<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/usb/gadget/function, branch linux-4.1.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>usb: gadget: f_hid: fix: Prevent accessing released memory</title>
<updated>2018-05-23T01:33:55+00:00</updated>
<author>
<name>Krzysztof Opasiak</name>
<email>kopasiak90@gmail.com</email>
</author>
<published>2017-01-19T17:55:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1d0799a8ee6f577a003015d21a1b7b510da5cdf9'/>
<id>1d0799a8ee6f577a003015d21a1b7b510da5cdf9</id>
<content type='text'>
[ Upstream commit aa65d11aa008f4de58a9cee7e121666d9d68505e ]

When we unlock our spinlock to copy data to user we may get
disabled by USB host and free the whole list of completed out
requests including the one from which we are copying the data
to user memory.

To prevent from this let's remove our working element from
the list and place it back only if there is sth left when we
finish with it.

Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Cc: stable@vger.kernel.org
Tested-by: David Lechner &lt;david@lechnology.com&gt;
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit aa65d11aa008f4de58a9cee7e121666d9d68505e ]

When we unlock our spinlock to copy data to user we may get
disabled by USB host and free the whole list of completed out
requests including the one from which we are copying the data
to user memory.

To prevent from this let's remove our working element from
the list and place it back only if there is sth left when we
finish with it.

Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Cc: stable@vger.kernel.org
Tested-by: David Lechner &lt;david@lechnology.com&gt;
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: define free_ep_req as universal function</title>
<updated>2018-05-23T01:33:55+00:00</updated>
<author>
<name>Felipe F. Tonello</name>
<email>eu@felipetonello.com</email>
</author>
<published>2015-11-10T17:52:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7490317aa978a85a82183d0a6ea97c05c76e659e'/>
<id>7490317aa978a85a82183d0a6ea97c05c76e659e</id>
<content type='text'>
[ Upstream commit 079fe5a6da616891cca1a26e803e1df2a87e9ae5 ]

This function is shared between gadget functions, so this avoid unnecessary
duplicated code and potentially avoid memory leaks.

Reviewed-by: Robert Baldyga &lt;r.baldyga@samsung.com&gt;
Signed-off-by: Felipe F. Tonello &lt;eu@felipetonello.com&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 079fe5a6da616891cca1a26e803e1df2a87e9ae5 ]

This function is shared between gadget functions, so this avoid unnecessary
duplicated code and potentially avoid memory leaks.

Reviewed-by: Robert Baldyga &lt;r.baldyga@samsung.com&gt;
Signed-off-by: Felipe F. Tonello &lt;eu@felipetonello.com&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()</title>
<updated>2018-03-21T03:49:54+00:00</updated>
<author>
<name>Xinyong</name>
<email>xinyong.fang@linux.alibaba.com</email>
</author>
<published>2018-03-02T11:20:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f642176da2177e68e1cfdb89d5cb62d255eb53b4'/>
<id>f642176da2177e68e1cfdb89d5cb62d255eb53b4</id>
<content type='text'>
[ Upstream commit 1a087f032111a88e826877449dfb93ceb22b78b9 ]

When I debug a kernel crash issue in funcitonfs, found ffs_data.ref
overflowed, While functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
refcount_t") can avoid refcount overflow, but that is risk some situations.
So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.

The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
KASAN enabled configuration reports use-after-free errro.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0
Read of size 4 by task umount/4650
====================================================
BUG kmalloc-512 (Tainted: P        W  O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
    alloc_debug_processing+0x1ac/0x1e8
    ___slab_alloc.constprop.63+0x640/0x648
    __slab_alloc.isra.57.constprop.62+0x24/0x34
    kmem_cache_alloc_trace+0x1a8/0x2bc
    ffs_fs_mount+0x194/0x844
    mount_fs+0x6c/0x1d0
    vfs_kern_mount+0x50/0x1b4
    do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
    free_debug_processing+0x22c/0x434
    __slab_free+0x2d8/0x3a0
    kfree+0x254/0x264
    ffs_data_put+0x25c/0x320
    ffs_data_closed+0x124/0x15c
    ffs_fs_kill_sb+0xb8/0x110
    deactivate_locked_super+0x6c/0x98
    deactivate_super+0xb0/0xbc
INFO: Object 0xffffffc057938600 @offset=1536 fp=0x          (null)
......
Call trace:
[&lt;ffffff900808cf5c&gt;] dump_backtrace+0x0/0x250
[&lt;ffffff900808d3a0&gt;] show_stack+0x14/0x1c
[&lt;ffffff90084a8c04&gt;] dump_stack+0xa0/0xc8
[&lt;ffffff900826c2b4&gt;] print_trailer+0x158/0x260
[&lt;ffffff900826d9d8&gt;] object_err+0x3c/0x40
[&lt;ffffff90082745f0&gt;] kasan_report_error+0x2a8/0x754
[&lt;ffffff9008274f84&gt;] kasan_report+0x5c/0x60
[&lt;ffffff9008273208&gt;] __asan_load4+0x70/0x88
[&lt;ffffff90084cd81c&gt;] refcount_dec_and_test+0x14/0xe0
[&lt;ffffff9008d98f9c&gt;] ffs_data_put+0x80/0x320
[&lt;ffffff9008d9d904&gt;] ffs_fs_kill_sb+0xc8/0x110
[&lt;ffffff90082852a0&gt;] deactivate_locked_super+0x6c/0x98
[&lt;ffffff900828537c&gt;] deactivate_super+0xb0/0xbc
[&lt;ffffff90082af0c0&gt;] cleanup_mnt+0x64/0xec
[&lt;ffffff90082af1b0&gt;] __cleanup_mnt+0x10/0x18
[&lt;ffffff90080d9e68&gt;] task_work_run+0xcc/0x124
[&lt;ffffff900808c8c0&gt;] do_notify_resume+0x60/0x70
[&lt;ffffff90080866e4&gt;] work_pending+0x10/0x14

Cc: stable@vger.kernel.org
Signed-off-by: Xinyong &lt;xinyong.fang@linux.alibaba.com&gt;

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;

Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1a087f032111a88e826877449dfb93ceb22b78b9 ]

When I debug a kernel crash issue in funcitonfs, found ffs_data.ref
overflowed, While functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
refcount_t") can avoid refcount overflow, but that is risk some situations.
So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.

The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
KASAN enabled configuration reports use-after-free errro.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0
Read of size 4 by task umount/4650
====================================================
BUG kmalloc-512 (Tainted: P        W  O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
    alloc_debug_processing+0x1ac/0x1e8
    ___slab_alloc.constprop.63+0x640/0x648
    __slab_alloc.isra.57.constprop.62+0x24/0x34
    kmem_cache_alloc_trace+0x1a8/0x2bc
    ffs_fs_mount+0x194/0x844
    mount_fs+0x6c/0x1d0
    vfs_kern_mount+0x50/0x1b4
    do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
    free_debug_processing+0x22c/0x434
    __slab_free+0x2d8/0x3a0
    kfree+0x254/0x264
    ffs_data_put+0x25c/0x320
    ffs_data_closed+0x124/0x15c
    ffs_fs_kill_sb+0xb8/0x110
    deactivate_locked_super+0x6c/0x98
    deactivate_super+0xb0/0xbc
INFO: Object 0xffffffc057938600 @offset=1536 fp=0x          (null)
......
Call trace:
[&lt;ffffff900808cf5c&gt;] dump_backtrace+0x0/0x250
[&lt;ffffff900808d3a0&gt;] show_stack+0x14/0x1c
[&lt;ffffff90084a8c04&gt;] dump_stack+0xa0/0xc8
[&lt;ffffff900826c2b4&gt;] print_trailer+0x158/0x260
[&lt;ffffff900826d9d8&gt;] object_err+0x3c/0x40
[&lt;ffffff90082745f0&gt;] kasan_report_error+0x2a8/0x754
[&lt;ffffff9008274f84&gt;] kasan_report+0x5c/0x60
[&lt;ffffff9008273208&gt;] __asan_load4+0x70/0x88
[&lt;ffffff90084cd81c&gt;] refcount_dec_and_test+0x14/0xe0
[&lt;ffffff9008d98f9c&gt;] ffs_data_put+0x80/0x320
[&lt;ffffff9008d9d904&gt;] ffs_fs_kill_sb+0xc8/0x110
[&lt;ffffff90082852a0&gt;] deactivate_locked_super+0x6c/0x98
[&lt;ffffff900828537c&gt;] deactivate_super+0xb0/0xbc
[&lt;ffffff90082af0c0&gt;] cleanup_mnt+0x64/0xec
[&lt;ffffff90082af1b0&gt;] __cleanup_mnt+0x10/0x18
[&lt;ffffff90080d9e68&gt;] task_work_run+0xcc/0x124
[&lt;ffffff900808c8c0&gt;] do_notify_resume+0x60/0x70
[&lt;ffffff90080866e4&gt;] work_pending+0x10/0x14

Cc: stable@vger.kernel.org
Signed-off-by: Xinyong &lt;xinyong.fang@linux.alibaba.com&gt;

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;

Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Process all descriptors during bind</title>
<updated>2018-03-04T15:28:34+00:00</updated>
<author>
<name>Jack Pham</name>
<email>jackp@codeaurora.org</email>
</author>
<published>2018-01-24T08:11:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b177a6a134847538b78c12fffb49afe2f8335be0'/>
<id>b177a6a134847538b78c12fffb49afe2f8335be0</id>
<content type='text'>
[ Upstream commit 6cf439e0d37463e42784271179c8a308fd7493c6 ]

During _ffs_func_bind(), the received descriptors are evaluated
to prepare for binding with the gadget in order to allocate
endpoints and optionally set up OS descriptors. However, the
high- and super-speed descriptors are only parsed based on
whether the gadget_is_dualspeed() and gadget_is_superspeed()
calls are true, respectively.

This is a problem in case a userspace program always provides
all of the {full,high,super,OS} descriptors when configuring a
function. Then, for example if a gadget device is not capable
of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
is skipped, resulting in an incorrect offset calculation for
the vla_ptr when moving on to the OS descriptors that follow.
This causes ffs_do_os_descs() to fail as it is now looking at
the SS descriptors' offset within the raw_descs buffer instead.

_ffs_func_bind() should evaluate the descriptors unconditionally,
so remove the checks for gadget speed.

Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
Cc: stable@vger.kernel.org
Co-Developed-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Jack Pham &lt;jackp@codeaurora.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6cf439e0d37463e42784271179c8a308fd7493c6 ]

During _ffs_func_bind(), the received descriptors are evaluated
to prepare for binding with the gadget in order to allocate
endpoints and optionally set up OS descriptors. However, the
high- and super-speed descriptors are only parsed based on
whether the gadget_is_dualspeed() and gadget_is_superspeed()
calls are true, respectively.

This is a problem in case a userspace program always provides
all of the {full,high,super,OS} descriptors when configuring a
function. Then, for example if a gadget device is not capable
of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
is skipped, resulting in an incorrect offset calculation for
the vla_ptr when moving on to the OS descriptors that follow.
This causes ffs_do_os_descs() to fail as it is now looking at
the SS descriptors' offset within the raw_descs buffer instead.

_ffs_func_bind() should evaluate the descriptors unconditionally,
so remove the checks for gadget speed.

Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
Cc: stable@vger.kernel.org
Co-Developed-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Jack Pham &lt;jackp@codeaurora.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: f_fs: Prevent gadget unbind if it is already unbound</title>
<updated>2018-03-01T03:09:47+00:00</updated>
<author>
<name>Hemant Kumar</name>
<email>hemantk@codeaurora.org</email>
</author>
<published>2018-01-09T07:00:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1f4ac76de1ff4b79c6ef51a1c1d909c54289ff61'/>
<id>1f4ac76de1ff4b79c6ef51a1c1d909c54289ff61</id>
<content type='text'>
[ Upstream commit ce5bf9a50daf2d9078b505aca1cea22e88ecb94a ]

Upon usb composition switch there is possibility of ep0 file
release happening after gadget driver bind. In case of composition
switch from adb to a non-adb composition gadget will never gets
bound again resulting into failure of usb device enumeration. Fix
this issue by checking FFS_FL_BOUND flag and avoid extra
gadget driver unbind if it is already done as part of composition
switch.

This fixes adb reconnection error reported on Android running
v4.4 and above kernel versions. Verified on Hikey running vanilla
v4.15-rc7 + few out of tree Mali patches.

Reviewed-at: https://android-review.googlesource.com/#/c/582632/

Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: Greg KH &lt;gregkh@linux-foundation.org&gt;
Cc: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Cc: John Stultz &lt;john.stultz@linaro.org&gt;
Cc: Dmitry Shmidt &lt;dimitrysh@google.com&gt;
Cc: Badhri &lt;badhri@google.com&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Hemant Kumar &lt;hemantk@codeaurora.org&gt;
[AmitP: Cherry-picked it from android-4.14 and updated the commit log]
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit ce5bf9a50daf2d9078b505aca1cea22e88ecb94a ]

Upon usb composition switch there is possibility of ep0 file
release happening after gadget driver bind. In case of composition
switch from adb to a non-adb composition gadget will never gets
bound again resulting into failure of usb device enumeration. Fix
this issue by checking FFS_FL_BOUND flag and avoid extra
gadget driver unbind if it is already done as part of composition
switch.

This fixes adb reconnection error reported on Android running
v4.4 and above kernel versions. Verified on Hikey running vanilla
v4.15-rc7 + few out of tree Mali patches.

Reviewed-at: https://android-review.googlesource.com/#/c/582632/

Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: Greg KH &lt;gregkh@linux-foundation.org&gt;
Cc: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Cc: John Stultz &lt;john.stultz@linaro.org&gt;
Cc: Dmitry Shmidt &lt;dimitrysh@google.com&gt;
Cc: Badhri &lt;badhri@google.com&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Hemant Kumar &lt;hemantk@codeaurora.org&gt;
[AmitP: Cherry-picked it from android-4.14 and updated the commit log]
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed</title>
<updated>2018-03-01T00:32:13+00:00</updated>
<author>
<name>Roger Quadros</name>
<email>rogerq@ti.com</email>
</author>
<published>2017-03-08T14:05:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fd8990244ab4934e69ce3a21b8104a972679e8af'/>
<id>fd8990244ab4934e69ce3a21b8104a972679e8af</id>
<content type='text'>
[ Upstream commit 16bb05d98c904a4f6c5ce7e2d992299f794acbf2 ]

As per USB3.0 Specification "Table 9-20. Standard Endpoint Descriptor",
for interrupt and isochronous endpoints, wMaxPacketSize must be set to
1024 if the endpoint defines bMaxBurst to be greater than zero.

Reviewed-by: Laurent Pinchart &lt;laurent.pinchart@ideasonboard.com&gt;
Signed-off-by: Roger Quadros &lt;rogerq@ti.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 16bb05d98c904a4f6c5ce7e2d992299f794acbf2 ]

As per USB3.0 Specification "Table 9-20. Standard Endpoint Descriptor",
for interrupt and isochronous endpoints, wMaxPacketSize must be set to
1024 if the endpoint defines bMaxBurst to be greater than zero.

Reviewed-by: Laurent Pinchart &lt;laurent.pinchart@ideasonboard.com&gt;
Signed-off-by: Roger Quadros &lt;rogerq@ti.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping</title>
<updated>2018-01-17T17:55:30+00:00</updated>
<author>
<name>Vincent Pelletier</name>
<email>plr.vincent@gmail.com</email>
</author>
<published>2017-11-26T06:52:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4e1911325f19114d781c9e8b14a3565d966bd64a'/>
<id>4e1911325f19114d781c9e8b14a3565d966bd64a</id>
<content type='text'>
[ Upstream commit 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba ]

Found using DEBUG_ATOMIC_SLEEP while submitting an AIO read operation:

[  100.853642] BUG: sleeping function called from invalid context at mm/slab.h:421
[  100.861148] in_atomic(): 1, irqs_disabled(): 1, pid: 1880, name: python
[  100.867954] 2 locks held by python/1880:
[  100.867961]  #0:  (&amp;epfile-&gt;mutex){....}, at: [&lt;f8188627&gt;] ffs_mutex_lock+0x27/0x30 [usb_f_fs]
[  100.868020]  #1:  (&amp;(&amp;ffs-&gt;eps_lock)-&gt;rlock){....}, at: [&lt;f818ad4b&gt;] ffs_epfile_io.isra.17+0x24b/0x590 [usb_f_fs]
[  100.868076] CPU: 1 PID: 1880 Comm: python Not tainted 4.14.0-edison+ #118
[  100.868085] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48
[  100.868093] Call Trace:
[  100.868122]  dump_stack+0x47/0x62
[  100.868156]  ___might_sleep+0xfd/0x110
[  100.868182]  __might_sleep+0x68/0x70
[  100.868217]  kmem_cache_alloc_trace+0x4b/0x200
[  100.868248]  ? dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3]
[  100.868302]  dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3]
[  100.868343]  usb_ep_alloc_request+0x16/0xc0 [udc_core]
[  100.868386]  ffs_epfile_io.isra.17+0x444/0x590 [usb_f_fs]
[  100.868424]  ? _raw_spin_unlock_irqrestore+0x27/0x40
[  100.868457]  ? kiocb_set_cancel_fn+0x57/0x60
[  100.868477]  ? ffs_ep0_poll+0xc0/0xc0 [usb_f_fs]
[  100.868512]  ffs_epfile_read_iter+0xfe/0x157 [usb_f_fs]
[  100.868551]  ? security_file_permission+0x9c/0xd0
[  100.868587]  ? rw_verify_area+0xac/0x120
[  100.868633]  aio_read+0x9d/0x100
[  100.868692]  ? __fget+0xa2/0xd0
[  100.868727]  ? __might_sleep+0x68/0x70
[  100.868763]  SyS_io_submit+0x471/0x680
[  100.868878]  do_int80_syscall_32+0x4e/0xd0
[  100.868921]  entry_INT80_32+0x2a/0x2a
[  100.868932] EIP: 0xb7fbb676
[  100.868941] EFLAGS: 00000292 CPU: 1
[  100.868951] EAX: ffffffda EBX: b7aa2000 ECX: 00000002 EDX: b7af8368
[  100.868961] ESI: b7fbb660 EDI: b7aab000 EBP: bfb6c658 ESP: bfb6c638
[  100.868973]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b

Signed-off-by: Vincent Pelletier &lt;plr.vincent@gmail.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba ]

Found using DEBUG_ATOMIC_SLEEP while submitting an AIO read operation:

[  100.853642] BUG: sleeping function called from invalid context at mm/slab.h:421
[  100.861148] in_atomic(): 1, irqs_disabled(): 1, pid: 1880, name: python
[  100.867954] 2 locks held by python/1880:
[  100.867961]  #0:  (&amp;epfile-&gt;mutex){....}, at: [&lt;f8188627&gt;] ffs_mutex_lock+0x27/0x30 [usb_f_fs]
[  100.868020]  #1:  (&amp;(&amp;ffs-&gt;eps_lock)-&gt;rlock){....}, at: [&lt;f818ad4b&gt;] ffs_epfile_io.isra.17+0x24b/0x590 [usb_f_fs]
[  100.868076] CPU: 1 PID: 1880 Comm: python Not tainted 4.14.0-edison+ #118
[  100.868085] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48
[  100.868093] Call Trace:
[  100.868122]  dump_stack+0x47/0x62
[  100.868156]  ___might_sleep+0xfd/0x110
[  100.868182]  __might_sleep+0x68/0x70
[  100.868217]  kmem_cache_alloc_trace+0x4b/0x200
[  100.868248]  ? dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3]
[  100.868302]  dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3]
[  100.868343]  usb_ep_alloc_request+0x16/0xc0 [udc_core]
[  100.868386]  ffs_epfile_io.isra.17+0x444/0x590 [usb_f_fs]
[  100.868424]  ? _raw_spin_unlock_irqrestore+0x27/0x40
[  100.868457]  ? kiocb_set_cancel_fn+0x57/0x60
[  100.868477]  ? ffs_ep0_poll+0xc0/0xc0 [usb_f_fs]
[  100.868512]  ffs_epfile_read_iter+0xfe/0x157 [usb_f_fs]
[  100.868551]  ? security_file_permission+0x9c/0xd0
[  100.868587]  ? rw_verify_area+0xac/0x120
[  100.868633]  aio_read+0x9d/0x100
[  100.868692]  ? __fget+0xa2/0xd0
[  100.868727]  ? __might_sleep+0x68/0x70
[  100.868763]  SyS_io_submit+0x471/0x680
[  100.868878]  do_int80_syscall_32+0x4e/0xd0
[  100.868921]  entry_INT80_32+0x2a/0x2a
[  100.868932] EIP: 0xb7fbb676
[  100.868941] EFLAGS: 00000292 CPU: 1
[  100.868951] EAX: ffffffda EBX: b7aa2000 ECX: 00000002 EDX: b7af8368
[  100.868961] ESI: b7fbb660 EDI: b7aab000 EBP: bfb6c658 ESP: bfb6c638
[  100.868973]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b

Signed-off-by: Vincent Pelletier &lt;plr.vincent@gmail.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: g_mass_storage: Fix deadlock when driver is unbound</title>
<updated>2017-11-06T04:54:20+00:00</updated>
<author>
<name>Alan Stern</name>
<email>stern@rowland.harvard.edu</email>
</author>
<published>2017-09-21T17:22:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=608286f109dcfff0c9be039c3d2b03cd17736009'/>
<id>608286f109dcfff0c9be039c3d2b03cd17736009</id>
<content type='text'>
[ Upstream commit 1fbbb78f25d1291274f320462bf6908906f538db ]

As a holdover from the old g_file_storage gadget, the g_mass_storage
legacy gadget driver attempts to unregister itself when its main
operating thread terminates (if it hasn't been unregistered already).
This is not strictly necessary; it was never more than an attempt to
have the gadget fail cleanly if something went wrong and the main
thread was killed.

However, now that the UDC core manages gadget drivers independently of
UDC drivers, this scheme doesn't work any more.  A simple test:

	modprobe dummy-hcd
	modprobe g-mass-storage file=...
	rmmod dummy-hcd

ends up in a deadlock with the following backtrace:

 sysrq: SysRq : Show Blocked State
   task                PC stack   pid father
 file-storage    D    0  1130      2 0x00000000
 Call Trace:
  __schedule+0x53e/0x58c
  schedule+0x6e/0x77
  schedule_preempt_disabled+0xd/0xf
  __mutex_lock.isra.1+0x129/0x224
  ? _raw_spin_unlock_irqrestore+0x12/0x14
  __mutex_lock_slowpath+0x12/0x14
  mutex_lock+0x28/0x2b
  usb_gadget_unregister_driver+0x29/0x9b [udc_core]
  usb_composite_unregister+0x10/0x12 [libcomposite]
  msg_cleanup+0x1d/0x20 [g_mass_storage]
  msg_thread_exits+0xd/0xdd7 [g_mass_storage]
  fsg_main_thread+0x1395/0x13d6 [usb_f_mass_storage]
  ? __schedule+0x573/0x58c
  kthread+0xd9/0xdb
  ? do_set_interface+0x25c/0x25c [usb_f_mass_storage]
  ? init_completion+0x1e/0x1e
  ret_from_fork+0x19/0x24
 rmmod           D    0  1155    683 0x00000000
 Call Trace:
  __schedule+0x53e/0x58c
  schedule+0x6e/0x77
  schedule_timeout+0x26/0xbc
  ? __schedule+0x573/0x58c
  do_wait_for_common+0xb3/0x128
  ? usleep_range+0x81/0x81
  ? wake_up_q+0x3f/0x3f
  wait_for_common+0x2e/0x45
  wait_for_completion+0x17/0x19
  fsg_common_put+0x34/0x81 [usb_f_mass_storage]
  fsg_free_inst+0x13/0x1e [usb_f_mass_storage]
  usb_put_function_instance+0x1a/0x25 [libcomposite]
  msg_unbind+0x2a/0x42 [g_mass_storage]
  __composite_unbind+0x4a/0x6f [libcomposite]
  composite_unbind+0x12/0x14 [libcomposite]
  usb_gadget_remove_driver+0x4f/0x77 [udc_core]
  usb_del_gadget_udc+0x52/0xcc [udc_core]
  dummy_udc_remove+0x27/0x2c [dummy_hcd]
  platform_drv_remove+0x1d/0x31
  device_release_driver_internal+0xe9/0x16d
  device_release_driver+0x11/0x13
  bus_remove_device+0xd2/0xe2
  device_del+0x19f/0x221
  ? selinux_capable+0x22/0x27
  platform_device_del+0x21/0x63
  platform_device_unregister+0x10/0x1a
  cleanup+0x20/0x817 [dummy_hcd]
  SyS_delete_module+0x10c/0x197
  ? ____fput+0xd/0xf
  ? task_work_run+0x55/0x62
  ? prepare_exit_to_usermode+0x65/0x75
  do_fast_syscall_32+0x86/0xc3
  entry_SYSENTER_32+0x4e/0x7c

What happens is that removing the dummy-hcd driver causes the UDC core
to unbind the gadget driver, which it does while holding the udc_lock
mutex.  The unbind routine in g_mass_storage tells the main thread to
exit and waits for it to terminate.

But as mentioned above, when the main thread exits it tries to
unregister the mass-storage function driver.  Via the composite
framework this ends up calling usb_gadget_unregister_driver(), which
tries to acquire the udc_lock mutex.  The result is deadlock.

The simplest way to fix the problem is not to be so clever: The main
thread doesn't have to unregister the function driver.  The side
effects won't be so terrible; if the gadget is still attached to a USB
host when the main thread is killed, it will appear to the host as
though the gadget's firmware has crashed -- a reasonably accurate
interpretation, and an all-too-common occurrence for USB mass-storage
devices.

In fact, the code to unregister the driver when the main thread exits
is specific to g-mass-storage; it is not used when f-mass-storage is
included as a function in a larger composite device.  Therefore the
entire mechanism responsible for this (the fsg_operations structure
with its -&gt;thread_exits method, the fsg_common_set_ops() routine, and
the msg_thread_exits() callback routine) can all be eliminated.  Even
the msg_registered bitflag can be removed, because now the driver is
unregistered in only one place rather than in two places.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
CC: &lt;stable@vger.kernel.org&gt;
Acked-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Acked-by: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1fbbb78f25d1291274f320462bf6908906f538db ]

As a holdover from the old g_file_storage gadget, the g_mass_storage
legacy gadget driver attempts to unregister itself when its main
operating thread terminates (if it hasn't been unregistered already).
This is not strictly necessary; it was never more than an attempt to
have the gadget fail cleanly if something went wrong and the main
thread was killed.

However, now that the UDC core manages gadget drivers independently of
UDC drivers, this scheme doesn't work any more.  A simple test:

	modprobe dummy-hcd
	modprobe g-mass-storage file=...
	rmmod dummy-hcd

ends up in a deadlock with the following backtrace:

 sysrq: SysRq : Show Blocked State
   task                PC stack   pid father
 file-storage    D    0  1130      2 0x00000000
 Call Trace:
  __schedule+0x53e/0x58c
  schedule+0x6e/0x77
  schedule_preempt_disabled+0xd/0xf
  __mutex_lock.isra.1+0x129/0x224
  ? _raw_spin_unlock_irqrestore+0x12/0x14
  __mutex_lock_slowpath+0x12/0x14
  mutex_lock+0x28/0x2b
  usb_gadget_unregister_driver+0x29/0x9b [udc_core]
  usb_composite_unregister+0x10/0x12 [libcomposite]
  msg_cleanup+0x1d/0x20 [g_mass_storage]
  msg_thread_exits+0xd/0xdd7 [g_mass_storage]
  fsg_main_thread+0x1395/0x13d6 [usb_f_mass_storage]
  ? __schedule+0x573/0x58c
  kthread+0xd9/0xdb
  ? do_set_interface+0x25c/0x25c [usb_f_mass_storage]
  ? init_completion+0x1e/0x1e
  ret_from_fork+0x19/0x24
 rmmod           D    0  1155    683 0x00000000
 Call Trace:
  __schedule+0x53e/0x58c
  schedule+0x6e/0x77
  schedule_timeout+0x26/0xbc
  ? __schedule+0x573/0x58c
  do_wait_for_common+0xb3/0x128
  ? usleep_range+0x81/0x81
  ? wake_up_q+0x3f/0x3f
  wait_for_common+0x2e/0x45
  wait_for_completion+0x17/0x19
  fsg_common_put+0x34/0x81 [usb_f_mass_storage]
  fsg_free_inst+0x13/0x1e [usb_f_mass_storage]
  usb_put_function_instance+0x1a/0x25 [libcomposite]
  msg_unbind+0x2a/0x42 [g_mass_storage]
  __composite_unbind+0x4a/0x6f [libcomposite]
  composite_unbind+0x12/0x14 [libcomposite]
  usb_gadget_remove_driver+0x4f/0x77 [udc_core]
  usb_del_gadget_udc+0x52/0xcc [udc_core]
  dummy_udc_remove+0x27/0x2c [dummy_hcd]
  platform_drv_remove+0x1d/0x31
  device_release_driver_internal+0xe9/0x16d
  device_release_driver+0x11/0x13
  bus_remove_device+0xd2/0xe2
  device_del+0x19f/0x221
  ? selinux_capable+0x22/0x27
  platform_device_del+0x21/0x63
  platform_device_unregister+0x10/0x1a
  cleanup+0x20/0x817 [dummy_hcd]
  SyS_delete_module+0x10c/0x197
  ? ____fput+0xd/0xf
  ? task_work_run+0x55/0x62
  ? prepare_exit_to_usermode+0x65/0x75
  do_fast_syscall_32+0x86/0xc3
  entry_SYSENTER_32+0x4e/0x7c

What happens is that removing the dummy-hcd driver causes the UDC core
to unbind the gadget driver, which it does while holding the udc_lock
mutex.  The unbind routine in g_mass_storage tells the main thread to
exit and waits for it to terminate.

But as mentioned above, when the main thread exits it tries to
unregister the mass-storage function driver.  Via the composite
framework this ends up calling usb_gadget_unregister_driver(), which
tries to acquire the udc_lock mutex.  The result is deadlock.

The simplest way to fix the problem is not to be so clever: The main
thread doesn't have to unregister the function driver.  The side
effects won't be so terrible; if the gadget is still attached to a USB
host when the main thread is killed, it will appear to the host as
though the gadget's firmware has crashed -- a reasonably accurate
interpretation, and an all-too-common occurrence for USB mass-storage
devices.

In fact, the code to unregister the driver when the main thread exits
is specific to g-mass-storage; it is not used when f-mass-storage is
included as a function in a larger composite device.  Therefore the
entire mechanism responsible for this (the fsg_operations structure
with its -&gt;thread_exits method, the fsg_common_set_ops() routine, and
the msg_thread_exits() callback routine) can all be eliminated.  Even
the msg_registered bitflag can be removed, because now the driver is
unregistered in only one place rather than in two places.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
CC: &lt;stable@vger.kernel.org&gt;
Acked-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Acked-by: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: Fix copy/pasted error message</title>
<updated>2017-09-10T20:35:55+00:00</updated>
<author>
<name>David Lechner</name>
<email>david@lechnology.com</email>
</author>
<published>2017-01-02T23:28:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8e0390595511d32016e293fef53914c4141faa60'/>
<id>8e0390595511d32016e293fef53914c4141faa60</id>
<content type='text'>
[ Upstream commit 43aef5c2ca90535b3227e97e71604291875444ed ]

This fixes an error message that was probably copied and pasted. The same
message is used for both the in and out endpoints, so it makes it impossible
to know which one actually failed because both cases say "IN".

Make the out endpoint error message say "OUT".

Signed-off-by: David Lechner &lt;david@lechnology.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 43aef5c2ca90535b3227e97e71604291875444ed ]

This fixes an error message that was probably copied and pasted. The same
message is used for both the in and out endpoints, so it makes it impossible
to know which one actually failed because both cases say "IN".

Make the out endpoint error message say "OUT".

Signed-off-by: David Lechner &lt;david@lechnology.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Fix possibe deadlock</title>
<updated>2017-07-31T17:37:49+00:00</updated>
<author>
<name>Baolin Wang</name>
<email>baolin.wang@linaro.org</email>
</author>
<published>2016-12-08T11:55:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=84bad5618d67028c7f4342351fa7a5961413ed4c'/>
<id>84bad5618d67028c7f4342351fa7a5961413ed4c</id>
<content type='text'>
[ Upstream commit b3ce3ce02d146841af012d08506b4071db8ffde3 ]

When system try to close /dev/usb-ffs/adb/ep0 on one core, at the same
time another core try to attach new UDC, which will cause deadlock as
below scenario. Thus we should release ffs lock before issuing
unregister_gadget_item().

[   52.642225] c1 ======================================================
[   52.642228] c1 [ INFO: possible circular locking dependency detected ]
[   52.642236] c1 4.4.6+ #1 Tainted: G        W  O
[   52.642241] c1 -------------------------------------------------------
[   52.642245] c1 usb ffs open/2808 is trying to acquire lock:
[   52.642270] c0  (udc_lock){+.+.+.}, at: [&lt;ffffffc00065aeec&gt;]
		usb_gadget_unregister_driver+0x3c/0xc8
[   52.642272] c1  but task is already holding lock:
[   52.642283] c0  (ffs_lock){+.+.+.}, at: [&lt;ffffffc00066b244&gt;]
		ffs_data_clear+0x30/0x140
[   52.642285] c1 which lock already depends on the new lock.
[   52.642287] c1
               the existing dependency chain (in reverse order) is:
[   52.642295] c0
	       -&gt; #1 (ffs_lock){+.+.+.}:
[   52.642307] c0        [&lt;ffffffc00012340c&gt;] __lock_acquire+0x20f0/0x2238
[   52.642314] c0        [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642322] c0        [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642328] c0        [&lt;ffffffc00066f7bc&gt;] ffs_func_bind+0x504/0x6e8
[   52.642334] c0        [&lt;ffffffc000654004&gt;] usb_add_function+0x84/0x184
[   52.642340] c0        [&lt;ffffffc000658ca4&gt;] configfs_composite_bind+0x264/0x39c
[   52.642346] c0        [&lt;ffffffc00065b348&gt;] udc_bind_to_driver+0x58/0x11c
[   52.642352] c0        [&lt;ffffffc00065b49c&gt;] usb_udc_attach_driver+0x90/0xc8
[   52.642358] c0        [&lt;ffffffc0006598e0&gt;] gadget_dev_desc_UDC_store+0xd4/0x128
[   52.642369] c0        [&lt;ffffffc0002c14e8&gt;] configfs_write_file+0xd0/0x13c
[   52.642376] c0        [&lt;ffffffc00023c054&gt;] vfs_write+0xb8/0x214
[   52.642381] c0        [&lt;ffffffc00023cad4&gt;] SyS_write+0x54/0xb0
[   52.642388] c0        [&lt;ffffffc000085ff0&gt;] el0_svc_naked+0x24/0x28
[   52.642395] c0
              -&gt; #0 (udc_lock){+.+.+.}:
[   52.642401] c0        [&lt;ffffffc00011e3d0&gt;] print_circular_bug+0x84/0x2e4
[   52.642407] c0        [&lt;ffffffc000123454&gt;] __lock_acquire+0x2138/0x2238
[   52.642412] c0        [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642420] c0        [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642427] c0        [&lt;ffffffc00065aeec&gt;] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642432] c0        [&lt;ffffffc00065995c&gt;] unregister_gadget_item+0x28/0x44
[   52.642439] c0        [&lt;ffffffc00066b34c&gt;] ffs_data_clear+0x138/0x140
[   52.642444] c0        [&lt;ffffffc00066b374&gt;] ffs_data_reset+0x20/0x6c
[   52.642450] c0        [&lt;ffffffc00066efd0&gt;] ffs_data_closed+0xac/0x12c
[   52.642454] c0        [&lt;ffffffc00066f070&gt;] ffs_ep0_release+0x20/0x2c
[   52.642460] c0        [&lt;ffffffc00023dbe4&gt;] __fput+0xb0/0x1f4
[   52.642466] c0        [&lt;ffffffc00023dd9c&gt;] ____fput+0x20/0x2c
[   52.642473] c0        [&lt;ffffffc0000ee944&gt;] task_work_run+0xb4/0xe8
[   52.642482] c0        [&lt;ffffffc0000cd45c&gt;] do_exit+0x360/0xb9c
[   52.642487] c0        [&lt;ffffffc0000cf228&gt;] do_group_exit+0x4c/0xb0
[   52.642494] c0        [&lt;ffffffc0000dd3c8&gt;] get_signal+0x380/0x89c
[   52.642501] c0        [&lt;ffffffc00008a8f0&gt;] do_signal+0x154/0x518
[   52.642507] c0        [&lt;ffffffc00008af00&gt;] do_notify_resume+0x70/0x78
[   52.642512] c0        [&lt;ffffffc000085ee8&gt;] work_pending+0x1c/0x20
[   52.642514] c1
              other info that might help us debug this:
[   52.642517] c1  Possible unsafe locking scenario:
[   52.642518] c1        CPU0                    CPU1
[   52.642520] c1        ----                    ----
[   52.642525] c0   lock(ffs_lock);
[   52.642529] c0                                lock(udc_lock);
[   52.642533] c0                                lock(ffs_lock);
[   52.642537] c0   lock(udc_lock);
[   52.642539] c1
                      *** DEADLOCK ***
[   52.642543] c1 1 lock held by usb ffs open/2808:
[   52.642555] c0  #0:  (ffs_lock){+.+.+.}, at: [&lt;ffffffc00066b244&gt;]
		ffs_data_clear+0x30/0x140
[   52.642557] c1 stack backtrace:
[   52.642563] c1 CPU: 1 PID: 2808 Comm: usb ffs open Tainted: G
[   52.642565] c1 Hardware name: Spreadtrum SP9860g Board (DT)
[   52.642568] c1 Call trace:
[   52.642573] c1 [&lt;ffffffc00008b430&gt;] dump_backtrace+0x0/0x170
[   52.642577] c1 [&lt;ffffffc00008b5c0&gt;] show_stack+0x20/0x28
[   52.642583] c1 [&lt;ffffffc000422694&gt;] dump_stack+0xa8/0xe0
[   52.642587] c1 [&lt;ffffffc00011e548&gt;] print_circular_bug+0x1fc/0x2e4
[   52.642591] c1 [&lt;ffffffc000123454&gt;] __lock_acquire+0x2138/0x2238
[   52.642595] c1 [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642599] c1 [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642604] c1 [&lt;ffffffc00065aeec&gt;] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642608] c1 [&lt;ffffffc00065995c&gt;] unregister_gadget_item+0x28/0x44
[   52.642613] c1 [&lt;ffffffc00066b34c&gt;] ffs_data_clear+0x138/0x140
[   52.642618] c1 [&lt;ffffffc00066b374&gt;] ffs_data_reset+0x20/0x6c
[   52.642621] c1 [&lt;ffffffc00066efd0&gt;] ffs_data_closed+0xac/0x12c
[   52.642625] c1 [&lt;ffffffc00066f070&gt;] ffs_ep0_release+0x20/0x2c
[   52.642629] c1 [&lt;ffffffc00023dbe4&gt;] __fput+0xb0/0x1f4
[   52.642633] c1 [&lt;ffffffc00023dd9c&gt;] ____fput+0x20/0x2c
[   52.642636] c1 [&lt;ffffffc0000ee944&gt;] task_work_run+0xb4/0xe8
[   52.642640] c1 [&lt;ffffffc0000cd45c&gt;] do_exit+0x360/0xb9c
[   52.642644] c1 [&lt;ffffffc0000cf228&gt;] do_group_exit+0x4c/0xb0
[   52.642647] c1 [&lt;ffffffc0000dd3c8&gt;] get_signal+0x380/0x89c
[   52.642651] c1 [&lt;ffffffc00008a8f0&gt;] do_signal+0x154/0x518
[   52.642656] c1 [&lt;ffffffc00008af00&gt;] do_notify_resume+0x70/0x78
[   52.642659] c1 [&lt;ffffffc000085ee8&gt;] work_pending+0x1c/0x20

Acked-by: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Signed-off-by: Baolin Wang &lt;baolin.wang@linaro.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b3ce3ce02d146841af012d08506b4071db8ffde3 ]

When system try to close /dev/usb-ffs/adb/ep0 on one core, at the same
time another core try to attach new UDC, which will cause deadlock as
below scenario. Thus we should release ffs lock before issuing
unregister_gadget_item().

[   52.642225] c1 ======================================================
[   52.642228] c1 [ INFO: possible circular locking dependency detected ]
[   52.642236] c1 4.4.6+ #1 Tainted: G        W  O
[   52.642241] c1 -------------------------------------------------------
[   52.642245] c1 usb ffs open/2808 is trying to acquire lock:
[   52.642270] c0  (udc_lock){+.+.+.}, at: [&lt;ffffffc00065aeec&gt;]
		usb_gadget_unregister_driver+0x3c/0xc8
[   52.642272] c1  but task is already holding lock:
[   52.642283] c0  (ffs_lock){+.+.+.}, at: [&lt;ffffffc00066b244&gt;]
		ffs_data_clear+0x30/0x140
[   52.642285] c1 which lock already depends on the new lock.
[   52.642287] c1
               the existing dependency chain (in reverse order) is:
[   52.642295] c0
	       -&gt; #1 (ffs_lock){+.+.+.}:
[   52.642307] c0        [&lt;ffffffc00012340c&gt;] __lock_acquire+0x20f0/0x2238
[   52.642314] c0        [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642322] c0        [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642328] c0        [&lt;ffffffc00066f7bc&gt;] ffs_func_bind+0x504/0x6e8
[   52.642334] c0        [&lt;ffffffc000654004&gt;] usb_add_function+0x84/0x184
[   52.642340] c0        [&lt;ffffffc000658ca4&gt;] configfs_composite_bind+0x264/0x39c
[   52.642346] c0        [&lt;ffffffc00065b348&gt;] udc_bind_to_driver+0x58/0x11c
[   52.642352] c0        [&lt;ffffffc00065b49c&gt;] usb_udc_attach_driver+0x90/0xc8
[   52.642358] c0        [&lt;ffffffc0006598e0&gt;] gadget_dev_desc_UDC_store+0xd4/0x128
[   52.642369] c0        [&lt;ffffffc0002c14e8&gt;] configfs_write_file+0xd0/0x13c
[   52.642376] c0        [&lt;ffffffc00023c054&gt;] vfs_write+0xb8/0x214
[   52.642381] c0        [&lt;ffffffc00023cad4&gt;] SyS_write+0x54/0xb0
[   52.642388] c0        [&lt;ffffffc000085ff0&gt;] el0_svc_naked+0x24/0x28
[   52.642395] c0
              -&gt; #0 (udc_lock){+.+.+.}:
[   52.642401] c0        [&lt;ffffffc00011e3d0&gt;] print_circular_bug+0x84/0x2e4
[   52.642407] c0        [&lt;ffffffc000123454&gt;] __lock_acquire+0x2138/0x2238
[   52.642412] c0        [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642420] c0        [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642427] c0        [&lt;ffffffc00065aeec&gt;] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642432] c0        [&lt;ffffffc00065995c&gt;] unregister_gadget_item+0x28/0x44
[   52.642439] c0        [&lt;ffffffc00066b34c&gt;] ffs_data_clear+0x138/0x140
[   52.642444] c0        [&lt;ffffffc00066b374&gt;] ffs_data_reset+0x20/0x6c
[   52.642450] c0        [&lt;ffffffc00066efd0&gt;] ffs_data_closed+0xac/0x12c
[   52.642454] c0        [&lt;ffffffc00066f070&gt;] ffs_ep0_release+0x20/0x2c
[   52.642460] c0        [&lt;ffffffc00023dbe4&gt;] __fput+0xb0/0x1f4
[   52.642466] c0        [&lt;ffffffc00023dd9c&gt;] ____fput+0x20/0x2c
[   52.642473] c0        [&lt;ffffffc0000ee944&gt;] task_work_run+0xb4/0xe8
[   52.642482] c0        [&lt;ffffffc0000cd45c&gt;] do_exit+0x360/0xb9c
[   52.642487] c0        [&lt;ffffffc0000cf228&gt;] do_group_exit+0x4c/0xb0
[   52.642494] c0        [&lt;ffffffc0000dd3c8&gt;] get_signal+0x380/0x89c
[   52.642501] c0        [&lt;ffffffc00008a8f0&gt;] do_signal+0x154/0x518
[   52.642507] c0        [&lt;ffffffc00008af00&gt;] do_notify_resume+0x70/0x78
[   52.642512] c0        [&lt;ffffffc000085ee8&gt;] work_pending+0x1c/0x20
[   52.642514] c1
              other info that might help us debug this:
[   52.642517] c1  Possible unsafe locking scenario:
[   52.642518] c1        CPU0                    CPU1
[   52.642520] c1        ----                    ----
[   52.642525] c0   lock(ffs_lock);
[   52.642529] c0                                lock(udc_lock);
[   52.642533] c0                                lock(ffs_lock);
[   52.642537] c0   lock(udc_lock);
[   52.642539] c1
                      *** DEADLOCK ***
[   52.642543] c1 1 lock held by usb ffs open/2808:
[   52.642555] c0  #0:  (ffs_lock){+.+.+.}, at: [&lt;ffffffc00066b244&gt;]
		ffs_data_clear+0x30/0x140
[   52.642557] c1 stack backtrace:
[   52.642563] c1 CPU: 1 PID: 2808 Comm: usb ffs open Tainted: G
[   52.642565] c1 Hardware name: Spreadtrum SP9860g Board (DT)
[   52.642568] c1 Call trace:
[   52.642573] c1 [&lt;ffffffc00008b430&gt;] dump_backtrace+0x0/0x170
[   52.642577] c1 [&lt;ffffffc00008b5c0&gt;] show_stack+0x20/0x28
[   52.642583] c1 [&lt;ffffffc000422694&gt;] dump_stack+0xa8/0xe0
[   52.642587] c1 [&lt;ffffffc00011e548&gt;] print_circular_bug+0x1fc/0x2e4
[   52.642591] c1 [&lt;ffffffc000123454&gt;] __lock_acquire+0x2138/0x2238
[   52.642595] c1 [&lt;ffffffc000123b54&gt;] lock_acquire+0xe4/0x298
[   52.642599] c1 [&lt;ffffffc000aaf6e8&gt;] mutex_lock_nested+0x7c/0x3cc
[   52.642604] c1 [&lt;ffffffc00065aeec&gt;] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642608] c1 [&lt;ffffffc00065995c&gt;] unregister_gadget_item+0x28/0x44
[   52.642613] c1 [&lt;ffffffc00066b34c&gt;] ffs_data_clear+0x138/0x140
[   52.642618] c1 [&lt;ffffffc00066b374&gt;] ffs_data_reset+0x20/0x6c
[   52.642621] c1 [&lt;ffffffc00066efd0&gt;] ffs_data_closed+0xac/0x12c
[   52.642625] c1 [&lt;ffffffc00066f070&gt;] ffs_ep0_release+0x20/0x2c
[   52.642629] c1 [&lt;ffffffc00023dbe4&gt;] __fput+0xb0/0x1f4
[   52.642633] c1 [&lt;ffffffc00023dd9c&gt;] ____fput+0x20/0x2c
[   52.642636] c1 [&lt;ffffffc0000ee944&gt;] task_work_run+0xb4/0xe8
[   52.642640] c1 [&lt;ffffffc0000cd45c&gt;] do_exit+0x360/0xb9c
[   52.642644] c1 [&lt;ffffffc0000cf228&gt;] do_group_exit+0x4c/0xb0
[   52.642647] c1 [&lt;ffffffc0000dd3c8&gt;] get_signal+0x380/0x89c
[   52.642651] c1 [&lt;ffffffc00008a8f0&gt;] do_signal+0x154/0x518
[   52.642656] c1 [&lt;ffffffc00008af00&gt;] do_notify_resume+0x70/0x78
[   52.642659] c1 [&lt;ffffffc000085ee8&gt;] work_pending+0x1c/0x20

Acked-by: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Signed-off-by: Baolin Wang &lt;baolin.wang@linaro.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
