All of lore.kernel.org
 help / color / mirror / Atom feed
From: Oliver Neukum <oneukum@suse.com>
To: Johan Hovold <johan@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Alan Stern <stern@rowland.harvard.edu>
Cc: linux-usb@vger.kernel.org
Subject: [4/5] USB: cdc-acm: fix unthrottle races
Date: Mon, 29 Apr 2019 12:09:24 +0200	[thread overview]
Message-ID: <1556532564.20085.10.camel@suse.com> (raw)

On Do, 2019-04-25 at 18:05 +0200, Johan Hovold wrote:
> Fix two long-standing bugs which could potentially lead to memory
> corruption or leave the port throttled until it is reopened (on weakly
> ordered systems), respectively, when read-URB completion races with
> unthrottle().
> 
> First, the URB must not be marked as free before processing is complete
> to prevent it from being submitted by unthrottle() on another CPU.
> 
>         CPU 1                           CPU 2
>         ================                ================
>         complete()                      unthrottle()
>           process_urb();
>           smp_mb__before_atomic();
>           set_bit(i, free);               if (test_and_clear_bit(i, free))
>                                                   submit_urb();
> 
> Second, the URB must be marked as free before checking the throttled
> flag to prevent unthrottle() on another CPU from failing to observe that
> the URB needs to be submitted if complete() sees that the throttled flag
> is set.
> 
>         CPU 1                           CPU 2
>         ================                ================
>         complete()                      unthrottle()
>           set_bit(i, free);               throttled = 0;
>           smp_mb__after_atomic();         smp_mb();
>           if (throttled)                  if (test_and_clear_bit(i, free))
>                   return;                         submit_urb();
> 
> Note that test_and_clear_bit() only implies barriers when the test is
> successful. To handle the case where the URB is still in use an explicit
> barrier needs to be added to unthrottle() for the second race condition.
> 
> Also note that the first race was fixed by 36e59e0d70d6 ("cdc-acm: fix
> race between callback and unthrottle") back in 2015, but the bug was
> reintroduced a year later.
> 
> Fixes: 1aba579f3cf5 ("cdc-acm: handle read pipe errors")
> Fixes: 088c64f81284 ("USB: cdc-acm: re-write read processing")
> Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Oliver Neukum <oneukum@suse.com>

WARNING: multiple messages have this Message-ID (diff)
From: Oliver Neukum <oneukum@suse.com>
To: Johan Hovold <johan@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Alan Stern <stern@rowland.harvard.edu>
Cc: linux-usb@vger.kernel.org
Subject: Re: [PATCH 4/5] USB: cdc-acm: fix unthrottle races
Date: Mon, 29 Apr 2019 12:09:24 +0200	[thread overview]
Message-ID: <1556532564.20085.10.camel@suse.com> (raw)
Message-ID: <20190429100924.AMg41kpwK1lSFJDXDJ278ZxuY1blGjCBhBLHDsTg3Jc@z> (raw)
In-Reply-To: <20190425160540.10036-5-johan@kernel.org>

On Do, 2019-04-25 at 18:05 +0200, Johan Hovold wrote:
> Fix two long-standing bugs which could potentially lead to memory
> corruption or leave the port throttled until it is reopened (on weakly
> ordered systems), respectively, when read-URB completion races with
> unthrottle().
> 
> First, the URB must not be marked as free before processing is complete
> to prevent it from being submitted by unthrottle() on another CPU.
> 
>         CPU 1                           CPU 2
>         ================                ================
>         complete()                      unthrottle()
>           process_urb();
>           smp_mb__before_atomic();
>           set_bit(i, free);               if (test_and_clear_bit(i, free))
>                                                   submit_urb();
> 
> Second, the URB must be marked as free before checking the throttled
> flag to prevent unthrottle() on another CPU from failing to observe that
> the URB needs to be submitted if complete() sees that the throttled flag
> is set.
> 
>         CPU 1                           CPU 2
>         ================                ================
>         complete()                      unthrottle()
>           set_bit(i, free);               throttled = 0;
>           smp_mb__after_atomic();         smp_mb();
>           if (throttled)                  if (test_and_clear_bit(i, free))
>                   return;                         submit_urb();
> 
> Note that test_and_clear_bit() only implies barriers when the test is
> successful. To handle the case where the URB is still in use an explicit
> barrier needs to be added to unthrottle() for the second race condition.
> 
> Also note that the first race was fixed by 36e59e0d70d6 ("cdc-acm: fix
> race between callback and unthrottle") back in 2015, but the bug was
> reintroduced a year later.
> 
> Fixes: 1aba579f3cf5 ("cdc-acm: handle read pipe errors")
> Fixes: 088c64f81284 ("USB: cdc-acm: re-write read processing")
> Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Oliver Neukum <oneukum@suse.com>

             reply	other threads:[~2019-04-29 10:09 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-29 10:09 Oliver Neukum [this message]
2019-04-29 10:09 ` [PATCH 4/5] USB: cdc-acm: fix unthrottle races Oliver Neukum
  -- strict thread matches above, loose matches on Subject: below --
2019-04-29 10:10 [5/5] USB: cdc-acm: clean up throttle handling Oliver Neukum
2019-04-29 10:10 ` [PATCH 5/5] " Oliver Neukum
2019-04-29 10:03 [1/5] USB: serial: fix unthrottle races Johan Hovold
2019-04-29 10:03 ` [PATCH 1/5] " Johan Hovold
2019-04-29  9:50 [1/5] " Oliver Neukum
2019-04-29  9:50 ` [PATCH 1/5] " Oliver Neukum
2019-04-25 16:05 [5/5] USB: cdc-acm: clean up throttle handling Johan Hovold
2019-04-25 16:05 ` [PATCH 5/5] " Johan Hovold
2019-04-25 16:05 [4/5] USB: cdc-acm: fix unthrottle races Johan Hovold
2019-04-25 16:05 ` [PATCH 4/5] " Johan Hovold
2019-04-25 16:05 [3/5] USB: serial: generic: drop unnecessary goto Johan Hovold
2019-04-25 16:05 ` [PATCH 3/5] " Johan Hovold
2019-04-25 16:05 [2/5] USB: serial: clean up throttle handling Johan Hovold
2019-04-25 16:05 ` [PATCH 2/5] " Johan Hovold
2019-04-25 16:05 [PATCH 0/5] USB: fix tty unthrottle races Johan Hovold
2019-04-25 16:05 ` [1/5] USB: serial: fix " Johan Hovold
2019-04-25 16:05   ` [PATCH 1/5] " Johan Hovold
2019-05-13 10:43   ` Johan Hovold
2019-05-13 10:56     ` Greg Kroah-Hartman
2019-05-13 11:46       ` Johan Hovold
2019-05-13 12:51         ` Greg Kroah-Hartman
2019-05-13 12:59           ` Johan Hovold
2019-05-14 12:53             ` Sasha Levin
2019-05-14 12:57               ` Johan Hovold
2019-04-25 20:58 ` [PATCH 0/5] USB: fix tty " Alan Stern
2019-04-26  4:55   ` Johan Hovold
2019-04-29  9:30 ` Johan Hovold

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1556532564.20085.10.camel@suse.com \
    --to=oneukum@suse.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=johan@kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.