From: "Michał Pecio" <michal.pecio@gmail.com>
To: "David Wang" <00107082@163.com>
Cc: "Mathias Nyman" <mathias.nyman@linux.intel.com>,
WeitaoWang-oc@zhaoxin.com, gregkh@linuxfoundation.org,
linux-usb@vger.kernel.org, regressions@lists.linux.dev,
linux-kernel@vger.kernel.org, surenb@google.com,
kent.overstreet@linux.dev
Subject: Re: [PATCH] usb: xhci: Fix xhci_free_virt_devices_depth_first()
Date: Tue, 2 Sep 2025 10:46:30 +0200 [thread overview]
Message-ID: <20250902104630.6a9f088a.michal.pecio@gmail.com> (raw)
In-Reply-To: <446082a4.7dbe.199098cd654.Coremail.00107082@163.com>
On Tue, 2 Sep 2025 16:30:48 +0800 (CST), David Wang wrote:
> About the change from "<" to "<=", I did not observe any difference on my system. Is it because my system does not use up all slots?
This too, you would need to fiddle with devices (or connect enough
of them) to reach Slot ID 255 (probably the highest on most systems),
depending on the xHCI controller and its ID allocation policy.
But also as explained, this bug doesn't make things go boom just yet.
Except if combined with your bug in an obscure edge case:
1. A high speed hub has slot ID HCS_MAX_SLOTS-1 and some TT children.
2. Another high speed hub has slot ID HCS_MAX_SLOTS.
3. We start with freeing the second hub.
4. The loop is entered and leaves vdev pointing at the first hub.
5. The first hub is freed instead of the second one.
6. Then its children are freed and UAF its tt_info.
next prev parent reply other threads:[~2025-09-02 8:46 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-29 18:13 [REGRESSION 6.17-rc3] usb/xhci: possible memory leak after suspend/resume cycle David Wang
2025-08-30 9:48 ` Michał Pecio
2025-08-30 10:06 ` David Wang
2025-08-30 10:17 ` David Wang
2025-09-01 10:14 ` Mathias Nyman
2025-09-01 11:17 ` David Wang
2025-09-02 7:30 ` [PATCH] usb: xhci: Fix xhci_free_virt_devices_depth_first() Michal Pecio
2025-09-02 8:30 ` David Wang
2025-09-02 8:46 ` Michał Pecio [this message]
2025-09-02 9:07 ` [PATCH] " Michał Pecio
2025-09-02 10:13 ` Mathias Nyman
2025-09-02 10:55 ` Michał Pecio
2025-09-02 12:58 ` Mathias Nyman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250902104630.6a9f088a.michal.pecio@gmail.com \
--to=michal.pecio@gmail.com \
--cc=00107082@163.com \
--cc=WeitaoWang-oc@zhaoxin.com \
--cc=gregkh@linuxfoundation.org \
--cc=kent.overstreet@linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mathias.nyman@linux.intel.com \
--cc=regressions@lists.linux.dev \
--cc=surenb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).