> -----Original Message----- > From: Yunzhi Li [mailto:lyz@xxxxxxxxxxxxxx] > Sent: Friday, May 29, 2015 1:22 PM > To: johnyoun@xxxxxxxxxxxx > Cc: heiko@xxxxxxxxx; cf@xxxxxxxxxxxxxx; hl@xxxxxxxxxxxxxx; yk@rock- > chips.com; gauravsh@xxxxxxxxxx; alberto@xxxxxxxxxx; wulf@xxxxxxxxxxxxxx; > jwerner@xxxxxxxxxxxx; jeffy.chen@xxxxxxxxxxxxxx; Herrero, Gregory; > Kaukab, Yousaf; huangtao@xxxxxxxxxxxxxx; rockchip-discuss@xxxxxxxxxxxx; > Yunzhi Li; Greg Kroah-Hartman; linux-usb@xxxxxxxxxxxxxxx; linux- > kernel@xxxxxxxxxxxxxxx > Subject: [PATCH v1] usb: dwc2: gadget: fix a memory use-after-free bug > > When s3c_hsotg_handle_unaligned_buf_complete() hs_req->req.buf already > destroyed, in s3c_hsotg_unmap_dma(), it touches hs_req->req.dma again, so > s3c_hsotg_unmap_dma() should be called before > s3c_hsotg_handle_unaligned_buf_complete(). Otherwise, it will cause a > bad_page BUG, when allocate this memory page next time. > > This bug led to the following crash: > > BUG: Bad page state in process swapper/0 pfn:2bdbc > [ 26.820440] page:eed76780 count:0 mapcount:0 mapping: (null) index:0x0 > [ 26.854710] page flags: 0x200(arch_1) > [ 26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set > [ 26.919179] bad because of flags: > [ 26.948917] page flags: 0x200(arch_1) > [ 26.979100] Modules linked in: > [ 27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17 > [ 27.041816] [<c010e1f8>] (unwind_backtrace) from [<c010a704>] > (show_stack+0x20/0x24) > [ 27.076108] [<c010a704>] (show_stack) from [<c087eea8>] > (dump_stack+0x70/0x8c) > [ 27.110246] [<c087eea8>] (dump_stack) from [<c01ce0b8>] > (bad_page+0xfc/0x12c) > [ 27.143958] [<c01ce0b8>] (bad_page) from [<c01ce65c>] > (get_page_from_freelist+0x3e4/0x50c) > [ 27.179298] [<c01ce65c>] (get_page_from_freelist) from [<c01ce9a0>] > (__alloc_pages_nodemask) > [ 27.216296] [<c01ce9a0>] (__alloc_pages_nodemask) from [<c01cf00c>] > (__get_free_pages+0x20/) > [ 27.252326] [<c01cf00c>] (__get_free_pages) from [<c01e5bec>] > (kmalloc_order_trace+0x34/0xa) > [ 27.288295] [<c01e5bec>] (kmalloc_order_trace) from [<c0203304>] > (__kmalloc+0x40/0x1ac) > [ 27.323751] [<c0203304>] (__kmalloc) from [<c052abc0>] > (s3c_hsotg_ep_queue.isra.12+0x7c/0x1) > [ 27.359937] [<c052abc0>] (s3c_hsotg_ep_queue.isra.12) from [<c052af88>] > (s3c_hsotg_ep_queue) > [ 27.397478] [<c052af88>] (s3c_hsotg_ep_queue_lock) from [<c0554110>] > (rx_submit+0xfc/0x164) > [ 27.433619] [<c0554110>] (rx_submit) from [<c05546e8>] > (rx_complete+0x22c/0x230) > [ 27.468872] [<c05546e8>] (rx_complete) from [<c052b528>] > (s3c_hsotg_complete_request+0xfc/0) > [ 27.506240] [<c052b528>] (s3c_hsotg_complete_request) from [<c052bba0>] > (s3c_hsotg_handle_o) > [ 27.545401] [<c052bba0>] (s3c_hsotg_handle_outdone) from [<c052be70>] > (s3c_hsotg_epint+0x2c) > [ 27.583689] [<c052be70>] (s3c_hsotg_epint) from [<c052c750>] > (s3c_hsotg_irq+0x1dc/0x4ac) > [ 27.621041] [<c052c750>] (s3c_hsotg_irq) from [<c01682e0>] > (handle_irq_event_percpu+0x70/0x) > [ 27.659066] [<c01682e0>] (handle_irq_event_percpu) from [<c01684ec>] > (handle_irq_event+0x4c) > [ 27.697322] [<c01684ec>] (handle_irq_event) from [<c016bae0>] > (handle_fasteoi_irq+0xc8/0x11) > [ 27.735451] [<c016bae0>] (handle_fasteoi_irq) from [<c0167b8c>] > (generic_handle_irq+0x30/0x) > [ 27.773918] [<c0167b8c>] (generic_handle_irq) from [<c0167ca4>] > (__handle_domain_irq+0x84/0) > [ 27.812018] [<c0167ca4>] (__handle_domain_irq) from [<c01003b0>] > (gic_handle_irq+0x48/0x6c) > [ 27.849695] [<c01003b0>] (gic_handle_irq) from [<c010b340>] > (__irq_svc+0x40/0x50) > [ 27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28) > > Signed-off-by: Yunzhi Li <lyz@xxxxxxxxxxxxxx> > > --- > > drivers/usb/dwc2/gadget.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c index > 6a30887..8070602 100644 > --- a/drivers/usb/dwc2/gadget.c > +++ b/drivers/usb/dwc2/gadget.c > @@ -1389,14 +1389,14 @@ static void s3c_hsotg_complete_request(struct > dwc2_hsotg *hsotg, > if (hs_req->req.status == -EINPROGRESS) > hs_req->req.status = result; > > + if (using_dma(hsotg)) > + s3c_hsotg_unmap_dma(hsotg, hs_ep, hs_req); > + > s3c_hsotg_handle_unaligned_buf_complete(hsotg, hs_ep, > hs_req); > > hs_ep->req = NULL; > list_del_init(&hs_req->queue); > > - if (using_dma(hsotg)) > - s3c_hsotg_unmap_dma(hsotg, hs_ep, hs_req); > - > /* > * call the complete request with the locks off, just in case the > * request tries to queue more work for this endpoint. Looks good. Reviewed-by: Mian Yousaf Kaukab <yousaf.kaukab@xxxxxxxxx> BR, Yousaf -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
