From: "Du, Changbin"
To: Robert Baldyga, balbi@ti.com, gregkh@linuxfoundation.org
CC: r.baldyga@samsung.com, nab@linux-iscsi.org, andrzej.p@samsung.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: RE: [PATCH] usb: gadget: acm: set notify_req to NULL after freed to avoid double free
Date: Mon, 28 Dec 2015 06:06:13 +0000
Message-ID: <0C18FE92A7765D4EB9EE5D38D86A563A0316D9B8@SHSMSX103.ccr.corp.intel.com>
References: <1451102260-13204-1-git-send-email-changbin.du@intel.com> <5680609B.3070209@hackerion.com>
In-Reply-To: <5680609B.3070209@hackerion.com>

> On 12/26/2015 04:57 AM, changbin.du@intel.com wrote:
> > From: "Du, Changbin"
> >
> > If acm_bind fails before allocating the notification and acm->notify_req is
> > not set to NULL after being freed last time, a double free will happen.
>
> Looks good to me.
>
> A similar problem can occur with other USB functions (at least f_ecm,
> f_ncm, f_rndis and f_hid handle USB requests in an analogous way). Maybe
> it's worth fixing them all at once?
>
> > kernel BUG at mm/slub.c:3392!
> > invalid opcode: 0000 [#1] PREEMPT SMP
> > EIP is at kfree+0x172/0x180
> > Call Trace:
> > [<80c0e3b6>] ? usb_ep_autoconfig_ss+0x86/0x170
> > [<80c13345>] gs_free_req+0x15/0x30
> > [<80c12df1>] acm_bind+0x1c1/0x2d0
> > [<80c0e9be>] usb_add_function+0x6e/0x120
> > [<80c213cb>] acm_function_bind_config+0x2b/0x90
> >
> > Reviewed-by: Robert Baldyga

Hmm, you are right. I checked all the functions and found these need to be fixed:

f_ecm.c
f_hid.c
f_ncm.c
f_phonet.c
f_rndis.c
f_uvc.c

I will update the patch to fix them all. Thank you.

Regards,
Du, Changbin
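The failure pattern the thread describes, reduced to a user-space model (added example, not code from the patch or the kernel): a bind attempt that allocates the notify request and then fails leaves a dangling `acm->notify_req`; a second bind attempt on the same function instance that fails before the allocation (as in the trace, `usb_ep_autoconfig_ss` followed by `gs_free_req`) then frees the stale pointer again. The allocator, struct names and `acm_bind_sim` are hypothetical stand-ins that count double frees rather than crashing the way `kfree()` does.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-ins for the gadget structures (not the kernel's). */
struct usb_request { int unused; };
struct f_acm { struct usb_request *notify_req; };

/* Toy slab: counts a second free of the same object instead of hitting
 * "kernel BUG at mm/slub.c" as the real kfree() does. */
static struct usb_request slab[4];
static bool in_use[4];
static int double_frees;

static struct usb_request *gs_alloc_req(void)
{
	for (int i = 0; i < 4; i++)
		if (!in_use[i]) { in_use[i] = true; return &slab[i]; }
	return NULL;
}

static void gs_free_req(struct usb_request *req)
{
	ptrdiff_t i = req - slab;
	if (!in_use[i])
		double_frees++;   /* freeing an object that is already free */
	in_use[i] = false;
}

/* Simulated acm_bind(): either fail before reaching the allocation or
 * allocate notify_req and fail later. Both paths unwind through "fail:". */
static int acm_bind_sim(struct f_acm *acm, bool fail_before_alloc, bool fixed)
{
	if (fail_before_alloc)
		goto fail;
	acm->notify_req = gs_alloc_req();
	if (!acm->notify_req)
		return -1;
	/* a later step of bind fails, so clean up what was allocated */
fail:
	if (acm->notify_req) {
		gs_free_req(acm->notify_req);
		if (fixed)
			acm->notify_req = NULL;   /* the change the patch makes */
	}
	return -1;
}

/* Two bind attempts on one instance: returns how many double frees occurred. */
int run_scenario(bool fixed)
{
	struct f_acm acm = { .notify_req = NULL };
	double_frees = 0;
	for (int i = 0; i < 4; i++) in_use[i] = false;
	acm_bind_sim(&acm, false, fixed);   /* allocates, fails later, frees */
	acm_bind_sim(&acm, true, fixed);    /* fails early; stale pointer freed again if not NULLed */
	return double_frees;
}
```

`run_scenario(false)` reports one double free; with the pointer cleared after `gs_free_req()`, `run_scenario(true)` reports none.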