* [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug
From: Yunzhi Li @ 2015-05-29 5:22 UTC
To: johnyoun
Cc: heiko, cf, hl, yk, gauravsh, alberto, wulf, jwerner, jeffy.chen,
gregory.herrero, yousaf.kaukab, huangtao, rockchip-discuss,
Yunzhi Li, Greg Kroah-Hartman, linux-usb, linux-kernel
When s3c_hsotg_handle_unaligned_buf_complete() has already destroyed
hs_req->req.buf, s3c_hsotg_unmap_dma() touches hs_req->req.dma
again, so s3c_hsotg_unmap_dma() should be called before
s3c_hsotg_handle_unaligned_buf_complete(). Otherwise, it will
cause a bad_page BUG when this memory page is allocated the next
time.
This bug led to the following crash:
BUG: Bad page state in process swapper/0 pfn:2bdbc
[ 26.820440] page:eed76780 count:0 mapcount:0 mapping: (null) index:0x0
[ 26.854710] page flags: 0x200(arch_1)
[ 26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set
[ 26.919179] bad because of flags:
[ 26.948917] page flags: 0x200(arch_1)
[ 26.979100] Modules linked in:
[ 27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17
[ 27.041816] [<c010e1f8>] (unwind_backtrace) from [<c010a704>] (show_stack+0x20/0x24)
[ 27.076108] [<c010a704>] (show_stack) from [<c087eea8>] (dump_stack+0x70/0x8c)
[ 27.110246] [<c087eea8>] (dump_stack) from [<c01ce0b8>] (bad_page+0xfc/0x12c)
[ 27.143958] [<c01ce0b8>] (bad_page) from [<c01ce65c>] (get_page_from_freelist+0x3e4/0x50c)
[ 27.179298] [<c01ce65c>] (get_page_from_freelist) from [<c01ce9a0>] (__alloc_pages_nodemask)
[ 27.216296] [<c01ce9a0>] (__alloc_pages_nodemask) from [<c01cf00c>] (__get_free_pages+0x20/)
[ 27.252326] [<c01cf00c>] (__get_free_pages) from [<c01e5bec>] (kmalloc_order_trace+0x34/0xa)
[ 27.288295] [<c01e5bec>] (kmalloc_order_trace) from [<c0203304>] (__kmalloc+0x40/0x1ac)
[ 27.323751] [<c0203304>] (__kmalloc) from [<c052abc0>] (s3c_hsotg_ep_queue.isra.12+0x7c/0x1)
[ 27.359937] [<c052abc0>] (s3c_hsotg_ep_queue.isra.12) from [<c052af88>] (s3c_hsotg_ep_queue)
[ 27.397478] [<c052af88>] (s3c_hsotg_ep_queue_lock) from [<c0554110>] (rx_submit+0xfc/0x164)
[ 27.433619] [<c0554110>] (rx_submit) from [<c05546e8>] (rx_complete+0x22c/0x230)
[ 27.468872] [<c05546e8>] (rx_complete) from [<c052b528>] (s3c_hsotg_complete_request+0xfc/0)
[ 27.506240] [<c052b528>] (s3c_hsotg_complete_request) from [<c052bba0>] (s3c_hsotg_handle_o)
[ 27.545401] [<c052bba0>] (s3c_hsotg_handle_outdone) from [<c052be70>] (s3c_hsotg_epint+0x2c)
[ 27.583689] [<c052be70>] (s3c_hsotg_epint) from [<c052c750>] (s3c_hsotg_irq+0x1dc/0x4ac)
[ 27.621041] [<c052c750>] (s3c_hsotg_irq) from [<c01682e0>] (handle_irq_event_percpu+0x70/0x)
[ 27.659066] [<c01682e0>] (handle_irq_event_percpu) from [<c01684ec>] (handle_irq_event+0x4c)
[ 27.697322] [<c01684ec>] (handle_irq_event) from [<c016bae0>] (handle_fasteoi_irq+0xc8/0x11)
[ 27.735451] [<c016bae0>] (handle_fasteoi_irq) from [<c0167b8c>] (generic_handle_irq+0x30/0x)
[ 27.773918] [<c0167b8c>] (generic_handle_irq) from [<c0167ca4>] (__handle_domain_irq+0x84/0)
[ 27.812018] [<c0167ca4>] (__handle_domain_irq) from [<c01003b0>] (gic_handle_irq+0x48/0x6c)
[ 27.849695] [<c01003b0>] (gic_handle_irq) from [<c010b340>] (__irq_svc+0x40/0x50)
[ 27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28)
Signed-off-by: Yunzhi Li <lyz@rock-chips.com>
---
drivers/usb/dwc2/gadget.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
index 6a30887..8070602 100644
--- a/drivers/usb/dwc2/gadget.c
+++ b/drivers/usb/dwc2/gadget.c
@@ -1389,14 +1389,14 @@ static void s3c_hsotg_complete_request(struct dwc2_hsotg *hsotg,
if (hs_req->req.status == -EINPROGRESS)
hs_req->req.status = result;
+ if (using_dma(hsotg))
+ s3c_hsotg_unmap_dma(hsotg, hs_ep, hs_req);
+
s3c_hsotg_handle_unaligned_buf_complete(hsotg, hs_ep, hs_req);
hs_ep->req = NULL;
list_del_init(&hs_req->queue);
- if (using_dma(hsotg))
- s3c_hsotg_unmap_dma(hsotg, hs_ep, hs_req);
-
/*
* call the complete request with the locks off, just in case the
* request tries to queue more work for this endpoint.
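Review bot: the call order at the moved "if (using_dma(hsotg))" block is now what prevents the crash, but nothing in the code records that. Add a short comment above it saying that s3c_hsotg_unmap_dma() must run before s3c_hsotg_handle_unaligned_buf_complete() because, per the commit message, the latter destroys hs_req->req.buf; otherwise a later cleanup could move the unmap back next to list_del_init() and reintroduce the bad-page report. The commit message also carries no Fixes: tag, so it is not clear from the patch which kernels need this backported.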
--
2.0.0
* RE: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug
From: Kaukab, Yousaf @ 2015-05-29 5:35 UTC
To: Yunzhi Li, johnyoun@synopsys.com
Cc: heiko@sntech.de, cf@rock-chips.com, hl@rock-chips.com, yk@rock-chips.com,
    gauravsh@google.com, alberto@google.com, wulf@rock-chips.com,
    jwerner@chromium.org, jeffy.chen@rock-chips.com, Herrero, Gregory,
    huangtao@rock-chips.com, rockchip-discuss@chromium.org,
    Greg Kroah-Hartman, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org

> -----Original Message-----
> From: Yunzhi Li [mailto:lyz@rock-chips.com]
> Sent: Friday, May 29, 2015 1:22 PM
> Subject: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug
>
> [...]

Looks good.

Reviewed-by: Mian Yousaf Kaukab <yousaf.kaukab@intel.com>

BR,
Yousaf
* Re: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug
From: John Youn @ 2015-06-11 2:16 UTC
To: Yunzhi Li, John.Youn@synopsys.com
Cc: heiko@sntech.de, cf@rock-chips.com, hl@rock-chips.com, yk@rock-chips.com,
    gauravsh@google.com, alberto@google.com, wulf@rock-chips.com,
    jwerner@chromium.org, jeffy.chen@rock-chips.com, gregory.herrero@intel.com,
    yousaf.kaukab@intel.com, huangtao@rock-chips.com,
    rockchip-discuss@chromium.org, Greg Kroah-Hartman,
    linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org

On 5/28/2015 10:22 PM, Yunzhi Li wrote:
> [...]

Acked-by: John Youn <johnyoun@synopsys.com>

John
* RE: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug
From: Kaukab, Yousaf @ 2015-09-22 12:24 UTC
To: John Youn, Yunzhi Li, Felipe Balbi
Cc: heiko@sntech.de, cf@rock-chips.com, hl@rock-chips.com, yk@rock-chips.com,
    gauravsh@google.com, alberto@google.com, wulf@rock-chips.com,
    jwerner@chromium.org, jeffy.chen@rock-chips.com, Herrero, Gregory,
    huangtao@rock-chips.com, rockchip-discuss@chromium.org,
    Greg Kroah-Hartman, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org

> -----Original Message-----
> From: John Youn [mailto:John.Youn@synopsys.com]
> Sent: Thursday, June 11, 2015 4:16 AM
> Subject: Re: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug
>
> On 5/28/2015 10:22 PM, Yunzhi Li wrote:
> > [...]
>
> Acked-by: John Youn <johnyoun@synopsys.com>

Hi Felipe,
This patch is still missing in testing/next. Can you just take this one or would
you like it to be sent again?

> John

BR,
Yousaf
* RE: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug
From: Kaukab, Yousaf @ 2015-09-25 8:51 UTC
To: 'John Youn', 'Yunzhi Li', 'Felipe Balbi'
Cc: 'heiko@sntech.de', 'cf@rock-chips.com', 'hl@rock-chips.com',
    'yk@rock-chips.com', 'gauravsh@google.com', 'alberto@google.com',
    'wulf@rock-chips.com', 'jwerner@chromium.org', 'jeffy.chen@rock-chips.com',
    Herrero, Gregory, 'huangtao@rock-chips.com',
    'rockchip-discuss@chromium.org', 'Greg Kroah-Hartman',
    'linux-usb@vger.kernel.org', 'linux-kernel@vger.kernel.org'

> -----Original Message-----
> From: Kaukab, Yousaf
> Sent: Tuesday, September 22, 2015 2:24 PM
> Subject: RE: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug
>
> > [...]
> >
> > Acked-by: John Youn <johnyoun@synopsys.com>
>
> Hi Felipe,
> This patch is still missing in testing/next. Can you just take this one or would
> you like it to be sent again?

Hi Yunzhi,
Can you please resend this patch with all Acked-by/Tested-by/Reviewed-by
applied? Otherwise let me know and I will do it on your behalf.

BR,
Yousaf
* RE: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug 2015-09-25 8:51 ` Kaukab, Yousaf @ 2015-09-29 7:58 ` Kaukab, Yousaf 0 siblings, 0 replies; 7+ messages in thread From: Kaukab, Yousaf @ 2015-09-29 7:58 UTC (permalink / raw) To: 'John Youn', 'Yunzhi Li', 'Felipe Balbi' Cc: 'heiko@sntech.de', 'cf@rock-chips.com', 'hl@rock-chips.com', 'yk@rock-chips.com', 'gauravsh@google.com', 'alberto@google.com', 'wulf@rock-chips.com', 'jwerner@chromium.org', 'jeffy.chen@rock-chips.com', Herrero, Gregory, 'huangtao@rock-chips.com', 'rockchip-discuss@chromium.org', 'Greg Kroah-Hartman', 'linux-usb@vger.kernel.org', 'linux-kernel@vger.kernel.org' > -----Original Message----- > From: Kaukab, Yousaf > Sent: Friday, September 25, 2015 10:52 AM > To: 'John Youn'; 'Yunzhi Li'; 'Felipe Balbi' > Cc: 'heiko@sntech.de'; 'cf@rock-chips.com'; 'hl@rock-chips.com'; 'yk@rock- > chips.com'; 'gauravsh@google.com'; 'alberto@google.com'; 'wulf@rock- > chips.com'; 'jwerner@chromium.org'; 'jeffy.chen@rock-chips.com'; Herrero, > Gregory; 'huangtao@rock-chips.com'; 'rockchip-discuss@chromium.org'; 'Greg > Kroah-Hartman'; 'linux-usb@vger.kernel.org'; 'linux-kernel@vger.kernel.org' > Subject: RE: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug > > > -----Original Message----- > > From: Kaukab, Yousaf > > Sent: Tuesday, September 22, 2015 2:24 PM > > To: John Youn; Yunzhi Li; Felipe Balbi > > Cc: heiko@sntech.de; cf@rock-chips.com; hl@rock-chips.com; yk@rock- > > chips.com; gauravsh@google.com; alberto@google.com; > > wulf@rock-chips.com; jwerner@chromium.org; jeffy.chen@rock-chips.com; > > Herrero, Gregory; huangtao@rock-chips.com; > > rockchip-discuss@chromium.org; Greg Kroah- Hartman; > > linux-usb@vger.kernel.org; linux-kernel@vger.kernel.org > > Subject: RE: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free > > bug > > > > > -----Original Message----- 
> > > From: John Youn [mailto:John.Youn@synopsys.com] > > > Sent: Thursday, June 11, 2015 4:16 AM > > > To: Yunzhi Li; John.Youn@synopsys.com > > > Cc: heiko@sntech.de; cf@rock-chips.com; hl@rock-chips.com; yk@rock- > > > chips.com; gauravsh@google.com; alberto@google.com; > > > wulf@rock-chips.com; jwerner@chromium.org; > > > jeffy.chen@rock-chips.com; Herrero, Gregory; Kaukab, Yousaf; > > > huangtao@rock-chips.com; rockchip-discuss@chromium.org; Greg > > > Kroah-Hartman; linux-usb@vger.kernel.org; > > > linux-kernel@vger.kernel.org > > > Subject: Re: [PATCH v1] usb: dwc2: gadget: fix a memory > > > use-after-free bug > > > > > > On 5/28/2015 10:22 PM, Yunzhi Li wrote: > > > > When s3c_hsotg_handle_unaligned_buf_complete() hs_req->req.buf > > > > already destroyed, in s3c_hsotg_unmap_dma(), it touches > > > > hs_req->req.dma again, so s3c_hsotg_unmap_dma() should be called > > > > before s3c_hsotg_handle_unaligned_buf_complete(). Otherwise, it > > > > will cause a bad_page BUG, when allocate this memory page next time. 
> > > > > > > > This bug led to the following crash: > > > > > > > > BUG: Bad page state in process swapper/0 pfn:2bdbc > > > > [ 26.820440] page:eed76780 count:0 mapcount:0 mapping: (null) > > index:0x0 > > > > [ 26.854710] page flags: 0x200(arch_1) > > > > [ 26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag > > set > > > > [ 26.919179] bad because of flags: > > > > [ 26.948917] page flags: 0x200(arch_1) > > > > [ 26.979100] Modules linked in: > > > > [ 27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17 > > > > [ 27.041816] [<c010e1f8>] (unwind_backtrace) from [<c010a704>] > > > (show_stack+0x20/0x24) > > > > [ 27.076108] [<c010a704>] (show_stack) from [<c087eea8>] > > > (dump_stack+0x70/0x8c) > > > > [ 27.110246] [<c087eea8>] (dump_stack) from [<c01ce0b8>] > > > (bad_page+0xfc/0x12c) > > > > [ 27.143958] [<c01ce0b8>] (bad_page) from [<c01ce65c>] > > > (get_page_from_freelist+0x3e4/0x50c) > > > > [ 27.179298] [<c01ce65c>] (get_page_from_freelist) from [<c01ce9a0>] > > > (__alloc_pages_nodemask) > > > > [ 27.216296] [<c01ce9a0>] (__alloc_pages_nodemask) from > [<c01cf00c>] > > > (__get_free_pages+0x20/) > > > > [ 27.252326] [<c01cf00c>] (__get_free_pages) from [<c01e5bec>] > > > (kmalloc_order_trace+0x34/0xa) > > > > [ 27.288295] [<c01e5bec>] (kmalloc_order_trace) from [<c0203304>] > > > (__kmalloc+0x40/0x1ac) > > > > [ 27.323751] [<c0203304>] (__kmalloc) from [<c052abc0>] > > > (s3c_hsotg_ep_queue.isra.12+0x7c/0x1) > > > > [ 27.359937] [<c052abc0>] (s3c_hsotg_ep_queue.isra.12) from > > [<c052af88>] > > > (s3c_hsotg_ep_queue) > > > > [ 27.397478] [<c052af88>] (s3c_hsotg_ep_queue_lock) from > [<c0554110>] > > > (rx_submit+0xfc/0x164) > > > > [ 27.433619] [<c0554110>] (rx_submit) from [<c05546e8>] > > > (rx_complete+0x22c/0x230) > > > > [ 27.468872] [<c05546e8>] (rx_complete) from [<c052b528>] > > > (s3c_hsotg_complete_request+0xfc/0) > > > > [ 27.506240] [<c052b528>] (s3c_hsotg_complete_request) from > > > [<c052bba0>] (s3c_hsotg_handle_o) > 
> > > [ 27.545401] [<c052bba0>] (s3c_hsotg_handle_outdone) from > > [<c052be70>] > > > (s3c_hsotg_epint+0x2c) > > > > [ 27.583689] [<c052be70>] (s3c_hsotg_epint) from [<c052c750>] > > > (s3c_hsotg_irq+0x1dc/0x4ac) > > > > [ 27.621041] [<c052c750>] (s3c_hsotg_irq) from [<c01682e0>] > > > (handle_irq_event_percpu+0x70/0x) > > > > [ 27.659066] [<c01682e0>] (handle_irq_event_percpu) from > [<c01684ec>] > > > (handle_irq_event+0x4c) > > > > [ 27.697322] [<c01684ec>] (handle_irq_event) from [<c016bae0>] > > > (handle_fasteoi_irq+0xc8/0x11) > > > > [ 27.735451] [<c016bae0>] (handle_fasteoi_irq) from [<c0167b8c>] > > > (generic_handle_irq+0x30/0x) > > > > [ 27.773918] [<c0167b8c>] (generic_handle_irq) from [<c0167ca4>] > > > (__handle_domain_irq+0x84/0) > > > > [ 27.812018] [<c0167ca4>] (__handle_domain_irq) from [<c01003b0>] > > > (gic_handle_irq+0x48/0x6c) > > > > [ 27.849695] [<c01003b0>] (gic_handle_irq) from [<c010b340>] > > > (__irq_svc+0x40/0x50) > > > > [ 27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28) > > > > > > > > Signed-off-by: Yunzhi Li <lyz@rock-chips.com> > > > > > > > > --- > > > > > > > > drivers/usb/dwc2/gadget.c | 6 +++--- > > > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > > > > > diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c > > > > index 6a30887..8070602 100644 > > > > --- a/drivers/usb/dwc2/gadget.c > > > > +++ b/drivers/usb/dwc2/gadget.c 
> > > > @@ -1389,14 +1389,14 @@ static void > > > > s3c_hsotg_complete_request(struct > > > dwc2_hsotg *hsotg, > > > > if (hs_req->req.status == -EINPROGRESS) > > > > hs_req->req.status = result; > > > > > > > > + if (using_dma(hsotg)) > > > > + s3c_hsotg_unmap_dma(hsotg, hs_ep, hs_req); > > > > + > > > > s3c_hsotg_handle_unaligned_buf_complete(hsotg, hs_ep, > > > hs_req); > > > > > > > > hs_ep->req = NULL; > > > > list_del_init(&hs_req->queue); > > > > > > > > - if (using_dma(hsotg)) > > > > - s3c_hsotg_unmap_dma(hsotg, hs_ep, hs_req); > > > > - > > > > /* > > > > * call the complete request with the locks off, just in case the > > > > * request tries to queue more work for this endpoint. > > > > > > > > > > > > > Acked-by: John Youn <johnyoun@synopsys.com> > > > > > > > Hi Felipe, > > This patch is still missing in testing/next. Can you just take this > > one or would you like it to be send again? > > > > Hi Yunzhi, > Can you please resend this patch with all Acked-by/Tested-by/Reviewed-by > applied? Otherwise let me know and I will do it on your behalf. > I got following reply from Yunzhi (not sent to the list): "Sorry I'm on travel now. please help add these tags: Acked-by: John Youn <johnyoun@synopsys.com> Tested-by:Jeffy Chen <jeffy.chen@rock-chips.com>" I will add these and resend the patch. BR, Yousaf ^ permalink raw reply [flat|nested] 7+ messages in thread
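Review bot: The moved `if (using_dma(hsotg))` block in s3c_hsotg_complete_request() carries no comment explaining why s3c_hsotg_unmap_dma() now has to run before s3c_hsotg_handle_unaligned_buf_complete(), so the ordering constraint lives only in the commit message. Per that message the unaligned-buffer handler destroys hs_req->req.buf while the unmap path still touches the request's DMA state, so a one-line comment above the moved call stating that the unmap must come first would keep a later cleanup from moving it back next to list_del_init(&hs_req->queue). The commit message could also say which kernels are affected, since the quoted trace only shows 3.14.0.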
* Re: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug
2015-05-29 5:22 [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug Yunzhi Li
2015-05-29 5:35 ` Kaukab, Yousaf
2015-06-11 2:16 ` John Youn
@ 2015-06-11 11:45 ` Heiko Stübner
2 siblings, 0 replies; 7+ messages in thread
From: Heiko Stübner @ 2015-06-11 11:45 UTC (permalink / raw)
To: Yunzhi Li
Cc: johnyoun, cf, hl, yk, gauravsh, alberto, wulf, jwerner, jeffy.chen,
gregory.herrero, yousaf.kaukab, huangtao, rockchip-discuss,
Greg Kroah-Hartman, linux-usb, linux-kernel
On Friday, 29 May 2015, 13:22:26, Yunzhi Li wrote:
> When s3c_hsotg_handle_unaligned_buf_complete() hs_req->req.buf
> already destroyed, in s3c_hsotg_unmap_dma(), it touches
> hs_req->req.dma again, so s3c_hsotg_unmap_dma() should be called
> before s3c_hsotg_handle_unaligned_buf_complete(). Otherwise, it
> will cause a bad_page BUG, when allocate this memory page next
> time.
>
> This bug led to the following crash:
>
> BUG: Bad page state in process swapper/0 pfn:2bdbc
> [ 26.820440] page:eed76780 count:0 mapcount:0 mapping: (null) index:0x0
> [ 26.854710] page flags: 0x200(arch_1)
> [ 26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set
> [ 26.919179] bad because of flags:
> [ 26.948917] page flags: 0x200(arch_1)
> [ 26.979100] Modules linked in:
> [ 27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17
> [ 27.041816] [<c010e1f8>] (unwind_backtrace) from [<c010a704>] (show_stack+0x20/0x24)
> [ 27.076108] [<c010a704>] (show_stack) from [<c087eea8>] (dump_stack+0x70/0x8c)
> [ 27.110246] [<c087eea8>] (dump_stack) from [<c01ce0b8>] (bad_page+0xfc/0x12c)
> [ 27.143958] [<c01ce0b8>] (bad_page) from [<c01ce65c>] (get_page_from_freelist+0x3e4/0x50c)
> [ 27.179298] [<c01ce65c>] (get_page_from_freelist) from [<c01ce9a0>] (__alloc_pages_nodemask)
> [ 27.216296] [<c01ce9a0>] (__alloc_pages_nodemask) from [<c01cf00c>] (__get_free_pages+0x20/)
> [ 27.252326] [<c01cf00c>] (__get_free_pages) from [<c01e5bec>] (kmalloc_order_trace+0x34/0xa)
> [ 27.288295] [<c01e5bec>] (kmalloc_order_trace) from [<c0203304>] (__kmalloc+0x40/0x1ac)
> [ 27.323751] [<c0203304>] (__kmalloc) from [<c052abc0>] (s3c_hsotg_ep_queue.isra.12+0x7c/0x1)
> [ 27.359937] [<c052abc0>] (s3c_hsotg_ep_queue.isra.12) from [<c052af88>] (s3c_hsotg_ep_queue)
> [ 27.397478] [<c052af88>] (s3c_hsotg_ep_queue_lock) from [<c0554110>] (rx_submit+0xfc/0x164)
> [ 27.433619] [<c0554110>] (rx_submit) from [<c05546e8>] (rx_complete+0x22c/0x230)
> [ 27.468872] [<c05546e8>] (rx_complete) from [<c052b528>] (s3c_hsotg_complete_request+0xfc/0)
> [ 27.506240] [<c052b528>] (s3c_hsotg_complete_request) from [<c052bba0>] (s3c_hsotg_handle_o)
> [ 27.545401] [<c052bba0>] (s3c_hsotg_handle_outdone) from [<c052be70>] (s3c_hsotg_epint+0x2c)
> [ 27.583689] [<c052be70>] (s3c_hsotg_epint) from [<c052c750>] (s3c_hsotg_irq+0x1dc/0x4ac)
> [ 27.621041] [<c052c750>] (s3c_hsotg_irq) from [<c01682e0>] (handle_irq_event_percpu+0x70/0x)
> [ 27.659066] [<c01682e0>] (handle_irq_event_percpu) from [<c01684ec>] (handle_irq_event+0x4c)
> [ 27.697322] [<c01684ec>] (handle_irq_event) from [<c016bae0>] (handle_fasteoi_irq+0xc8/0x11)
> [ 27.735451] [<c016bae0>] (handle_fasteoi_irq) from [<c0167b8c>] (generic_handle_irq+0x30/0x)
> [ 27.773918] [<c0167b8c>] (generic_handle_irq) from [<c0167ca4>] (__handle_domain_irq+0x84/0)
> [ 27.812018] [<c0167ca4>] (__handle_domain_irq) from [<c01003b0>] (gic_handle_irq+0x48/0x6c)
> [ 27.849695] [<c01003b0>] (gic_handle_irq) from [<c010b340>] (__irq_svc+0x40/0x50)
> [ 27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28)
>
> Signed-off-by: Yunzhi Li <lyz@rock-chips.com>

on a rk3288
Tested-by: Heiko Stuebner <heiko@sntech.de>

^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-09-29 7:59 UTC | newest]
Thread overview: 7+ messages
2015-05-29 5:22 [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug Yunzhi Li
2015-05-29 5:35 ` Kaukab, Yousaf
2015-06-11 2:16 ` John Youn
2015-09-22 12:24 ` Kaukab, Yousaf
2015-09-25 8:51 ` Kaukab, Yousaf
2015-09-29 7:58 ` Kaukab, Yousaf
2015-06-11 11:45 ` Heiko Stübner