<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/usb/gadget/function/f_fs.c, branch linux-4.1.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()</title>
<updated>2018-03-21T03:49:54+00:00</updated>
<author>
<name>Xinyong</name>
<email>xinyong.fang@linux.alibaba.com</email>
</author>
<published>2018-03-02T11:20:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f642176da2177e68e1cfdb89d5cb62d255eb53b4'/>
<id>f642176da2177e68e1cfdb89d5cb62d255eb53b4</id>
<content type='text'>
[ Upstream commit 1a087f032111a88e826877449dfb93ceb22b78b9 ]

When I debug a kernel crash issue in funcitonfs, found ffs_data.ref
overflowed, While functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
refcount_t") can avoid refcount overflow, but that is risk some situations.
So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.

The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
KASAN enabled configuration reports use-after-free errro.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0
Read of size 4 by task umount/4650
====================================================
BUG kmalloc-512 (Tainted: P        W  O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
    alloc_debug_processing+0x1ac/0x1e8
    ___slab_alloc.constprop.63+0x640/0x648
    __slab_alloc.isra.57.constprop.62+0x24/0x34
    kmem_cache_alloc_trace+0x1a8/0x2bc
    ffs_fs_mount+0x194/0x844
    mount_fs+0x6c/0x1d0
    vfs_kern_mount+0x50/0x1b4
    do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
    free_debug_processing+0x22c/0x434
    __slab_free+0x2d8/0x3a0
    kfree+0x254/0x264
    ffs_data_put+0x25c/0x320
    ffs_data_closed+0x124/0x15c
    ffs_fs_kill_sb+0xb8/0x110
    deactivate_locked_super+0x6c/0x98
    deactivate_super+0xb0/0xbc
INFO: Object 0xffffffc057938600 @offset=1536 fp=0x          (null)
......
Call trace:
[&lt;ffffff900808cf5c&gt;] dump_backtrace+0x0/0x250
[&lt;ffffff900808d3a0&gt;] show_stack+0x14/0x1c
[&lt;ffffff90084a8c04&gt;] dump_stack+0xa0/0xc8
[&lt;ffffff900826c2b4&gt;] print_trailer+0x158/0x260
[&lt;ffffff900826d9d8&gt;] object_err+0x3c/0x40
[&lt;ffffff90082745f0&gt;] kasan_report_error+0x2a8/0x754
[&lt;ffffff9008274f84&gt;] kasan_report+0x5c/0x60
[&lt;ffffff9008273208&gt;] __asan_load4+0x70/0x88
[&lt;ffffff90084cd81c&gt;] refcount_dec_and_test+0x14/0xe0
[&lt;ffffff9008d98f9c&gt;] ffs_data_put+0x80/0x320
[&lt;ffffff9008d9d904&gt;] ffs_fs_kill_sb+0xc8/0x110
[&lt;ffffff90082852a0&gt;] deactivate_locked_super+0x6c/0x98
[&lt;ffffff900828537c&gt;] deactivate_super+0xb0/0xbc
[&lt;ffffff90082af0c0&gt;] cleanup_mnt+0x64/0xec
[&lt;ffffff90082af1b0&gt;] __cleanup_mnt+0x10/0x18
[&lt;ffffff90080d9e68&gt;] task_work_run+0xcc/0x124
[&lt;ffffff900808c8c0&gt;] do_notify_resume+0x60/0x70
[&lt;ffffff90080866e4&gt;] work_pending+0x10/0x14

Cc: stable@vger.kernel.org
Signed-off-by: Xinyong &lt;xinyong.fang@linux.alibaba.com&gt;

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;

Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1a087f032111a88e826877449dfb93ceb22b78b9 ]

When I debug a kernel crash issue in funcitonfs, found ffs_data.ref
overflowed, While functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
refcount_t") can avoid refcount overflow, but that is risk some situations.
So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.

The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
KASAN enabled configuration reports use-after-free errro.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0
Read of size 4 by task umount/4650
====================================================
BUG kmalloc-512 (Tainted: P        W  O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
    alloc_debug_processing+0x1ac/0x1e8
    ___slab_alloc.constprop.63+0x640/0x648
    __slab_alloc.isra.57.constprop.62+0x24/0x34
    kmem_cache_alloc_trace+0x1a8/0x2bc
    ffs_fs_mount+0x194/0x844
    mount_fs+0x6c/0x1d0
    vfs_kern_mount+0x50/0x1b4
    do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
    free_debug_processing+0x22c/0x434
    __slab_free+0x2d8/0x3a0
    kfree+0x254/0x264
    ffs_data_put+0x25c/0x320
    ffs_data_closed+0x124/0x15c
    ffs_fs_kill_sb+0xb8/0x110
    deactivate_locked_super+0x6c/0x98
    deactivate_super+0xb0/0xbc
INFO: Object 0xffffffc057938600 @offset=1536 fp=0x          (null)
......
Call trace:
[&lt;ffffff900808cf5c&gt;] dump_backtrace+0x0/0x250
[&lt;ffffff900808d3a0&gt;] show_stack+0x14/0x1c
[&lt;ffffff90084a8c04&gt;] dump_stack+0xa0/0xc8
[&lt;ffffff900826c2b4&gt;] print_trailer+0x158/0x260
[&lt;ffffff900826d9d8&gt;] object_err+0x3c/0x40
[&lt;ffffff90082745f0&gt;] kasan_report_error+0x2a8/0x754
[&lt;ffffff9008274f84&gt;] kasan_report+0x5c/0x60
[&lt;ffffff9008273208&gt;] __asan_load4+0x70/0x88
[&lt;ffffff90084cd81c&gt;] refcount_dec_and_test+0x14/0xe0
[&lt;ffffff9008d98f9c&gt;] ffs_data_put+0x80/0x320
[&lt;ffffff9008d9d904&gt;] ffs_fs_kill_sb+0xc8/0x110
[&lt;ffffff90082852a0&gt;] deactivate_locked_super+0x6c/0x98
[&lt;ffffff900828537c&gt;] deactivate_super+0xb0/0xbc
[&lt;ffffff90082af0c0&gt;] cleanup_mnt+0x64/0xec
[&lt;ffffff90082af1b0&gt;] __cleanup_mnt+0x10/0x18
[&lt;ffffff90080d9e68&gt;] task_work_run+0xcc/0x124
[&lt;ffffff900808c8c0&gt;] do_notify_resume+0x60/0x70
[&lt;ffffff90080866e4&gt;] work_pending+0x10/0x14

Cc: stable@vger.kernel.org
Signed-off-by: Xinyong &lt;xinyong.fang@linux.alibaba.com&gt;

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;

Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Process all descriptors during bind</title>
<updated>2018-03-04T15:28:34+00:00</updated>
<author>
<name>Jack Pham</name>
<email>jackp@codeaurora.org</email>
</author>
<published>2018-01-24T08:11:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b177a6a134847538b78c12fffb49afe2f8335be0'/>
<id>b177a6a134847538b78c12fffb49afe2f8335be0</id>
<content type='text'>
[ Upstream commit 6cf439e0d37463e42784271179c8a308fd7493c6 ]

During _ffs_func_bind(), the received descriptors are evaluated
to prepare for binding with the gadget in order to allocate
endpoints and optionally set up OS descriptors. However, the
high- and super-speed descriptors are only parsed based on
whether the gadget_is_dualspeed() and gadget_is_superspeed()
calls are true, respectively.

This is a problem in case a userspace program always provides
all of the {full,high,super,OS} descriptors when configuring a
function. Then, for example if a gadget device is not capable
of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
is skipped, resulting in an incorrect offset calculation for
the vla_ptr when moving on to the OS descriptors that follow.
This causes ffs_do_os_descs() to fail as it is now looking at
the SS descriptors' offset within the raw_descs buffer instead.

_ffs_func_bind() should evaluate the descriptors unconditionally,
so remove the checks for gadget speed.

Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
Cc: stable@vger.kernel.org
Co-Developed-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Jack Pham &lt;jackp@codeaurora.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6cf439e0d37463e42784271179c8a308fd7493c6 ]

During _ffs_func_bind(), the received descriptors are evaluated
to prepare for binding with the gadget in order to allocate
endpoints and optionally set up OS descriptors. However, the
high- and super-speed descriptors are only parsed based on
whether the gadget_is_dualspeed() and gadget_is_superspeed()
calls are true, respectively.

This is a problem in case a userspace program always provides
all of the {full,high,super,OS} descriptors when configuring a
function. Then, for example if a gadget device is not capable
of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
is skipped, resulting in an incorrect offset calculation for
the vla_ptr when moving on to the OS descriptors that follow.
This causes ffs_do_os_descs() to fail as it is now looking at
the SS descriptors' offset within the raw_descs buffer instead.

_ffs_func_bind() should evaluate the descriptors unconditionally,
so remove the checks for gadget speed.

Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
Cc: stable@vger.kernel.org
Co-Developed-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Jack Pham &lt;jackp@codeaurora.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: f_fs: Prevent gadget unbind if it is already unbound</title>
<updated>2018-03-01T03:09:47+00:00</updated>
<author>
<name>Hemant Kumar</name>
<email>hemantk@codeaurora.org</email>
</author>
<published>2018-01-09T07:00:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1f4ac76de1ff4b79c6ef51a1c1d909c54289ff61'/>
<id>1f4ac76de1ff4b79c6ef51a1c1d909c54289ff61</id>
<content type='text'>
[ Upstream commit ce5bf9a50daf2d9078b505aca1cea22e88ecb94a ]

Upon usb composition switch there is possibility of ep0 file
release happening after gadget driver bind. In case of composition
switch from adb to a non-adb composition gadget will never gets
bound again resulting into failure of usb device enumeration. Fix
this issue by checking FFS_FL_BOUND flag and avoid extra
gadget driver unbind if it is already done as part of composition
switch.

This fixes adb reconnection error reported on Android running
v4.4 and above kernel versions. Verified on Hikey running vanilla
v4.15-rc7 + few out of tree Mali patches.

Reviewed-at: https://android-review.googlesource.com/#/c/582632/

Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: Greg KH &lt;gregkh@linux-foundation.org&gt;
Cc: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Cc: John Stultz &lt;john.stultz@linaro.org&gt;
Cc: Dmitry Shmidt &lt;dimitrysh@google.com&gt;
Cc: Badhri &lt;badhri@google.com&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Hemant Kumar &lt;hemantk@codeaurora.org&gt;
[AmitP: Cherry-picked it from android-4.14 and updated the commit log]
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit ce5bf9a50daf2d9078b505aca1cea22e88ecb94a ]

Upon usb composition switch there is possibility of ep0 file
release happening after gadget driver bind. In case of composition
switch from adb to a non-adb composition gadget will never gets
bound again resulting into failure of usb device enumeration. Fix
this issue by checking FFS_FL_BOUND flag and avoid extra
gadget driver unbind if it is already done as part of composition
switch.

This fixes adb reconnection error reported on Android running
v4.4 and above kernel versions. Verified on Hikey running vanilla
v4.15-rc7 + few out of tree Mali patches.

Reviewed-at: https://android-review.googlesource.com/#/c/582632/

Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: Greg KH &lt;gregkh@linux-foundation.org&gt;
Cc: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Cc: John Stultz &lt;john.stultz@linaro.org&gt;
Cc: Dmitry Shmidt &lt;dimitrysh@google.com&gt;
Cc: Badhri &lt;badhri@google.com&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Hemant Kumar &lt;hemantk@codeaurora.org&gt;
[AmitP: Cherry-picked it from android-4.14 and updated the commit log]
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping</title>
<updated>2018-01-17T17:55:30+00:00</updated>
<author>
<name>Vincent Pelletier</name>
<email>plr.vincent@gmail.com</email>
</author>
<published>2017-11-26T06:52:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4e1911325f19114d781c9e8b14a3565d966bd64a'/>
<id>4e1911325f19114d781c9e8b14a3565d966bd64a</id>
<content type='text'>
[ Upstream commit 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba ]

Found using DEBUG_ATOMIC_SLEEP while submitting an AIO read operation:

[  100.853642] BUG: sleeping function called from invalid context at mm/slab.h:421
[  100.861148] in_atomic(): 1, irqs_disabled(): 1, pid: 1880, name: python
[  100.867954] 2 locks held by python/1880:
[  100.867961]  #0:  (&amp;epfile-&gt;mutex){....}, at: [&lt;f8188627&gt;] ffs_mutex_lock+0x27/0x30 [usb_f_fs]
[  100.868020]  #1:  (&amp;(&amp;ffs-&gt;eps_lock)-&gt;rlock){....}, at: [&lt;f818ad4b&gt;] ffs_epfile_io.isra.17+0x24b/0x590 [usb_f_fs]
[  100.868076] CPU: 1 PID: 1880 Comm: python Not tainted 4.14.0-edison+ #118
[  100.868085] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48
[  100.868093] Call Trace:
[  100.868122]  dump_stack+0x47/0x62
[  100.868156]  ___might_sleep+0xfd/0x110
[  100.868182]  __might_sleep+0x68/0x70
[  100.868217]  kmem_cache_alloc_trace+0x4b/0x200
[  100.868248]  ? dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3]
[  100.868302]  dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3]
[  100.868343]  usb_ep_alloc_request+0x16/0xc0 [udc_core]
[  100.868386]  ffs_epfile_io.isra.17+0x444/0x590 [usb_f_fs]
[  100.868424]  ? _raw_spin_unlock_irqrestore+0x27/0x40
[  100.868457]  ? kiocb_set_cancel_fn+0x57/0x60
[  100.868477]  ? ffs_ep0_poll+0xc0/0xc0 [usb_f_fs]
[  100.868512]  ffs_epfile_read_iter+0xfe/0x157 [usb_f_fs]
[  100.868551]  ? security_file_permission+0x9c/0xd0
[  100.868587]  ? rw_verify_area+0xac/0x120
[  100.868633]  aio_read+0x9d/0x100
[  100.868692]  ? __fget+0xa2/0xd0
[  100.868727]  ? __might_sleep+0x68/0x70
[  100.868763]  SyS_io_submit+0x471/0x680
[  100.868878]  do_int80_syscall_32+0x4e/0xd0
[  100.868921]  entry_INT80_32+0x2a/0x2a
[  100.868932] EIP: 0xb7fbb676
[  100.868941] EFLAGS: 00000292 CPU: 1
[  100.868951] EAX: ffffffda EBX: b7aa2000 ECX: 00000002 EDX: b7af8368
[  100.868961] ESI: b7fbb660 EDI: b7aab000 EBP: bfb6c658 ESP: bfb6c638
[  100.868973]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b

Signed-off-by: Vincent Pelletier &lt;plr.vincent@gmail.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba ]

Found using DEBUG_ATOMIC_SLEEP while submitting an AIO read operation:

[  100.853642] BUG: sleeping function called from invalid context at mm/slab.h:421
[  100.861148] in_atomic(): 1, irqs_disabled(): 1, pid: 1880, name: python
[  100.867954] 2 locks held by python/1880:
[  100.867961]  #0:  (&amp;epfile-&gt;mutex){....}, at: [&lt;f8188627&gt;] ffs_mutex_lock+0x27/0x30 [usb_f_fs]
[  100.868020]  #1:  (&amp;(&amp;ffs-&gt;eps_lock)-&gt;rlock){....}, at: [&lt;f818ad4b&gt;] ffs_epfile_io.isra.17+0x24b/0x590 [usb_f_fs]
[  100.868076] CPU: 1 PID: 1880 Comm: python Not tainted 4.14.0-edison+ #118
[  100.868085] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48
[  100.868093] Call Trace:
[  100.868122]  dump_stack+0x47/0x62
[  100.868156]  ___might_sleep+0xfd/0x110
[  100.868182]  __might_sleep+0x68/0x70
[  100.868217]  kmem_cache_alloc_trace+0x4b/0x200
[  100.868248]  ? dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3]
[  100.868302]  dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3]
[  100.868343]  usb_ep_alloc_request+0x16/0xc0 [udc_core]
[  100.868386]  ffs_epfile_io.isra.17+0x444/0x590 [usb_f_fs]
[  100.868424]  ? _raw_spin_unlock_irqrestore+0x27/0x40
[  100.868457]  ? kiocb_set_cancel_fn+0x57/0x60
[  100.868477]  ? ffs_ep0_poll+0xc0/0xc0 [usb_f_fs]
[  100.868512]  ffs_epfile_read_iter+0xfe/0x157 [usb_f_fs]
[  100.868551]  ? security_file_permission+0x9c/0xd0
[  100.868587]  ? rw_verify_area+0xac/0x120
[  100.868633]  aio_read+0x9d/0x100
[  100.868692]  ? __fget+0xa2/0xd0
[  100.868727]  ? __might_sleep+0x68/0x70
[  100.868763]  SyS_io_submit+0x471/0x680
[  100.868878]  do_int80_syscall_32+0x4e/0xd0
[  100.868921]  entry_INT80_32+0x2a/0x2a
[  100.868932] EIP: 0xb7fbb676
[  100.868941] EFLAGS: 00000292 CPU: 1
[  100.868951] EAX: ffffffda EBX: b7aa2000 ECX: 00000002 EDX: b7af8368
[  100.868961] ESI: b7fbb660 EDI: b7aab000 EBP: bfb6c658 ESP: bfb6c638
[  100.868973]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b

Signed-off-by: Vincent Pelletier &lt;plr.vincent@gmail.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Fix possibe deadlock</title>
<updated>2017-07-31T17:37:49+00:00</updated>
<author>
<name>Baolin Wang</name>
<email>baolin.wang@linaro.org</email>
</author>
<published>2016-12-08T11:55:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=84bad5618d67028c7f4342351fa7a5961413ed4c'/>
<id>84bad5618d67028c7f4342351fa7a5961413ed4c</id>
<content type='text'>
[ Upstream commit b3ce3ce02d146841af012d08506b4071db8ffde3 ]

When system try to close /dev/usb-ffs/adb/ep0 on one core, at the same
time another core try to attach new UDC, which will cause deadlock as
below scenario. Thus we should release ffs lock before issuing
unregister_gadget_item().

[   52.642225] c1 ======================================================
[   52.642228] c1 [ INFO: possible circular locking dependency detected ]
[   52.642236] c1 4.4.6+ #1 Tainted: G        W  O
[   52.642241] c1 -------------------------------------------------------
[   52.642245] c1 usb ffs open/2808 is trying to acquire lock:
[   52.642270] c0  (udc_lock){+.+.+.}, at: [&lt;ffffffc00065aeec&gt;]
		usb_gadget_unregister_driver+0x3c/0xc8
[   52.642272] c1  but task is already holding lock:
[   52.642283] c0  (ffs_lock){+.+.+.}, at: [&lt;ffffffc00066b244&gt;]
		ffs_data_clear+0x30/0x140
[   52.642285] c1 which lock already depends on the new lock.
[   52.642287] c1
               the existing dependency chain (in reverse order) is:
[   52.642295] c0
	       -&gt; #1 (ffs_lock){+.+.+.}:
[   52.642307] c0        [&lt;ffffffc00012340c&gt;] __lock_acquire+0x20f0/0x2238
[   52.642314] c0        [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642322] c0        [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642328] c0        [&lt;ffffffc00066f7bc&gt;] ffs_func_bind+0x504/0x6e8
[   52.642334] c0        [&lt;ffffffc000654004&gt;] usb_add_function+0x84/0x184
[   52.642340] c0        [&lt;ffffffc000658ca4&gt;] configfs_composite_bind+0x264/0x39c
[   52.642346] c0        [&lt;ffffffc00065b348&gt;] udc_bind_to_driver+0x58/0x11c
[   52.642352] c0        [&lt;ffffffc00065b49c&gt;] usb_udc_attach_driver+0x90/0xc8
[   52.642358] c0        [&lt;ffffffc0006598e0&gt;] gadget_dev_desc_UDC_store+0xd4/0x128
[   52.642369] c0        [&lt;ffffffc0002c14e8&gt;] configfs_write_file+0xd0/0x13c
[   52.642376] c0        [&lt;ffffffc00023c054&gt;] vfs_write+0xb8/0x214
[   52.642381] c0        [&lt;ffffffc00023cad4&gt;] SyS_write+0x54/0xb0
[   52.642388] c0        [&lt;ffffffc000085ff0&gt;] el0_svc_naked+0x24/0x28
[   52.642395] c0
              -&gt; #0 (udc_lock){+.+.+.}:
[   52.642401] c0        [&lt;ffffffc00011e3d0&gt;] print_circular_bug+0x84/0x2e4
[   52.642407] c0        [&lt;ffffffc000123454&gt;] __lock_acquire+0x2138/0x2238
[   52.642412] c0        [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642420] c0        [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642427] c0        [&lt;ffffffc00065aeec&gt;] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642432] c0        [&lt;ffffffc00065995c&gt;] unregister_gadget_item+0x28/0x44
[   52.642439] c0        [&lt;ffffffc00066b34c&gt;] ffs_data_clear+0x138/0x140
[   52.642444] c0        [&lt;ffffffc00066b374&gt;] ffs_data_reset+0x20/0x6c
[   52.642450] c0        [&lt;ffffffc00066efd0&gt;] ffs_data_closed+0xac/0x12c
[   52.642454] c0        [&lt;ffffffc00066f070&gt;] ffs_ep0_release+0x20/0x2c
[   52.642460] c0        [&lt;ffffffc00023dbe4&gt;] __fput+0xb0/0x1f4
[   52.642466] c0        [&lt;ffffffc00023dd9c&gt;] ____fput+0x20/0x2c
[   52.642473] c0        [&lt;ffffffc0000ee944&gt;] task_work_run+0xb4/0xe8
[   52.642482] c0        [&lt;ffffffc0000cd45c&gt;] do_exit+0x360/0xb9c
[   52.642487] c0        [&lt;ffffffc0000cf228&gt;] do_group_exit+0x4c/0xb0
[   52.642494] c0        [&lt;ffffffc0000dd3c8&gt;] get_signal+0x380/0x89c
[   52.642501] c0        [&lt;ffffffc00008a8f0&gt;] do_signal+0x154/0x518
[   52.642507] c0        [&lt;ffffffc00008af00&gt;] do_notify_resume+0x70/0x78
[   52.642512] c0        [&lt;ffffffc000085ee8&gt;] work_pending+0x1c/0x20
[   52.642514] c1
              other info that might help us debug this:
[   52.642517] c1  Possible unsafe locking scenario:
[   52.642518] c1        CPU0                    CPU1
[   52.642520] c1        ----                    ----
[   52.642525] c0   lock(ffs_lock);
[   52.642529] c0                                lock(udc_lock);
[   52.642533] c0                                lock(ffs_lock);
[   52.642537] c0   lock(udc_lock);
[   52.642539] c1
                      *** DEADLOCK ***
[   52.642543] c1 1 lock held by usb ffs open/2808:
[   52.642555] c0  #0:  (ffs_lock){+.+.+.}, at: [&lt;ffffffc00066b244&gt;]
		ffs_data_clear+0x30/0x140
[   52.642557] c1 stack backtrace:
[   52.642563] c1 CPU: 1 PID: 2808 Comm: usb ffs open Tainted: G
[   52.642565] c1 Hardware name: Spreadtrum SP9860g Board (DT)
[   52.642568] c1 Call trace:
[   52.642573] c1 [&lt;ffffffc00008b430&gt;] dump_backtrace+0x0/0x170
[   52.642577] c1 [&lt;ffffffc00008b5c0&gt;] show_stack+0x20/0x28
[   52.642583] c1 [&lt;ffffffc000422694&gt;] dump_stack+0xa8/0xe0
[   52.642587] c1 [&lt;ffffffc00011e548&gt;] print_circular_bug+0x1fc/0x2e4
[   52.642591] c1 [&lt;ffffffc000123454&gt;] __lock_acquire+0x2138/0x2238
[   52.642595] c1 [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642599] c1 [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642604] c1 [&lt;ffffffc00065aeec&gt;] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642608] c1 [&lt;ffffffc00065995c&gt;] unregister_gadget_item+0x28/0x44
[   52.642613] c1 [&lt;ffffffc00066b34c&gt;] ffs_data_clear+0x138/0x140
[   52.642618] c1 [&lt;ffffffc00066b374&gt;] ffs_data_reset+0x20/0x6c
[   52.642621] c1 [&lt;ffffffc00066efd0&gt;] ffs_data_closed+0xac/0x12c
[   52.642625] c1 [&lt;ffffffc00066f070&gt;] ffs_ep0_release+0x20/0x2c
[   52.642629] c1 [&lt;ffffffc00023dbe4&gt;] __fput+0xb0/0x1f4
[   52.642633] c1 [&lt;ffffffc00023dd9c&gt;] ____fput+0x20/0x2c
[   52.642636] c1 [&lt;ffffffc0000ee944&gt;] task_work_run+0xb4/0xe8
[   52.642640] c1 [&lt;ffffffc0000cd45c&gt;] do_exit+0x360/0xb9c
[   52.642644] c1 [&lt;ffffffc0000cf228&gt;] do_group_exit+0x4c/0xb0
[   52.642647] c1 [&lt;ffffffc0000dd3c8&gt;] get_signal+0x380/0x89c
[   52.642651] c1 [&lt;ffffffc00008a8f0&gt;] do_signal+0x154/0x518
[   52.642656] c1 [&lt;ffffffc00008af00&gt;] do_notify_resume+0x70/0x78
[   52.642659] c1 [&lt;ffffffc000085ee8&gt;] work_pending+0x1c/0x20

Acked-by: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Signed-off-by: Baolin Wang &lt;baolin.wang@linaro.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b3ce3ce02d146841af012d08506b4071db8ffde3 ]

When system try to close /dev/usb-ffs/adb/ep0 on one core, at the same
time another core try to attach new UDC, which will cause deadlock as
below scenario. Thus we should release ffs lock before issuing
unregister_gadget_item().

[   52.642225] c1 ======================================================
[   52.642228] c1 [ INFO: possible circular locking dependency detected ]
[   52.642236] c1 4.4.6+ #1 Tainted: G        W  O
[   52.642241] c1 -------------------------------------------------------
[   52.642245] c1 usb ffs open/2808 is trying to acquire lock:
[   52.642270] c0  (udc_lock){+.+.+.}, at: [&lt;ffffffc00065aeec&gt;]
		usb_gadget_unregister_driver+0x3c/0xc8
[   52.642272] c1  but task is already holding lock:
[   52.642283] c0  (ffs_lock){+.+.+.}, at: [&lt;ffffffc00066b244&gt;]
		ffs_data_clear+0x30/0x140
[   52.642285] c1 which lock already depends on the new lock.
[   52.642287] c1
               the existing dependency chain (in reverse order) is:
[   52.642295] c0
	       -&gt; #1 (ffs_lock){+.+.+.}:
[   52.642307] c0        [&lt;ffffffc00012340c&gt;] __lock_acquire+0x20f0/0x2238
[   52.642314] c0        [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642322] c0        [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642328] c0        [&lt;ffffffc00066f7bc&gt;] ffs_func_bind+0x504/0x6e8
[   52.642334] c0        [&lt;ffffffc000654004&gt;] usb_add_function+0x84/0x184
[   52.642340] c0        [&lt;ffffffc000658ca4&gt;] configfs_composite_bind+0x264/0x39c
[   52.642346] c0        [&lt;ffffffc00065b348&gt;] udc_bind_to_driver+0x58/0x11c
[   52.642352] c0        [&lt;ffffffc00065b49c&gt;] usb_udc_attach_driver+0x90/0xc8
[   52.642358] c0        [&lt;ffffffc0006598e0&gt;] gadget_dev_desc_UDC_store+0xd4/0x128
[   52.642369] c0        [&lt;ffffffc0002c14e8&gt;] configfs_write_file+0xd0/0x13c
[   52.642376] c0        [&lt;ffffffc00023c054&gt;] vfs_write+0xb8/0x214
[   52.642381] c0        [&lt;ffffffc00023cad4&gt;] SyS_write+0x54/0xb0
[   52.642388] c0        [&lt;ffffffc000085ff0&gt;] el0_svc_naked+0x24/0x28
[   52.642395] c0
              -&gt; #0 (udc_lock){+.+.+.}:
[   52.642401] c0        [&lt;ffffffc00011e3d0&gt;] print_circular_bug+0x84/0x2e4
[   52.642407] c0        [&lt;ffffffc000123454&gt;] __lock_acquire+0x2138/0x2238
[   52.642412] c0        [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642420] c0        [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642427] c0        [&lt;ffffffc00065aeec&gt;] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642432] c0        [&lt;ffffffc00065995c&gt;] unregister_gadget_item+0x28/0x44
[   52.642439] c0        [&lt;ffffffc00066b34c&gt;] ffs_data_clear+0x138/0x140
[   52.642444] c0        [&lt;ffffffc00066b374&gt;] ffs_data_reset+0x20/0x6c
[   52.642450] c0        [&lt;ffffffc00066efd0&gt;] ffs_data_closed+0xac/0x12c
[   52.642454] c0        [&lt;ffffffc00066f070&gt;] ffs_ep0_release+0x20/0x2c
[   52.642460] c0        [&lt;ffffffc00023dbe4&gt;] __fput+0xb0/0x1f4
[   52.642466] c0        [&lt;ffffffc00023dd9c&gt;] ____fput+0x20/0x2c
[   52.642473] c0        [&lt;ffffffc0000ee944&gt;] task_work_run+0xb4/0xe8
[   52.642482] c0        [&lt;ffffffc0000cd45c&gt;] do_exit+0x360/0xb9c
[   52.642487] c0        [&lt;ffffffc0000cf228&gt;] do_group_exit+0x4c/0xb0
[   52.642494] c0        [&lt;ffffffc0000dd3c8&gt;] get_signal+0x380/0x89c
[   52.642501] c0        [&lt;ffffffc00008a8f0&gt;] do_signal+0x154/0x518
[   52.642507] c0        [&lt;ffffffc00008af00&gt;] do_notify_resume+0x70/0x78
[   52.642512] c0        [&lt;ffffffc000085ee8&gt;] work_pending+0x1c/0x20
[   52.642514] c1
              other info that might help us debug this:
[   52.642517] c1  Possible unsafe locking scenario:
[   52.642518] c1        CPU0                    CPU1
[   52.642520] c1        ----                    ----
[   52.642525] c0   lock(ffs_lock);
[   52.642529] c0                                lock(udc_lock);
[   52.642533] c0                                lock(ffs_lock);
[   52.642537] c0   lock(udc_lock);
[   52.642539] c1
                      *** DEADLOCK ***
[   52.642543] c1 1 lock held by usb ffs open/2808:
[   52.642555] c0  #0:  (ffs_lock){+.+.+.}, at: [&lt;ffffffc00066b244&gt;]
		ffs_data_clear+0x30/0x140
[   52.642557] c1 stack backtrace:
[   52.642563] c1 CPU: 1 PID: 2808 Comm: usb ffs open Tainted: G
[   52.642565] c1 Hardware name: Spreadtrum SP9860g Board (DT)
[   52.642568] c1 Call trace:
[   52.642573] c1 [&lt;ffffffc00008b430&gt;] dump_backtrace+0x0/0x170
[   52.642577] c1 [&lt;ffffffc00008b5c0&gt;] show_stack+0x20/0x28
[   52.642583] c1 [&lt;ffffffc000422694&gt;] dump_stack+0xa8/0xe0
[   52.642587] c1 [&lt;ffffffc00011e548&gt;] print_circular_bug+0x1fc/0x2e4
[   52.642591] c1 [&lt;ffffffc000123454&gt;] __lock_acquire+0x2138/0x2238
[   52.642595] c1 [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642599] c1 [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642604] c1 [&lt;ffffffc00065aeec&gt;] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642608] c1 [&lt;ffffffc00065995c&gt;] unregister_gadget_item+0x28/0x44
[   52.642613] c1 [&lt;ffffffc00066b34c&gt;] ffs_data_clear+0x138/0x140
[   52.642618] c1 [&lt;ffffffc00066b374&gt;] ffs_data_reset+0x20/0x6c
[   52.642621] c1 [&lt;ffffffc00066efd0&gt;] ffs_data_closed+0xac/0x12c
[   52.642625] c1 [&lt;ffffffc00066f070&gt;] ffs_ep0_release+0x20/0x2c
[   52.642629] c1 [&lt;ffffffc00023dbe4&gt;] __fput+0xb0/0x1f4
[   52.642633] c1 [&lt;ffffffc00023dd9c&gt;] ____fput+0x20/0x2c
[   52.642636] c1 [&lt;ffffffc0000ee944&gt;] task_work_run+0xb4/0xe8
[   52.642640] c1 [&lt;ffffffc0000cd45c&gt;] do_exit+0x360/0xb9c
[   52.642644] c1 [&lt;ffffffc0000cf228&gt;] do_group_exit+0x4c/0xb0
[   52.642647] c1 [&lt;ffffffc0000dd3c8&gt;] get_signal+0x380/0x89c
[   52.642651] c1 [&lt;ffffffc00008a8f0&gt;] do_signal+0x154/0x518
[   52.642656] c1 [&lt;ffffffc00008af00&gt;] do_notify_resume+0x70/0x78
[   52.642659] c1 [&lt;ffffffc000085ee8&gt;] work_pending+0x1c/0x20

Acked-by: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Signed-off-by: Baolin Wang &lt;baolin.wang@linaro.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: avoid out of bounds access on comp_desc</title>
<updated>2017-07-31T17:37:48+00:00</updated>
<author>
<name>William Wu</name>
<email>william.wu@rock-chips.com</email>
</author>
<published>2017-04-25T09:45:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eccc7d3c652496005f205ac4f249eb4460711bcb'/>
<id>eccc7d3c652496005f205ac4f249eb4460711bcb</id>
<content type='text'>
[ Upstream commit b7f73850bb4fac1e2209a4dd5e636d39be92f42c ]

Companion descriptor is only used for SuperSpeed endpoints,
if the endpoints are HighSpeed or FullSpeed, the Companion
descriptor will not allocated, so we can only access it if
gadget is SuperSpeed.

I can reproduce this issue on Rockchip platform rk3368 SoC
which supports USB 2.0, and use functionfs for ADB. Kernel
build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report
the following BUG:

==================================================================
BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509
Read of size 1 by task swapper/0/0
============================================================================
BUG kmalloc-256 (Not tainted): kasan: bad access detected
----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1
alloc_debug_processing+0x128/0x17c
___slab_alloc.constprop.58+0x50c/0x610
__slab_alloc.isra.55.constprop.57+0x24/0x34
__kmalloc+0xe0/0x250
ffs_func_bind+0x52c/0x99c
usb_add_function+0xd8/0x1d4
configfs_composite_bind+0x48c/0x570
udc_bind_to_driver+0x6c/0x170
usb_udc_attach_driver+0xa4/0xd0
gadget_dev_desc_UDC_store+0xcc/0x118
configfs_write_file+0x1a0/0x1f8
__vfs_write+0x64/0x174
vfs_write+0xe4/0x200
SyS_write+0x68/0xc8
el0_svc_naked+0x24/0x28
INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247
...
Call trace:
[&lt;ffffff900808aab4&gt;] dump_backtrace+0x0/0x230
[&lt;ffffff900808acf8&gt;] show_stack+0x14/0x1c
[&lt;ffffff90084ad420&gt;] dump_stack+0xa0/0xc8
[&lt;ffffff90082157cc&gt;] print_trailer+0x188/0x198
[&lt;ffffff9008215948&gt;] object_err+0x3c/0x4c
[&lt;ffffff900821b5ac&gt;] kasan_report+0x324/0x4dc
[&lt;ffffff900821aa38&gt;] __asan_load1+0x24/0x50
[&lt;ffffff90089eb750&gt;] ffs_func_set_alt+0x224/0x3a0
[&lt;ffffff90089d3760&gt;] composite_setup+0xdcc/0x1ac8
[&lt;ffffff90089d7394&gt;] android_setup+0x124/0x1a0
[&lt;ffffff90089acd18&gt;] _setup+0x54/0x74
[&lt;ffffff90089b6b98&gt;] handle_ep0+0x3288/0x4390
[&lt;ffffff90089b9b44&gt;] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4
[&lt;ffffff90089be85c&gt;] dwc_otg_pcd_handle_intr+0x1ec/0x298
[&lt;ffffff90089ad680&gt;] dwc_otg_pcd_irq+0x10/0x20
[&lt;ffffff9008116328&gt;] handle_irq_event_percpu+0x124/0x3ac
[&lt;ffffff9008116610&gt;] handle_irq_event+0x60/0xa0
[&lt;ffffff900811af30&gt;] handle_fasteoi_irq+0x10c/0x1d4
[&lt;ffffff9008115568&gt;] generic_handle_irq+0x30/0x40
[&lt;ffffff90081159b4&gt;] __handle_domain_irq+0xac/0xdc
[&lt;ffffff9008080e9c&gt;] gic_handle_irq+0x64/0xa4
...
Memory state around the buggy address:
  ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc
 &gt;ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                       ^
  ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================

Signed-off-by: William Wu &lt;william.wu@rock-chips.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b7f73850bb4fac1e2209a4dd5e636d39be92f42c ]

Companion descriptor is only used for SuperSpeed endpoints,
if the endpoints are HighSpeed or FullSpeed, the Companion
descriptor will not allocated, so we can only access it if
gadget is SuperSpeed.

I can reproduce this issue on Rockchip platform rk3368 SoC
which supports USB 2.0, and use functionfs for ADB. Kernel
build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report
the following BUG:

==================================================================
BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509
Read of size 1 by task swapper/0/0
============================================================================
BUG kmalloc-256 (Not tainted): kasan: bad access detected
----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1
alloc_debug_processing+0x128/0x17c
___slab_alloc.constprop.58+0x50c/0x610
__slab_alloc.isra.55.constprop.57+0x24/0x34
__kmalloc+0xe0/0x250
ffs_func_bind+0x52c/0x99c
usb_add_function+0xd8/0x1d4
configfs_composite_bind+0x48c/0x570
udc_bind_to_driver+0x6c/0x170
usb_udc_attach_driver+0xa4/0xd0
gadget_dev_desc_UDC_store+0xcc/0x118
configfs_write_file+0x1a0/0x1f8
__vfs_write+0x64/0x174
vfs_write+0xe4/0x200
SyS_write+0x68/0xc8
el0_svc_naked+0x24/0x28
INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247
...
Call trace:
[&lt;ffffff900808aab4&gt;] dump_backtrace+0x0/0x230
[&lt;ffffff900808acf8&gt;] show_stack+0x14/0x1c
[&lt;ffffff90084ad420&gt;] dump_stack+0xa0/0xc8
[&lt;ffffff90082157cc&gt;] print_trailer+0x188/0x198
[&lt;ffffff9008215948&gt;] object_err+0x3c/0x4c
[&lt;ffffff900821b5ac&gt;] kasan_report+0x324/0x4dc
[&lt;ffffff900821aa38&gt;] __asan_load1+0x24/0x50
[&lt;ffffff90089eb750&gt;] ffs_func_set_alt+0x224/0x3a0
[&lt;ffffff90089d3760&gt;] composite_setup+0xdcc/0x1ac8
[&lt;ffffff90089d7394&gt;] android_setup+0x124/0x1a0
[&lt;ffffff90089acd18&gt;] _setup+0x54/0x74
[&lt;ffffff90089b6b98&gt;] handle_ep0+0x3288/0x4390
[&lt;ffffff90089b9b44&gt;] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4
[&lt;ffffff90089be85c&gt;] dwc_otg_pcd_handle_intr+0x1ec/0x298
[&lt;ffffff90089ad680&gt;] dwc_otg_pcd_irq+0x10/0x20
[&lt;ffffff9008116328&gt;] handle_irq_event_percpu+0x124/0x3ac
[&lt;ffffff9008116610&gt;] handle_irq_event+0x60/0xa0
[&lt;ffffff900811af30&gt;] handle_fasteoi_irq+0x10c/0x1d4
[&lt;ffffff9008115568&gt;] generic_handle_irq+0x30/0x40
[&lt;ffffff90081159b4&gt;] __handle_domain_irq+0xac/0xdc
[&lt;ffffff9008080e9c&gt;] gic_handle_irq+0x64/0xa4
...
Memory state around the buggy address:
  ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc
 &gt;ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                       ^
  ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================

Signed-off-by: William Wu &lt;william.wu@rock-chips.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: function: f_fs: pass companion descriptor along</title>
<updated>2017-05-17T19:07:00+00:00</updated>
<author>
<name>Felipe Balbi</name>
<email>felipe.balbi@linux.intel.com</email>
</author>
<published>2017-01-31T12:54:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c48408dff998127cf7d7917e98e3bdc1b9548b9b'/>
<id>c48408dff998127cf7d7917e98e3bdc1b9548b9b</id>
<content type='text'>
[ Upstream commit 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 ]

If we're dealing with SuperSpeed endpoints, we need
to make sure to pass along the companion descriptor
and initialize fields needed by the Gadget
API. Eventually, f_fs.c should be converted to use
config_ep_by_speed() like all other functions,
though.

Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 ]

If we're dealing with SuperSpeed endpoints, we need
to make sure to pass along the companion descriptor
and initialize fields needed by the Gadget
API. Eventually, f_fs.c should be converted to use
config_ep_by_speed() like all other functions,
though.

Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Assorted buffer overflow checks.</title>
<updated>2017-03-06T22:31:11+00:00</updated>
<author>
<name>Vincent Pelletier</name>
<email>plr.vincent@gmail.com</email>
</author>
<published>2017-01-18T00:57:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e749e709caba83d1051072a92a79c07774978ef8'/>
<id>e749e709caba83d1051072a92a79c07774978ef8</id>
<content type='text'>
[ Upstream commit 83e526f2a2fa4b2e82b6bd3ddbb26b70acfa8947 ]

OS descriptor head, when flagged as provided, is accessed without
checking if it fits in provided buffer. Verify length before access.
Also, there are other places where buffer length it checked
after accessing offsets which are potentially past the end. Check
buffer length before as well to fail cleanly.

Signed-off-by: Vincent Pelletier &lt;plr.vincent@gmail.com&gt;
Acked-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 83e526f2a2fa4b2e82b6bd3ddbb26b70acfa8947 ]

OS descriptor head, when flagged as provided, is accessed without
checking if it fits in provided buffer. Verify length before access.
Also, there are other places where buffer length it checked
after accessing offsets which are potentially past the end. Check
buffer length before as well to fail cleanly.

Signed-off-by: Vincent Pelletier &lt;plr.vincent@gmail.com&gt;
Acked-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Fix EFAULT generation for async read operations</title>
<updated>2016-07-11T03:07:26+00:00</updated>
<author>
<name>Lars-Peter Clausen</name>
<email>lars@metafoo.de</email>
</author>
<published>2016-03-30T11:49:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4b6986fcceb200b2edd97d7cc5799d8a7ae53086'/>
<id>4b6986fcceb200b2edd97d7cc5799d8a7ae53086</id>
<content type='text'>
[ Upstream commit 332a5b446b7916d272c2a659a3b20909ce34d2c1 ]

In the current implementation functionfs generates a EFAULT for async read
operations if the read buffer size is larger than the URB data size. Since
a application does not necessarily know how much data the host side is
going to send it typically supplies a buffer larger than the actual data,
which will then result in a EFAULT error.

This behaviour was introduced while refactoring the code to use iov_iter
interface in commit c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter
into io_data"). The original code took the minimum over the URB size and
the user buffer size and then attempted to copy that many bytes using
copy_to_user(). If copy_to_user() could not copy all data a EFAULT error
was generated. Restore the original behaviour by only generating a EFAULT
error when the number of bytes copied is not the size of the URB and the
target buffer has not been fully filled.

Commit 342f39a6c8d3 ("usb: gadget: f_fs: fix check in read operation")
already fixed the same problem for the synchronous read path.

Fixes: c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter into io_data")
Acked-by: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Signed-off-by: Lars-Peter Clausen &lt;lars@metafoo.de&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 332a5b446b7916d272c2a659a3b20909ce34d2c1 ]

In the current implementation functionfs generates a EFAULT for async read
operations if the read buffer size is larger than the URB data size. Since
a application does not necessarily know how much data the host side is
going to send it typically supplies a buffer larger than the actual data,
which will then result in a EFAULT error.

This behaviour was introduced while refactoring the code to use iov_iter
interface in commit c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter
into io_data"). The original code took the minimum over the URB size and
the user buffer size and then attempted to copy that many bytes using
copy_to_user(). If copy_to_user() could not copy all data a EFAULT error
was generated. Restore the original behaviour by only generating a EFAULT
error when the number of bytes copied is not the size of the URB and the
target buffer has not been fully filled.

Commit 342f39a6c8d3 ("usb: gadget: f_fs: fix check in read operation")
already fixed the same problem for the synchronous read path.

Fixes: c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter into io_data")
Acked-by: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Signed-off-by: Lars-Peter Clausen &lt;lars@metafoo.de&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Fix use-after-free</title>
<updated>2016-05-10T16:17:31+00:00</updated>
<author>
<name>Lars-Peter Clausen</name>
<email>lars@metafoo.de</email>
</author>
<published>2016-04-14T15:01:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0763ce11708553fc7b2124f184ce2e4bb0cb186d'/>
<id>0763ce11708553fc7b2124f184ce2e4bb0cb186d</id>
<content type='text'>
[ Upstream commit 38740a5b87d53ceb89eb2c970150f6e94e00373a ]

When using asynchronous read or write operations on the USB endpoints the
issuer of the IO request is notified by calling the ki_complete() callback
of the submitted kiocb when the URB has been completed.

Calling this ki_complete() callback will free kiocb. Make sure that the
structure is no longer accessed beyond that point, otherwise undefined
behaviour might occur.

Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
Cc: &lt;stable@vger.kernel.org&gt; # v3.15+
Signed-off-by: Lars-Peter Clausen &lt;lars@metafoo.de&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 38740a5b87d53ceb89eb2c970150f6e94e00373a ]

When using asynchronous read or write operations on the USB endpoints the
issuer of the IO request is notified by calling the ki_complete() callback
of the submitted kiocb when the URB has been completed.

Calling this ki_complete() callback will free kiocb. Make sure that the
structure is no longer accessed beyond that point, otherwise undefined
behaviour might occur.

Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
Cc: &lt;stable@vger.kernel.org&gt; # v3.15+
Signed-off-by: Lars-Peter Clausen &lt;lars@metafoo.de&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
