 into char-misc-next 2015-08-09 16:28:09 -07:00
mmc Merge branch 'for-4.3/sg' of git://git.kernel.dk/linux-block 2015-09-02 13:22:38 -07:00
mtd Merge branch 'for-4.3/core' of git://git.kernel.dk/linux-block 2015-09-02 13:10:25 -07:00
net usbnet: Fix a race between usbnet_stop() and the BH 2015-09-08 13:17:43 -07:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2015-09-03 08:08:17 -07:00
ntb ntb: avoid format string in dev_set_name 2015-08-09 16:32:22 -04:00
nubus
nvdimm Merge branch 'for-4.3/core' of git://git.kernel.dk/linux-block 2015-09-02 13:10:25 -07:00
nvmem nvmem: sunxi: Move the SID driver to the nvmem framework 2015-08-05 13:44:24 -07:00
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2015-09-03 08:08:17 -07:00
oprofile
parisc Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-09-01 14:33:35 -07:00
parport
pci Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-09-01 14:33:35 -07:00
pcmcia
phy phy: for 4.3 2015-08-14 16:45:51 -07:00
pinctrl ARM: DT updates for v4.3 2015-09-01 13:09:20 -07:00
platform - Fix dependency issues on ChromeOS platforms 2015-08-10 10:48:11 -07:00
pnp
power Power management and ACPI material for v4.3-rc1 2015-09-01 19:45:46 -07:00
powercap powercap / RAPL: disable the 2nd power limit properly 2015-08-29 01:46:40 +02:00
pps
ps3
ptp
pwm
rapidio
ras x86/ras: Move AMD MCE injector to arch/x86/ras/ 2015-08-13 10:12:54 +02:00
regulator Merge remote-tracking branch 'regulator/topic/tps6586x' into regulator-next 2015-08-30 14:40:29 +01:00
remoteproc
reset Merge branch 'reset/ath79' into reset/next 2015-08-16 17:11:20 +02:00
rpmsg
rtc ARM: SoC platform updates for v4.3 2015-09-01 12:18:40 -07:00
s390 Merge branch 'for-4.3/core' of git://git.kernel.dk/linux-block 2015-09-02 13:10:25 -07:00
sbus
scsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2015-09-03 08:08:17 -07:00
sfi
sh
sn
soc ARM: SoC driver updates for v4.3 2015-09-01 13:00:04 -07:00
spi Merge remote-tracking branches 'spi/topic/ti-qspi', 'spi/topic/xcomm' and 'spi/topic/xlp' into spi-next 2015-08-31 14:45:45 +01:00
spmi Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-09-01 14:33:35 -07:00
ssb
staging Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2015-09-03 08:08:17 -07:00
target Merge branch 'for-4.3/sg' of git://git.kernel.dk/linux-block 2015-09-02 13:22:38 -07:00
tc
thermal Merge branch 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-09-01 08:40:25 -07:00
thunderbolt
tty serial: imx: save and restore context in the suspend path 2015-08-14 17:23:25 -07:00
uio uio: UIO_PRUSS should depend on HAS_DMA 2015-08-05 13:25:59 -07:00
usb Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-09-01 18:46:42 -07:00
uwb
vfio
vhost Merge 4.2-rc6 into char-misc-next 2015-08-09 16:28:09 -07:00
video Power management and ACPI material for v4.3-rc1 2015-09-01 19:45:46 -07:00
virt
virtio virtio-input: reset device and detach unused during remove 2015-08-06 10:40:35 +03:00
vlynq
vme
w1 Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-09-01 18:46:42 -07:00
watchdog char: make misc_deregister a void function 2015-08-05 10:35:49 -07:00
xen Power management and ACPI material for v4.3-rc1 2015-09-01 19:45:46 -07:00
zorro
Kconfig nvmem: Add a simple NVMEM framework for nvmem providers 2015-08-05 13:43:12 -07:00
Makefile nvmem: Add a simple NVMEM framework for nvmem providers 2015-08-05 13:43:12 -07:00