system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-10-11 13:55:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/drivers
History
Yunzhi Li 44583fecfd usb: dwc2: gadget: fix a memory use-after-free bug 
When dwc2_hsotg_handle_unaligned_buf_complete() hs_req->req.buf
already destroyed, in dwc2_hsotg_unmap_dma(), it touches
hs_req->req.dma again, so dwc2_hsotg_unmap_dma() should be called
before dwc2_hsotg_handle_unaligned_buf_complete(). Otherwise, it
will cause a bad_page BUG, when allocate this memory page next
time.

This bug led to the following crash:

BUG: Bad page state in process swapper/0  pfn:2bdbc
[   26.820440] page:eed76780 count:0 mapcount:0 mapping:  (null) index:0x0
[   26.854710] page flags: 0x200(arch_1)
[   26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set
[   26.919179] bad because of flags:
[   26.948917] page flags: 0x200(arch_1)
[   26.979100] Modules linked in:
[   27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17
[   27.041816] [<c010e1f8>] (unwind_backtrace) from [<c010a704>] (show_stack+0x20/0x24)
[   27.076108] [<c010a704>] (show_stack) from [<c087eea8>] (dump_stack+0x70/0x8c)
[   27.110246] [<c087eea8>] (dump_stack) from [<c01ce0b8>] (bad_page+0xfc/0x12c)
[   27.143958] [<c01ce0b8>] (bad_page) from [<c01ce65c>] (get_page_from_freelist+0x3e4/0x50c)
[   27.179298] [<c01ce65c>] (get_page_from_freelist) from [<c01ce9a0>] (__alloc_pages_nodemask)
[   27.216296] [<c01ce9a0>] (__alloc_pages_nodemask) from [<c01cf00c>] (__get_free_pages+0x20/)
[   27.252326] [<c01cf00c>] (__get_free_pages) from [<c01e5bec>] (kmalloc_order_trace+0x34/0xa)
[   27.288295] [<c01e5bec>] (kmalloc_order_trace) from [<c0203304>] (__kmalloc+0x40/0x1ac)
[   27.323751] [<c0203304>] (__kmalloc) from [<c052abc0>] (dwc2_hsotg_ep_queue.isra.12+0x7c/0x1)
[   27.359937] [<c052abc0>] (dwc2_hsotg_ep_queue.isra.12) from [<c052af88>] (dwc2_hsotg_ep_queue)
[   27.397478] [<c052af88>] (dwc2_hsotg_ep_queue_lock) from [<c0554110>] (rx_submit+0xfc/0x164)
[   27.433619] [<c0554110>] (rx_submit) from [<c05546e8>] (rx_complete+0x22c/0x230)
[   27.468872] [<c05546e8>] (rx_complete) from [<c052b528>] (dwc2_hsotg_complete_request+0xfc/0)
[   27.506240] [<c052b528>] (dwc2_hsotg_complete_request) from [<c052bba0>] (dwc2_hsotg_handle_o)
[   27.545401] [<c052bba0>] (dwc2_hsotg_handle_outdone) from [<c052be70>] (dwc2_hsotg_epint+0x2c)
[   27.583689] [<c052be70>] (dwc2_hsotg_epint) from [<c052c750>] (dwc2_hsotg_irq+0x1dc/0x4ac)
[   27.621041] [<c052c750>] (dwc2_hsotg_irq) from [<c01682e0>] (handle_irq_event_percpu+0x70/0x)
[   27.659066] [<c01682e0>] (handle_irq_event_percpu) from [<c01684ec>] (handle_irq_event+0x4c)
[   27.697322] [<c01684ec>] (handle_irq_event) from [<c016bae0>] (handle_fasteoi_irq+0xc8/0x11)
[   27.735451] [<c016bae0>] (handle_fasteoi_irq) from [<c0167b8c>] (generic_handle_irq+0x30/0x)
[   27.773918] [<c0167b8c>] (generic_handle_irq) from [<c0167ca4>] (__handle_domain_irq+0x84/0)
[   27.812018] [<c0167ca4>] (__handle_domain_irq) from [<c01003b0>] (gic_handle_irq+0x48/0x6c)
[   27.849695] [<c01003b0>] (gic_handle_irq) from [<c010b340>] (__irq_svc+0x40/0x50)
[   27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28)

Acked-by: John Youn <johnyoun@synopsys.com>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Tested-by: Jeffy Chen <jeffy.chen@rock-chips.com>
Signed-off-by: Yunzhi Li <lyz@rock-chips.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-10-01 12:40:27 -05:00
..
accessibility
acpi ACPI: Eliminate CONFIG_.*{, _MODULE} #ifdef in favor of IS_ENABLED() 2015-09-15 03:05:45 +02:00
amba
android mm: mark most vm_operations_struct const 2015-09-10 13:29:01 -07:00
ata Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2015-09-03 16:55:55 -07:00
atm solos-pci: Increase headroom on received packets 2015-09-17 21:29:07 -07:00
auxdisplay
base driver core fix for 4.3-rc3 2015-09-26 20:54:53 -04:00
bcma
block Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2015-09-19 18:57:09 -07:00
bluetooth Bluetooth: hci_bcm: Fix crash on suspend 2015-08-28 21:09:14 +02:00
bus regmap: Changes for v4.3 2015-09-08 16:48:55 -07:00
cdrom
char Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2015-09-26 21:05:23 -04:00
clk A few driver fixes for tegra, rockchip, and st SoCs and a two-liner 2015-09-19 20:17:40 -07:00
clocksource - New Device Support 2015-09-04 11:35:03 -07:00
connector
cpufreq cpufreq: acpi-cpufreq: Use cpufreq_cpu_get_raw() in ->get() 2015-09-16 02:17:49 +02:00
cpuidle Additional power management and ACPI material for v4.3-rc1 2015-09-11 19:11:06 -07:00
crypto Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2015-09-26 21:05:23 -04:00
dca
devfreq PM / devfreq: Fix incorrect type issue. 2015-09-11 14:23:30 +09:00
dio
dma genirq: Remove irq argument from irq flow handlers 2015-09-16 15:47:51 +02:00
dma-buf
edac edac updates for v4.3-rc1 2015-09-11 16:21:12 -07:00
eisa
extcon extcon: Fix attached value returned by is_extcon_changed 2015-09-21 15:07:19 +09:00
firewire
firmware ARM: SoC fixes for v4.3-rc 2015-09-27 06:45:18 -04:00
fmc
gpio Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-09-18 08:11:42 -07:00
gpu Merge tag 'drm-intel-fixes-2015-09-24' of git://anongit.freedesktop.org/drm-intel into drm-fixes 2015-09-25 06:52:37 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2015-09-04 12:02:11 -07:00
hsi mm: mark most vm_operations_struct const 2015-09-10 13:29:01 -07:00
hv Drivers: hv: vmbus: fix init_vp_index() for reloading hv_netvsc 2015-09-20 22:44:51 -07:00
hwmon hwmon: (nct6775) Add support for NCT6793D 2015-09-12 19:43:02 -07:00
hwspinlock
hwtracing/coresight
i2c Merge branch 'i2c/for-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2015-09-08 16:16:26 -07:00
ide
idle
iio This is the bulk of GPIO changes for the v4.3 kernel cycle: 2015-09-04 10:07:45 -07:00
infiniband Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-09-26 21:02:42 -04:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2015-09-11 19:17:28 -07:00
iommu fs/seq_file: convert int seq_vprint/seq_printf/etc... returns to void 2015-09-11 15:21:34 -07:00
ipack
irqchip irqchip/atmel-aic5: Use per chip mask caches in mask/unmask() 2015-09-22 15:55:51 +02:00
isdn libnvdimm for 4.3: 2015-09-08 14:35:59 -07:00
leds leds:lp55xx: Correct Kconfig dependency for f/w user helper 2015-09-17 10:02:20 +02:00
lguest
macintosh powerpc updates for 4.3 2015-09-03 16:41:38 -07:00
mailbox Merge branch 'mailbox-for-next' of git://git.linaro.org/landing-teams/working/fujitsu/integration 2015-09-05 18:11:04 -07:00
mcb
md dm crypt: constrain crypt device's max_segment_size to PAGE_SIZE 2015-09-14 12:04:24 -04:00
media media updates for v4.3-rc1 2015-09-11 16:42:39 -07:00
memory IOMMU Updates for Linux v4.3 2015-09-08 17:22:35 -07:00
memstick
message mptfusion: prevent some memory corruption 2015-08-26 07:11:45 -07:00
mfd genirq: Remove irq argument from irq flow handlers 2015-09-16 15:47:51 +02:00
misc Char/Misc driver fixes for 4.3-rc3 2015-09-26 20:53:15 -04:00
mmc MMC core: 2015-09-08 16:33:16 -07:00
mtd MTD updates #2 for 4.3-rc1: 2015-09-09 11:17:33 -07:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-09-26 06:01:33 -04:00
nfc This is the bulk of GPIO changes for the v4.3 kernel cycle: 2015-09-04 10:07:45 -07:00
ntb NTB: Fix range check on memory window index 2015-09-07 15:27:12 -04:00
nubus
nvdimm pmem: add proper fencing to pmem_rw_page() 2015-09-17 11:49:28 -04:00
nvmem
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-09-26 06:01:33 -04:00
oprofile
parisc PCI: Revert "PCI: Call pci_read_bridge_bases() from core instead of arch code" 2015-09-15 13:18:04 -05:00
parport
pci PCI updates for v4.3: 2015-09-25 11:16:53 -07:00
pcmcia pcmcia: soc_common: remove skt_dev_info's clk pointer 2015-09-03 16:01:03 +01:00
perf
phy This is the bulk of GPIO changes for the v4.3 kernel cycle: 2015-09-04 10:07:45 -07:00
pinctrl Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-09-18 08:11:42 -07:00
platform platform-drivers-x86 for 4.3-2 2015-09-17 21:41:02 -07:00
pnp
power power supply and reset fixes for the v4.3 series 2015-09-17 12:25:42 -07:00
powercap powercap / RAPL: disable the 2nd power limit properly 2015-08-29 01:46:40 +02:00
pps
ps3
ptp
pwm pwm: Changes for v4.3-rc1 2015-09-09 10:55:32 -07:00
rapidio
ras
regulator Merge commit 'b8c93646fd5c' into omap-for-v4.3/fixes 2015-09-24 16:23:20 -07:00
remoteproc
reset reset: ath79: Fix missing spin_lock_init 2015-09-01 14:48:40 +02:00
rpmsg
rtc rtc: abx80x: fix RTC write bit 2015-09-05 19:37:31 +02:00
s390 virtio: fixes on top of 4.3-rc1 2015-09-18 09:28:20 -07:00
sbus
scsi Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-09-11 19:00:42 -07:00
sfi
sh SH Drivers Updates for v4.3 2015-09-21 12:02:27 -07:00
sn
soc genirq: Remove irq argument from irq flow handlers 2015-09-16 15:47:51 +02:00
spi Merge remote-tracking branches 'spi/fix/spidev' and 'spi/fix/xtfpga' into spi-linus 2015-09-22 09:48:41 -07:00
spmi genirq: Remove irq argument from irq flow handlers 2015-09-16 15:47:51 +02:00
ssb
staging Staging driver fixes for 4.3-rc3 2015-09-26 20:56:50 -04:00
target iscsi-target: Avoid OFMarker + IFMarker negotiation 2015-09-24 23:24:46 -07:00
tc
thermal thermal: power_allocator: exit early if there are no cooling devices 2015-09-20 15:37:16 +08:00
thunderbolt thunderbolt: Allow loading of module on recent Apple MacBooks with thunderbolt 2 controller 2015-09-20 15:20:11 -07:00
tty tty: serial: Add missing module license for 8250_base.ko 2015-09-22 09:09:15 -07:00
uio
usb usb: dwc2: gadget: fix a memory use-after-free bug 2015-10-01 12:40:27 -05:00
uwb
vfio
vhost virtio: fixes on top of 4.3-rc1 2015-09-18 09:28:20 -07:00
video Merge branch 'akpm' (patches from Andrew) 2015-09-10 18:19:42 -07:00
virt
virtio virtio_balloon: do not change memory amount visible via /proc/meminfo 2015-09-08 13:32:11 +03:00
vlynq
vme
w1 Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-09-01 18:46:42 -07:00
watchdog Merge git://www.linux-watchdog.org/linux-watchdog 2015-09-11 15:12:59 -07:00
xen Merge branch 'akpm' (patches from Andrew) 2015-09-10 18:19:42 -07:00
zorro
Kconfig Merge branch 'for-linus' of git://ftp.arm.linux.org.uk/~rmk/linux-arm 2015-09-03 16:27:01 -07:00
Makefile This is the bulk of pin control changes for the v4.3 development 2015-09-04 10:22:09 -07:00