From: "Michał Pecio" <michal.pecio@gmail.com>
To: "David Wang" <00107082@163.com>
Cc: "Mathias Nyman" <mathias.nyman@linux.intel.com>,
WeitaoWang-oc@zhaoxin.com, gregkh@linuxfoundation.org,
linux-usb@vger.kernel.org, regressions@lists.linux.dev,
linux-kernel@vger.kernel.org, surenb@google.com,
kent.overstreet@linux.dev
Subject: Re: [PATCH] usb: xhci: Fix xhci_free_virt_devices_depth_first()
Date: Tue, 2 Sep 2025 11:07:30 +0200 [thread overview]
Message-ID: <20250902110730.723a48a0.michal.pecio@gmail.com> (raw)
In-Reply-To: <20250902104630.6a9f088a.michal.pecio@gmail.com>
On Tue, 2 Sep 2025 10:46:30 +0200, Michał Pecio wrote:
> On Tue, 2 Sep 2025 16:30:48 +0800 (CST), David Wang wrote:
> > About the change from "<" to "<=", I did not observe any difference on my system. Is it because my system does not use up all slots?
>
> This too, you would need to fiddle with devices (or connect enough
> of them) to reach Slot ID 255 (probably the highest on most systems),
> depending on the xHCI controller and its ID allocation policy.
This made me wonder what those policies are. I'm too lazy for thorough
testing, but I plugged and unplugged the same device a few times.
Most HCs kept assigning ID 1, so they likely always pick the lowest.
My AMD chipset, two ASMedia USB 3.1 controllers and a Fresco FL1100
kept assigning sequentially increasing IDs, so I suppose I could pump
it up near the top, connect two high speed hubs and trigger this bug.
> But also as explained, this bug doesn't make things go boom just yet.
>
> Except if combined with your bug in an obscure edge case:
>
> 1. A high speed hub has slot ID HCS_MAX_SLOTS-1 and some TT children.
> 2. Another high speed hub has slot ID HCS_MAX_SLOTS.
> 3. We start with freeing the second hub.
> 4. The loop is entered and leaves vdev pointing at the first hub.
> 5. The first hub is freed instead of the second one.
> 6. Then its children are freed and UAF its tt_info.
next prev parent reply other threads:[~2025-09-02 9:07 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-29 18:13 [REGRESSION 6.17-rc3] usb/xhci: possible memory leak after suspend/resume cycle David Wang
2025-08-30 9:48 ` Michał Pecio
2025-08-30 10:06 ` David Wang
2025-08-30 10:17 ` David Wang
2025-09-01 10:14 ` Mathias Nyman
2025-09-01 11:17 ` David Wang
2025-09-02 7:30 ` [PATCH] usb: xhci: Fix xhci_free_virt_devices_depth_first() Michal Pecio
2025-09-02 8:30 ` David Wang
2025-09-02 8:46 ` [PATCH] " Michał Pecio
2025-09-02 9:07 ` Michał Pecio [this message]
2025-09-02 10:13 ` Mathias Nyman
2025-09-02 10:55 ` Michał Pecio
2025-09-02 12:58 ` Mathias Nyman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250902110730.723a48a0.michal.pecio@gmail.com \
--to=michal.pecio@gmail.com \
--cc=00107082@163.com \
--cc=WeitaoWang-oc@zhaoxin.com \
--cc=gregkh@linuxfoundation.org \
--cc=kent.overstreet@linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mathias.nyman@linux.intel.com \
--cc=regressions@lists.linux.dev \
--cc=surenb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.