[PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free bug
From: Yunzhi Li When dwc2_hsotg_handle_unaligned_buf_complete() hs_req->req.buf already destroyed, in dwc2_hsotg_unmap_dma(), it touches hs_req->req.dma again, so dwc2_hsotg_unmap_dma() should be called before dwc2_hsotg_handle_unaligned_buf_complete(). Otherwise, it will cause a bad_page BUG, when allocate this memory page next time. This bug led to the following crash: BUG: Bad page state in process swapper/0 pfn:2bdbc [ 26.820440] page:eed76780 count:0 mapcount:0 mapping: (null) index:0x0 [ 26.854710] page flags: 0x200(arch_1) [ 26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set [ 26.919179] bad because of flags: [ 26.948917] page flags: 0x200(arch_1) [ 26.979100] Modules linked in: [ 27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17 [ 27.041816] [] (unwind_backtrace) from [] (show_stack+0x20/0x24) [ 27.076108] [] (show_stack) from [] (dump_stack+0x70/0x8c) [ 27.110246] [] (dump_stack) from [] (bad_page+0xfc/0x12c) [ 27.143958] [] (bad_page) from [] (get_page_from_freelist+0x3e4/0x50c) [ 27.179298] [] (get_page_from_freelist) from [] (__alloc_pages_nodemask) [ 27.216296] [] (__alloc_pages_nodemask) from [] (__get_free_pages+0x20/) [ 27.252326] [] (__get_free_pages) from [] (kmalloc_order_trace+0x34/0xa) [ 27.288295] [] (kmalloc_order_trace) from [] (__kmalloc+0x40/0x1ac) [ 27.323751] [] (__kmalloc) from [] (dwc2_hsotg_ep_queue.isra.12+0x7c/0x1) [ 27.359937] [] (dwc2_hsotg_ep_queue.isra.12) from [] (dwc2_hsotg_ep_queue) [ 27.397478] [] (dwc2_hsotg_ep_queue_lock) from [] (rx_submit+0xfc/0x164) [ 27.433619] [] (rx_submit) from [] (rx_complete+0x22c/0x230) [ 27.468872] [] (rx_complete) from [] (dwc2_hsotg_complete_request+0xfc/0) [ 27.506240] [] (dwc2_hsotg_complete_request) from [] (dwc2_hsotg_handle_o) [ 27.545401] [] (dwc2_hsotg_handle_outdone) from [] (dwc2_hsotg_epint+0x2c) [ 27.583689] [] (dwc2_hsotg_epint) from [] (dwc2_hsotg_irq+0x1dc/0x4ac) [ 27.621041] [] (dwc2_hsotg_irq) from [] (handle_irq_event_percpu+0x70/0x) [ 27.659066] [] (handle_irq_event_percpu) from [] (handle_irq_event+0x4c) [ 27.697322] [] (handle_irq_event) from [] (handle_fasteoi_irq+0xc8/0x11) [ 27.735451] [] (handle_fasteoi_irq) from [] (generic_handle_irq+0x30/0x) [ 27.773918] [] (generic_handle_irq) from [] (__handle_domain_irq+0x84/0) [ 27.812018] [] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x6c) [ 27.849695] [] (gic_handle_irq) from [] (__irq_svc+0x40/0x50) [ 27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28) Acked-by: John Youn Tested-by: Heiko Stuebner Tested-by: Jeffy Chen Signed-off-by: Yunzhi Li --- Resending on Yunzhi's behalf since he is travelling. drivers/usb/dwc2/gadget.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c index 12ac879..5755e65 100644 --- a/drivers/usb/dwc2/gadget.c +++ b/drivers/usb/dwc2/gadget.c @@ -1390,14 +1390,14 @@ static void dwc2_hsotg_complete_request(struct dwc2_hsotg *hsotg, if (hs_req->req.status == -EINPROGRESS) hs_req->req.status = result; + if (using_dma(hsotg)) + dwc2_hsotg_unmap_dma(hsotg, hs_ep, hs_req); + dwc2_hsotg_handle_unaligned_buf_complete(hsotg, hs_ep, hs_req); hs_ep->req = NULL; list_del_init(&hs_req->queue); - if (using_dma(hsotg)) - dwc2_hsotg_unmap_dma(hsotg, hs_ep, hs_req); - /* * call the complete request with the locks off, just in case the * request tries to queue more work for this endpoint. -- 2.3.3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
RE: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free bug
> -Original Message- > From: Felipe Balbi [mailto:ba...@ti.com] > Sent: Thursday, October 1, 2015 7:21 PM > To: Kaukab, Yousaf > Cc: ba...@ti.com; linux-...@vger.kernel.org; john.y...@synopsys.com; > l...@rock-chips.com; he...@sntech.de; c...@rock-chips.com; > h...@rock-chips.com; > y...@rock-chips.com; gaura...@google.com; albe...@google.com; wulf@rock- > chips.com; jwer...@chromium.org; jeffy.c...@rock-chips.com; Herrero, > Gregory; huang...@rock-chips.com; rockchip-disc...@chromium.org; > gre...@linuxfoundation.org; linux-kernel@vger.kernel.org > Subject: Re: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free > bug > > On Thu, Oct 01, 2015 at 12:01:48PM +, Kaukab, Yousaf wrote: > > > From: Mian Yousaf Kaukab > > > Date: Tue, Sep 29, 2015 at 12:25 PM > > > Subject: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory > > > use-after-free bug > > > To: linux-...@vger.kernel.org, ba...@ti.com, john.y...@synopsys.com, > > > l...@rock-chips.com > > > Cc: he...@sntech.de, c...@rock-chips.com, h...@rock-chips.com, yk@rock- > > > chips.com, gaura...@google.com, albe...@google.com, > > > w...@rock-chips.com, jwer...@chromium.org, > > > jeffy.c...@rock-chips.com, gregory.herr...@intel.com, > > > huang...@rock-chips.com, rockchip- disc...@chromium.org, > > > gre...@linuxfoundation.org, linux- ker...@vger.kernel.org > > > > > > > > > From: Yunzhi Li > > > > > > When dwc2_hsotg_handle_unaligned_buf_complete() hs_req->req.buf > > > already destroyed, in dwc2_hsotg_unmap_dma(), it touches > > > hs_req->req.dma again, so > > > dwc2_hsotg_unmap_dma() should be called before > > > dwc2_hsotg_handle_unaligned_buf_complete(). Otherwise, it will cause > > > a bad_page BUG, when allocate this memory page next time. > > > > > > This bug led to the following crash: > > > > > > BUG: Bad page state in process swapper/0 pfn:2bdbc > > > [ 26.820440] page:eed76780 count:0 mapcount:0 mapping: (null) > index:0x0 > > > [ 26.854710] page flags: 0x200(arch_1) > > > [ 26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag > set > > > [ 26.919179] bad because of flags: > > > [ 26.948917] page flags: 0x200(arch_1) > > > [ 26.979100] Modules linked in: > > > [ 27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17 > > > [ 27.041816] [] (unwind_backtrace) from [] > > > (show_stack+0x20/0x24) > > > [ 27.076108] [] (show_stack) from [] > > > (dump_stack+0x70/0x8c) > > > [ 27.110246] [] (dump_stack) from [] > > > (bad_page+0xfc/0x12c) > > > [ 27.143958] [] (bad_page) from [] > > > (get_page_from_freelist+0x3e4/0x50c) > > > [ 27.179298] [] (get_page_from_freelist) from [] > > > (__alloc_pages_nodemask) > > > [ 27.216296] [] (__alloc_pages_nodemask) from [] > > > (__get_free_pages+0x20/) > > > [ 27.252326] [] (__get_free_pages) from [] > > > (kmalloc_order_trace+0x34/0xa) > > > [ 27.288295] [] (kmalloc_order_trace) from [] > > > (__kmalloc+0x40/0x1ac) > > > [ 27.323751] [] (__kmalloc) from [] > > > (dwc2_hsotg_ep_queue.isra.12+0x7c/0x1) > > > [ 27.359937] [] (dwc2_hsotg_ep_queue.isra.12) from > > > [] (dwc2_hsotg_ep_queue) > > > [ 27.397478] [] (dwc2_hsotg_ep_queue_lock) from > > > [] (rx_submit+0xfc/0x164) > > > [ 27.433619] [] (rx_submit) from [] > > > (rx_complete+0x22c/0x230) > > > [ 27.468872] [] (rx_complete) from [] > > > (dwc2_hsotg_complete_request+0xfc/0) > > > [ 27.506240] [] (dwc2_hsotg_complete_request) from > > > [] (dwc2_hsotg_handle_o) > > > [ 27.545401] [] (dwc2_hsotg_handle_outdone) from > > > [] (dwc2_hsotg_epint+0x2c) > > > [ 27.583689] [] (dwc2_hsotg_epint) from [] > > > (dwc2_hsotg_irq+0x1dc/0x4ac) > > > [ 27.621041] [] (dwc2_hsotg_irq) from [] > > > (handle_irq_event_percpu+0x70/0x) > > > [ 27.659066] [] (handle_irq_event_percpu) from > > > [] (handle_irq_event+0x4c) > > > [ 27.697322] [] (handle_irq_event) from [] > > > (handle_fasteoi_irq+0xc8/0x11) > > > [ 27.735451] [] (handle_fasteoi_irq) from [] > > > (generic_handle_irq+0x30/0x) > > > [ 27.773918] [] (generic_handle_irq) from [] > > > (__handle_domain_irq+0x84/0) > > > [ 27.812018] [] (__handle_domain_irq) from [] > > > (gic_handle_irq+0x48/0x6c) > > > [ 27.849695] [] (gic_handle_irq) from [] > > > (__irq_svc+0x40/0x50) > > > [ 27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28) > > > > > > Acked-by: John Youn > > > Tested-by: Heiko Stuebner > > > Tested-by: Jeffy Chen > > > Signed-off-by: Yunzhi Li > > > > Hi Felipe, > > This patch has been hanging around for a while now. Can you please apply > this? > > https://git.kernel.org/cgit/linux/kernel/git/balbi/usb.git/commit/?h=testing/nex > t&id=1c2e3377a933af9102f6c57c414c378a52d4e70d Thanks! > > -- > balbi BR, Yousaf -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
RE: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free bug
> From: Mian Yousaf Kaukab > Date: Tue, Sep 29, 2015 at 12:25 PM > Subject: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free bug > To: linux-...@vger.kernel.org, ba...@ti.com, john.y...@synopsys.com, > l...@rock-chips.com > Cc: he...@sntech.de, c...@rock-chips.com, h...@rock-chips.com, yk@rock- > chips.com, gaura...@google.com, albe...@google.com, w...@rock-chips.com, > jwer...@chromium.org, jeffy.c...@rock-chips.com, > gregory.herr...@intel.com, huang...@rock-chips.com, rockchip- > disc...@chromium.org, gre...@linuxfoundation.org, linux- > ker...@vger.kernel.org > > > From: Yunzhi Li > > When dwc2_hsotg_handle_unaligned_buf_complete() hs_req->req.buf already > destroyed, in dwc2_hsotg_unmap_dma(), it touches hs_req->req.dma again, so > dwc2_hsotg_unmap_dma() should be called before > dwc2_hsotg_handle_unaligned_buf_complete(). Otherwise, it will cause a > bad_page BUG, when allocate this memory page next time. > > This bug led to the following crash: > > BUG: Bad page state in process swapper/0 pfn:2bdbc > [ 26.820440] page:eed76780 count:0 mapcount:0 mapping: (null) index:0x0 > [ 26.854710] page flags: 0x200(arch_1) > [ 26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set > [ 26.919179] bad because of flags: > [ 26.948917] page flags: 0x200(arch_1) > [ 26.979100] Modules linked in: > [ 27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17 > [ 27.041816] [] (unwind_backtrace) from [] > (show_stack+0x20/0x24) > [ 27.076108] [] (show_stack) from [] > (dump_stack+0x70/0x8c) > [ 27.110246] [] (dump_stack) from [] > (bad_page+0xfc/0x12c) > [ 27.143958] [] (bad_page) from [] > (get_page_from_freelist+0x3e4/0x50c) > [ 27.179298] [] (get_page_from_freelist) from [] > (__alloc_pages_nodemask) > [ 27.216296] [] (__alloc_pages_nodemask) from [] > (__get_free_pages+0x20/) > [ 27.252326] [] (__get_free_pages) from [] > (kmalloc_order_trace+0x34/0xa) > [ 27.288295] [] (kmalloc_order_trace) from [] > (__kmalloc+0x40/0x1ac) > [ 27.323751] [] (__kmalloc) from [] > (dwc2_hsotg_ep_queue.isra.12+0x7c/0x1) > [ 27.359937] [] (dwc2_hsotg_ep_queue.isra.12) from > [] (dwc2_hsotg_ep_queue) > [ 27.397478] [] (dwc2_hsotg_ep_queue_lock) from > [] (rx_submit+0xfc/0x164) > [ 27.433619] [] (rx_submit) from [] > (rx_complete+0x22c/0x230) > [ 27.468872] [] (rx_complete) from [] > (dwc2_hsotg_complete_request+0xfc/0) > [ 27.506240] [] (dwc2_hsotg_complete_request) from > [] (dwc2_hsotg_handle_o) > [ 27.545401] [] (dwc2_hsotg_handle_outdone) from > [] (dwc2_hsotg_epint+0x2c) > [ 27.583689] [] (dwc2_hsotg_epint) from [] > (dwc2_hsotg_irq+0x1dc/0x4ac) > [ 27.621041] [] (dwc2_hsotg_irq) from [] > (handle_irq_event_percpu+0x70/0x) > [ 27.659066] [] (handle_irq_event_percpu) from > [] (handle_irq_event+0x4c) > [ 27.697322] [] (handle_irq_event) from [] > (handle_fasteoi_irq+0xc8/0x11) > [ 27.735451] [] (handle_fasteoi_irq) from [] > (generic_handle_irq+0x30/0x) > [ 27.773918] [] (generic_handle_irq) from [] > (__handle_domain_irq+0x84/0) > [ 27.812018] [] (__handle_domain_irq) from [] > (gic_handle_irq+0x48/0x6c) > [ 27.849695] [] (gic_handle_irq) from [] > (__irq_svc+0x40/0x50) > [ 27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28) > > Acked-by: John Youn > Tested-by: Heiko Stuebner > Tested-by: Jeffy Chen > Signed-off-by: Yunzhi Li Hi Felipe, This patch has been hanging around for a while now. Can you please apply this? BR, Yousaf
Re: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free bug
On Thu, Oct 01, 2015 at 12:01:48PM +, Kaukab, Yousaf wrote: > > From: Mian Yousaf Kaukab > > Date: Tue, Sep 29, 2015 at 12:25 PM > > Subject: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free > > bug > > To: linux-...@vger.kernel.org, ba...@ti.com, john.y...@synopsys.com, > > l...@rock-chips.com > > Cc: he...@sntech.de, c...@rock-chips.com, h...@rock-chips.com, yk@rock- > > chips.com, gaura...@google.com, albe...@google.com, w...@rock-chips.com, > > jwer...@chromium.org, jeffy.c...@rock-chips.com, > > gregory.herr...@intel.com, huang...@rock-chips.com, rockchip- > > disc...@chromium.org, gre...@linuxfoundation.org, linux- > > ker...@vger.kernel.org > > > > > > From: Yunzhi Li > > > > When dwc2_hsotg_handle_unaligned_buf_complete() hs_req->req.buf already > > destroyed, in dwc2_hsotg_unmap_dma(), it touches hs_req->req.dma again, so > > dwc2_hsotg_unmap_dma() should be called before > > dwc2_hsotg_handle_unaligned_buf_complete(). Otherwise, it will cause a > > bad_page BUG, when allocate this memory page next time. > > > > This bug led to the following crash: > > > > BUG: Bad page state in process swapper/0 pfn:2bdbc > > [ 26.820440] page:eed76780 count:0 mapcount:0 mapping: (null) index:0x0 > > [ 26.854710] page flags: 0x200(arch_1) > > [ 26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set > > [ 26.919179] bad because of flags: > > [ 26.948917] page flags: 0x200(arch_1) > > [ 26.979100] Modules linked in: > > [ 27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17 > > [ 27.041816] [] (unwind_backtrace) from [] > > (show_stack+0x20/0x24) > > [ 27.076108] [] (show_stack) from [] > > (dump_stack+0x70/0x8c) > > [ 27.110246] [] (dump_stack) from [] > > (bad_page+0xfc/0x12c) > > [ 27.143958] [] (bad_page) from [] > > (get_page_from_freelist+0x3e4/0x50c) > > [ 27.179298] [] (get_page_from_freelist) from [] > > (__alloc_pages_nodemask) > > [ 27.216296] [] (__alloc_pages_nodemask) from [] > > (__get_free_pages+0x20/) > > [ 27.252326] [] (__get_free_pages) from [] > > (kmalloc_order_trace+0x34/0xa) > > [ 27.288295] [] (kmalloc_order_trace) from [] > > (__kmalloc+0x40/0x1ac) > > [ 27.323751] [] (__kmalloc) from [] > > (dwc2_hsotg_ep_queue.isra.12+0x7c/0x1) > > [ 27.359937] [] (dwc2_hsotg_ep_queue.isra.12) from > > [] (dwc2_hsotg_ep_queue) > > [ 27.397478] [] (dwc2_hsotg_ep_queue_lock) from > > [] (rx_submit+0xfc/0x164) > > [ 27.433619] [] (rx_submit) from [] > > (rx_complete+0x22c/0x230) > > [ 27.468872] [] (rx_complete) from [] > > (dwc2_hsotg_complete_request+0xfc/0) > > [ 27.506240] [] (dwc2_hsotg_complete_request) from > > [] (dwc2_hsotg_handle_o) > > [ 27.545401] [] (dwc2_hsotg_handle_outdone) from > > [] (dwc2_hsotg_epint+0x2c) > > [ 27.583689] [] (dwc2_hsotg_epint) from [] > > (dwc2_hsotg_irq+0x1dc/0x4ac) > > [ 27.621041] [] (dwc2_hsotg_irq) from [] > > (handle_irq_event_percpu+0x70/0x) > > [ 27.659066] [] (handle_irq_event_percpu) from > > [] (handle_irq_event+0x4c) > > [ 27.697322] [] (handle_irq_event) from [] > > (handle_fasteoi_irq+0xc8/0x11) > > [ 27.735451] [] (handle_fasteoi_irq) from [] > > (generic_handle_irq+0x30/0x) > > [ 27.773918] [] (generic_handle_irq) from [] > > (__handle_domain_irq+0x84/0) > > [ 27.812018] [] (__handle_domain_irq) from [] > > (gic_handle_irq+0x48/0x6c) > > [ 27.849695] [] (gic_handle_irq) from [] > > (__irq_svc+0x40/0x50) > > [ 27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28) > > > > Acked-by: John Youn > > Tested-by: Heiko Stuebner > > Tested-by: Jeffy Chen > > Signed-off-by: Yunzhi Li > > Hi Felipe, > This patch has been hanging around for a while now. Can you please apply this? https://git.kernel.org/cgit/linux/kernel/git/balbi/usb.git/commit/?h=testing/next&id=1c2e3377a933af9102f6c57c414c378a52d4e70d -- balbi signature.asc Description: PGP signature
