public inbox for linux-kernel@vger.kernel.org
From: "Heiko Stübner" <heiko@sntech.de>
To: Yunzhi Li <lyz@rock-chips.com>
Cc: johnyoun@synopsys.com, cf@rock-chips.com, hl@rock-chips.com,
	yk@rock-chips.com, gauravsh@google.com, alberto@google.com,
	wulf@rock-chips.com, jwerner@chromium.org,
	jeffy.chen@rock-chips.com, gregory.herrero@intel.com,
	yousaf.kaukab@intel.com, huangtao@rock-chips.com,
	rockchip-discuss@chromium.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug
Date: Thu, 11 Jun 2015 13:45:54 +0200
Message-ID: <2069136.rkp7puSWz5@diego>
In-Reply-To: <1432876946-4975-1-git-send-email-lyz@rock-chips.com>

On Friday, 29 May 2015, 13:22:26, Yunzhi Li wrote:
> When s3c_hsotg_handle_unaligned_buf_complete() has already destroyed
> hs_req->req.buf, s3c_hsotg_unmap_dma() touches hs_req->req.dma
> again, so s3c_hsotg_unmap_dma() should be called before
> s3c_hsotg_handle_unaligned_buf_complete(). Otherwise, it will cause
> a bad_page BUG when this memory page is allocated next time.
> 
> This bug led to the following crash:
> 
> BUG: Bad page state in process swapper/0  pfn:2bdbc
> [   26.820440] page:eed76780 count:0 mapcount:0 mapping:  (null) index:0x0
> [   26.854710] page flags: 0x200(arch_1)
> [   26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set
> [   26.919179] bad because of flags:
> [   26.948917] page flags: 0x200(arch_1)
> [   26.979100] Modules linked in:
> [   27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17
> [   27.041816] [<c010e1f8>] (unwind_backtrace) from [<c010a704>] (show_stack+0x20/0x24)
> [   27.076108] [<c010a704>] (show_stack) from [<c087eea8>] (dump_stack+0x70/0x8c)
> [   27.110246] [<c087eea8>] (dump_stack) from [<c01ce0b8>] (bad_page+0xfc/0x12c)
> [   27.143958] [<c01ce0b8>] (bad_page) from [<c01ce65c>] (get_page_from_freelist+0x3e4/0x50c)
> [   27.179298] [<c01ce65c>] (get_page_from_freelist) from [<c01ce9a0>] (__alloc_pages_nodemask)
> [   27.216296] [<c01ce9a0>] (__alloc_pages_nodemask) from [<c01cf00c>] (__get_free_pages+0x20/)
> [   27.252326] [<c01cf00c>] (__get_free_pages) from [<c01e5bec>] (kmalloc_order_trace+0x34/0xa)
> [   27.288295] [<c01e5bec>] (kmalloc_order_trace) from [<c0203304>] (__kmalloc+0x40/0x1ac)
> [   27.323751] [<c0203304>] (__kmalloc) from [<c052abc0>] (s3c_hsotg_ep_queue.isra.12+0x7c/0x1)
> [   27.359937] [<c052abc0>] (s3c_hsotg_ep_queue.isra.12) from [<c052af88>] (s3c_hsotg_ep_queue)
> [   27.397478] [<c052af88>] (s3c_hsotg_ep_queue_lock) from [<c0554110>] (rx_submit+0xfc/0x164)
> [   27.433619] [<c0554110>] (rx_submit) from [<c05546e8>] (rx_complete+0x22c/0x230)
> [   27.468872] [<c05546e8>] (rx_complete) from [<c052b528>] (s3c_hsotg_complete_request+0xfc/0)
> [   27.506240] [<c052b528>] (s3c_hsotg_complete_request) from [<c052bba0>] (s3c_hsotg_handle_o)
> [   27.545401] [<c052bba0>] (s3c_hsotg_handle_outdone) from [<c052be70>] (s3c_hsotg_epint+0x2c)
> [   27.583689] [<c052be70>] (s3c_hsotg_epint) from [<c052c750>] (s3c_hsotg_irq+0x1dc/0x4ac)
> [   27.621041] [<c052c750>] (s3c_hsotg_irq) from [<c01682e0>] (handle_irq_event_percpu+0x70/0x)
> [   27.659066] [<c01682e0>] (handle_irq_event_percpu) from [<c01684ec>] (handle_irq_event+0x4c)
> [   27.697322] [<c01684ec>] (handle_irq_event) from [<c016bae0>] (handle_fasteoi_irq+0xc8/0x11)
> [   27.735451] [<c016bae0>] (handle_fasteoi_irq) from [<c0167b8c>] (generic_handle_irq+0x30/0x)
> [   27.773918] [<c0167b8c>] (generic_handle_irq) from [<c0167ca4>] (__handle_domain_irq+0x84/0)
> [   27.812018] [<c0167ca4>] (__handle_domain_irq) from [<c01003b0>] (gic_handle_irq+0x48/0x6c)
> [   27.849695] [<c01003b0>] (gic_handle_irq) from [<c010b340>] (__irq_svc+0x40/0x50)
> [   27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28)
> 
> Signed-off-by: Yunzhi Li <lyz@rock-chips.com>

on a rk3288
Tested-by: Heiko Stuebner <heiko@sntech.de>
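To make the ordering concrete, here is an added model (not the dwc2 driver's code) of the completion path the commit message describes: a request queued through a bounce buffer is completed either with s3c_hsotg_handle_unaligned_buf_complete() before s3c_hsotg_unmap_dma() (the original order) or with the unmap first (the patched order). The DMA bookkeeping, the freed-buffer flag and the bounce-buffer handling are assumptions standing in for the kernel's dma_unmap/kfree; only the function and field names mirror the driver's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Models of the structs the commit message names; other fields omitted. */
struct usb_request { void *buf; uintptr_t dma; size_t length; };
struct hs_req { struct usb_request req; void *saved_req_buf; };

/* Fake DMA bookkeeping (an assumption, not the kernel API). */
static uintptr_t live_mapping;        /* dma address of the one live mapping */
static bool bounce_freed, uaf_seen;   /* bounce buffer freed / then touched */

static void map_dma(struct hs_req *r)  /* s3c_hsotg_map_dma stand-in */
{
    r->req.dma = (uintptr_t)r->req.buf;
    live_mapping = r->req.dma;
}

/* s3c_hsotg_unmap_dma stand-in: the real one operates on the pages behind
 * req.dma; here we only record whether those pages were already freed. */
static void unmap_dma(struct hs_req *r)
{
    if (r->req.dma == live_mapping && bounce_freed)
        uaf_seen = true;
    live_mapping = 0;
    r->req.dma = 0;
}

/* s3c_hsotg_handle_unaligned_buf_complete stand-in: copy the data back,
 * free the bounce buffer, restore the caller's req.buf. */
static void unaligned_buf_complete(struct hs_req *r)
{
    memcpy(r->saved_req_buf, r->req.buf, r->req.length);
    free(r->req.buf);
    bounce_freed = true;
    r->req.buf = r->saved_req_buf;
    r->saved_req_buf = NULL;
}

/* Queue one request through a bounce buffer and complete it in the given
 * order. Returns true if completion touched the already-freed bounce buffer. */
bool complete_in_order(bool unmap_first)
{
    unsigned char user[7];                        /* constructed sample buffer */
    struct hs_req r = { .req.length = sizeof user, .saved_req_buf = user };
    r.req.buf = malloc(r.req.length);
    memset(r.req.buf, 0xAB, r.req.length);        /* pretend the controller wrote it */
    bounce_freed = uaf_seen = false;
    map_dma(&r);
    if (unmap_first) { unmap_dma(&r); unaligned_buf_complete(&r); }  /* patched order */
    else             { unaligned_buf_complete(&r); unmap_dma(&r); }  /* original order */
    return uaf_seen;
}
```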


Thread overview: 7+ messages
2015-05-29  5:22 [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug Yunzhi Li
2015-05-29  5:35 ` Kaukab, Yousaf
2015-06-11  2:16 ` John Youn
2015-09-22 12:24   ` Kaukab, Yousaf
2015-09-25  8:51     ` Kaukab, Yousaf
2015-09-29  7:58       ` Kaukab, Yousaf
2015-06-11 11:45 ` Heiko Stübner [this message]
