<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/usb/gadget, branch v4.18</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>usb: gadget: f_fs: Only return delayed status when len is 0</title>
<updated>2018-07-20T14:02:49+00:00</updated>
<author>
<name>Jerry Zhang</name>
<email>zhangjerry@google.com</email>
</author>
<published>2018-07-02T19:48:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4d644abf25698362bd33d17c9ddc8f7122c30f17'/>
<id>4d644abf25698362bd33d17c9ddc8f7122c30f17</id>
<content type='text'>
Commit 1b9ba000 ("Allow function drivers to pause control
transfers") states that USB_GADGET_DELAYED_STATUS is only
supported if the data phase is 0 bytes.

It seems that when the length is not 0 bytes, there is no
need to explicitly delay the data stage since the transfer
is not completed until the user responds. However, when the
length is 0, there is no data stage and the transfer is
finished once setup() returns, hence there is a need to
explicitly delay completion.

This manifests as the following bugs:

Prior to 946ef68ad4e4 ('Let setup() return
USB_GADGET_DELAYED_STATUS'), when setup is 0 bytes, ffs
would require the user to queue a 0-byte request in order to
clear the setup state. However, that 0-byte request was actually
not needed and would hang and cause errors in other setup
requests.

After the above commit, 0 byte setups work since the gadget
now accepts empty queues to ep0 to clear the delay, but all
other setups hang.

Fixes: 946ef68ad4e4 ("Let setup() return USB_GADGET_DELAYED_STATUS")
Signed-off-by: Jerry Zhang &lt;zhangjerry@google.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Acked-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'</title>
<updated>2018-07-17T07:12:52+00:00</updated>
<author>
<name>Eugeniu Rosca</name>
<email>roscaeugeniu@gmail.com</email>
</author>
<published>2018-07-02T21:46:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=eec24f2a0d4dc3b1d95a3ccd2feb523ede3ba775'/>
<id>eec24f2a0d4dc3b1d95a3ccd2feb523ede3ba775</id>
<content type='text'>
The list [1] of commits doing endianness fixes in the USB subsystem is long
due to the below quote from the USB spec Revision 2.0 from April 27, 2000:

------------
8.1 Byte/Bit Ordering

Multiple byte fields in standard descriptors, requests, and responses
are interpreted as and moved over the bus in little-endian order, i.e.
LSB to MSB.
------------

This commit belongs to the same family.

[1] Examples of endianness fixes in the USB subsystem:
commit 14e1d56cbea6 ("usb: gadget: f_uac2: endianness fixes.")
commit 42370b821168 ("usb: gadget: f_uac1: endianness fixes.")
commit 63afd5cc7877 ("USB: chaoskey: fix Alea quirk on big-endian hosts")
commit 74098c4ac782 ("usb: gadget: acm: fix endianness in notifications")
commit cdd7928df0d2 ("ACM gadget: fix endianness in notifications")
commit 323ece54e076 ("cdc-wdm: fix endianness bug in debug statements")
commit e102609f1072 ("usb: gadget: uvc: Fix endianness mismatches")
       the list goes on

Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Eugeniu Rosca &lt;erosca@de.adit-jv.com&gt;
Reviewed-by: Ruslan Bilovol &lt;ruslan.bilovol@gmail.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
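Worked example added by the editor, not kernel code: explicit little-endian serialization of the UAC2 layout-3 range block that struct cntrl_range_lay3 in f_uac2 describes, beside the host-order copy that the pre-fix code effectively produced. The field order (wNumSubRanges, then the 32-bit dMIN, dMAX and dRES, packed) is taken from the UAC2 layout-3 definition; the struct, function and sample values are this example's own. Quoted include forms are used so the listing contains no raw angle brackets; they resolve to the same system headers.

```c
#include "stdint.h"
#include "string.h"

#define LAY3_WIRE_LEN 14u            /* 2 + 3 * 4 bytes on the bus */

/* Host-side view of a UAC2 layout-3 range block (assumed field set). */
struct range_lay3 {
    uint16_t num_sub_ranges;         /* wNumSubRanges */
    uint32_t min;                    /* dMIN */
    uint32_t max;                    /* dMAX */
    uint32_t res;                    /* dRES */
};

/* USB 2.0 spec 8.1: multi-byte fields travel LSB first, on every host. */
static void put_le16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v % 256u);
    p[1] = (uint8_t)(v >> 8);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    unsigned i;
    for (i = 0; i != 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] + p[1] * 256u);
}

static uint32_t get_le32(const uint8_t *p)
{
    uint32_t v = 0;
    int i;
    for (i = 3; i >= 0; i--)         /* assemble from the MSB down */
        v = v * 256u + p[i];
    return v;
}

/* Correct wire encoding: what the fixed driver emits regardless of host. */
size_t lay3_to_wire(const struct range_lay3 *r, uint8_t *out)
{
    put_le16(out + 0, r->num_sub_ranges);
    put_le32(out + 2, r->min);
    put_le32(out + 6, r->max);
    put_le32(out + 10, r->res);
    return LAY3_WIRE_LEN;
}

/* Parse a received block; rejects any length other than the 14-byte layout. */
int lay3_from_wire(const uint8_t *in, size_t len, struct range_lay3 *r)
{
    if (len != LAY3_WIRE_LEN)
        return -1;
    r->num_sub_ranges = get_le16(in + 0);
    r->min = get_le32(in + 2);
    r->max = get_le32(in + 6);
    r->res = get_le32(in + 10);
    return 0;
}

/* The pre-fix behaviour: host-order integers copied straight into the reply. */
static void put_host32(uint8_t *p, uint32_t v)
{
    union { uint32_t w; uint8_t b[4]; } u;
    u.w = v;
    memcpy(p, u.b, 4);
}

static void put_host16(uint8_t *p, uint16_t v)
{
    union { uint16_t w; uint8_t b[2]; } u;
    u.w = v;
    memcpy(p, u.b, 2);
}

void lay3_to_wire_naive(const struct range_lay3 *r, uint8_t *out)
{
    put_host16(out + 0, r->num_sub_ranges);
    put_host32(out + 2, r->min);
    put_host32(out + 6, r->max);
    put_host32(out + 10, r->res);
}

int host_is_little_endian(void)
{
    union { uint32_t w; uint8_t b[4]; } u;
    u.w = 1;
    return u.b[0] == 1;
}

/* 1 when the naive encoding happens to equal the wire format, which is the
 * case only on little-endian hosts; that is why such bugs go unnoticed there. */
int naive_matches_wire(void)
{
    struct range_lay3 r[1];          /* one-element array: passes as a pointer */
    uint8_t good[LAY3_WIRE_LEN];
    uint8_t naive[LAY3_WIRE_LEN];

    r[0].num_sub_ranges = 1;
    r[0].min = 44100;                /* constructed sample: 44.1 kHz .. 48 kHz */
    r[0].max = 48000;
    r[0].res = 1;
    lay3_to_wire(r, good);
    lay3_to_wire_naive(r, naive);
    return memcmp(good, naive, LAY3_WIRE_LEN) == 0;
}
```

The point of naive_matches_wire() is that a host-order copy is not wrong on the machine the author tests on; it is wrong on the bus, and only a big-endian build or an explicit byte-level check like this one reveals it.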
</entry>
<entry>
<title>usb: gadget: aspeed: Workaround memory ordering issue</title>
<updated>2018-07-17T07:12:51+00:00</updated>
<author>
<name>Benjamin Herrenschmidt</name>
<email>benh@kernel.crashing.org</email>
</author>
<published>2018-07-12T05:05:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=bb2863369562b3f0320fc7d8a96a5cde4b50aaea'/>
<id>bb2863369562b3f0320fc7d8a96a5cde4b50aaea</id>
<content type='text'>
The Aspeed SoC has a memory ordering issue that (thankfully)
only affects the USB gadget device. A read back is necessary
after writing to memory and before letting the device DMA
from it.

Signed-off-by: Benjamin Herrenschmidt &lt;benh@kernel.crashing.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: u_audio: protect stream runtime fields with stream spinlock</title>
<updated>2018-07-17T07:12:51+00:00</updated>
<author>
<name>Vladimir Zapolskiy</name>
<email>vladimir_zapolskiy@mentor.com</email>
</author>
<published>2018-06-21T15:22:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=56bc61587daadef67712068f251c4ef2e3932d94'/>
<id>56bc61587daadef67712068f251c4ef2e3932d94</id>
<content type='text'>
The change protects almost the whole body of the u_audio_iso_complete()
function with the PCM stream lock; this is mainly sufficient to avoid a race
between USB request completion and stream termination. The change
prevents the possibility of an invalid memory access in interrupt context
by memcpy():

    Unable to handle kernel paging request at virtual address 00004e80
    pgd = c0004000
    [00004e80] *pgd=00000000
    Internal error: Oops: 817 [#1] PREEMPT SMP ARM
    CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G         C   3.14.54+ #117
    task: da180b80 ti: da192000 task.ti: da192000
    PC is at memcpy+0x50/0x330
    LR is at 0xcdd92b0e
    pc : [&lt;c029ef30&gt;]    lr : [&lt;cdd92b0e&gt;]    psr: 20000193
    sp : da193ce4  ip : dd86ae26  fp : 0000b180
    r10: daf81680  r9 : 00000000  r8 : d58a01ea
    r7 : 2c0b43e4  r6 : acdfb08b  r5 : 01a271cf  r4 : 87389377
    r3 : 69469782  r2 : 00000020  r1 : daf82fe0  r0 : 00004e80
    Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
    Control: 10c5387d  Table: 2b70804a  DAC: 00000015
    Process ksoftirqd/0 (pid: 3, stack limit = 0xda192238)

Also added a check for a potential !runtime condition; commonly this is
done by PCM_RUNTIME_CHECK(substream) at the beginning. However, this
does not completely prevent oopses in u_audio_iso_complete(),
because the proper protection scheme must be implemented in the PCM
library functions.

An example of a *not fixed* oops due to a substream-&gt;runtime-&gt;*
dereference by snd_pcm_running(substream) from
snd_pcm_period_elapsed(), where substream-&gt;runtime is gone while
waiting for the substream lock:

    Unable to handle kernel paging request at virtual address 6b6b6b6b
    pgd = db7e4000
    [6b6b6b6b] *pgd=00000000
    CPU: 0 PID: 193 Comm: klogd Tainted: G         C   3.14.54+ #118
    task: db5ac500 ti: db60c000 task.ti: db60c000
    PC is at snd_pcm_period_elapsed+0x48/0xd8 [snd_pcm]
    LR is at snd_pcm_period_elapsed+0x40/0xd8 [snd_pcm]
    pc : [&lt;&gt;]    lr : [&lt;&gt;]    psr: 60000193
    Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 2b7e404a  DAC: 00000015
    Process klogd (pid: 193, stack limit = 0xdb60c238)
    [&lt;&gt;] (snd_pcm_period_elapsed [snd_pcm]) from [&lt;&gt;] (udc_irq+0x500/0xbbc)
    [&lt;&gt;] (udc_irq) from [&lt;&gt;] (ci_irq+0x280/0x304)
    [&lt;&gt;] (ci_irq) from [&lt;&gt;] (handle_irq_event_percpu+0xa4/0x40c)
    [&lt;&gt;] (handle_irq_event_percpu) from [&lt;&gt;] (handle_irq_event+0x3c/0x5c)
    [&lt;&gt;] (handle_irq_event) from [&lt;&gt;] (handle_fasteoi_irq+0xc4/0x110)
    [&lt;&gt;] (handle_fasteoi_irq) from [&lt;&gt;] (generic_handle_irq+0x20/0x30)
    [&lt;&gt;] (generic_handle_irq) from [&lt;&gt;] (handle_IRQ+0x80/0xc0)
    [&lt;&gt;] (handle_IRQ) from [&lt;&gt;] (gic_handle_irq+0x3c/0x60)
    [&lt;&gt;] (gic_handle_irq) from [&lt;&gt;] (__irq_svc+0x44/0x78)

Signed-off-by: Vladimir Zapolskiy &lt;vladimir_zapolskiy@mentor.com&gt;
[erosca: W/o this patch, with minimal instrumentation [1], I can
         consistently reproduce BUG: KASAN: use-after-free [2]]

[1] Instrumentation to reproduce issue [2]:
 diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c
 index a72295c953bb..bd0b308024fe 100644
 --- a/drivers/usb/gadget/function/u_audio.c
 +++ b/drivers/usb/gadget/function/u_audio.c
 @@ -16,6 +16,7 @@
  #include &lt;sound/core.h&gt;
  #include &lt;sound/pcm.h&gt;
  #include &lt;sound/pcm_params.h&gt;
 +#include &lt;linux/delay.h&gt;

  #include "u_audio.h"

 @@ -147,6 +148,8 @@ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req)

 	spin_unlock_irqrestore(&amp;prm-&gt;lock, flags);

 +	udelay(500); //delay here to increase probability of parallel activities
 +
 	/* Pack USB load in ALSA ring buffer */
 	pending = prm-&gt;dma_bytes - hw_ptr;
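Review bot: the udelay(500) is placed after spin_unlock_irqrestore() and before the ring-buffer copy, which is the unlocked window in which stream termination can free the runtime, so it widens exactly the race this patch closes; keep in mind that it busy-waits 500 microseconds inside a request completion callback that, per the usbhs_interrupt frames in [2], runs in hard interrupt context, so this hunk is reproduction instrumentation only and must not travel with the fix.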

[2] After applying [1], below BUG occurs on Rcar-H3-Salvator-X board:
==================================================================
BUG: KASAN: use-after-free in u_audio_iso_complete+0x24c/0x520 [u_audio]
Read of size 8 at addr ffff8006cafcc248 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        WC      4.14.47+ #160
Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
Call trace:
[&lt;ffff2000080925ac&gt;] dump_backtrace+0x0/0x364
[&lt;ffff200008092924&gt;] show_stack+0x14/0x1c
[&lt;ffff200008f8dbcc&gt;] dump_stack+0x108/0x174
[&lt;ffff2000083c71b8&gt;] print_address_description+0x7c/0x32c
[&lt;ffff2000083c78e8&gt;] kasan_report+0x324/0x354
[&lt;ffff2000083c6114&gt;] __asan_load8+0x24/0x94
[&lt;ffff2000021d1b34&gt;] u_audio_iso_complete+0x24c/0x520 [u_audio]
[&lt;ffff20000152fe50&gt;] usb_gadget_giveback_request+0x480/0x4d0 [udc_core]
[&lt;ffff200001860ab8&gt;] usbhsg_queue_done+0x100/0x130 [renesas_usbhs]
[&lt;ffff20000185f814&gt;] usbhsf_pkt_handler+0x1a4/0x298 [renesas_usbhs]
[&lt;ffff20000185fb38&gt;] usbhsf_irq_ready+0x128/0x178 [renesas_usbhs]
[&lt;ffff200001859cc8&gt;] usbhs_interrupt+0x440/0x490 [renesas_usbhs]
[&lt;ffff2000081a0288&gt;] __handle_irq_event_percpu+0x594/0xa58
[&lt;ffff2000081a07d0&gt;] handle_irq_event_percpu+0x84/0x12c
[&lt;ffff2000081a0928&gt;] handle_irq_event+0xb0/0x10c
[&lt;ffff2000081a8384&gt;] handle_fasteoi_irq+0x1e0/0x2ec
[&lt;ffff20000819e5f8&gt;] generic_handle_irq+0x2c/0x44
[&lt;ffff20000819f0d0&gt;] __handle_domain_irq+0x190/0x194
[&lt;ffff20000808177c&gt;] gic_handle_irq+0x80/0xac
Exception stack(0xffff200009e97c80 to 0xffff200009e97dc0)
7c80: 0000000000000000 0000000000000000 0000000000000003 ffff200008179298
7ca0: ffff20000ae1c180 dfff200000000000 0000000000000000 ffff2000081f9a88
7cc0: ffff200009eb5960 ffff200009e97cf0 0000000000001600 ffff0400041b064b
7ce0: 0000000000000000 0000000000000002 0000000200000001 0000000000000001
7d00: ffff20000842197c 0000ffff958c4970 0000000000000000 ffff8006da0d5b80
7d20: ffff8006d4678498 0000000000000000 000000126bde0a8b ffff8006d4678480
7d40: 0000000000000000 000000126bdbea64 ffff200008fd0000 ffff8006fffff980
7d60: 00000000495f0018 ffff200009e97dc0 ffff200008b6c4ec ffff200009e97dc0
7d80: ffff200008b6c4f0 0000000020000145 ffff8006da0d5b80 ffff8006d4678498
7da0: ffffffffffffffff ffff8006d4678498 ffff200009e97dc0 ffff200008b6c4f0
[&lt;ffff200008084034&gt;] el1_irq+0xb4/0x12c
[&lt;ffff200008b6c4f0&gt;] cpuidle_enter_state+0x818/0x844
[&lt;ffff200008b6c59c&gt;] cpuidle_enter+0x18/0x20
[&lt;ffff20000815f2e4&gt;] call_cpuidle+0x98/0x9c
[&lt;ffff20000815f674&gt;] do_idle+0x214/0x264
[&lt;ffff20000815facc&gt;] cpu_startup_entry+0x20/0x24
[&lt;ffff200008fb09d8&gt;] rest_init+0x30c/0x320
[&lt;ffff2000095f1338&gt;] start_kernel+0x570/0x5b0
---&lt;-snip-&gt;---

Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Eugeniu Rosca &lt;erosca@de.adit-jv.com&gt;

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: u_audio: remove cached period bytes value</title>
<updated>2018-07-17T07:12:51+00:00</updated>
<author>
<name>Vladimir Zapolskiy</name>
<email>vladimir_zapolskiy@mentor.com</email>
</author>
<published>2018-06-21T15:22:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=773e53d50e227b0c03d0bb434c1636f6c49c75b2'/>
<id>773e53d50e227b0c03d0bb434c1636f6c49c75b2</id>
<content type='text'>
The substream period size can potentially be changed at runtime;
however, this is not accounted for in the data copying routine. The
change replaces the cached value with the actual value from the
substream runtime.

As a side effect the change also removes a potential division by zero
in the u_audio_iso_complete() function, if there is a race with
uac_pcm_hw_free(), which sets prm-&gt;period_size to 0.

Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Vladimir Zapolskiy &lt;vladimir_zapolskiy@mentor.com&gt;
Signed-off-by: Eugeniu Rosca &lt;erosca@de.adit-jv.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: u_audio: remove caching of stream buffer parameters</title>
<updated>2018-07-17T07:12:51+00:00</updated>
<author>
<name>Vladimir Zapolskiy</name>
<email>vladimir_zapolskiy@mentor.com</email>
</author>
<published>2018-06-21T15:22:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=96afb54ece0ee903d23a7ac04ddc461413b972c4'/>
<id>96afb54ece0ee903d23a7ac04ddc461413b972c4</id>
<content type='text'>
There is no necessity to copy the PCM stream ring buffer area and size
properties to the UAC private data structure; these values can be
obtained from the substream itself.

The change gives more control over the substream and avoids stale caching.

Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Vladimir Zapolskiy &lt;vladimir_zapolskiy@mentor.com&gt;
Signed-off-by: Eugeniu Rosca &lt;erosca@de.adit-jv.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: u_audio: update hw_ptr in iso_complete after data copied</title>
<updated>2018-07-17T07:12:51+00:00</updated>
<author>
<name>Joshua Frkuska</name>
<email>joshua_frkuska@mentor.com</email>
</author>
<published>2018-06-21T15:22:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6b37bd78d30c890e575a1bda22978d1d2a233362'/>
<id>6b37bd78d30c890e575a1bda22978d1d2a233362</id>
<content type='text'>
In u_audio_iso_complete, the runtime hw_ptr is updated before the
data is actually copied over to/from the buffer/dma area. When
ALSA uses this hw_ptr, the data may not actually be available to
be used. This causes trash/stale audio to play/record. This
patch updates the hw_ptr after the data has been copied to avoid
this.

Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Joshua Frkuska &lt;joshua_frkuska@mentor.com&gt;
Signed-off-by: Eugeniu Rosca &lt;erosca@de.adit-jv.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
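An added model, written for this page rather than taken from u_audio.c, of the race the four u_audio entries above address (stream lock, live period size, live buffer geometry, hw_ptr advanced after the copy): a queued USB request completes while hw_free tears the stream down. The pre-fix shape trusts geometry cached in its private data and divides by a cached period size; the fixed shape takes the stream lock, re-checks that the runtime still exists, reads period size and buffer from the live runtime, and advances hw_ptr only after the data is in place. All struct, function and enum names are this example's own; a flag stands in for the spinlock, a global stands in for the allocator's liveness tracking, the model has hw_free take the same lock, and the interleaving is driven by hand. Quoted include forms resolve to the same system headers.

```c
#include "stdint.h"
#include "string.h"

enum {
    COPIED = 0,
    SKIPPED_NO_RUNTIME = 1,          /* fixed path: stream already gone */
    WOULD_USE_FREED = 2,             /* old path: memcpy() into a freed ring */
    WOULD_DIV_BY_ZERO = 3            /* old path: cached period size is 0 */
};

struct runtime {                     /* stand-in for the snd_pcm_runtime fields used */
    uint8_t *dma_area;
    size_t dma_bytes;
    size_t period_size;              /* bytes per period in this model */
};

struct substream {
    struct runtime *runtime;         /* NULL after hw_free */
    int locked;                      /* models the PCM stream spinlock */
};

struct prm {                         /* stand-in for the per-direction private data */
    struct substream *ss;
    size_t hw_ptr;
    size_t periods;                  /* periods reported as elapsed */
    uint8_t *dma_area;               /* cached copies the old code kept ... */
    size_t dma_bytes;
    size_t period_size;              /* ... and which hw_free zeroes */
};

static uint8_t ring[64];
static struct runtime rt[1];
static struct substream ss[1];
static int ring_live;                /* stands in for KASAN's view of the allocation */

static void stream_lock(struct substream *s)   { s->locked = 1; }
static void stream_unlock(struct substream *s) { s->locked = 0; }

/* Copy into the ring at hw_ptr with wrap-around; returns the new hw_ptr. */
static size_t ring_copy(uint8_t *area, size_t bytes, size_t hw_ptr,
                        const uint8_t *src, size_t len)
{
    size_t first = bytes - hw_ptr;
    if (first > len)
        first = len;
    memcpy(area + hw_ptr, src, first);
    memcpy(area, src + first, len - first);
    return (hw_ptr + len) % bytes;
}

void model_setup(struct prm *p)
{
    memset(ring, 0, sizeof ring);
    rt[0].dma_area = ring;
    rt[0].dma_bytes = sizeof ring;
    rt[0].period_size = 16;
    ss[0].runtime = rt;
    ss[0].locked = 0;
    p->ss = ss;
    p->hw_ptr = 0;
    p->periods = 0;
    p->dma_area = ring;              /* the caches the old code relied on */
    p->dma_bytes = sizeof ring;
    p->period_size = 16;
    ring_live = 1;
}

/* hw_free racing with completion: detaches the runtime, zeroes the cached
 * period size and releases the ring. */
void model_hw_free(struct prm *p)
{
    stream_lock(p->ss);
    p->ss->runtime = NULL;
    p->period_size = 0;
    ring_live = 0;
    stream_unlock(p->ss);
}

/* Pre-fix shape: no lock, cached geometry, division by a cached period. */
int complete_cached(struct prm *p, const uint8_t *data, size_t len)
{
    if (!ring_live)
        return WOULD_USE_FREED;
    if (p->period_size == 0)
        return WOULD_DIV_BY_ZERO;
    p->periods += (p->hw_ptr + len) / p->period_size - p->hw_ptr / p->period_size;
    p->hw_ptr = ring_copy(p->dma_area, p->dma_bytes, p->hw_ptr, data, len);
    return COPIED;
}

/* Fixed shape: lock, re-check the runtime, use live values, advance after copy. */
int complete_live(struct prm *p, const uint8_t *data, size_t len)
{
    struct substream *s = p->ss;
    struct runtime *r;
    int status = COPIED;

    stream_lock(s);
    r = s->runtime;
    if (r == NULL || r->period_size == 0) {
        status = SKIPPED_NO_RUNTIME; /* stream stopped or unconfigured: drop */
    } else {
        size_t next = ring_copy(r->dma_area, r->dma_bytes, p->hw_ptr, data, len);
        p->periods += (p->hw_ptr + len) / r->period_size
                    - p->hw_ptr / r->period_size;
        p->hw_ptr = next;            /* only now is the data visible to ALSA */
    }
    stream_unlock(s);
    return status;
}
```

Driving the model by hand (three 24-byte completions, then model_hw_free(), then one more completion) shows the two shapes diverge only after teardown: complete_live() returns SKIPPED_NO_RUNTIME and leaves hw_ptr untouched, while complete_cached() would have touched the released ring, and with the ring still allocated but period_size zeroed it would have divided by zero.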
</entry>
<entry>
<title>usb: gadget: u_audio: fix pcm/card naming in g_audio_setup()</title>
<updated>2018-07-17T07:12:51+00:00</updated>
<author>
<name>Eugeniu Rosca</name>
<email>erosca@de.adit-jv.com</email>
</author>
<published>2018-06-21T15:22:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=dfa042fa310caa475667b8c38d852f14439e0b01'/>
<id>dfa042fa310caa475667b8c38d852f14439e0b01</id>
<content type='text'>
Fix below smatch (v0.5.0-4443-g69e9094e11c1) warnings:
drivers/usb/gadget/function/u_audio.c:607 g_audio_setup() warn: strcpy() 'pcm_name' of unknown size might be too large for 'pcm-&gt;name'
drivers/usb/gadget/function/u_audio.c:614 g_audio_setup() warn: strcpy() 'card_name' of unknown size might be too large for 'card-&gt;driver'
drivers/usb/gadget/function/u_audio.c:615 g_audio_setup() warn: strcpy() 'card_name' of unknown size might be too large for 'card-&gt;shortname'

The below commits performed a similar 's/strcpy/strlcpy/' rework:
* v2.6.31 commit 8372d4980fbc ("ALSA: ctxfi - Fix PCM device naming")
* v4.14 commit 003d3e70dbeb ("ALSA: ad1848: fix format string overflow warning")
* v4.14 commit 6d8b04de87e1 ("ALSA: cs423x: fix format string overflow warning")

Fixes: eb9fecb9e69b ("usb: gadget: f_uac2: split out audio core")
Signed-off-by: Eugeniu Rosca &lt;erosca@de.adit-jv.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
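Added example, not the driver's code: the bounded-copy form the smatch warnings call for, with the destination sizes assumed from the ALSA headers (snd_card.driver 16 bytes, snd_card.shortname 32, snd_pcm.name 80). bounded_copy() reimplements strlcpy semantics so the listing builds on a libc that lacks strlcpy, and setup_names() reports which names did not fit instead of silently overrunning the field; the struct, function, enum names and sample names are this example's own. The quoted include form resolves to the same system header.

```c
#include "string.h"

#define DRIVER_LEN 16                /* sizes assumed from the ALSA headers */
#define SHORTNAME_LEN 32
#define PCM_NAME_LEN 80

struct card_names {
    char driver[DRIVER_LEN];         /* snd_card.driver */
    char shortname[SHORTNAME_LEN];   /* snd_card.shortname */
    char pcm_name[PCM_NAME_LEN];     /* snd_pcm.name */
};

enum { TRUNC_DRIVER = 1, TRUNC_SHORTNAME = 2, TRUNC_PCM = 4 };

/* strlcpy semantics: always NUL-terminates when dstsz is non-zero and
 * returns strlen(src), so a result >= dstsz means the copy was truncated. */
size_t bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    size_t take = n;

    if (dstsz == 0)
        return n;
    if (take >= dstsz)
        take = dstsz - 1;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return n;
}

/* Replacement for the three strcpy() calls the warnings point at: every copy
 * is bounded by its destination and the caller learns which names did not
 * fit. A zero return is the case the old strcpy() silently assumed. */
int setup_names(struct card_names *c, const char *card_name, const char *pcm_name)
{
    int mask = 0;

    if (bounded_copy(c->pcm_name, sizeof c->pcm_name, pcm_name) >= sizeof c->pcm_name)
        mask |= TRUNC_PCM;
    if (bounded_copy(c->driver, sizeof c->driver, card_name) >= sizeof c->driver)
        mask |= TRUNC_DRIVER;
    if (bounded_copy(c->shortname, sizeof c->shortname, card_name) >= sizeof c->shortname)
        mask |= TRUNC_SHORTNAME;
    return mask;
}
```

The 16-byte driver field is the tight one: the same card_name feeds both driver and shortname, so a name that fits the 32-byte shortname can still overrun driver, which is why the return mask reports the fields separately.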
</entry>
<entry>
<title>usb: gadget: f_uac2: fix error handling in afunc_bind (again)</title>
<updated>2018-07-17T07:12:51+00:00</updated>
<author>
<name>Eugeniu Rosca</name>
<email>erosca@de.adit-jv.com</email>
</author>
<published>2018-06-21T15:22:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e87581fe0509020f77ebf0b7c4c1c338c6a4bcf6'/>
<id>e87581fe0509020f77ebf0b7c4c1c338c6a4bcf6</id>
<content type='text'>
If usb_ep_autoconfig() fails (i.e. returns a null endpoint descriptor),
we expect afunc_bind() to fail (i.e. return a negative error code).

However, due to v4.10-rc1 commit f1d3861d63a5 ("usb: gadget: f_uac2: fix
error handling at afunc_bind"), afunc_bind() returns zero, telling the
caller that it succeeded. This then generates a NULL pointer dereference
in the below scenario on the Rcar H3-ES20-Salvator-X target:

rcar-gen3:/home/root# modprobe g_audio
[  626.521155] g_audio gadget: afunc_bind:565 Error!
[  626.526319] g_audio gadget: Linux USB Audio Gadget, version: Feb 2, 2012
[  626.533405] g_audio gadget: g_audio ready
rcar-gen3:/home/root#
rcar-gen3:/home/root# modprobe -r g_audio
[  728.256707] ==================================================================
[  728.264293] BUG: KASAN: null-ptr-deref in u_audio_stop_capture+0x70/0x268 [u_audio]
[  728.272244] Read of size 8 at addr 00000000000000a0 by task modprobe/2545
[  728.279309]
[  728.280849] CPU: 0 PID: 2545 Comm: modprobe Tainted: G        WC      4.14.47+ #152
[  728.288778] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
[  728.296454] Call trace:
[  728.299151] [&lt;ffff2000080925ac&gt;] dump_backtrace+0x0/0x364
[  728.304808] [&lt;ffff200008092924&gt;] show_stack+0x14/0x1c
[  728.310081] [&lt;ffff200008f8d5cc&gt;] dump_stack+0x108/0x174
[  728.315522] [&lt;ffff2000083c77c8&gt;] kasan_report+0x1fc/0x354
[  728.321134] [&lt;ffff2000083c611c&gt;] __asan_load8+0x24/0x94
[  728.326600] [&lt;ffff2000021e1618&gt;] u_audio_stop_capture+0x70/0x268 [u_audio]
[  728.333735] [&lt;ffff2000021f8b7c&gt;] afunc_disable+0x44/0x60 [usb_f_uac2]
[  728.340503] [&lt;ffff20000218177c&gt;] usb_remove_function+0x9c/0x210 [libcomposite]
[  728.348060] [&lt;ffff200002183320&gt;] remove_config.isra.2+0x1d8/0x218 [libcomposite]
[  728.355788] [&lt;ffff200002186c54&gt;] __composite_unbind+0x104/0x1f8 [libcomposite]
[  728.363339] [&lt;ffff200002186d58&gt;] composite_unbind+0x10/0x18 [libcomposite]
[  728.370536] [&lt;ffff20000152f158&gt;] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
[  728.378172] [&lt;ffff20000153154c&gt;] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
[  728.386274] [&lt;ffff200002180de8&gt;] usb_composite_unregister+0x10/0x18 [libcomposite]
[  728.394116] [&lt;ffff2000021d035c&gt;] audio_driver_exit+0x14/0x28 [g_audio]
[  728.400878] [&lt;ffff200008213ed4&gt;] SyS_delete_module+0x288/0x32c
[  728.406935] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
[  728.413624] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
[  728.421718] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
[  728.429792] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
[  728.437870] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
[  728.445952] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
[  728.454035] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
[  728.462114] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
[  728.470190] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
[  728.478281] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
[  728.486351] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  728.494434] [&lt;ffff200008084780&gt;] el0_svc_naked+0x34/0x38
[  728.499957] ==================================================================
[  728.507801] Unable to handle kernel NULL pointer dereference at virtual address 000000a0
[  728.517742] Mem abort info:
[  728.520993]   Exception class = DABT (current EL), IL = 32 bits
[  728.527375]   SET = 0, FnV = 0
[  728.530731]   EA = 0, S1PTW = 0
[  728.534361] Data abort info:
[  728.537650]   ISV = 0, ISS = 0x00000006
[  728.541863]   CM = 0, WnR = 0
[  728.545167] user pgtable: 4k pages, 48-bit VAs, pgd = ffff8006c6100000
[  728.552156] [00000000000000a0] *pgd=0000000716a8d003
[  728.557519] , *pud=00000007116fc003
[  728.561259] , *pmd=0000000000000000
[  728.564985] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[  728.570815] Modules linked in:
[  728.574023]  usb_f_uac2
[  728.576560]  u_audio
[  728.578827]  g_audio(-)
[  728.581361]  libcomposite
[  728.584071]  configfs
[  728.586428]  aes_ce_blk
[  728.588960]  sata_rcar
[  728.591421]  crypto_simd
[  728.594039]  cryptd
[  728.596217]  libata
[  728.598396]  aes_ce_cipher
[  728.601188]  crc32_ce
[  728.603542]  ghash_ce
[  728.605896]  gf128mul
[  728.608250]  aes_arm64
[  728.610692]  scsi_mod
[  728.613046]  sha2_ce
[  728.615313]  xhci_plat_hcd
[  728.618106]  sha256_arm64
[  728.620811]  sha1_ce
[  728.623077]  renesas_usbhs
[  728.625869]  xhci_hcd
[  728.628243]  renesas_usb3
[  728.630948]  sha1_generic
[  728.633670]  ravb_streaming(C)
[  728.636814]  udc_core
[  728.639168]  cpufreq_dt
[  728.641697]  rcar_gen3_thermal
[  728.644840]  usb_dmac
[  728.647194]  pwm_rcar
[  728.649548]  thermal_sys
[  728.652165]  virt_dma
[  728.654519]  mch_core(C)
[  728.657137]  pwm_bl
[  728.659315]  snd_soc_rcar
[  728.662020]  snd_aloop
[  728.664462]  snd_soc_generic_card
[  728.667869]  snd_soc_ak4613
[  728.670749]  ipv6
[  728.672768]  autofs4
[  728.675052] CPU: 0 PID: 2545 Comm: modprobe Tainted: G    B   WC      4.14.47+ #152
[  728.682973] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
[  728.690637] task: ffff8006ced38000 task.stack: ffff8006cf6c0000
[  728.696814] PC is at u_audio_stop_capture+0x70/0x268 [u_audio]
[  728.702896] LR is at u_audio_stop_capture+0x70/0x268 [u_audio]
[  728.708964] pc : [&lt;ffff2000021e1618&gt;] lr : [&lt;ffff2000021e1618&gt;] pstate: 60000145
[  728.716620] sp : ffff8006cf6c7a50
[  728.720154] x29: ffff8006cf6c7a50
[  728.723760] x28: ffff8006ced38000
[  728.727272] x27: ffff200008fd7000
[  728.730857] x26: ffff2000021d2340
[  728.734361] x25: 0000000000000000
[  728.737948] x24: ffff200009e94b08
[  728.741452] x23: 00000000000000a0
[  728.745052] x22: 00000000000000a8
[  728.748558] x21: 1ffff000d9ed8f7c
[  728.752142] x20: ffff8006d671a800
[  728.755646] x19: 0000000000000000
[  728.759231] x18: 0000000000000000
[  728.762736] x17: 0000ffffbc7c8f40
[  728.766320] x16: ffff200008213c4c
[  728.769823] x15: 0000000000000000
[  728.773408] x14: 0720072007200720
[  728.776912] x13: 0720072007200720
[  728.780497] x12: ffffffffffffffff
[  728.784001] x11: 0000000000000040
[  728.787598] x10: 0000000000001600
[  728.791103] x9 : ffff8006cf6c77a0
[  728.794689] x8 : ffff8006ced39660
[  728.798193] x7 : ffff20000811c738
[  728.801794] x6 : 0000000000000000
[  728.805299] x5 : dfff200000000000
[  728.808885] x4 : ffff8006ced38000
[  728.812390] x3 : ffff200008fb46e8
[  728.815976] x2 : 0000000000000007
[  728.819480] x1 : 3ba68643e7431500
[  728.823066] x0 : 0000000000000000
[  728.826574] Process modprobe (pid: 2545, stack limit = 0xffff8006cf6c0000)
[  728.833704] Call trace:
[  728.836292] Exception stack(0xffff8006cf6c7910 to 0xffff8006cf6c7a50)
[  728.842987] 7900:                                   0000000000000000 3ba68643e7431500
[  728.851084] 7920: 0000000000000007 ffff200008fb46e8 ffff8006ced38000 dfff200000000000
[  728.859173] 7940: 0000000000000000 ffff20000811c738 ffff8006ced39660 ffff8006cf6c77a0
[  728.867248] 7960: 0000000000001600 0000000000000040 ffffffffffffffff 0720072007200720
[  728.875323] 7980: 0720072007200720 0000000000000000 ffff200008213c4c 0000ffffbc7c8f40
[  728.883412] 79a0: 0000000000000000 0000000000000000 ffff8006d671a800 1ffff000d9ed8f7c
[  728.891485] 79c0: 00000000000000a8 00000000000000a0 ffff200009e94b08 0000000000000000
[  728.899561] 79e0: ffff2000021d2340 ffff200008fd7000 ffff8006ced38000 ffff8006cf6c7a50
[  728.907636] 7a00: ffff2000021e1618 ffff8006cf6c7a50 ffff2000021e1618 0000000060000145
[  728.915710] 7a20: 0000000000000008 0000000000000000 0000ffffffffffff 3ba68643e7431500
[  728.923780] 7a40: ffff8006cf6c7a50 ffff2000021e1618
[  728.928880] [&lt;ffff2000021e1618&gt;] u_audio_stop_capture+0x70/0x268 [u_audio]
[  728.936032] [&lt;ffff2000021f8b7c&gt;] afunc_disable+0x44/0x60 [usb_f_uac2]
[  728.942822] [&lt;ffff20000218177c&gt;] usb_remove_function+0x9c/0x210 [libcomposite]
[  728.950385] [&lt;ffff200002183320&gt;] remove_config.isra.2+0x1d8/0x218 [libcomposite]
[  728.958134] [&lt;ffff200002186c54&gt;] __composite_unbind+0x104/0x1f8 [libcomposite]
[  728.965689] [&lt;ffff200002186d58&gt;] composite_unbind+0x10/0x18 [libcomposite]
[  728.972882] [&lt;ffff20000152f158&gt;] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
[  728.980522] [&lt;ffff20000153154c&gt;] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
[  728.988638] [&lt;ffff200002180de8&gt;] usb_composite_unregister+0x10/0x18 [libcomposite]
[  728.996472] [&lt;ffff2000021d035c&gt;] audio_driver_exit+0x14/0x28 [g_audio]
[  729.003231] [&lt;ffff200008213ed4&gt;] SyS_delete_module+0x288/0x32c
[  729.009278] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
[  729.015946] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
[  729.024022] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
[  729.032099] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
[  729.040172] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
[  729.048263] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
[  729.056337] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
[  729.064411] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
[  729.072484] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
[  729.080563] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
[  729.088636] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  729.096733] [&lt;ffff200008084780&gt;] el0_svc_naked+0x34/0x38
[  729.102259] Code: 9597d1b3 aa1703e0 9102a276 958792b9 (f9405275)
[  729.108617] ---[ end trace 7560c5fa3d100243 ]---

After this patch is applied, the issue is fixed:
rcar-gen3:/home/root# modprobe g_audio
[   59.217127] g_audio gadget: afunc_bind:565 Error!
[   59.222329] g_audio ee020000.usb: failed to start g_audio: -19
modprobe: ERROR: could not insert 'g_audio': No such device
rcar-gen3:/home/root# modprobe -r g_audio
rcar-gen3:/home/root#

Fixes: f1d3861d63a5 ("usb: gadget: f_uac2: fix error handling at afunc_bind")
Signed-off-by: Eugeniu Rosca &lt;erosca@de.adit-jv.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If usb_ep_autoconfig() fails (i.e. returns a null endpoint descriptor),
we expect afunc_bind() to fail (i.e. return a negative error code).

However, due to v4.10-rc1 commit f1d3861d63a5 ("usb: gadget: f_uac2: fix
error handling at afunc_bind"), afunc_bind() returns zero, telling the
caller that it succeeded. This then generates a NULL pointer dereference
in the scenario below on the Rcar H3-ES20-Salvator-X target:

rcar-gen3:/home/root# modprobe g_audio
[  626.521155] g_audio gadget: afunc_bind:565 Error!
[  626.526319] g_audio gadget: Linux USB Audio Gadget, version: Feb 2, 2012
[  626.533405] g_audio gadget: g_audio ready
rcar-gen3:/home/root#
rcar-gen3:/home/root# modprobe -r g_audio
[  728.256707] ==================================================================
[  728.264293] BUG: KASAN: null-ptr-deref in u_audio_stop_capture+0x70/0x268 [u_audio]
[  728.272244] Read of size 8 at addr 00000000000000a0 by task modprobe/2545
[  728.279309]
[  728.280849] CPU: 0 PID: 2545 Comm: modprobe Tainted: G        WC      4.14.47+ #152
[  728.288778] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
[  728.296454] Call trace:
[  728.299151] [&lt;ffff2000080925ac&gt;] dump_backtrace+0x0/0x364
[  728.304808] [&lt;ffff200008092924&gt;] show_stack+0x14/0x1c
[  728.310081] [&lt;ffff200008f8d5cc&gt;] dump_stack+0x108/0x174
[  728.315522] [&lt;ffff2000083c77c8&gt;] kasan_report+0x1fc/0x354
[  728.321134] [&lt;ffff2000083c611c&gt;] __asan_load8+0x24/0x94
[  728.326600] [&lt;ffff2000021e1618&gt;] u_audio_stop_capture+0x70/0x268 [u_audio]
[  728.333735] [&lt;ffff2000021f8b7c&gt;] afunc_disable+0x44/0x60 [usb_f_uac2]
[  728.340503] [&lt;ffff20000218177c&gt;] usb_remove_function+0x9c/0x210 [libcomposite]
[  728.348060] [&lt;ffff200002183320&gt;] remove_config.isra.2+0x1d8/0x218 [libcomposite]
[  728.355788] [&lt;ffff200002186c54&gt;] __composite_unbind+0x104/0x1f8 [libcomposite]
[  728.363339] [&lt;ffff200002186d58&gt;] composite_unbind+0x10/0x18 [libcomposite]
[  728.370536] [&lt;ffff20000152f158&gt;] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
[  728.378172] [&lt;ffff20000153154c&gt;] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
[  728.386274] [&lt;ffff200002180de8&gt;] usb_composite_unregister+0x10/0x18 [libcomposite]
[  728.394116] [&lt;ffff2000021d035c&gt;] audio_driver_exit+0x14/0x28 [g_audio]
[  728.400878] [&lt;ffff200008213ed4&gt;] SyS_delete_module+0x288/0x32c
[  728.406935] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
[  728.413624] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
[  728.421718] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
[  728.429792] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
[  728.437870] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
[  728.445952] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
[  728.454035] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
[  728.462114] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
[  728.470190] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
[  728.478281] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
[  728.486351] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  728.494434] [&lt;ffff200008084780&gt;] el0_svc_naked+0x34/0x38
[  728.499957] ==================================================================
[  728.507801] Unable to handle kernel NULL pointer dereference at virtual address 000000a0
[  728.517742] Mem abort info:
[  728.520993]   Exception class = DABT (current EL), IL = 32 bits
[  728.527375]   SET = 0, FnV = 0
[  728.530731]   EA = 0, S1PTW = 0
[  728.534361] Data abort info:
[  728.537650]   ISV = 0, ISS = 0x00000006
[  728.541863]   CM = 0, WnR = 0
[  728.545167] user pgtable: 4k pages, 48-bit VAs, pgd = ffff8006c6100000
[  728.552156] [00000000000000a0] *pgd=0000000716a8d003
[  728.557519] , *pud=00000007116fc003
[  728.561259] , *pmd=0000000000000000
[  728.564985] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[  728.570815] Modules linked in:
[  728.574023]  usb_f_uac2
[  728.576560]  u_audio
[  728.578827]  g_audio(-)
[  728.581361]  libcomposite
[  728.584071]  configfs
[  728.586428]  aes_ce_blk
[  728.588960]  sata_rcar
[  728.591421]  crypto_simd
[  728.594039]  cryptd
[  728.596217]  libata
[  728.598396]  aes_ce_cipher
[  728.601188]  crc32_ce
[  728.603542]  ghash_ce
[  728.605896]  gf128mul
[  728.608250]  aes_arm64
[  728.610692]  scsi_mod
[  728.613046]  sha2_ce
[  728.615313]  xhci_plat_hcd
[  728.618106]  sha256_arm64
[  728.620811]  sha1_ce
[  728.623077]  renesas_usbhs
[  728.625869]  xhci_hcd
[  728.628243]  renesas_usb3
[  728.630948]  sha1_generic
[  728.633670]  ravb_streaming(C)
[  728.636814]  udc_core
[  728.639168]  cpufreq_dt
[  728.641697]  rcar_gen3_thermal
[  728.644840]  usb_dmac
[  728.647194]  pwm_rcar
[  728.649548]  thermal_sys
[  728.652165]  virt_dma
[  728.654519]  mch_core(C)
[  728.657137]  pwm_bl
[  728.659315]  snd_soc_rcar
[  728.662020]  snd_aloop
[  728.664462]  snd_soc_generic_card
[  728.667869]  snd_soc_ak4613
[  728.670749]  ipv6
[  728.672768]  autofs4
[  728.675052] CPU: 0 PID: 2545 Comm: modprobe Tainted: G    B   WC      4.14.47+ #152
[  728.682973] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
[  728.690637] task: ffff8006ced38000 task.stack: ffff8006cf6c0000
[  728.696814] PC is at u_audio_stop_capture+0x70/0x268 [u_audio]
[  728.702896] LR is at u_audio_stop_capture+0x70/0x268 [u_audio]
[  728.708964] pc : [&lt;ffff2000021e1618&gt;] lr : [&lt;ffff2000021e1618&gt;] pstate: 60000145
[  728.716620] sp : ffff8006cf6c7a50
[  728.720154] x29: ffff8006cf6c7a50
[  728.723760] x28: ffff8006ced38000
[  728.727272] x27: ffff200008fd7000
[  728.730857] x26: ffff2000021d2340
[  728.734361] x25: 0000000000000000
[  728.737948] x24: ffff200009e94b08
[  728.741452] x23: 00000000000000a0
[  728.745052] x22: 00000000000000a8
[  728.748558] x21: 1ffff000d9ed8f7c
[  728.752142] x20: ffff8006d671a800
[  728.755646] x19: 0000000000000000
[  728.759231] x18: 0000000000000000
[  728.762736] x17: 0000ffffbc7c8f40
[  728.766320] x16: ffff200008213c4c
[  728.769823] x15: 0000000000000000
[  728.773408] x14: 0720072007200720
[  728.776912] x13: 0720072007200720
[  728.780497] x12: ffffffffffffffff
[  728.784001] x11: 0000000000000040
[  728.787598] x10: 0000000000001600
[  728.791103] x9 : ffff8006cf6c77a0
[  728.794689] x8 : ffff8006ced39660
[  728.798193] x7 : ffff20000811c738
[  728.801794] x6 : 0000000000000000
[  728.805299] x5 : dfff200000000000
[  728.808885] x4 : ffff8006ced38000
[  728.812390] x3 : ffff200008fb46e8
[  728.815976] x2 : 0000000000000007
[  728.819480] x1 : 3ba68643e7431500
[  728.823066] x0 : 0000000000000000
[  728.826574] Process modprobe (pid: 2545, stack limit = 0xffff8006cf6c0000)
[  728.833704] Call trace:
[  728.836292] Exception stack(0xffff8006cf6c7910 to 0xffff8006cf6c7a50)
[  728.842987] 7900:                                   0000000000000000 3ba68643e7431500
[  728.851084] 7920: 0000000000000007 ffff200008fb46e8 ffff8006ced38000 dfff200000000000
[  728.859173] 7940: 0000000000000000 ffff20000811c738 ffff8006ced39660 ffff8006cf6c77a0
[  728.867248] 7960: 0000000000001600 0000000000000040 ffffffffffffffff 0720072007200720
[  728.875323] 7980: 0720072007200720 0000000000000000 ffff200008213c4c 0000ffffbc7c8f40
[  728.883412] 79a0: 0000000000000000 0000000000000000 ffff8006d671a800 1ffff000d9ed8f7c
[  728.891485] 79c0: 00000000000000a8 00000000000000a0 ffff200009e94b08 0000000000000000
[  728.899561] 79e0: ffff2000021d2340 ffff200008fd7000 ffff8006ced38000 ffff8006cf6c7a50
[  728.907636] 7a00: ffff2000021e1618 ffff8006cf6c7a50 ffff2000021e1618 0000000060000145
[  728.915710] 7a20: 0000000000000008 0000000000000000 0000ffffffffffff 3ba68643e7431500
[  728.923780] 7a40: ffff8006cf6c7a50 ffff2000021e1618
[  728.928880] [&lt;ffff2000021e1618&gt;] u_audio_stop_capture+0x70/0x268 [u_audio]
[  728.936032] [&lt;ffff2000021f8b7c&gt;] afunc_disable+0x44/0x60 [usb_f_uac2]
[  728.942822] [&lt;ffff20000218177c&gt;] usb_remove_function+0x9c/0x210 [libcomposite]
[  728.950385] [&lt;ffff200002183320&gt;] remove_config.isra.2+0x1d8/0x218 [libcomposite]
[  728.958134] [&lt;ffff200002186c54&gt;] __composite_unbind+0x104/0x1f8 [libcomposite]
[  728.965689] [&lt;ffff200002186d58&gt;] composite_unbind+0x10/0x18 [libcomposite]
[  728.972882] [&lt;ffff20000152f158&gt;] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
[  728.980522] [&lt;ffff20000153154c&gt;] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
[  728.988638] [&lt;ffff200002180de8&gt;] usb_composite_unregister+0x10/0x18 [libcomposite]
[  728.996472] [&lt;ffff2000021d035c&gt;] audio_driver_exit+0x14/0x28 [g_audio]
[  729.003231] [&lt;ffff200008213ed4&gt;] SyS_delete_module+0x288/0x32c
[  729.009278] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
[  729.015946] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
[  729.024022] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
[  729.032099] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
[  729.040172] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
[  729.048263] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
[  729.056337] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
[  729.064411] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
[  729.072484] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
[  729.080563] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
[  729.088636] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  729.096733] [&lt;ffff200008084780&gt;] el0_svc_naked+0x34/0x38
[  729.102259] Code: 9597d1b3 aa1703e0 9102a276 958792b9 (f9405275)
[  729.108617] ---[ end trace 7560c5fa3d100243 ]---

After this patch is applied, the issue is fixed:
rcar-gen3:/home/root# modprobe g_audio
[   59.217127] g_audio gadget: afunc_bind:565 Error!
[   59.222329] g_audio ee020000.usb: failed to start g_audio: -19
modprobe: ERROR: could not insert 'g_audio': No such device
rcar-gen3:/home/root# modprobe -r g_audio
rcar-gen3:/home/root#

Fixes: f1d3861d63a5 ("usb: gadget: f_uac2: fix error handling at afunc_bind")
Signed-off-by: Eugeniu Rosca &lt;erosca@de.adit-jv.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bug in r8a66597_queue()</title>
<updated>2018-07-17T07:12:51+00:00</updated>
<author>
<name>Jia-Ju Bai</name>
<email>baijiaju1990@gmail.com</email>
</author>
<published>2018-06-20T03:55:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f36b507c14c4b6e634463a610294e9cb0065c8ea'/>
<id>f36b507c14c4b6e634463a610294e9cb0065c8ea</id>
<content type='text'>
The driver may sleep in an interrupt handler.
The function call path (from bottom to top) in Linux-4.16.7 is:

[FUNC] r8a66597_queue(GFP_KERNEL)
drivers/usb/gadget/udc/r8a66597-udc.c, 1193:
		r8a66597_queue in get_status
drivers/usb/gadget/udc/r8a66597-udc.c, 1301:
		get_status in setup_packet
drivers/usb/gadget/udc/r8a66597-udc.c, 1381:
		setup_packet in irq_control_stage
drivers/usb/gadget/udc/r8a66597-udc.c, 1508:
		irq_control_stage in r8a66597_irq (interrupt handler)

To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.

This bug was found by my static analysis tool (DSAC-2) and checked by
my code review.

Signed-off-by: Jia-Ju Bai &lt;baijiaju1990@gmail.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The driver may sleep in an interrupt handler.
The function call path (from bottom to top) in Linux-4.16.7 is:

[FUNC] r8a66597_queue(GFP_KERNEL)
drivers/usb/gadget/udc/r8a66597-udc.c, 1193:
		r8a66597_queue in get_status
drivers/usb/gadget/udc/r8a66597-udc.c, 1301:
		get_status in setup_packet
drivers/usb/gadget/udc/r8a66597-udc.c, 1381:
		setup_packet in irq_control_stage
drivers/usb/gadget/udc/r8a66597-udc.c, 1508:
		irq_control_stage in r8a66597_irq (interrupt handler)

To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.

This bug was found by my static analysis tool (DSAC-2) and checked by
my code review.

Signed-off-by: Jia-Ju Bai &lt;baijiaju1990@gmail.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
