From: Guenter Roeck <linux@roeck-us.net>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: "David S . Miller" <davem@davemloft.net>,
linux-usb@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, Hayes Wang <hayeswang@realtek.com>
Subject: Re: [PATCH] r8152: Allocate interrupt buffer as part of struct r8152
Date: Tue, 31 Jan 2017 13:15:19 -0800 [thread overview]
Message-ID: <20170131211519.GA21758@roeck-us.net> (raw)
In-Reply-To: <Pine.LNX.4.44L0.1701311448250.2048-100000@iolanthe.rowland.org>
On Tue, Jan 31, 2017 at 02:53:47PM -0500, Alan Stern wrote:
> On Tue, 31 Jan 2017, Guenter Roeck wrote:
>
> > When unloading the r8152 driver using the 'unbind' sysfs attribute
> > in a system with KASAN enabled, the following error message is seen
> > on a regular basis.
>
> ...
>
> > The two-byte allocation in conjunction with code analysis suggests that
> > the interrupt buffer has been overwritten. Added instrumentation in the
> > driver shows that the interrupt handler is called after RTL8152_UNPLUG
> > was set, and that this event is associated with the error message above.
> > This suggests that there are situations where the interrupt buffer is used
> > after it has been freed.
> >
> > To avoid the problem, allocate the interrupt buffer as part of struct
> > r8152.
> >
> > Cc: Hayes Wang <hayeswang@realtek.com>
> > Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> > ---
> > The problem is seen in chromeos-4.4, but there is not reason to believe
> > that it does not occur with the upstream kernel. It is still seen in
> > chromeos-4.4 after all patches from upstream and linux-next have been
> > applied to the driver.
> >
> > While relatively simple, I am not really convinced that this is the best
> > (or even an acceptable) solution for this problem. I am open to suggestions
> > for a better fix.
>
> The proper approach is to keep the allocation as it is, but _before_
> deallocating the buffer, make sure that the interrupt buffer won't be
> accessed any more. This may involve calling usb_kill_urb(), or
usb_kill_urb() is called. I added some more logging. The sequence is
interrupt_handler()
...
usb_kill_urb(intr_urb);
...
kfree(intr_buff);
...
BUG kmalloc-128
which leaves me a bit puzzled; the interrupt handler is called well before
the memory is freed, and it turns out that it is not always called.
I'll do some digging in the usb core.
Guenter
next prev parent reply other threads:[~2017-01-31 22:13 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-31 19:06 [PATCH] r8152: Allocate interrupt buffer as part of struct r8152 Guenter Roeck
2017-01-31 19:53 ` Eric Dumazet
2017-01-31 21:17 ` Guenter Roeck
2017-01-31 19:53 ` Alan Stern
2017-01-31 21:15 ` Guenter Roeck [this message]
2017-02-03 21:22 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170131211519.GA21758@roeck-us.net \
--to=linux@roeck-us.net \
--cc=davem@davemloft.net \
--cc=hayeswang@realtek.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox