1. 02 Aug, 2021 1 commit
    • Yu Chen's avatar
      usb: gadget: Add configfs attribuite for controling match_existing_only · 48cf0b5a
      Yu Chen authored and Ionela Voinescu's avatar Ionela Voinescu committed
      
      
      Currently the "match_existing_only" of usb_gadget_driver in configfs is
      set to one which is not flexible.
      Dwc3 udc will be removed when usb core switch to host mode. This causes
      failure of writing name of dwc3 udc to configfs's UDC attribuite.
      To fix this we need to add a way to change the config of
      "match_existing_only".
      There are systems like Android do not support udev, so adding
      "match_existing_only" attribute to allow configuration by user is cost little.
      This patch adds a configfs attribuite for controling match_existing_only
      which allow user to config "match_existing_only".
      
      Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
      Cc: Felipe Balbi <balbi@kernel.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Binghui Wang <wangbinghui@hisilicon.com>
      Signed-off-by: default avatarYu Chen <chenyu56@huawei.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Change-Id: I49862a4de4e56b235278cddf7a5ec6e30c5f2ec4
      48cf0b5a
  2. 17 Mar, 2021 1 commit
    • Jim Lin's avatar
      usb: gadget: configfs: Fix KASAN use-after-free · 98f153a1
      Jim Lin authored
      
      
      When gadget is disconnected, running sequence is like this.
      . composite_disconnect
      . Call trace:
        usb_string_copy+0xd0/0x128
        gadget_config_name_configuration_store+0x4
        gadget_config_name_attr_store+0x40/0x50
        configfs_write_file+0x198/0x1f4
        vfs_write+0x100/0x220
        SyS_write+0x58/0xa8
      . configfs_composite_unbind
      . configfs_composite_bind
      
      In configfs_composite_bind, it has
      "cn->strings.s = cn->configuration;"
      
      When usb_string_copy is invoked. it would
      allocate memory, copy input string, release previous pointed memory space,
      and use new allocated memory.
      
      When gadget is connected, host sends down request to get information.
      Call trace:
        usb_gadget_get_string+0xec/0x168
        lookup_string+0x64/0x98
        composite_setup+0xa34/0x1ee8
      
      If gadget is disconnected and connected quickly, in the failed case,
      cn->configuration memory has been released by usb_string_copy kfree but
      configfs_composite_bind hasn't been run in time to assign new allocated
      "cn->configuration" pointer to "cn->strings.s".
      
      When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
      memory is accessed, "BUG: KASAN: use-after-free" error occurs.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJim Lin <jilin@nvidia.com>
      Signed-off-by: default avatarMacpaul Lin <macpaul.lin@mediatek.com>
      Link: https://lore.kernel.org/r/1615444961-13376-1-git-send-email-macpaul.lin@mediatek.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98f153a1
  3. 07 Jan, 2021 2 commits
  4. 04 Jan, 2021 2 commits
    • Chandana Kishori Chiluveru's avatar
      usb: gadget: configfs: Preserve function ordering after bind failure · 6cd0fe91
      Chandana Kishori Chiluveru authored
      When binding the ConfigFS gadget to a UDC, the functions in each
      configuration are added in list order. However, if usb_add_function()
      fails, the failed function is put back on its configuration's
      func_list and purge_configs_funcs() is called to further clean up.
      
      purge_configs_funcs() iterates over the configurations and functions
      in forward order, calling unbind() on each of the previously added
      functions. But after doing so, each function gets moved to the
      tail of the configuration's func_list. This results in reshuffling
      the original order of the functions within a configuration such
      that the failed function now appears first even though it may have
      originally appeared in the middle or even end of the list. At this
      point if the ConfigFS gadget is attempted to re-bind to the UDC,
      the functions will be added in a different order than intended,
      with the only recourse being to remove and relink the functions all
      over again.
      
      An example of this as follows:
      
      ln -s functions/mass_storage.0 configs/c.1
      ln -s functions/ncm.0 configs/c.1
      ln -s functions/ffs.adb configs/c.1	# oops, forgot to start adbd
      echo "<udc device>" > UDC		# fails
      start adbd
      echo "<udc device>" > UDC		# now succeeds, but...
      					# bind order is
      					# "ADB", mass_storage, ncm
      
      [30133.118289] configfs-gadget gadget: adding 'Mass Storage Function'/ffffff810af87200 to config 'c'/ffffff817d6a2520
      [30133.119875] configfs-gadget gadget: adding 'cdc_network'/ffffff80f48d1a00 to config 'c'/ffffff817d6a2520
      [30133.119974] using random self ethernet address
      [30133.120002] using random host ethernet address
      [30133.139604] usb0: HOST MAC 3e:27:46:ba:3e:26
      [30133.140015] usb0: MAC 6e:28:7e:42:66:6a
      [30133.140062] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 to config 'c'/ffffff817d6a2520
      [30133.140081] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 --> -19
      [30133.140098] configfs-gadget gadget: unbind function 'Mass Storage Function'/ffffff810af87200
      [30133.140119] configfs-gadget gadget: unbind function 'cdc_network'/ffffff80f48d1a00
      [30133.173201] configfs-gadget a600000.dwc3: failed to start g1: -19
      [30136.661933] init: starting service 'adbd'...
      [30136.700126] read descriptors
      [30136.700413] read strings
      [30138.574484] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 to config 'c'/ffffff817d6a2520
      [30138.575497] configfs-gadget gadget: adding 'Mass Storage Function'/ffffff810af87200 to config 'c'/ffffff817d6a2520
      [30138.575554] configfs-gadget gadget: adding 'cdc_network'/ffffff80f48d1a00 to config 'c'/ffffff817d6a2520
      [30138.575631] using random self ethernet address
      [30138.575660] using random host ethernet address
      [30138.595338] usb0: HOST MAC 2e:cf:43:cd:ca:c8
      [30138.597160] usb0: MAC 6a:f0:9f:ee:82:a0
      [30138.791490] configfs-gadget gadget: super-speed config #1: c
      
      Fix this by reversing the iteration order of the functions in
      purge_config_funcs() when unbinding them, and adding them back to
      the config's func_list at the head instead of the tail. This
      ensures that we unbind and unwind back to the original list order.
      
      Fixes: 88af8bbe
      
       ("usb: gadget: the start of the configfs interface")
      Signed-off-by: default avatarChandana Kishori Chiluveru <cchiluve@codeaurora.org>
      Signed-off-by: default avatarJack Pham <jackp@codeaurora.org>
      Reviewed-by: default avatarPeter Chen <peter.chen@nxp.com>
      Link: https://lore.kernel.org/r/20201229224443.31623-1-jackp@codeaurora.org
      
      
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6cd0fe91
    • Eddie Hung's avatar
      usb: gadget: configfs: Fix use-after-free issue with udc_name · 64e6bbff
      Eddie Hung authored
      
      
      There is a use-after-free issue, if access udc_name
      in function gadget_dev_desc_UDC_store after another context
      free udc_name in function unregister_gadget.
      
      Context 1:
      gadget_dev_desc_UDC_store()->unregister_gadget()->
      free udc_name->set udc_name to NULL
      
      Context 2:
      gadget_dev_desc_UDC_show()-> access udc_name
      
      Call trace:
      dump_backtrace+0x0/0x340
      show_stack+0x14/0x1c
      dump_stack+0xe4/0x134
      print_address_description+0x78/0x478
      __kasan_report+0x270/0x2ec
      kasan_report+0x10/0x18
      __asan_report_load1_noabort+0x18/0x20
      string+0xf4/0x138
      vsnprintf+0x428/0x14d0
      sprintf+0xe4/0x12c
      gadget_dev_desc_UDC_show+0x54/0x64
      configfs_read_file+0x210/0x3a0
      __vfs_read+0xf0/0x49c
      vfs_read+0x130/0x2b4
      SyS_read+0x114/0x208
      el0_svc_naked+0x34/0x38
      
      Add mutex_lock to protect this kind of scenario.
      Signed-off-by: default avatarEddie Hung <eddie.hung@mediatek.com>
      Signed-off-by: default avatarMacpaul Lin <macpaul.lin@mediatek.com>
      Reviewed-by: default avatarPeter Chen <peter.chen@nxp.com>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/1609239215-21819-1-git-send-email-macpaul.lin@mediatek.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64e6bbff
  5. 18 Jun, 2020 1 commit
  6. 15 May, 2020 1 commit
    • Kyungtae Kim's avatar
      USB: gadget: fix illegal array access in binding with UDC · 15753588
      Kyungtae Kim authored
      FuzzUSB (a variant of syzkaller) found an illegal array access
      using an incorrect index while binding a gadget with UDC.
      
      Reference: https://www.spinics.net/lists/linux-usb/msg194331.html
      
      This bug occurs when a size variable used for a buffer
      is misused to access its strcpy-ed buffer.
      Given a buffer along with its size variable (taken from user input),
      from which, a new buffer is created using kstrdup().
      Due to the original buffer containing 0 value in the middle,
      the size of the kstrdup-ed buffer becomes smaller than that of the original.
      So accessing the kstrdup-ed buffer with the same size variable
      triggers memory access violation.
      
      The fix makes sure no zero value in the buffer,
      by comparing the strlen() of the orignal buffer with the size variable,
      so that the access to the kstrdup-ed buffer is safe.
      
      BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200
      drivers/usb/gadget/configfs.c:266
      Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208
      
      CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1
      
      
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xce/0x128 lib/dump_stack.c:118
       print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
       __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:641
       __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
       gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266
       flush_write_buffer fs/configfs/file.c:251 [inline]
       configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
       __vfs_write+0x85/0x110 fs/read_write.c:494
       vfs_write+0x1cd/0x510 fs/read_write.c:558
       ksys_write+0x18a/0x220 fs/read_write.c:611
       __do_sys_write fs/read_write.c:623 [inline]
       __se_sys_write fs/read_write.c:620 [inline]
       __x64_sys_write+0x73/0xb0 fs/read_write.c:620
       do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Signed-off-by: default avatarKyungtae Kim <kt0755@gmail.com>
      Reported-and-tested-by: default avatarKyungtae Kim <kt0755@gmail.com>
      Cc: Felipe Balbi <balbi@kernel.org>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      15753588
  7. 05 May, 2020 1 commit
  8. 15 Jan, 2020 1 commit
  9. 20 Nov, 2019 1 commit
  10. 27 Oct, 2019 1 commit
    • Peter Chen's avatar
      usb: gadget: configfs: fix concurrent issue between composite APIs · 1a1c851b
      Peter Chen authored
      We meet several NULL pointer issues if configfs_composite_unbind
      and composite_setup (or composite_disconnect) are running together.
      These issues occur when do the function switch stress test, the
      configfs_compsoite_unbind is called from user mode by
      echo "" to /sys/../UDC entry, and meanwhile, the setup interrupt
      or disconnect interrupt occurs by hardware. The composite_setup
      will get the cdev from get_gadget_data, but configfs_composite_unbind
      will set gadget data as NULL, so the NULL pointer issue occurs.
      This concurrent is hard to reproduce by native kernel, but can be
      reproduced by android kernel.
      
      In this commit, we introduce one spinlock belongs to structure
      gadget_info since we can't use the same spinlock in usb_composite_dev
      due to exclusive running together between composite_setup and
      configfs_composite_unbind. And one bit flag 'unbind' to indicate the
      code is at unbind routine, this bit is needed due to we release the
      lock at during configfs_composite_unbind sometimes, and composite_setup
      may be run at that time.
      
      Several oops:
      
      oops 1:
      android_work: sent uevent USB_STATE=CONNECTED
      configfs-gadget gadget: super-speed config #1: b
      android_work: sent uevent USB_STATE=CONFIGURED
      init: Received control message 'start' for 'adbd' from pid: 3515 (system_server)
      Unable to handle kernel NULL pointer dereference at virtual address 0000002a
      init: Received control message 'stop' for 'adbd' from pid: 3375 (/vendor/bin/hw/android.hardware.usb@1.1-servic)
      Mem abort info:
        Exception class = DABT (current EL), IL = 32 bits
        SET = 0, FnV = 0
        EA = 0, S1PTW = 0
      Data abort info:
        ISV = 0, ISS = 0x00000004
        CM = 0, WnR = 0
      user pgtable: 4k pages, 48-bit VAs, pgd = ffff8008f1b7f000
      [000000000000002a] *pgd=0000000000000000
      Internal error: Oops: 96000004 [#1
      
      ] PREEMPT SMP
      Modules linked in:
      CPU: 4 PID: 2457 Comm: irq/125-5b11000 Not tainted 4.14.98-07846-g0b40a9b-dirty #16
      Hardware name: Freescale i.MX8QM MEK (DT)
      task: ffff8008f2a98000 task.stack: ffff00000b7b8000
      PC is at composite_setup+0x44/0x1508
      LR is at android_setup+0xb8/0x13c
      pc : [<ffff0000089ffb3c>] lr : [<ffff000008a032fc>] pstate: 800001c5
      sp : ffff00000b7bbb80
      x29: ffff00000b7bbb80 x28: ffff8008f2a3c010
      x27: 0000000000000001 x26: 0000000000000000                                                          [1232/1897]
      audit: audit_lost=25791 audit_rate_limit=5 audit_backlog_limit=64
      x25: 00000000ffffffa1 x24: ffff8008f2a3c010
      audit: rate limit exceeded
      x23: 0000000000000409 x22: ffff000009c8e000
      x21: ffff8008f7a8b428 x20: ffff00000afae000
      x19: ffff0000089ff000 x18: 0000000000000000
      x17: 0000000000000000 x16: ffff0000082b7c9c
      x15: 0000000000000000 x14: f1866f5b952aca46
      x13: e35502e30d44349c x12: 0000000000000008
      x11: 0000000000000008 x10: 0000000000000a30
      x9 : ffff00000b7bbd00 x8 : ffff8008f2a98a90
      x7 : ffff8008f27a9c90 x6 : 0000000000000001
      x5 : 0000000000000000 x4 : 0000000000000001
      x3 : 0000000000000000 x2 : 0000000000000006
      x1 : ffff0000089ff8d0 x0 : 732a010310b9ed00
      
      X7: 0xffff8008f27a9c10:
      9c10  00000002 00000000 00000001 00000000 13110000 ffff0000 00000002 00208040
      9c30  00000000 00000000 00000000 00000000 00000000 00000005 00000029 00000000
      9c50  00051778 00000001 f27a8e00 ffff8008 00000005 00000000 00000078 00000078
      9c70  00000078 00000000 09031d48 ffff0000 00100000 00000000 00400000 00000000
      9c90  00000001 00000000 00000000 00000000 00000000 00000000 ffefb1a0 ffff8008
      9cb0  f27a9ca8 ffff8008 00000000 00000000 b9d88037 00000173 1618a3eb 00000001
      9cd0  870a792a 0000002e 16188fe6 00000001 0000242b 00000000 00000000 00000000
      using random self ethernet address
      9cf0  019a4646 00000000 000547f3 00000000 ecfd6c33 00000002 00000000
      using random host ethernet address
       00000000
      
      X8: 0xffff8008f2a98a10:
      8a10  00000000 00000000 f7788d00 ffff8008 00000001 00000000 00000000 00000000
      8a30  eb218000 ffff8008 f2a98000 ffff8008 f2a98000 ffff8008 09885000 ffff0000
      8a50  f34df480 ffff8008 00000000 00000000 f2a98648 ffff8008 09c8e000 ffff0000
      8a70  fff2c800 ffff8008 09031d48 ffff0000 0b7bbd00 ffff0000 0b7bbd00 ffff0000
      8a90  080861bc ffff0000 00000000 00000000 00000000 00000000 00000000 00000000
      8ab0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8ad0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8af0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      
      X21: 0xffff8008f7a8b3a8:
      b3a8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b3c8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b3e8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b408  00000000 00000000 00000000 00000000 00000000 00000000 00000001 00000000
      b428  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b448  0053004d 00540046 00300031 00010030 eb07b520 ffff8008 20011201 00000003
      b468  e418d109 0104404e 00010302 00000000 eb07b558 ffff8008 eb07b558 ffff8008
      b488  f7a8b488 ffff8008 f7a8b488 ffff8008 f7a8b300 ffff8008 00000000 00000000
      
      X24: 0xffff8008f2a3bf90:
      bf90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      c010  00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
      c030  f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
      c050  f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      c070  f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
      
      X28: 0xffff8008f2a3bf90:
      bf90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      c010  00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
      c030  f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
      c050  f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      c070  f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
      
      Process irq/125-5b11000 (pid: 2457, stack limit = 0xffff00000b7b8000)
      Call trace:
      Exception stack(0xffff00000b7bba40 to 0xffff00000b7bbb80)
      ba40: 732a010310b9ed00 ffff0000089ff8d0 0000000000000006 0000000000000000
      ba60: 0000000000000001 0000000000000000 0000000000000001 ffff8008f27a9c90
      ba80: ffff8008f2a98a90 ffff00000b7bbd00 0000000000000a30 0000000000000008
      baa0: 0000000000000008 e35502e30d44349c f1866f5b952aca46 0000000000000000
      bac0: ffff0000082b7c9c 0000000000000000 0000000000000000 ffff0000089ff000
      bae0: ffff00000afae000 ffff8008f7a8b428 ffff000009c8e000 0000000000000409
      bb00: ffff8008f2a3c010 00000000ffffffa1 0000000000000000 0000000000000001
      bb20: ffff8008f2a3c010 ffff00000b7bbb80 ffff000008a032fc ffff00000b7bbb80
      bb40: ffff0000089ffb3c 00000000800001c5 ffff00000b7bbb80 732a010310b9ed00
      bb60: ffffffffffffffff ffff0000080f777c ffff00000b7bbb80 ffff0000089ffb3c
      [<ffff0000089ffb3c>] composite_setup+0x44/0x1508
      [<ffff000008a032fc>] android_setup+0xb8/0x13c
      [<ffff0000089bd9a8>] cdns3_ep0_delegate_req+0x44/0x70
      [<ffff0000089bdff4>] cdns3_check_ep0_interrupt_proceed+0x33c/0x654
      [<ffff0000089bca44>] cdns3_device_thread_irq_handler+0x4b0/0x4bc
      [<ffff0000089b77b4>] cdns3_thread_irq+0x48/0x68
      [<ffff000008145bf0>] irq_thread_fn+0x28/0x88
      [<ffff000008145e38>] irq_thread+0x13c/0x228
      [<ffff0000080fed70>] kthread+0x104/0x130
      [<ffff000008085064>] ret_from_fork+0x10/0x18
      
      oops2:
      composite_disconnect: Calling disconnect on a Gadget that is                      not connected
      android_work: did not send uevent (0 0           (null))
      init: Received control message 'stop' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
      init: Sending signal 9 to service 'adbd' (pid 22343) process group...
      ------------[ cut here ]------------
      audit: audit_lost=180038 audit_rate_limit=5 audit_backlog_limit=64
      audit: rate limit exceeded
      WARNING: CPU: 0 PID: 3468 at kernel_imx/drivers/usb/gadget/composite.c:2009 composite_disconnect+0x80/0x88
      Modules linked in:
      CPU: 0 PID: 3468 Comm: HWC-UEvent-Thre Not tainted 4.14.98-07846-g0b40a9b-dirty #16
      Hardware name: Freescale i.MX8QM MEK (DT)
      task: ffff8008f2349c00 task.stack: ffff00000b0a8000
      PC is at composite_disconnect+0x80/0x88
      LR is at composite_disconnect+0x80/0x88
      pc : [<ffff0000089ff9b0>] lr : [<ffff0000089ff9b0>] pstate: 600001c5
      sp : ffff000008003dd0
      x29: ffff000008003dd0 x28: ffff8008f2349c00
      x27: ffff000009885018 x26: ffff000008004000
      Timeout for IPC response!
      x25: ffff000009885018 x24: ffff000009c8e280
      x23: ffff8008f2d98010 x22: 00000000000001c0
      x21: ffff8008f2d98394 x20: ffff8008f2d98010
      x19: 0000000000000000 x18: 0000e3956f4f075a
      fxos8700 4-001e: i2c block read acc failed
      x17: 0000e395735727e8 x16: ffff00000829f4d4
      x15: ffffffffffffffff x14: 7463656e6e6f6320
      x13: 746f6e2009090920 x12: 7369207461687420
      x11: 7465676461472061 x10: 206e6f207463656e
      x9 : 6e6f637369642067 x8 : ffff000009c8e280
      x7 : ffff0000086ca6cc x6 : ffff000009f15e78
      x5 : 0000000000000000 x4 : 0000000000000000
      x3 : ffffffffffffffff x2 : c3f28b86000c3900
      x1 : c3f28b86000c3900 x0 : 000000000000004e
      
      X20: 0xffff8008f2d97f90:
      7f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      libprocessgroup: Failed to kill process cgroup uid 0 pid 22343 in 215ms, 1 processes remain
      7fd0
      Timeout for IPC response!
       00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      using random self ethernet address
      7ff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      8010  00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc
      using random host ethernet address
       ffff0000
      8030  f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
      8050  f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      8070  f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
      
      X21: 0xffff8008f2d98314:
      8314  ffff8008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8334  00000000 00000000 00000000 00000000 00000000 08a04cf4 ffff0000 00000000
      8354  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8374  00000000 00000000 00000000 00001001 00000000 00000000 00000000 00000000
      8394  e4bbe4bb 0f230000 ffff0000 0afae000 ffff0000 ae001000 00000000 f206d400
      Timeout for IPC response!
      83b4  ffff8008 00000000 00000000 f7957b18 ffff8008 f7957718 ffff8008 f7957018
      83d4  ffff8008 f7957118 ffff8008 f7957618 ffff8008 f7957818 ffff8008 f7957918
      83f4  ffff8008 f7957d18 ffff8008 00000000 00000000 00000000 00000000 00000000
      
      X23: 0xffff8008f2d97f90:
      7f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7fd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7ff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      8010  00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc ffff0000
      8030  f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
      8050  f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      8070  f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
      
      X28: 0xffff8008f2349b80:
      9b80  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9ba0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9bc0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9be0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9c00  00000022 00000000 ffffffff ffffffff 00010001 00000000 00000000 00000000
      9c20  0b0a8000 ffff0000 00000002 00404040 00000000 00000000 00000000 00000000
      9c40  00000001 00000000 00000001 00000000 001ebd44 00000001 f390b800 ffff8008
      9c60  00000000 00000001 00000070 00000070 00000070 00000000 09031d48 ffff0000
      
      Call trace:
      Exception stack(0xffff000008003c90 to 0xffff000008003dd0)
      3c80:                                   000000000000004e c3f28b86000c3900
      3ca0: c3f28b86000c3900 ffffffffffffffff 0000000000000000 0000000000000000
      3cc0: ffff000009f15e78 ffff0000086ca6cc ffff000009c8e280 6e6f637369642067
      3ce0: 206e6f207463656e 7465676461472061 7369207461687420 746f6e2009090920
      3d00: 7463656e6e6f6320 ffffffffffffffff ffff00000829f4d4 0000e395735727e8
      3d20: 0000e3956f4f075a 0000000000000000 ffff8008f2d98010 ffff8008f2d98394
      3d40: 00000000000001c0 ffff8008f2d98010 ffff000009c8e280 ffff000009885018
      3d60: ffff000008004000 ffff000009885018 ffff8008f2349c00 ffff000008003dd0
      3d80: ffff0000089ff9b0 ffff000008003dd0 ffff0000089ff9b0 00000000600001c5
      3da0: ffff8008f33f2cd8 0000000000000000 0000ffffffffffff 0000000000000000
      init: Received control message 'start' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
      3dc0: ffff000008003dd0 ffff0000089ff9b0
      [<ffff0000089ff9b0>] composite_disconnect+0x80/0x88
      [<ffff000008a044d4>] android_disconnect+0x3c/0x68
      [<ffff0000089ba9f8>] cdns3_device_irq_handler+0xfc/0x2c8
      [<ffff0000089b84c0>] cdns3_irq+0x44/0x94
      [<ffff00000814494c>] __handle_irq_event_percpu+0x60/0x24c
      [<ffff000008144c0c>] handle_irq_event+0x58/0xc0
      [<ffff00000814873c>] handle_fasteoi_irq+0x98/0x180
      [<ffff000008143a10>] generic_handle_irq+0x24/0x38
      [<ffff000008144170>] __handle_domain_irq+0x60/0xac
      [<ffff0000080819c4>] gic_handle_irq+0xd4/0x17c
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      1a1c851b
  11. 22 Oct, 2019 1 commit
    • Peter Chen's avatar
      usb: gadget: configfs: fix concurrent issue between composite APIs · 3654aaa9
      Peter Chen authored
      We meet several NULL pointer issues if configfs_composite_unbind
      and composite_setup (or composite_disconnect) are running together.
      These issues occur when do the function switch stress test, the
      configfs_compsoite_unbind is called from user mode by
      echo "" to /sys/../UDC entry, and meanwhile, the setup interrupt
      or disconnect interrupt occurs by hardware. The composite_setup
      will get the cdev from get_gadget_data, but configfs_composite_unbind
      will set gadget data as NULL, so the NULL pointer issue occurs.
      This concurrent is hard to reproduce by native kernel, but can be
      reproduced by android kernel.
      
      In this commit, we introduce one spinlock belongs to structure
      gadget_info since we can't use the same spinlock in usb_composite_dev
      due to exclusive running together between composite_setup and
      configfs_composite_unbind. And one bit flag 'unbind' to indicate the
      code is at unbind routine, this bit is needed due to we release the
      lock at during configfs_composite_unbind sometimes, and composite_setup
      may be run at that time.
      
      Several oops:
      
      oops 1:
      android_work: sent uevent USB_STATE=CONNECTED
      configfs-gadget gadget: super-speed config #1: b
      android_work: sent uevent USB_STATE=CONFIGURED
      init: Received control message 'start' for 'adbd' from pid: 3515 (system_server)
      Unable to handle kernel NULL pointer dereference at virtual address 0000002a
      init: Received control message 'stop' for 'adbd' from pid: 3375 (/vendor/bin/hw/android.hardware.usb@1.1-servic)
      Mem abort info:
        Exception class = DABT (current EL), IL = 32 bits
        SET = 0, FnV = 0
        EA = 0, S1PTW = 0
      Data abort info:
        ISV = 0, ISS = 0x00000004
        CM = 0, WnR = 0
      user pgtable: 4k pages, 48-bit VAs, pgd = ffff8008f1b7f000
      [000000000000002a] *pgd=0000000000000000
      Internal error: Oops: 96000004 [#1
      
      ] PREEMPT SMP
      Modules linked in:
      CPU: 4 PID: 2457 Comm: irq/125-5b11000 Not tainted 4.14.98-07846-g0b40a9b-dirty #16
      Hardware name: Freescale i.MX8QM MEK (DT)
      task: ffff8008f2a98000 task.stack: ffff00000b7b8000
      PC is at composite_setup+0x44/0x1508
      LR is at android_setup+0xb8/0x13c
      pc : [<ffff0000089ffb3c>] lr : [<ffff000008a032fc>] pstate: 800001c5
      sp : ffff00000b7bbb80
      x29: ffff00000b7bbb80 x28: ffff8008f2a3c010
      x27: 0000000000000001 x26: 0000000000000000                                                          [1232/1897]
      audit: audit_lost=25791 audit_rate_limit=5 audit_backlog_limit=64
      x25: 00000000ffffffa1 x24: ffff8008f2a3c010
      audit: rate limit exceeded
      x23: 0000000000000409 x22: ffff000009c8e000
      x21: ffff8008f7a8b428 x20: ffff00000afae000
      x19: ffff0000089ff000 x18: 0000000000000000
      x17: 0000000000000000 x16: ffff0000082b7c9c
      x15: 0000000000000000 x14: f1866f5b952aca46
      x13: e35502e30d44349c x12: 0000000000000008
      x11: 0000000000000008 x10: 0000000000000a30
      x9 : ffff00000b7bbd00 x8 : ffff8008f2a98a90
      x7 : ffff8008f27a9c90 x6 : 0000000000000001
      x5 : 0000000000000000 x4 : 0000000000000001
      x3 : 0000000000000000 x2 : 0000000000000006
      x1 : ffff0000089ff8d0 x0 : 732a010310b9ed00
      
      X7: 0xffff8008f27a9c10:
      9c10  00000002 00000000 00000001 00000000 13110000 ffff0000 00000002 00208040
      9c30  00000000 00000000 00000000 00000000 00000000 00000005 00000029 00000000
      9c50  00051778 00000001 f27a8e00 ffff8008 00000005 00000000 00000078 00000078
      9c70  00000078 00000000 09031d48 ffff0000 00100000 00000000 00400000 00000000
      9c90  00000001 00000000 00000000 00000000 00000000 00000000 ffefb1a0 ffff8008
      9cb0  f27a9ca8 ffff8008 00000000 00000000 b9d88037 00000173 1618a3eb 00000001
      9cd0  870a792a 0000002e 16188fe6 00000001 0000242b 00000000 00000000 00000000
      using random self ethernet address
      9cf0  019a4646 00000000 000547f3 00000000 ecfd6c33 00000002 00000000
      using random host ethernet address
       00000000
      
      X8: 0xffff8008f2a98a10:
      8a10  00000000 00000000 f7788d00 ffff8008 00000001 00000000 00000000 00000000
      8a30  eb218000 ffff8008 f2a98000 ffff8008 f2a98000 ffff8008 09885000 ffff0000
      8a50  f34df480 ffff8008 00000000 00000000 f2a98648 ffff8008 09c8e000 ffff0000
      8a70  fff2c800 ffff8008 09031d48 ffff0000 0b7bbd00 ffff0000 0b7bbd00 ffff0000
      8a90  080861bc ffff0000 00000000 00000000 00000000 00000000 00000000 00000000
      8ab0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8ad0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8af0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      
      X21: 0xffff8008f7a8b3a8:
      b3a8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b3c8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b3e8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b408  00000000 00000000 00000000 00000000 00000000 00000000 00000001 00000000
      b428  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b448  0053004d 00540046 00300031 00010030 eb07b520 ffff8008 20011201 00000003
      b468  e418d109 0104404e 00010302 00000000 eb07b558 ffff8008 eb07b558 ffff8008
      b488  f7a8b488 ffff8008 f7a8b488 ffff8008 f7a8b300 ffff8008 00000000 00000000
      
      X24: 0xffff8008f2a3bf90:
      bf90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      c010  00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
      c030  f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
      c050  f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      c070  f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
      
      X28: 0xffff8008f2a3bf90:
      bf90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      c010  00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
      c030  f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
      c050  f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      c070  f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
      
      Process irq/125-5b11000 (pid: 2457, stack limit = 0xffff00000b7b8000)
      Call trace:
      Exception stack(0xffff00000b7bba40 to 0xffff00000b7bbb80)
      ba40: 732a010310b9ed00 ffff0000089ff8d0 0000000000000006 0000000000000000
      ba60: 0000000000000001 0000000000000000 0000000000000001 ffff8008f27a9c90
      ba80: ffff8008f2a98a90 ffff00000b7bbd00 0000000000000a30 0000000000000008
      baa0: 0000000000000008 e35502e30d44349c f1866f5b952aca46 0000000000000000
      bac0: ffff0000082b7c9c 0000000000000000 0000000000000000 ffff0000089ff000
      bae0: ffff00000afae000 ffff8008f7a8b428 ffff000009c8e000 0000000000000409
      bb00: ffff8008f2a3c010 00000000ffffffa1 0000000000000000 0000000000000001
      bb20: ffff8008f2a3c010 ffff00000b7bbb80 ffff000008a032fc ffff00000b7bbb80
      bb40: ffff0000089ffb3c 00000000800001c5 ffff00000b7bbb80 732a010310b9ed00
      bb60: ffffffffffffffff ffff0000080f777c ffff00000b7bbb80 ffff0000089ffb3c
      [<ffff0000089ffb3c>] composite_setup+0x44/0x1508
      [<ffff000008a032fc>] android_setup+0xb8/0x13c
      [<ffff0000089bd9a8>] cdns3_ep0_delegate_req+0x44/0x70
      [<ffff0000089bdff4>] cdns3_check_ep0_interrupt_proceed+0x33c/0x654
      [<ffff0000089bca44>] cdns3_device_thread_irq_handler+0x4b0/0x4bc
      [<ffff0000089b77b4>] cdns3_thread_irq+0x48/0x68
      [<ffff000008145bf0>] irq_thread_fn+0x28/0x88
      [<ffff000008145e38>] irq_thread+0x13c/0x228
      [<ffff0000080fed70>] kthread+0x104/0x130
      [<ffff000008085064>] ret_from_fork+0x10/0x18
      
      oops2:
      composite_disconnect: Calling disconnect on a Gadget that is                      not connected
      android_work: did not send uevent (0 0           (null))
      init: Received control message 'stop' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
      init: Sending signal 9 to service 'adbd' (pid 22343) process group...
      ------------[ cut here ]------------
      audit: audit_lost=180038 audit_rate_limit=5 audit_backlog_limit=64
      audit: rate limit exceeded
      WARNING: CPU: 0 PID: 3468 at kernel_imx/drivers/usb/gadget/composite.c:2009 composite_disconnect+0x80/0x88
      Modules linked in:
      CPU: 0 PID: 3468 Comm: HWC-UEvent-Thre Not tainted 4.14.98-07846-g0b40a9b-dirty #16
      Hardware name: Freescale i.MX8QM MEK (DT)
      task: ffff8008f2349c00 task.stack: ffff00000b0a8000
      PC is at composite_disconnect+0x80/0x88
      LR is at composite_disconnect+0x80/0x88
      pc : [<ffff0000089ff9b0>] lr : [<ffff0000089ff9b0>] pstate: 600001c5
      sp : ffff000008003dd0
      x29: ffff000008003dd0 x28: ffff8008f2349c00
      x27: ffff000009885018 x26: ffff000008004000
      Timeout for IPC response!
      x25: ffff000009885018 x24: ffff000009c8e280
      x23: ffff8008f2d98010 x22: 00000000000001c0
      x21: ffff8008f2d98394 x20: ffff8008f2d98010
      x19: 0000000000000000 x18: 0000e3956f4f075a
      fxos8700 4-001e: i2c block read acc failed
      x17: 0000e395735727e8 x16: ffff00000829f4d4
      x15: ffffffffffffffff x14: 7463656e6e6f6320
      x13: 746f6e2009090920 x12: 7369207461687420
      x11: 7465676461472061 x10: 206e6f207463656e
      x9 : 6e6f637369642067 x8 : ffff000009c8e280
      x7 : ffff0000086ca6cc x6 : ffff000009f15e78
      x5 : 0000000000000000 x4 : 0000000000000000
      x3 : ffffffffffffffff x2 : c3f28b86000c3900
      x1 : c3f28b86000c3900 x0 : 000000000000004e
      
      X20: 0xffff8008f2d97f90:
      7f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      libprocessgroup: Failed to kill process cgroup uid 0 pid 22343 in 215ms, 1 processes remain
      7fd0
      Timeout for IPC response!
       00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      using random self ethernet address
      7ff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      8010  00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc
      using random host ethernet address
       ffff0000
      8030  f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
      8050  f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      8070  f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
      
      X21: 0xffff8008f2d98314:
      8314  ffff8008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8334  00000000 00000000 00000000 00000000 00000000 08a04cf4 ffff0000 00000000
      8354  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8374  00000000 00000000 00000000 00001001 00000000 00000000 00000000 00000000
      8394  e4bbe4bb 0f230000 ffff0000 0afae000 ffff0000 ae001000 00000000 f206d400
      Timeout for IPC response!
      83b4  ffff8008 00000000 00000000 f7957b18 ffff8008 f7957718 ffff8008 f7957018
      83d4  ffff8008 f7957118 ffff8008 f7957618 ffff8008 f7957818 ffff8008 f7957918
      83f4  ffff8008 f7957d18 ffff8008 00000000 00000000 00000000 00000000 00000000
      
      X23: 0xffff8008f2d97f90:
      7f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7fd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7ff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      8010  00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc ffff0000
      8030  f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
      8050  f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      8070  f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
      
      X28: 0xffff8008f2349b80:
      9b80  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9ba0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9bc0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9be0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9c00  00000022 00000000 ffffffff ffffffff 00010001 00000000 00000000 00000000
      9c20  0b0a8000 ffff0000 00000002 00404040 00000000 00000000 00000000 00000000
      9c40  00000001 00000000 00000001 00000000 001ebd44 00000001 f390b800 ffff8008
      9c60  00000000 00000001 00000070 00000070 00000070 00000000 09031d48 ffff0000
      
      Call trace:
      Exception stack(0xffff000008003c90 to 0xffff000008003dd0)
      3c80:                                   000000000000004e c3f28b86000c3900
      3ca0: c3f28b86000c3900 ffffffffffffffff 0000000000000000 0000000000000000
      3cc0: ffff000009f15e78 ffff0000086ca6cc ffff000009c8e280 6e6f637369642067
      3ce0: 206e6f207463656e 7465676461472061 7369207461687420 746f6e2009090920
      3d00: 7463656e6e6f6320 ffffffffffffffff ffff00000829f4d4 0000e395735727e8
      3d20: 0000e3956f4f075a 0000000000000000 ffff8008f2d98010 ffff8008f2d98394
      3d40: 00000000000001c0 ffff8008f2d98010 ffff000009c8e280 ffff000009885018
      3d60: ffff000008004000 ffff000009885018 ffff8008f2349c00 ffff000008003dd0
      3d80: ffff0000089ff9b0 ffff000008003dd0 ffff0000089ff9b0 00000000600001c5
      3da0: ffff8008f33f2cd8 0000000000000000 0000ffffffffffff 0000000000000000
      init: Received control message 'start' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
      3dc0: ffff000008003dd0 ffff0000089ff9b0
      [<ffff0000089ff9b0>] composite_disconnect+0x80/0x88
      [<ffff000008a044d4>] android_disconnect+0x3c/0x68
      [<ffff0000089ba9f8>] cdns3_device_irq_handler+0xfc/0x2c8
      [<ffff0000089b84c0>] cdns3_irq+0x44/0x94
      [<ffff00000814494c>] __handle_irq_event_percpu+0x60/0x24c
      [<ffff000008144c0c>] handle_irq_event+0x58/0xc0
      [<ffff00000814873c>] handle_fasteoi_irq+0x98/0x180
      [<ffff000008143a10>] generic_handle_irq+0x24/0x38
      [<ffff000008144170>] __handle_domain_irq+0x60/0xac
      [<ffff0000080819c4>] gic_handle_irq+0xd4/0x17c
      
      Cc: Andrzej Pietrasiewicz <andrzejtp2010@gmail.com>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      3654aaa9
  12. 26 Jul, 2018 1 commit
  13. 04 Nov, 2017 1 commit
  14. 19 Oct, 2017 1 commit
  15. 11 Oct, 2017 1 commit
    • Andrew Gabbasov's avatar
      usb: gadget: configfs: Fix memory leak of interface directory data · ff74745e
      Andrew Gabbasov authored
      Kmemleak checking configuration reports a memory leak in
      usb_os_desc_prepare_interf_dir function when rndis function
      instance is freed and then allocated again. For example, this
      happens with FunctionFS driver with RNDIS function enabled
      when "ffs-test" test application is run several times in a row.
      
      The data for intermediate "os_desc" group for interface directories
      is allocated as a single VLA chunk and (after a change of default
      groups handling) is not ever freed and actually not stored anywhere
      besides inside a list of default groups of a parent group.
      
      The fix is to make usb_os_desc_prepare_interf_dir function return
      a pointer to allocated data (as a pointer to the first VLA item)
      instead of (an unused) integer and to make the caller component
      (currently the only one is RNDIS function) responsible for storing
      the pointer and freeing the memory when appropriate.
      
      Fixes: 1ae1602d
      
       ("configfs: switch ->default groups to a linked list")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAndrew Gabbasov <andrew_gabbasov@mentor.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      ff74745e
  16. 13 Jun, 2017 2 commits
  17. 06 Mar, 2017 1 commit
  18. 01 Dec, 2016 1 commit
    • Andrzej Pietrasiewicz's avatar
      fs: configfs: don't return anything from drop_link · e16769d4
      Andrzej Pietrasiewicz authored
      
      
      Documentation/filesystems/configfs/configfs.txt says:
      
      "When unlink(2) is called on the symbolic link, the source item is
      notified via the ->drop_link() method.  Like the ->drop_item() method,
      this is a void function and cannot return failure."
      
      The ->drop_item() is indeed a void function, the ->drop_link() is
      actually not. This, together with the fact that the value of ->drop_link()
      is silently ignored suggests, that it is the ->drop_link() return
      type that should be corrected and changed to void.
      
      This patch changes drop_link() signature and all its users.
      Signed-off-by: default avatarAndrzej Pietrasiewicz <andrzej.p@samsung.com>
      [hch: reverted reformatting of some code]
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      e16769d4
  19. 31 Aug, 2016 1 commit
  20. 25 Aug, 2016 1 commit
  21. 11 Aug, 2016 1 commit
    • Winter Wang's avatar
      usb: gadget: configfs: add mutex lock before unregister gadget · cee51c33
      Winter Wang authored
      There may be a race condition if f_fs calls unregister_gadget_item in
      ffs_closed() when unregister_gadget is called by UDC store at the same time.
      this leads to a kernel NULL pointer dereference:
      
      [  310.644928] Unable to handle kernel NULL pointer dereference at virtual address 00000004
      [  310.645053] init: Service 'adbd' is being killed...
      [  310.658938] pgd = c9528000
      [  310.662515] [00000004] *pgd=19451831, *pte=00000000, *ppte=00000000
      [  310.669702] Internal error: Oops: 817 [#1
      
      ] PREEMPT SMP ARM
      [  310.675211] Modules linked in:
      [  310.678294] CPU: 0 PID: 1537 Comm: ->transport Not tainted 4.1.15-03725-g793404c #2
      [  310.685958] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      [  310.692493] task: c8e24200 ti: c945e000 task.ti: c945e000
      [  310.697911] PC is at usb_gadget_unregister_driver+0xb4/0xd0
      [  310.703502] LR is at __mutex_lock_slowpath+0x10c/0x16c
      [  310.708648] pc : [<c075efc0>]    lr : [<c0bfb0bc>]    psr: 600f0113
      <snip..>
      [  311.565585] [<c075efc0>] (usb_gadget_unregister_driver) from [<c075e2b8>] (unregister_gadget_item+0x1c/0x34)
      [  311.575426] [<c075e2b8>] (unregister_gadget_item) from [<c076fcc8>] (ffs_closed+0x8c/0x9c)
      [  311.583702] [<c076fcc8>] (ffs_closed) from [<c07736b8>] (ffs_data_reset+0xc/0xa0)
      [  311.591194] [<c07736b8>] (ffs_data_reset) from [<c07738ac>] (ffs_data_closed+0x90/0xd0)
      [  311.599208] [<c07738ac>] (ffs_data_closed) from [<c07738f8>] (ffs_ep0_release+0xc/0x14)
      [  311.607224] [<c07738f8>] (ffs_ep0_release) from [<c023e030>] (__fput+0x80/0x1d0)
      [  311.614635] [<c023e030>] (__fput) from [<c014e688>] (task_work_run+0xb0/0xe8)
      [  311.621788] [<c014e688>] (task_work_run) from [<c010afdc>] (do_work_pending+0x7c/0xa4)
      [  311.629718] [<c010afdc>] (do_work_pending) from [<c010770c>] (work_pending+0xc/0x20)
      
      for functions using functionFS, i.e. android adbd will close /dev/usb-ffs/adb/ep0
      when usb IO thread fails, but switch adb from on to off also triggers write
      "none" > UDC. These 2 operations both call unregister_gadget, which will lead
      to the panic above.
      
      add a mutex before calling unregister_gadget for api used in f_fs.
      Signed-off-by: default avatarWinter Wang <wente.wang@nxp.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      cee51c33
  22. 31 May, 2016 1 commit
  23. 06 Mar, 2016 1 commit
  24. 04 Mar, 2016 1 commit
  25. 16 Dec, 2015 1 commit
  26. 14 Oct, 2015 1 commit
  27. 29 Jul, 2015 1 commit
  28. 17 Jul, 2015 1 commit
    • Nicolas Iooss's avatar
      configfs: fix kernel infoleak through user-controlled format string · 3958b792
      Nicolas Iooss authored
      
      
      Some modules call config_item_init_type_name() and config_group_init_type_name()
      with parameter "name" directly controlled by userspace.  These two
      functions call config_item_set_name() with this name used as a format
      string, which can be used to leak information such as content of the
      stack to userspace.
      
      For example, make_netconsole_target() in netconsole module calls
      config_item_init_type_name() with the name of a newly-created directory.
      This means that the following commands give some unexpected output, with
      configfs mounted in /sys/kernel/config/ and on a system with a
      configured eth0 ethernet interface:
      
          # modprobe netconsole
          # mkdir /sys/kernel/config/netconsole/target_%lx
          # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
          # echo 1 > /sys/kernel/config/netconsole/target_%lx/enabled
          # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
          # dmesg |tail -n1
          [  142.697668] netconsole: target (target_ffffffffc0ae8080) is
          enabled, disable to update parameters
      
      The directory name is correct but %lx has been interpreted in the
      internal item name, displayed here in the error message used by
      store_dev_name() in drivers/net/netconsole.c.
      
      To fix this, update every caller of config_item_set_name to use "%s"
      when operating on untrusted input.
      
      This issue was found using -Wformat-security gcc flag, once a __printf
      attribute has been added to config_item_set_name().
      Signed-off-by: default avatarNicolas Iooss <nicolas.iooss_linux@m4x.org>
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: default avatarFelipe Balbi <balbi@ti.com>
      Acked-by: default avatarJoel Becker <jlbec@evilplan.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3958b792
  29. 27 Apr, 2015 1 commit
    • Krzysztof Opasiak's avatar
      usb: gadget: configfs: Fix interfaces array NULL-termination · 903124fe
      Krzysztof Opasiak authored
      memset() to 0 interfaces array before reusing
      usb_configuration structure.
      
      This commit fix bug:
      
      ln -s functions/acm.1 configs/c.1
      ln -s functions/acm.2 configs/c.1
      ln -s functions/acm.3 configs/c.1
      echo "UDC name" > UDC
      echo "" > UDC
      rm configs/c.1/acm.*
      rmdir functions/*
      mkdir functions/ecm.usb0
      ln -s functions/ecm.usb0 configs/c.1
      echo "UDC name" > UDC
      
      [   82.220969] Unable to handle kernel NULL pointer dereference at virtual address 00000000
      [   82.229009] pgd = c0004000
      [   82.231698] [00000000] *pgd=00000000
      [   82.235260] Internal error: Oops: 17 [#1
      
      ] PREEMPT SMP ARM
      [   82.240638] Modules linked in:
      [   82.243681] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0-rc2 #39
      [   82.249926] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
      [   82.256003] task: c07cd2f0 ti: c07c8000 task.ti: c07c8000
      [   82.261393] PC is at composite_setup+0xe3c/0x1674
      [   82.266073] LR is at composite_setup+0xf20/0x1674
      [   82.270760] pc : [<c03510d4>]    lr : [<c03511b8>]    psr: 600001d3
      [   82.270760] sp : c07c9df0  ip : c0806448  fp : ed8c9c9c
      [   82.282216] r10: 00000001  r9 : 00000000  r8 : edaae918
      [   82.287425] r7 : ed551cc0  r6 : 00007fff  r5 : 00000000  r4 : ed799634
      [   82.293934] r3 : 00000003  r2 : 00010002  r1 : edaae918  r0 : 0000002e
      [   82.300446] Flags: nZCv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment kernel
      [   82.307910] Control: 10c5387d  Table: 6bc1804a  DAC: 00000015
      [   82.313638] Process swapper/0 (pid: 0, stack limit = 0xc07c8210)
      [   82.319627] Stack: (0xc07c9df0 to 0xc07ca000)
      [   82.323969] 9de0:                                     00000000 c06e65f4 00000000 c07c9f68
      [   82.332130] 9e00: 00000067 c07c59ac 000003f7 edaae918 ed8c9c98 ed799690 eca2f140 200001d3
      [   82.340289] 9e20: ee79a2d8 c07c9e88 c07c5304 ffff55db 00010002 edaae810 edaae860 eda96d50
      [   82.348448] 9e40: 00000009 ee264510 00000007 c07ca444 edaae860 c0340890 c0827a40 ffff55e0
      [   82.356607] 9e60: c0827a40 eda96e40 ee264510 edaae810 00000000 edaae860 00000007 c07ca444
      [   82.364766] 9e80: edaae860 c0354170 c03407dc c033db4c edaae810 00000000 00000000 00000010
      [   82.372925] 9ea0: 00000032 c0341670 00000000 00000000 00000001 eda96e00 00000000 00000000
      [   82.381084] 9ec0: 00000000 00000032 c0803a23 ee1aa840 00000001 c005d54c 249e2450 00000000
      [   82.389244] 9ee0: 200001d3 ee1aa840 ee1aa8a0 ed84f4c0 00000000 c07c9f68 00000067 c07c59ac
      [   82.397403] 9f00: 00000000 c005d688 ee1aa840 ee1aa8a0 c07db4b4 c006009c 00000032 00000000
      [   82.405562] 9f20: 00000001 c005ce20 c07c59ac c005cf34 f002000c c07ca780 c07c9f68 00000057
      [   82.413722] 9f40: f0020000 413fc090 00000001 c00086b4 c000f804 60000053 ffffffff c07c9f9c
      [   82.421880] 9f60: c0803a20 c0011fc0 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c
      [   82.430040] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0
      [   82.438199] 9fa0: c000f800 c000f804 60000053 ffffffff 00000000 c0050e70 c0803bc0 c0783bd8
      [   82.446358] 9fc0: ffffffff ffffffff c0783664 00000000 00000000 c07b13e8 00000000 c0803e54
      [   82.454517] 9fe0: c07ca480 c07b13e4 c07ce40c 4000406a 00000000 40008074 00000000 00000000
      [   82.462689] [<c03510d4>] (composite_setup) from [<c0340890>] (s3c_hsotg_complete_setup+0xb4/0x418)
      [   82.471626] [<c0340890>] (s3c_hsotg_complete_setup) from [<c0354170>] (usb_gadget_giveback_request+0xc/0x10)
      [   82.481429] [<c0354170>] (usb_gadget_giveback_request) from [<c033db4c>] (s3c_hsotg_complete_request+0xcc/0x12c)
      [   82.491583] [<c033db4c>] (s3c_hsotg_complete_request) from [<c0341670>] (s3c_hsotg_irq+0x4fc/0x558)
      [   82.500614] [<c0341670>] (s3c_hsotg_irq) from [<c005d54c>] (handle_irq_event_percpu+0x50/0x150)
      [   82.509291] [<c005d54c>] (handle_irq_event_percpu) from [<c005d688>] (handle_irq_event+0x3c/0x5c)
      [   82.518145] [<c005d688>] (handle_irq_event) from [<c006009c>] (handle_fasteoi_irq+0xd4/0x18c)
      [   82.526650] [<c006009c>] (handle_fasteoi_irq) from [<c005ce20>] (generic_handle_irq+0x20/0x30)
      [   82.535242] [<c005ce20>] (generic_handle_irq) from [<c005cf34>] (__handle_domain_irq+0x6c/0xdc)
      [   82.543923] [<c005cf34>] (__handle_domain_irq) from [<c00086b4>] (gic_handle_irq+0x2c/0x6c)
      [   82.552256] [<c00086b4>] (gic_handle_irq) from [<c0011fc0>] (__irq_svc+0x40/0x74)
      [   82.559716] Exception stack(0xc07c9f68 to 0xc07c9fb0)
      [   82.564753] 9f60:                   00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c
      [   82.572913] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0
      [   82.581069] 9fa0: c000f800 c000f804 60000053 ffffffff
      [   82.586113] [<c0011fc0>] (__irq_svc) from [<c000f804>] (arch_cpu_idle+0x30/0x3c)
      [   82.593491] [<c000f804>] (arch_cpu_idle) from [<c0050e70>] (cpu_startup_entry+0x128/0x1a4)
      [   82.601740] [<c0050e70>] (cpu_startup_entry) from [<c0783bd8>] (start_kernel+0x350/0x3bc)
      [   82.609890] Code: 0a000002 e3530005 05975010 15975008 (e5953000)
      [   82.615965] ---[ end trace f57d5f599a5f1bfa ]---
      
      Most of kernel code assume that interface array in
      struct usb_configuration is NULL terminated.
      
      When gadget is composed with configfs configuration
      structure may be reused for different functions set.
      
      This bug happens because purge_configs_funcs() sets
      only next_interface_id to 0. Interface array still
      contains pointers to already freed interfaces. If in
      second try we add less interfaces than earlier we
      may access unallocated memory when trying to get
      interface descriptors.
      Signed-off-by: default avatarKrzysztof Opasiak <k.opasiak@samsung.com>
      Cc: <stable@vger.kernel.org> # 3.10+
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      903124fe
  30. 23 Feb, 2015 1 commit
    • Andrzej Pietrasiewicz's avatar
      usb: gadget: configfs: don't NUL-terminate (sub)compatible ids · a0456399
      Andrzej Pietrasiewicz authored
      The "Extended Compat ID OS Feature Descriptor Specification" does not
      require the (sub)compatible ids to be NUL-terminated, because they
      are placed in a fixed-size buffer and only unused parts of it should
      contain NULs. If the buffer is fully utilized, there is no place for NULs.
      
      Consequently, the code which uses desc->ext_compat_id never expects the
      data contained to be NUL terminated.
      
      If the compatible id is stored after sub-compatible id, and the compatible
      id is full length (8 bytes), the (useless) NUL terminator overwrites the
      first byte of the sub-compatible id.
      
      If the sub-compatible id is full length (8 bytes), the (useless) NUL
      terminator ends up out of the buffer. The situation can happen in the RNDIS
      function, where the buffer is a part of struct f_rndis_opts. The next
      member of struct f_rndis_opts is a mutex, so its first byte gets
      overwritten. The said byte is a part of a mutex'es member which contains
      the information on whether the muext is locked or not. This can lead to a
      deadlock, because, in a configfs-composed gadget when a function is linked
      into a configuration with config_usb_cfg_link(), usb_get_function()
      is called, which then calls rndis_alloc(), which tries locking the same
      mutex and (wrongly) finds it already locked.
      
      This patch eliminates NUL terminating of the (sub)compatible id.
      
      Cc: <stable@vger.kernel.org> # v3.16+
      Fixes: da424314
      
      : "usb: gadget: configfs: OS Extended Compatibility descriptors support"
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarAndrzej Pietrasiewicz <andrzej.p@samsung.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      a0456399
  31. 03 Nov, 2014 2 commits
  32. 09 Sep, 2014 1 commit
  33. 30 Jun, 2014 1 commit
  34. 19 Jun, 2014 2 commits
  35. 14 May, 2014 1 commit
    • Andrzej Pietrasiewicz's avatar
      usb: gadget: configfs: OS Extended Properties descriptors support · 7419485f
      Andrzej Pietrasiewicz authored
      
      
      Add handling of OS Extended Properties descriptors from configfs interface.
      One kind of "OS Descriptors" are "Extended Properties" descriptors, which
      need to be specified per interface or per group of interfaces described
      by an IAD. This patch adds support for creating subdirectories
      in interface.<n> directory located in the function's directory.
      Names of subdirectories created become names of properties.
      Each property contains two attributes: "type" and "data".
      The type can be a numeric value 1..7 while data is a blob interpreted
      depending on the type specified.
      The types are:
      1 - unicode string
      2 - unicode string with environment variables
      3 - binary
      4 - little-endian 32-bit
      5 - big-endian 32-bit
      6 - unicode string with a symbolic link
      7 - multiple unicode strings
      Signed-off-by: default avatarAndrzej Pietrasiewicz <andrzej.p@samsung.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      7419485f