lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87eftc6f19.fsf@linux.intel.com>
Date:   Wed, 19 Jul 2017 10:50:58 +0300
From:   Felipe Balbi <balbi@...nel.org>
To:     "He\, Bo" <bo.he@...el.com>,
        "linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-usb\@vger.kernel.org" <linux-usb@...r.kernel.org>
Cc:     "gregkh\@linuxfoundation.org" <gregkh@...uxfoundation.org>,
        "peter.chen\@nxp.com" <peter.chen@....com>,
        "k.opasiak\@samsung.com" <k.opasiak@...sung.com>,
        "stefan\@agner.ch" <stefan@...er.ch>,
        "felixhaedicke\@web.de" <felixhaedicke@....de>,
        "colin.king\@canonical.com" <colin.king@...onical.com>,
        "rogerq\@ti.com" <rogerq@...com>,
        "f.fainelli\@gmail.com" <f.fainelli@...il.com>,
        "Zhang\, Yanmin" <yanmin.zhang@...el.com>
Subject: RE: [PATCH] usb: gadget: udc: fix the kernel NULL pointer in composite_setup


Hi,

(please don't top-post and also break your lines at 80-columns ;-)

"He, Bo" <bo.he@...el.com> writes:
> 	1. the issue reproduced very rarely, we run reboot test
> 	reproduce the issue, it reproduced two times on two board after
> 	more than 1500 cycles reboot.

That's fine, we, somehow, got a use-after-free on the tracepoints. I'm
interested in fixing that without touching udc-core since that's a
dwc3-only bug.

> 	2. the kernel version is 4.4, the test case is cold reboot, I think it's not android patches cause it, it's the interrupt thread run after the udc->driver->unbind.

Yeah, I need you to try v4.13-rc1. v4.4 is *really* old. I can't accept
your patch unless I'm certain the bug still exists.

> 	3. I check more drivers, like amd5536_udc_stop, at91_stop,
> 	atmel_usba_stop, bcm63xx_udc_stop, s3c_hsudc_stop, all the
> 	interrupt disable will be in the udc_stop(), so we need
> 	guarantee to stop the interrupt then release the resource.

Right, we also disable the interrupt on ->udc_stop(). See below:

static void __dwc3_gadget_stop(struct dwc3 *dwc)
{
	dwc3_gadget_disable_irq(dwc);
	__dwc3_gadget_ep_disable(dwc->eps[0]);
	__dwc3_gadget_ep_disable(dwc->eps[1]);
}

static int dwc3_gadget_stop(struct usb_gadget *g)
{
	struct dwc3		*dwc = gadget_to_dwc(g);
	unsigned long		flags;
	int			epnum;

	spin_lock_irqsave(&dwc->lock, flags);

	if (pm_runtime_suspended(dwc->dev))
		goto out;

	__dwc3_gadget_stop(dwc);

	for (epnum = 2; epnum < DWC3_ENDPOINTS_NUM; epnum++) {
		struct dwc3_ep  *dep = dwc->eps[epnum];

		if (!dep)
			continue;

		if (!(dep->flags & DWC3_EP_END_TRANSFER_PENDING))
			continue;

		wait_event_lock_irq(dep->wait_end_transfer,
				    !(dep->flags & DWC3_EP_END_TRANSFER_PENDING),
				    dwc->lock);
	}

out:
	dwc->gadget_driver	= NULL;
	spin_unlock_irqrestore(&dwc->lock, flags);

	free_irq(dwc->irq_gadget, dwc->ev_buf);

	return 0;
}

-- 
balbi

Download attachment "signature.asc" of type "application/pgp-signature" (833 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ