<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/usb/core, branch v4.14-rc4</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>USB: devio: Don't corrupt user memory</title>
<updated>2017-09-25T08:57:13+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2017-09-22T20:43:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=fa1ed74eb1c233be6131ec92df21ab46499a15b6'/>
<id>fa1ed74eb1c233be6131ec92df21ab46499a15b6</id>
<content type='text'>
The user buffer has "uurb-&gt;buffer_length" bytes.  If the kernel has more
information than that, we should truncate it instead of writing past
the end of the user's buffer.  I added a WARN_ONCE() to help the user
debug the issue.

Reported-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The user buffer has "uurb-&gt;buffer_length" bytes.  If the kernel has more
information than that, we should truncate it instead of writing past
the end of the user's buffer.  I added a WARN_ONCE() to help the user
debug the issue.

Reported-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: devio: Prevent integer overflow in proc_do_submiturb()</title>
<updated>2017-09-25T08:57:13+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2017-09-22T20:43:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=57999d1107c1e60c2ca7088f2ac0f819e2f554b3'/>
<id>57999d1107c1e60c2ca7088f2ac0f819e2f554b3</id>
<content type='text'>
There used to be an integer overflow check in proc_do_submiturb() but
we removed it.  It turns out that it's still required.  The
uurb-&gt;buffer_length variable is a signed integer and it's controlled by
the user.  It can lead to an integer overflow when we do:

	num_sgs = DIV_ROUND_UP(uurb-&gt;buffer_length, USB_SG_SIZE);

If we strip away the macro then that line looks like this:

	num_sgs = (uurb-&gt;buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE;
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's the first addition which can overflow.

Fixes: 1129d270cbfb ("USB: Increase usbfs transfer limit")
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There used to be an integer overflow check in proc_do_submiturb() but
we removed it.  It turns out that it's still required.  The
uurb-&gt;buffer_length variable is a signed integer and it's controlled by
the user.  It can lead to an integer overflow when we do:

	num_sgs = DIV_ROUND_UP(uurb-&gt;buffer_length, USB_SG_SIZE);

If we strip away the macro then that line looks like this:

	num_sgs = (uurb-&gt;buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE;
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's the first addition which can overflow.

Fixes: 1129d270cbfb ("USB: Increase usbfs transfer limit")
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: core: harden cdc_parse_cdc_header</title>
<updated>2017-09-21T15:01:38+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2017-09-21T14:58:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2e1c42391ff2556387b3cb6308b24f6f65619feb'/>
<id>2e1c42391ff2556387b3cb6308b24f6f65619feb</id>
<content type='text'>
Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function.  He writes:
	It looks like cdc_parse_cdc_header() doesn't validate buflen
	before accessing buffer[1], buffer[2] and so on. The only check
	present is while (buflen &gt; 0).

So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.

Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function.  He writes:
	It looks like cdc_parse_cdc_header() doesn't validate buflen
	before accessing buffer[1], buffer[2] and so on. The only check
	present is while (buflen &gt; 0).

So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.

Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: fix out-of-bounds in usb_set_configuration</title>
<updated>2017-09-19T15:27:16+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2017-09-19T13:07:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb'/>
<id>bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb</id>
<content type='text'>
Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
association descriptor.  He writes:
	It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
	descriptor. It's only checked that the size is &gt;= 2 in
	usb_parse_configuration(), so find_iad() might do out-of-bounds access
	to intf_assoc-&gt;bInterfaceCount.

And he's right, we don't check for crazy descriptors of this type very well, so
resolve this problem.  Yet another issue found by syzkaller...

Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
association descriptor.  He writes:
	It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
	descriptor. It's only checked that the size is &gt;= 2 in
	usb_parse_configuration(), so find_iad() might do out-of-bounds access
	to intf_assoc-&gt;bInterfaceCount.

And he's right, we don't check for crazy descriptors of this type very well, so
resolve this problem.  Yet another issue found by syzkaller...

Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: Increase quirk delay for USB devices</title>
<updated>2017-09-18T09:28:23+00:00</updated>
<author>
<name>Dmitry Fleytman</name>
<email>dmitry@daynix.com</email>
</author>
<published>2017-09-05T08:40:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b2a542bbb3081dbd64acc8929c140d196664c406'/>
<id>b2a542bbb3081dbd64acc8929c140d196664c406</id>
<content type='text'>
Commit e0429362ab15
("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
introduced quirk to workaround an issue with some Logitech webcams.

The workaround is introducing delay for some USB operations.

According to our testing, delay introduced by original commit
is not long enough and in rare cases we still see issues described
by the aforementioned commit.

This patch increases delays introduced by original commit.
Having this patch applied we do not see those problems anymore.

Signed-off-by: Dmitry Fleytman &lt;dmitry@daynix.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit e0429362ab15
("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
introduced quirk to workaround an issue with some Logitech webcams.

The workaround is introducing delay for some USB operations.

According to our testing, delay introduced by original commit
is not long enough and in rare cases we still see issues described
by the aforementioned commit.

This patch increases delays introduced by original commit.
Having this patch applied we do not see those problems anymore.

Signed-off-by: Dmitry Fleytman &lt;dmitry@daynix.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: core: usbport: fix "BUG: key not in .data" when lockdep is enabled</title>
<updated>2017-08-29T06:27:25+00:00</updated>
<author>
<name>Christian Lamparter</name>
<email>chunkeey@googlemail.com</email>
</author>
<published>2017-08-28T17:11:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=aa75936544fafc830ac3cc03458b771f3048a50f'/>
<id>aa75936544fafc830ac3cc03458b771f3048a50f</id>
<content type='text'>
This patch fixes a splat that happens if CONFIG_DEBUG_LOCK_ALLOC
is enabled and the ledtrig_usbport is loaded. (on a device that
has some usb ports).

[   60.695479] BUG: key c53f8420 not in .data!
[   60.695521] ------------[ cut here ]------------
[   60.698542] WARNING: CPU: 1 PID: 854 at kernel/locking/lockdep.c:3134 __kernfs_create_file+0x5c/0xc0
[   60.703355] DEBUG_LOCKS_WARN_ON(1)
[   60.712534] Modules linked in:
[   60.944078] CPU: 1 PID: 854 Comm: S96led Not tainted 4.9.44 #0
[   60.944329] Hardware name: Generic DT based system
[   60.950106] [&lt;c021585c&gt;] (unwind_backtrace) from [&lt;c0212150&gt;] (show_stack+0x10/0x14)
[   60.954878] [&lt;c0212150&gt;] (show_stack) from [&lt;c03a2bc4&gt;] (dump_stack+0x7c/0x9c)
[   60.962772] [&lt;c03a2bc4&gt;] (dump_stack) from [&lt;c021db34&gt;] (__warn+0xbc/0xec)
[   60.969799] [&lt;c021db34&gt;] (__warn) from [&lt;c021db98&gt;] (warn_slowpath_fmt+0x34/0x44)
[   60.976656] [&lt;c021db98&gt;] (warn_slowpath_fmt)
[   60.984210] [&lt;c0320688&gt;] (__kernfs_create_file)
[   60.992712] [&lt;c0320ef0&gt;] (sysfs_add_file_mode_ns)
[   61.002090] [&lt;c0321044&gt;] (sysfs_add_file) from
[   61.010619] [&lt;c0321094&gt;] (sysfs_add_file_to_group)
[   61.019263] [&lt;bf24a47c&gt;] (usbport_trig_add_usb_dev_ports [ledtrig_usbport])
[   61.031002] [&lt;c0430414&gt;] (bus_for_each_dev)
[   61.042106] [&lt;c0497dc4&gt;] (usb_for_each_dev)
[   61.050375] [&lt;bf24a2ac&gt;] (usbport_trig_activate [ledtrig_usbport])
[   61.060685] [&lt;c04e1708&gt;] (led_trigger_set) from [&lt;c04e1834&gt;]
[...]

Signed-off-by: Christian Lamparter &lt;chunkeey@googlemail.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch fixes a splat that happens if CONFIG_DEBUG_LOCK_ALLOC
is enabled and the ledtrig_usbport is loaded. (on a device that
has some usb ports).

[   60.695479] BUG: key c53f8420 not in .data!
[   60.695521] ------------[ cut here ]------------
[   60.698542] WARNING: CPU: 1 PID: 854 at kernel/locking/lockdep.c:3134 __kernfs_create_file+0x5c/0xc0
[   60.703355] DEBUG_LOCKS_WARN_ON(1)
[   60.712534] Modules linked in:
[   60.944078] CPU: 1 PID: 854 Comm: S96led Not tainted 4.9.44 #0
[   60.944329] Hardware name: Generic DT based system
[   60.950106] [&lt;c021585c&gt;] (unwind_backtrace) from [&lt;c0212150&gt;] (show_stack+0x10/0x14)
[   60.954878] [&lt;c0212150&gt;] (show_stack) from [&lt;c03a2bc4&gt;] (dump_stack+0x7c/0x9c)
[   60.962772] [&lt;c03a2bc4&gt;] (dump_stack) from [&lt;c021db34&gt;] (__warn+0xbc/0xec)
[   60.969799] [&lt;c021db34&gt;] (__warn) from [&lt;c021db98&gt;] (warn_slowpath_fmt+0x34/0x44)
[   60.976656] [&lt;c021db98&gt;] (warn_slowpath_fmt)
[   60.984210] [&lt;c0320688&gt;] (__kernfs_create_file)
[   60.992712] [&lt;c0320ef0&gt;] (sysfs_add_file_mode_ns)
[   61.002090] [&lt;c0321044&gt;] (sysfs_add_file) from
[   61.010619] [&lt;c0321094&gt;] (sysfs_add_file_to_group)
[   61.019263] [&lt;bf24a47c&gt;] (usbport_trig_add_usb_dev_ports [ledtrig_usbport])
[   61.031002] [&lt;c0430414&gt;] (bus_for_each_dev)
[   61.042106] [&lt;c0497dc4&gt;] (usb_for_each_dev)
[   61.050375] [&lt;bf24a2ac&gt;] (usbport_trig_activate [ledtrig_usbport])
[   61.060685] [&lt;c04e1708&gt;] (led_trigger_set) from [&lt;c04e1834&gt;]
[...]

Signed-off-by: Christian Lamparter &lt;chunkeey@googlemail.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: Add device quirk for Logitech HD Pro Webcam C920-C</title>
<updated>2017-08-28T09:43:39+00:00</updated>
<author>
<name>Dmitry Fleytman</name>
<email>dmitry@daynix.com</email>
</author>
<published>2017-08-25T07:38:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a1279ef74eeeb5f627f091c71d80dd7ac766c99d'/>
<id>a1279ef74eeeb5f627f091c71d80dd7ac766c99d</id>
<content type='text'>
Commit e0429362ab15
("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
introduced quirk to workaround an issue with some Logitech webcams.

Apparently model C920-C has the same issue so applying
the same quirk as well.

See aforementioned commit message for detailed explanation of the problem.

Signed-off-by: Dmitry Fleytman &lt;dmitry@daynix.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit e0429362ab15
("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
introduced quirk to workaround an issue with some Logitech webcams.

Apparently model C920-C has the same issue so applying
the same quirk as well.

See aforementioned commit message for detailed explanation of the problem.

Signed-off-by: Dmitry Fleytman &lt;dmitry@daynix.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard</title>
<updated>2017-08-28T09:43:38+00:00</updated>
<author>
<name>Kai-Heng Feng</name>
<email>kai.heng.feng@canonical.com</email>
</author>
<published>2017-08-16T02:53:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=de3af5bf259d7a0bfaac70441c8568ab5998d80c'/>
<id>de3af5bf259d7a0bfaac70441c8568ab5998d80c</id>
<content type='text'>
Corsair Strafe RGB keyboard has trouble to initialize:

[ 1.679455] usb 3-6: new full-speed USB device number 4 using xhci_hcd
[ 6.871136] usb 3-6: unable to read config index 0 descriptor/all
[ 6.871138] usb 3-6: can't read configurations, error -110
[ 6.991019] usb 3-6: new full-speed USB device number 5 using xhci_hcd
[ 12.246642] usb 3-6: unable to read config index 0 descriptor/all
[ 12.246644] usb 3-6: can't read configurations, error -110
[ 12.366555] usb 3-6: new full-speed USB device number 6 using xhci_hcd
[ 17.622145] usb 3-6: unable to read config index 0 descriptor/all
[ 17.622147] usb 3-6: can't read configurations, error -110
[ 17.742093] usb 3-6: new full-speed USB device number 7 using xhci_hcd
[ 22.997715] usb 3-6: unable to read config index 0 descriptor/all
[ 22.997716] usb 3-6: can't read configurations, error -110

Although it may work after several times unpluging/pluging:

[ 68.195240] usb 3-6: new full-speed USB device number 11 using xhci_hcd
[ 68.337459] usb 3-6: New USB device found, idVendor=1b1c, idProduct=1b20
[ 68.337463] usb 3-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 68.337466] usb 3-6: Product: Corsair STRAFE RGB Gaming Keyboard
[ 68.337468] usb 3-6: Manufacturer: Corsair
[ 68.337470] usb 3-6: SerialNumber: 0F013021AEB8046755A93ED3F5001941

Tried three quirks: USB_QUIRK_DELAY_INIT, USB_QUIRK_NO_LPM and
USB_QUIRK_DEVICE_QUALIFIER, user confirmed that USB_QUIRK_DELAY_INIT alone
can workaround this issue. Hence add the quirk for Corsair Strafe RGB.

BugLink: https://bugs.launchpad.net/bugs/1678477
Signed-off-by: Kai-Heng Feng &lt;kai.heng.feng@canonical.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Corsair Strafe RGB keyboard has trouble to initialize:

[ 1.679455] usb 3-6: new full-speed USB device number 4 using xhci_hcd
[ 6.871136] usb 3-6: unable to read config index 0 descriptor/all
[ 6.871138] usb 3-6: can't read configurations, error -110
[ 6.991019] usb 3-6: new full-speed USB device number 5 using xhci_hcd
[ 12.246642] usb 3-6: unable to read config index 0 descriptor/all
[ 12.246644] usb 3-6: can't read configurations, error -110
[ 12.366555] usb 3-6: new full-speed USB device number 6 using xhci_hcd
[ 17.622145] usb 3-6: unable to read config index 0 descriptor/all
[ 17.622147] usb 3-6: can't read configurations, error -110
[ 17.742093] usb 3-6: new full-speed USB device number 7 using xhci_hcd
[ 22.997715] usb 3-6: unable to read config index 0 descriptor/all
[ 22.997716] usb 3-6: can't read configurations, error -110

Although it may work after several times unpluging/pluging:

[ 68.195240] usb 3-6: new full-speed USB device number 11 using xhci_hcd
[ 68.337459] usb 3-6: New USB device found, idVendor=1b1c, idProduct=1b20
[ 68.337463] usb 3-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 68.337466] usb 3-6: Product: Corsair STRAFE RGB Gaming Keyboard
[ 68.337468] usb 3-6: Manufacturer: Corsair
[ 68.337470] usb 3-6: SerialNumber: 0F013021AEB8046755A93ED3F5001941

Tried three quirks: USB_QUIRK_DELAY_INIT, USB_QUIRK_NO_LPM and
USB_QUIRK_DEVICE_QUALIFIER, user confirmed that USB_QUIRK_DELAY_INIT alone
can workaround this issue. Hence add the quirk for Corsair Strafe RGB.

BugLink: https://bugs.launchpad.net/bugs/1678477
Signed-off-by: Kai-Heng Feng &lt;kai.heng.feng@canonical.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: core: constify vm_operations_struct</title>
<updated>2017-08-28T09:39:31+00:00</updated>
<author>
<name>Arvind Yadav</name>
<email>arvind.yadav.cs@gmail.com</email>
</author>
<published>2017-08-24T11:17:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b64d47ae62e5f56727ad6dc2088e13dfab524a83'/>
<id>b64d47ae62e5f56727ad6dc2088e13dfab524a83</id>
<content type='text'>
vm_operations_struct are not supposed to change at runtime.
All functions working with const vm_operations_struct.
So mark the non-const structs as const.

Signed-off-by: Arvind Yadav &lt;arvind.yadav.cs@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
vm_operations_struct are not supposed to change at runtime.
All functions working with const vm_operations_struct.
So mark the non-const structs as const.

Signed-off-by: Arvind Yadav &lt;arvind.yadav.cs@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: core: Avoid race of async_completed() w/ usbdev_release()</title>
<updated>2017-08-28T09:17:57+00:00</updated>
<author>
<name>Douglas Anderson</name>
<email>dianders@chromium.org</email>
</author>
<published>2017-08-10T22:42:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ed62ca2f4f51c17841ea39d98c0c409cb53a3e10'/>
<id>ed62ca2f4f51c17841ea39d98c0c409cb53a3e10</id>
<content type='text'>
While running reboot tests w/ a specific set of USB devices (and
slub_debug enabled), I found that once every few hours my device would
be crashed with a stack that looked like this:

[   14.012445] BUG: spinlock bad magic on CPU#0, modprobe/2091
[   14.012460]  lock: 0xffffffc0cb055978, .magic: ffffffc0, .owner: cryption contexts: %lu/%lu
[   14.012460] /1025536097, .owner_cpu: 0
[   14.012466] CPU: 0 PID: 2091 Comm: modprobe Not tainted 4.4.79 #352
[   14.012468] Hardware name: Google Kevin (DT)
[   14.012471] Call trace:
[   14.012483] [&lt;....&gt;] dump_backtrace+0x0/0x160
[   14.012487] [&lt;....&gt;] show_stack+0x20/0x28
[   14.012494] [&lt;....&gt;] dump_stack+0xb4/0xf0
[   14.012500] [&lt;....&gt;] spin_dump+0x8c/0x98
[   14.012504] [&lt;....&gt;] spin_bug+0x30/0x3c
[   14.012508] [&lt;....&gt;] do_raw_spin_lock+0x40/0x164
[   14.012515] [&lt;....&gt;] _raw_spin_lock_irqsave+0x64/0x74
[   14.012521] [&lt;....&gt;] __wake_up+0x2c/0x60
[   14.012528] [&lt;....&gt;] async_completed+0x2d0/0x300
[   14.012534] [&lt;....&gt;] __usb_hcd_giveback_urb+0xc4/0x138
[   14.012538] [&lt;....&gt;] usb_hcd_giveback_urb+0x54/0xf0
[   14.012544] [&lt;....&gt;] xhci_irq+0x1314/0x1348
[   14.012548] [&lt;....&gt;] usb_hcd_irq+0x40/0x50
[   14.012553] [&lt;....&gt;] handle_irq_event_percpu+0x1b4/0x3f0
[   14.012556] [&lt;....&gt;] handle_irq_event+0x4c/0x7c
[   14.012561] [&lt;....&gt;] handle_fasteoi_irq+0x158/0x1c8
[   14.012564] [&lt;....&gt;] generic_handle_irq+0x30/0x44
[   14.012568] [&lt;....&gt;] __handle_domain_irq+0x90/0xbc
[   14.012572] [&lt;....&gt;] gic_handle_irq+0xcc/0x18c

Investigation using kgdb() found that the wait queue that was passed
into wake_up() had been freed (it was filled with slub_debug poison).

I analyzed and instrumented the code and reproduced.  My current
belief is that this is happening:

1. async_completed() is called (from IRQ).  Moves "as" onto the
   completed list.
2. On another CPU, proc_reapurbnonblock_compat() calls
   async_getcompleted().  Blocks on spinlock.
3. async_completed() releases the lock; keeps running; gets blocked
   midway through wake_up().
4. proc_reapurbnonblock_compat() =&gt; async_getcompleted() gets the
   lock; removes "as" from completed list and frees it.
5. usbdev_release() is called.  Frees "ps".
6. async_completed() finally continues running wake_up().  ...but
   wake_up() has a pointer to the freed "ps".

The instrumentation that led me to believe this was based on adding
some trace_printk() calls in a select few functions and then using
kdb's "ftdump" at crash time.  The trace follows (NOTE: in the trace
below I cheated a little bit and added a udelay(1000) in
async_completed() after releasing the spinlock because I wanted it to
trigger quicker):

&lt;...&gt;-2104   0d.h2 13759034us!: async_completed at start: as=ffffffc0cc638200
mtpd-2055    3.... 13759356us : async_getcompleted before spin_lock_irqsave
mtpd-2055    3d..1 13759362us : async_getcompleted after list_del_init: as=ffffffc0cc638200
mtpd-2055    3.... 13759371us+: proc_reapurbnonblock_compat: free_async(ffffffc0cc638200)
mtpd-2055    3.... 13759422us+: async_getcompleted before spin_lock_irqsave
mtpd-2055    3.... 13759479us : usbdev_release at start: ps=ffffffc0cc042080
mtpd-2055    3.... 13759487us : async_getcompleted before spin_lock_irqsave
mtpd-2055    3.... 13759497us!: usbdev_release after kfree(ps): ps=ffffffc0cc042080
&lt;...&gt;-2104   0d.h2 13760294us : async_completed before wake_up(): as=ffffffc0cc638200

To fix this problem we can just move the wake_up() under the ps-&gt;lock.
There should be no issues there that I'm aware of.

Signed-off-by: Douglas Anderson &lt;dianders@chromium.org&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
While running reboot tests w/ a specific set of USB devices (and
slub_debug enabled), I found that once every few hours my device would
be crashed with a stack that looked like this:

[   14.012445] BUG: spinlock bad magic on CPU#0, modprobe/2091
[   14.012460]  lock: 0xffffffc0cb055978, .magic: ffffffc0, .owner: cryption contexts: %lu/%lu
[   14.012460] /1025536097, .owner_cpu: 0
[   14.012466] CPU: 0 PID: 2091 Comm: modprobe Not tainted 4.4.79 #352
[   14.012468] Hardware name: Google Kevin (DT)
[   14.012471] Call trace:
[   14.012483] [&lt;....&gt;] dump_backtrace+0x0/0x160
[   14.012487] [&lt;....&gt;] show_stack+0x20/0x28
[   14.012494] [&lt;....&gt;] dump_stack+0xb4/0xf0
[   14.012500] [&lt;....&gt;] spin_dump+0x8c/0x98
[   14.012504] [&lt;....&gt;] spin_bug+0x30/0x3c
[   14.012508] [&lt;....&gt;] do_raw_spin_lock+0x40/0x164
[   14.012515] [&lt;....&gt;] _raw_spin_lock_irqsave+0x64/0x74
[   14.012521] [&lt;....&gt;] __wake_up+0x2c/0x60
[   14.012528] [&lt;....&gt;] async_completed+0x2d0/0x300
[   14.012534] [&lt;....&gt;] __usb_hcd_giveback_urb+0xc4/0x138
[   14.012538] [&lt;....&gt;] usb_hcd_giveback_urb+0x54/0xf0
[   14.012544] [&lt;....&gt;] xhci_irq+0x1314/0x1348
[   14.012548] [&lt;....&gt;] usb_hcd_irq+0x40/0x50
[   14.012553] [&lt;....&gt;] handle_irq_event_percpu+0x1b4/0x3f0
[   14.012556] [&lt;....&gt;] handle_irq_event+0x4c/0x7c
[   14.012561] [&lt;....&gt;] handle_fasteoi_irq+0x158/0x1c8
[   14.012564] [&lt;....&gt;] generic_handle_irq+0x30/0x44
[   14.012568] [&lt;....&gt;] __handle_domain_irq+0x90/0xbc
[   14.012572] [&lt;....&gt;] gic_handle_irq+0xcc/0x18c

Investigation using kgdb() found that the wait queue that was passed
into wake_up() had been freed (it was filled with slub_debug poison).

I analyzed and instrumented the code and reproduced.  My current
belief is that this is happening:

1. async_completed() is called (from IRQ).  Moves "as" onto the
   completed list.
2. On another CPU, proc_reapurbnonblock_compat() calls
   async_getcompleted().  Blocks on spinlock.
3. async_completed() releases the lock; keeps running; gets blocked
   midway through wake_up().
4. proc_reapurbnonblock_compat() =&gt; async_getcompleted() gets the
   lock; removes "as" from completed list and frees it.
5. usbdev_release() is called.  Frees "ps".
6. async_completed() finally continues running wake_up().  ...but
   wake_up() has a pointer to the freed "ps".

The instrumentation that led me to believe this was based on adding
some trace_printk() calls in a select few functions and then using
kdb's "ftdump" at crash time.  The trace follows (NOTE: in the trace
below I cheated a little bit and added a udelay(1000) in
async_completed() after releasing the spinlock because I wanted it to
trigger quicker):

&lt;...&gt;-2104   0d.h2 13759034us!: async_completed at start: as=ffffffc0cc638200
mtpd-2055    3.... 13759356us : async_getcompleted before spin_lock_irqsave
mtpd-2055    3d..1 13759362us : async_getcompleted after list_del_init: as=ffffffc0cc638200
mtpd-2055    3.... 13759371us+: proc_reapurbnonblock_compat: free_async(ffffffc0cc638200)
mtpd-2055    3.... 13759422us+: async_getcompleted before spin_lock_irqsave
mtpd-2055    3.... 13759479us : usbdev_release at start: ps=ffffffc0cc042080
mtpd-2055    3.... 13759487us : async_getcompleted before spin_lock_irqsave
mtpd-2055    3.... 13759497us!: usbdev_release after kfree(ps): ps=ffffffc0cc042080
&lt;...&gt;-2104   0d.h2 13760294us : async_completed before wake_up(): as=ffffffc0cc638200

To fix this problem we can just move the wake_up() under the ps-&gt;lock.
There should be no issues there that I'm aware of.

Signed-off-by: Douglas Anderson &lt;dianders@chromium.org&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
