race in usbnet.c in full RT

Hi,

seems there is a race in drivers/net/usbnet.c in full RT mode. To behonest I haven't hardly checked this on the latest kernel and latest RTpatch but just took a look at usbnet.c and latest RT patch and haven'tobserved any related changes.


The  usbnet_start_xmit() contains the following code:

	...
	spin_lock_irqsave (&dev->txq.lock, flags);

#ifdef	CONFIG_USB_NET1080
	if (info->flags & FLAG_FRAMING_NC) {
		header->packet_id = cpu_to_le16 ((u16)dev->dev_packet_id++);
		put_unaligned (header->packet_id, &trailer->packet_id);
#if 0
		devdbg (dev, "frame >tx h %d p %d id %d",
			header->hdr_len, header->packet_len,
			header->packet_id);
#endif
	}
#endif	/* CONFIG_USB_NET1080 */

	switch ((retval = usb_submit_urb (urb, GFP_ATOMIC))) {
	case -EPIPE:
		netif_stop_queue (net);
		defer_kevent (dev, EVENT_TX_HALT);
		break;
	default:
		devdbg (dev, "tx: submit urb err %d", retval);
		break;
	case 0:
		net->trans_start = jiffies;
		__skb_queue_tail (&dev->txq, skb);
		if (dev->txq.qlen >= TX_QLEN (dev))
			netif_stop_queue (net);
	}
	spin_unlock_irqrestore (&dev->txq.lock, flags);
	...

THe race in full RT is between tx_complete() routine and__skb_queue_tail (&dev->txq, skb): skb->list gets initialized in__skb_queue_tail() but may be dereferenced before initialization atdefer_bh() called from tx_complete() (since tx_complete() andusbnet_start_xmit() are completely asynchronous routines).

in non-RT case spin_lock_irqsave (&dev->txq.lock, flags) disablesinterrupts and thus code from usb_submit_urb() call upto__skb_queue_tail (&dev->txq, skb) executes atomically. But in RT caseinterrupts are not disabled and usb_submit_urb() triggers an interruptwhich may cause tx_complete() execution before __skb_queue_tail () call.And since skb->list gets initialized just at __skb_queue_tail(), call totx_complete() (via defer_bh() which thus executes before__skb_queue_tail) dereferences NULL (skb->list) pointer.

Thus looks tx_complete() and usbnet_start_xmit() require aserialization. Please find proposed fix attached though not sure thepatch will apply cleanly to the latest kernel.


	Eugeny

--- a/drivers/usb/net/usbnet.c	2004-12-25 00:34:58.000000000 +0300
+++ b/drivers/usb/net/usbnet.c	2005-05-26 21:02:58.000000000 +0400
@@ -2820,6 +2820,8 @@
 
 	urb->dev = NULL;
 	entry->state = tx_done;
+	spin_lock_rt (&dev->txq.lock);
+	spin_unlock_rt(&dev->txq.lock);
 	defer_bh (dev, skb);
 }

Follow-Ups:
- Re: race in usbnet.c in full RT
  - From: Ingo Molnar <[email protected]>
- Re: race in usbnet.c in full RT
  - From: Christoph Hellwig <[email protected]>

Prev by Date: Re: [PATCH] Move some more structures into "mostly_readonly"
Next by Date: Re: race in usbnet.c in full RT
Previous by thread: Problems with USB on x86_64
Next by thread: Re: race in usbnet.c in full RT
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]