Date: Fri, 2 Oct 2015 07:09:17 +0000
From: "Kaukab, Yousaf" <yousaf.kaukab@...el.com>
To: "balbi@...com" <balbi@...com>
CC: "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
    "john.youn@...opsys.com" <john.youn@...opsys.com>,
    "lyz@...k-chips.com" <lyz@...k-chips.com>,
    "heiko@...ech.de" <heiko@...ech.de>,
    "cf@...k-chips.com" <cf@...k-chips.com>,
    "hl@...k-chips.com" <hl@...k-chips.com>,
    "yk@...k-chips.com" <yk@...k-chips.com>,
    "gauravsh@...gle.com" <gauravsh@...gle.com>,
    "alberto@...gle.com" <alberto@...gle.com>,
    "wulf@...k-chips.com" <wulf@...k-chips.com>,
    "jwerner@...omium.org" <jwerner@...omium.org>,
    "jeffy.chen@...k-chips.com" <jeffy.chen@...k-chips.com>,
    "Herrero, Gregory" <gregory.herrero@...el.com>,
    "huangtao@...k-chips.com" <huangtao@...k-chips.com>,
    "rockchip-discuss@...omium.org" <rockchip-discuss@...omium.org>,
    "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
    "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free bug

> -----Original Message-----
> From: Felipe Balbi [mailto:balbi@...com]
> Sent: Thursday, October 1, 2015 7:21 PM
> To: Kaukab, Yousaf
> Cc: balbi@...com; linux-usb@...r.kernel.org; john.youn@...opsys.com;
> lyz@...k-chips.com; heiko@...ech.de; cf@...k-chips.com; hl@...k-chips.com;
> yk@...k-chips.com; gauravsh@...gle.com; alberto@...gle.com;
> wulf@...k-chips.com; jwerner@...omium.org; jeffy.chen@...k-chips.com;
> Herrero, Gregory; huangtao@...k-chips.com; rockchip-discuss@...omium.org;
> gregkh@...uxfoundation.org; linux-kernel@...r.kernel.org
> Subject: Re: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free bug
>
> On Thu, Oct 01, 2015 at 12:01:48PM +0000, Kaukab, Yousaf wrote:
> > > From: Mian Yousaf Kaukab <yousaf.kaukab@...el.com>
> > > Date: Tue, Sep 29, 2015 at 12:25 PM
> > > Subject: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free bug
> > > To: linux-usb@...r.kernel.org, balbi@...com, john.youn@...opsys.com,
> > > lyz@...k-chips.com
> > > Cc: heiko@...ech.de, cf@...k-chips.com, hl@...k-chips.com,
> > > yk@...k-chips.com, gauravsh@...gle.com, alberto@...gle.com,
> > > wulf@...k-chips.com, jwerner@...omium.org,
> > > jeffy.chen@...k-chips.com, gregory.herrero@...el.com,
> > > huangtao@...k-chips.com, rockchip-discuss@...omium.org,
> > > gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org
> > >
> > >
> > > From: Yunzhi Li <lyz@...k-chips.com>
> > >
> > > When dwc2_hsotg_handle_unaligned_buf_complete() hs_req->req.buf
> > > already destroyed, in dwc2_hsotg_unmap_dma(), it touches
> > > hs_req->req.dma again, so
> > > dwc2_hsotg_unmap_dma() should be called before
> > > dwc2_hsotg_handle_unaligned_buf_complete(). Otherwise, it will cause
> > > a bad_page BUG, when allocate this memory page next time.
> > >
> > > This bug led to the following crash:
> > >
> > > BUG: Bad page state in process swapper/0 pfn:2bdbc
> > > [ 26.820440] page:eed76780 count:0 mapcount:0 mapping: (null) index:0x0
> > > [ 26.854710] page flags: 0x200(arch_1)
> > > [ 26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set
> > > [ 26.919179] bad because of flags:
> > > [ 26.948917] page flags: 0x200(arch_1)
> > > [ 26.979100] Modules linked in:
> > > [ 27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17
> > > [ 27.041816] [<c010e1f8>] (unwind_backtrace) from [<c010a704>] (show_stack+0x20/0x24)
> > > [ 27.076108] [<c010a704>] (show_stack) from [<c087eea8>] (dump_stack+0x70/0x8c)
> > > [ 27.110246] [<c087eea8>] (dump_stack) from [<c01ce0b8>] (bad_page+0xfc/0x12c)
> > > [ 27.143958] [<c01ce0b8>] (bad_page) from [<c01ce65c>] (get_page_from_freelist+0x3e4/0x50c)
> > > [ 27.179298] [<c01ce65c>] (get_page_from_freelist) from [<c01ce9a0>] (__alloc_pages_nodemask)
> > > [ 27.216296] [<c01ce9a0>] (__alloc_pages_nodemask) from [<c01cf00c>] (__get_free_pages+0x20/)
> > > [ 27.252326] [<c01cf00c>] (__get_free_pages) from [<c01e5bec>] (kmalloc_order_trace+0x34/0xa)
> > > [ 27.288295] [<c01e5bec>] (kmalloc_order_trace) from [<c0203304>] (__kmalloc+0x40/0x1ac)
> > > [ 27.323751] [<c0203304>] (__kmalloc) from [<c052abc0>] (dwc2_hsotg_ep_queue.isra.12+0x7c/0x1)
> > > [ 27.359937] [<c052abc0>] (dwc2_hsotg_ep_queue.isra.12) from [<c052af88>] (dwc2_hsotg_ep_queue)
> > > [ 27.397478] [<c052af88>] (dwc2_hsotg_ep_queue_lock) from [<c0554110>] (rx_submit+0xfc/0x164)
> > > [ 27.433619] [<c0554110>] (rx_submit) from [<c05546e8>] (rx_complete+0x22c/0x230)
> > > [ 27.468872] [<c05546e8>] (rx_complete) from [<c052b528>] (dwc2_hsotg_complete_request+0xfc/0)
> > > [ 27.506240] [<c052b528>] (dwc2_hsotg_complete_request) from [<c052bba0>] (dwc2_hsotg_handle_o)
> > > [ 27.545401] [<c052bba0>] (dwc2_hsotg_handle_outdone) from [<c052be70>] (dwc2_hsotg_epint+0x2c)
> > > [ 27.583689] [<c052be70>] (dwc2_hsotg_epint) from [<c052c750>] (dwc2_hsotg_irq+0x1dc/0x4ac)
> > > [ 27.621041] [<c052c750>] (dwc2_hsotg_irq) from [<c01682e0>] (handle_irq_event_percpu+0x70/0x)
> > > [ 27.659066] [<c01682e0>] (handle_irq_event_percpu) from [<c01684ec>] (handle_irq_event+0x4c)
> > > [ 27.697322] [<c01684ec>] (handle_irq_event) from [<c016bae0>] (handle_fasteoi_irq+0xc8/0x11)
> > > [ 27.735451] [<c016bae0>] (handle_fasteoi_irq) from [<c0167b8c>] (generic_handle_irq+0x30/0x)
> > > [ 27.773918] [<c0167b8c>] (generic_handle_irq) from [<c0167ca4>] (__handle_domain_irq+0x84/0)
> > > [ 27.812018] [<c0167ca4>] (__handle_domain_irq) from [<c01003b0>] (gic_handle_irq+0x48/0x6c)
> > > [ 27.849695] [<c01003b0>] (gic_handle_irq) from [<c010b340>] (__irq_svc+0x40/0x50)
> > > [ 27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28)
> > >
> > > Acked-by: John Youn <johnyoun@...opsys.com>
> > > Tested-by: Heiko Stuebner <heiko@...ech.de>
> > > Tested-by: Jeffy Chen <jeffy.chen@...k-chips.com>
> > > Signed-off-by: Yunzhi Li <lyz@...k-chips.com>
> > >
> >
> > Hi Felipe,
> > This patch has been hanging around for a while now. Can you please apply this?
>
> https://git.kernel.org/cgit/linux/kernel/git/balbi/usb.git/commit/?h=testing/next&id=1c2e3377a933af9102f6c57c414c378a52d4e70d

Thanks!

>
> --
> balbi

BR,
Yousaf
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
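
Added illustration (not part of the thread and not dwc2 driver code): a userspace C model of the ordering problem the quoted commit message describes. It assumes that unmapping sets a flag on the page behind the DMA address and that freeing a page resets its flags, mirroring the arch_1 flag in the trace; every toy_* name is hypothetical.

```c
#include <stdio.h>

/* Value copied from "page flags: 0x200(arch_1)" in the quoted trace. */
#define TOY_FLAG_ARCH_1 0x200u

struct toy_page { unsigned flags; int in_use; };
static struct toy_page pool[1];            /* one-page toy allocator */

/* Models the flag check at allocation time that ends in bad_page(). */
static struct toy_page *toy_alloc(int *bad)
{
    struct toy_page *p = &pool[0];
    if (p->in_use)
        return NULL;
    if (p->flags) { *bad = 1; p->flags = 0; }
    p->in_use = 1;
    return p;
}

/* Assumption: a legitimate free resets the page state flags. */
static void toy_free(struct toy_page *p) { p->flags = 0; p->in_use = 0; }

/* buf: bounce buffer; dma: what the unmap step dereferences later. */
struct toy_req { struct toy_page *buf; struct toy_page *dma; };

/* Stand-in for dwc2_hsotg_handle_unaligned_buf_complete(): destroys req.buf. */
static void toy_unaligned_buf_complete(struct toy_req *r)
{
    toy_free(r->buf);
    r->buf = NULL;
}

/* Stand-in for dwc2_hsotg_unmap_dma(): touches req.dma (assumed to flag the page). */
static void toy_unmap_dma(struct toy_req *r)
{
    if (r->dma) { r->dma->flags |= TOY_FLAG_ARCH_1; r->dma = NULL; }
}

/* Returns 1 if the allocation after completion finds a bad page. */
int toy_complete(int unmap_first)
{
    int bad = 0;
    struct toy_req r;
    pool[0] = (struct toy_page){0};
    r.buf = r.dma = toy_alloc(&bad);
    if (unmap_first) { toy_unmap_dma(&r); toy_unaligned_buf_complete(&r); }
    else             { toy_unaligned_buf_complete(&r); toy_unmap_dma(&r); }
    toy_alloc(&bad);   /* the next rx_submit -> __kmalloc step in the trace */
    return bad;
}

int main(void)
{
    printf("complete, then unmap: bad_page=%d\n", toy_complete(0));
    printf("unmap, then complete: bad_page=%d\n", toy_complete(1));
    return 0;
}
```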