Message ID | 1428e2d7b7b74fccb3493384f96c521a@huawei.com
---|---
State | Superseded
Series | xhci: solve a double free problem while doing s4
On 9.6.2021 17.22, Zhangjiantao (Kirin, nanjing) wrote:
> when system is doing s4, the process of xhci_resume may be as below:
> 1、xhci_mem_cleanup
> 2、xhci_init->xhci_mem_init->xhci_mem_cleanup(when memory is not enough).
> xhci_mem_cleanup will be executed twice when system is out of memory.
> xhci->port_caps is freed in xhci_mem_cleanup,but it isn't set to NULL.
> It will be freed twice when xhci_mem_cleanup is called the second time.
>

Thanks, nice catch

> We got following bug when system resumes from s4:
>
> kernel BUG at mm/slub.c:309!
> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
> CPU: 0 PID: 5929 Tainted: G S W 5.4.96-arm64-desktop #1
> pc : __slab_free+0x5c/0x424
> lr : kfree+0x30c/0x32c
>
> Call trace:
> __slab_free+0x5c/0x424
> kfree+0x30c/0x32c
> xhci_mem_cleanup+0x394/0x3cc
> xhci_mem_init+0x9ac/0x1070
> xhci_init+0x8c/0x1d0
> xhci_resume+0x1cc/0x5fc
> xhci_plat_resume+0x64/0x70
> platform_pm_thaw+0x28/0x60
> dpm_run_callback+0x54/0x24c
> device_resume+0xd0/0x200
> async_resume+0x24/0x60
> async_run_entry_fn+0x44/0x110
> process_one_work+0x1f0/0x490
> worker_thread+0x5c/0x450
> kthread+0x158/0x160
> ret_from_fork+0x10/0x24
>
> Signed-off-by: Tao Xue <xuetao09@huawei.com>

Checkpatch complains:
ERROR: Missing Signed-off-by: line by nominal patch author 'Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>'

Is Zhangjiantao (Kirin, nanjing) the correct author? If yes can I add
"Signed-off-by: Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>?

I'll add the stable and correct fixes tags for this.

Thanks
Mathias
On Thu, Jun 10, 2021 at 04:45:54PM +0300, Mathias Nyman wrote:
> On 9.6.2021 17.22, Zhangjiantao (Kirin, nanjing) wrote:
> > when system is doing s4, the process of xhci_resume may be as below:
> > 1、xhci_mem_cleanup
> > 2、xhci_init->xhci_mem_init->xhci_mem_cleanup(when memory is not enough).
> > xhci_mem_cleanup will be executed twice when system is out of memory.
> > xhci->port_caps is freed in xhci_mem_cleanup,but it isn't set to NULL.
> > It will be freed twice when xhci_mem_cleanup is called the second time.
> >
>
> Thanks, nice catch
>
> > We got following bug when system resumes from s4:
> >
> > kernel BUG at mm/slub.c:309!
> > Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
> > CPU: 0 PID: 5929 Tainted: G S W 5.4.96-arm64-desktop #1
> > pc : __slab_free+0x5c/0x424
> > lr : kfree+0x30c/0x32c
> >
> > Call trace:
> > __slab_free+0x5c/0x424
> > kfree+0x30c/0x32c
> > xhci_mem_cleanup+0x394/0x3cc
> > xhci_mem_init+0x9ac/0x1070
> > xhci_init+0x8c/0x1d0
> > xhci_resume+0x1cc/0x5fc
> > xhci_plat_resume+0x64/0x70
> > platform_pm_thaw+0x28/0x60
> > dpm_run_callback+0x54/0x24c
> > device_resume+0xd0/0x200
> > async_resume+0x24/0x60
> > async_run_entry_fn+0x44/0x110
> > process_one_work+0x1f0/0x490
> > worker_thread+0x5c/0x450
> > kthread+0x158/0x160
> > ret_from_fork+0x10/0x24
> >
> > Signed-off-by: Tao Xue <xuetao09@huawei.com>
>
> Checkpatch complains:
> ERROR: Missing Signed-off-by: line by nominal patch author 'Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>'
>
> Is Zhangjiantao (Kirin, nanjing) the correct author? If yes can I add
> "Signed-off-by: Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>?

Please note that it is generally a bad thing for others to add someone
else's s-o-b line, as it is a legal agreement. It is best for them to
send it instead.

thanks,

greg k-h
On 10.6.2021 17.01, gregkh@linuxfoundation.org wrote:
> On Thu, Jun 10, 2021 at 04:45:54PM +0300, Mathias Nyman wrote:
>> On 9.6.2021 17.22, Zhangjiantao (Kirin, nanjing) wrote:
>>> when system is doing s4, the process of xhci_resume may be as below:
>>> 1、xhci_mem_cleanup
>>> 2、xhci_init->xhci_mem_init->xhci_mem_cleanup(when memory is not enough).
>>> xhci_mem_cleanup will be executed twice when system is out of memory.
>>> xhci->port_caps is freed in xhci_mem_cleanup,but it isn't set to NULL.
>>> It will be freed twice when xhci_mem_cleanup is called the second time.
>>>
>>
>> Thanks, nice catch
>>
>>> We got following bug when system resumes from s4:
>>>
>>> kernel BUG at mm/slub.c:309!
>>> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
>>> CPU: 0 PID: 5929 Tainted: G S W 5.4.96-arm64-desktop #1
>>> pc : __slab_free+0x5c/0x424
>>> lr : kfree+0x30c/0x32c
>>>
>>> Call trace:
>>> __slab_free+0x5c/0x424
>>> kfree+0x30c/0x32c
>>> xhci_mem_cleanup+0x394/0x3cc
>>> xhci_mem_init+0x9ac/0x1070
>>> xhci_init+0x8c/0x1d0
>>> xhci_resume+0x1cc/0x5fc
>>> xhci_plat_resume+0x64/0x70
>>> platform_pm_thaw+0x28/0x60
>>> dpm_run_callback+0x54/0x24c
>>> device_resume+0xd0/0x200
>>> async_resume+0x24/0x60
>>> async_run_entry_fn+0x44/0x110
>>> process_one_work+0x1f0/0x490
>>> worker_thread+0x5c/0x450
>>> kthread+0x158/0x160
>>> ret_from_fork+0x10/0x24
>>>
>>> Signed-off-by: Tao Xue <xuetao09@huawei.com>
>>
>> Checkpatch complains:
>> ERROR: Missing Signed-off-by: line by nominal patch author 'Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>'
>>
>> Is Zhangjiantao (Kirin, nanjing) the correct author? If yes can I add
>> "Signed-off-by: Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>?
>
> Please note that it is generally a bad thing for others to add someone
> else's s-o-b line, as it is a legal agreement. It is best for them to
> send it instead.

Good point.

Zhangjiantao (Kirin, nanjing), could you resend with Author/Signed-off-by corrected.

Thanks
-Mathias
On 2021/6/11 3:27, Mathias Nyman wrote:
> On 10.6.2021 17.01, gregkh@linuxfoundation.org wrote:
>> On Thu, Jun 10, 2021 at 04:45:54PM +0300, Mathias Nyman wrote:
>>> On 9.6.2021 17.22, Zhangjiantao (Kirin, nanjing) wrote:
>>>> when system is doing s4, the process of xhci_resume may be as below:
>>>> 1、xhci_mem_cleanup
>>>> 2、xhci_init->xhci_mem_init->xhci_mem_cleanup(when memory is not enough).
>>>> xhci_mem_cleanup will be executed twice when system is out of memory.
>>>> xhci->port_caps is freed in xhci_mem_cleanup,but it isn't set to NULL.
>>>> It will be freed twice when xhci_mem_cleanup is called the second time.
>>>>
>>> Thanks, nice catch
>>>
>>>> We got following bug when system resumes from s4:
>>>>
>>>> kernel BUG at mm/slub.c:309!
>>>> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
>>>> CPU: 0 PID: 5929 Tainted: G S W 5.4.96-arm64-desktop #1
>>>> pc : __slab_free+0x5c/0x424
>>>> lr : kfree+0x30c/0x32c
>>>>
>>>> Call trace:
>>>> __slab_free+0x5c/0x424
>>>> kfree+0x30c/0x32c
>>>> xhci_mem_cleanup+0x394/0x3cc
>>>> xhci_mem_init+0x9ac/0x1070
>>>> xhci_init+0x8c/0x1d0
>>>> xhci_resume+0x1cc/0x5fc
>>>> xhci_plat_resume+0x64/0x70
>>>> platform_pm_thaw+0x28/0x60
>>>> dpm_run_callback+0x54/0x24c
>>>> device_resume+0xd0/0x200
>>>> async_resume+0x24/0x60
>>>> async_run_entry_fn+0x44/0x110
>>>> process_one_work+0x1f0/0x490
>>>> worker_thread+0x5c/0x450
>>>> kthread+0x158/0x160
>>>> ret_from_fork+0x10/0x24
>>>>
>>>> Signed-off-by: Tao Xue <xuetao09@huawei.com>
>>> Checkpatch complains:
>>> ERROR: Missing Signed-off-by: line by nominal patch author 'Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>'
>>>
>>> Is Zhangjiantao (Kirin, nanjing) the correct author? If yes can I add
>>> "Signed-off-by: Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>?
>> Please note that it is generally a bad thing for others to add someone
>> else's s-o-b line, as it is a legal agreement. It is best for them to
>> send it instead.
> Good point.
>
> Zhangjiantao (Kirin, nanjing), could you resend with Author/Signed-off-by corrected.

Yes, Tao Xue and I are both the correct authors; I will resend soon.

Thanks
--Zhangjiantao
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index f66815f..e4b0c04 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -1924,6 +1924,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) xhci->hw_ports = NULL; xhci->rh_bw = NULL; xhci->ext_caps = NULL; + xhci->port_caps = NULL; xhci->page_size = 0; xhci->page_shift = 0;
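Review bot: Clearing xhci->port_caps right after it is freed is the correct fix for the path in the report: when xhci_init() fails on resume and calls xhci_mem_cleanup() a second time, the field is now NULL and kfree(NULL) is a no-op, which matches how hw_ports, rh_bw and ext_caps are already reset in the same block. The trailer still needs a Fixes: tag naming the commit that introduced port_caps and a Cc: stable line, as promised in the thread, plus a Signed-off-by that matches the patch author so checkpatch stops flagging it.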
When the system is doing s4, the process of xhci_resume may be as below:
1. xhci_mem_cleanup
2. xhci_init->xhci_mem_init->xhci_mem_cleanup (when memory is not enough).
xhci_mem_cleanup will be executed twice when the system is out of memory.
xhci->port_caps is freed in xhci_mem_cleanup, but it isn't set to NULL.
It will be freed twice when xhci_mem_cleanup is called the second time.

We got the following bug when the system resumes from s4:

kernel BUG at mm/slub.c:309!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
CPU: 0 PID: 5929 Tainted: G S W 5.4.96-arm64-desktop #1
pc : __slab_free+0x5c/0x424
lr : kfree+0x30c/0x32c

Call trace:
__slab_free+0x5c/0x424
kfree+0x30c/0x32c
xhci_mem_cleanup+0x394/0x3cc
xhci_mem_init+0x9ac/0x1070
xhci_init+0x8c/0x1d0
xhci_resume+0x1cc/0x5fc
xhci_plat_resume+0x64/0x70
platform_pm_thaw+0x28/0x60
dpm_run_callback+0x54/0x24c
device_resume+0xd0/0x200
async_resume+0x24/0x60
async_run_entry_fn+0x44/0x110
process_one_work+0x1f0/0x490
worker_thread+0x5c/0x450
kthread+0x158/0x160
ret_from_fork+0x10/0x24

Signed-off-by: Tao Xue <xuetao09@huawei.com>
---
 drivers/usb/host/xhci-mem.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.7.4
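The cleanup-twice sequence from the commit message, as an added user-space model that is not the xhci driver's code: mem_cleanup(), mem_init() and the two-field struct hcd are constructed stand-ins for xhci_mem_cleanup(), xhci_mem_init() and struct xhci_hcd, and a fake allocator records frees so the second release of port_caps is counted rather than crashing. The `fixed` flag toggles the one-line NULL assignment the patch adds.

```c
#include <stddef.h>

/* Constructed model of the S4 resume path, not kernel code. Buffers come from
 * a static pool and frees are only recorded, so a double free is countable. */
static char pool[4][64];
static void *freed[4];
static int npool, nfreed, double_frees;

static void *fake_alloc(void) { return pool[npool++]; }

static void fake_free(void *p)                     /* kfree(NULL) is a no-op */
{
	for (int i = 0; p && i < nfreed; i++)
		if (freed[i] == p) { double_frees++; return; }
	if (p) freed[nfreed++] = p;
}

struct hcd { void *cmd_ring; void *port_caps; };  /* two xhci_hcd buffers */

/* Stand-in for xhci_mem_cleanup(); 'fixed' adds the patch's NULL assignment. */
static void mem_cleanup(struct hcd *x, int fixed)
{
	fake_free(x->cmd_ring);
	x->cmd_ring = NULL;                            /* already cleared upstream */
	fake_free(x->port_caps);
	if (fixed) x->port_caps = NULL;                /* + xhci->port_caps = NULL; */
}

/* Stand-in for xhci_mem_init(): port_caps is set up late, so an earlier
 * allocation failure unwinds through mem_cleanup() with port_caps untouched. */
static int mem_init(struct hcd *x, int fixed, int oom)
{
	x->cmd_ring = fake_alloc();
	if (oom) { mem_cleanup(x, fixed); return -1; } /* error path: 2nd cleanup */
	x->port_caps = fake_alloc();
	return 0;
}

/* Boot normally, then thaw from S4 (cleanup + re-init) with the re-init running
 * out of memory. Returns the double frees seen: 1 without the fix, 0 with it. */
int s4_resume_double_frees(int fixed)
{
	struct hcd x = { 0 };

	npool = nfreed = double_frees = 0;
	mem_init(&x, fixed, 0);
	mem_cleanup(&x, fixed);                        /* xhci_resume(): cleanup */
	mem_init(&x, fixed, 1);                        /* xhci_resume(): xhci_init() OOM */
	return double_frees;
}
```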