From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752772AbbFKLqK (ORCPT ); Thu, 11 Jun 2015 07:46:10 -0400 Received: from gloria.sntech.de ([95.129.55.99]:47655 "EHLO gloria.sntech.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751173AbbFKLqF (ORCPT ); Thu, 11 Jun 2015 07:46:05 -0400 From: Heiko =?ISO-8859-1?Q?St=FCbner?= To: Yunzhi Li Cc: johnyoun@synopsys.com, cf@rock-chips.com, hl@rock-chips.com, yk@rock-chips.com, gauravsh@google.com, alberto@google.com, wulf@rock-chips.com, jwerner@chromium.org, jeffy.chen@rock-chips.com, gregory.herrero@intel.com, yousaf.kaukab@intel.com, huangtao@rock-chips.com, rockchip-discuss@chromium.org, Greg Kroah-Hartman , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug Date: Thu, 11 Jun 2015 13:45:54 +0200 Message-ID: <2069136.rkp7puSWz5@diego> User-Agent: KMail/4.14.1 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; ) In-Reply-To: <1432876946-4975-1-git-send-email-lyz@rock-chips.com> References: <1432876946-4975-1-git-send-email-lyz@rock-chips.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am Freitag, 29. Mai 2015, 13:22:26 schrieb Yunzhi Li: > When s3c_hsotg_handle_unaligned_buf_complete() hs_req->req.buf > already destroyed, in s3c_hsotg_unmap_dma(), it touches > hs_req->req.dma again, so s3c_hsotg_unmap_dma() should be called > before s3c_hsotg_handle_unaligned_buf_complete(). Otherwise, it > will cause a bad_page BUG, when allocate this memory page next > time. > > This bug led to the following crash: > > BUG: Bad page state in process swapper/0 pfn:2bdbc > [ 26.820440] page:eed76780 count:0 mapcount:0 mapping: (null) index:0x0 > [ 26.854710] page flags: 0x200(arch_1) > [ 26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set > [ 26.919179] bad because of flags: > [ 26.948917] page flags: 0x200(arch_1) > [ 26.979100] Modules linked in: > [ 27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17 > [ 27.041816] [] (unwind_backtrace) from [] > (show_stack+0x20/0x24) [ 27.076108] [] (show_stack) from > [] (dump_stack+0x70/0x8c) [ 27.110246] [] > (dump_stack) from [] (bad_page+0xfc/0x12c) [ 27.143958] > [] (bad_page) from [] > (get_page_from_freelist+0x3e4/0x50c) [ 27.179298] [] > (get_page_from_freelist) from [] (__alloc_pages_nodemask) [ > 27.216296] [] (__alloc_pages_nodemask) from [] > (__get_free_pages+0x20/) [ 27.252326] [] (__get_free_pages) > from [] (kmalloc_order_trace+0x34/0xa) [ 27.288295] > [] (kmalloc_order_trace) from [] (__kmalloc+0x40/0x1ac) > [ 27.323751] [] (__kmalloc) from [] > (s3c_hsotg_ep_queue.isra.12+0x7c/0x1) [ 27.359937] [] > (s3c_hsotg_ep_queue.isra.12) from [] (s3c_hsotg_ep_queue) [ > 27.397478] [] (s3c_hsotg_ep_queue_lock) from [] > (rx_submit+0xfc/0x164) [ 27.433619] [] (rx_submit) from > [] (rx_complete+0x22c/0x230) [ 27.468872] [] > (rx_complete) from [] (s3c_hsotg_complete_request+0xfc/0) [ > 27.506240] [] (s3c_hsotg_complete_request) from [] > (s3c_hsotg_handle_o) [ 27.545401] [] (s3c_hsotg_handle_outdone) > from [] (s3c_hsotg_epint+0x2c) [ 27.583689] [] > (s3c_hsotg_epint) from [] (s3c_hsotg_irq+0x1dc/0x4ac) [ > 27.621041] [] (s3c_hsotg_irq) from [] > (handle_irq_event_percpu+0x70/0x) [ 27.659066] [] > (handle_irq_event_percpu) from [] (handle_irq_event+0x4c) [ > 27.697322] [] (handle_irq_event) from [] > (handle_fasteoi_irq+0xc8/0x11) [ 27.735451] [] > (handle_fasteoi_irq) from [] (generic_handle_irq+0x30/0x) [ > 27.773918] [] (generic_handle_irq) from [] > (__handle_domain_irq+0x84/0) [ 27.812018] [] > (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x6c) [ > 27.849695] [] (gic_handle_irq) from [] > (__irq_svc+0x40/0x50) [ 27.886907] Exception stack(0xc0d01ee0 to > 0xc0d01f28) > > Signed-off-by: Yunzhi Li on a rk3288 Tested-by: Heiko Stuebner