[PATCH 4.4 016/101] USB: dummy-hcd: fix bug in stop_activity (handle ep0)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
	Andrey Konovalov <andreyknvl@google.com>,
	Felipe Balbi <felipe.balbi@linux.intel.com>
Subject: [PATCH 4.4 016/101] USB: dummy-hcd: fix bug in stop_activity (handle ep0)
Date: Tue, 10 Jan 2017 14:36:29 +0100	[thread overview]
Message-ID: <20170110131523.214163418@linuxfoundation.org> (raw)
In-Reply-To: <20170110131522.493717794@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit bcdbeb844773333d2d1c08004f3b3e25921040e5 upstream.

The stop_activity() routine in dummy-hcd is supposed to unlink all
active requests for every endpoint, among other things.  But it
doesn't handle ep0.  As a result, fuzz testing can generate a WARNING
like the following:

WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
 ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
 ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
 [<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
 [<ffffffff830fcb13>] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
 [<ffffffff830ed1b0>] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
 [<ffffffff83225031>] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
 [<ffffffff830ebd8f>] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
 [<ffffffff830ec084>] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357

This patch fixes the problem by iterating over all the endpoints in
the driver's ep array instead of iterating over the gadget's ep_list,
which explicitly leaves out ep0.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/udc/dummy_hcd.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/udc/dummy_hcd.c
+++ b/drivers/usb/gadget/udc/dummy_hcd.c
@@ -330,7 +330,7 @@ static void nuke(struct dummy *dum, stru
 /* caller must hold lock */
 static void stop_activity(struct dummy *dum)
 {
-	struct dummy_ep	*ep;
+	int i;
 
 	/* prevent any more requests */
 	dum->address = 0;
@@ -338,8 +338,8 @@ static void stop_activity(struct dummy *
 	/* The timer is left running so that outstanding URBs can fail */
 
 	/* nuke any pending requests first, so driver i/o is quiesced */
-	list_for_each_entry(ep, &dum->gadget.ep_list, ep.ep_list)
-		nuke(dum, ep);
+	for (i = 0; i < DUMMY_ENDPOINTS; ++i)
+		nuke(dum, &dum->ep[i]);
 
 	/* driver now does any non-usb quiescing necessary */
 }

next prev parent reply	other threads:[~2017-01-10 13:38 UTC|newest]

Thread overview: 100+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CGME20170110134113epcas3p4f03897bb91bfb9896af546cda8d12e7e@epcas3p4.samsung.com>
2017-01-10 13:36 ` [PATCH 4.4 000/101] 4.4.42-stable review Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 001/101] ALSA: hda - Fix up GPIO for ASUS ROG Ranger Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 002/101] ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 003/101] ALSA: usb-audio: Fix irq/process data synchronization Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 004/101] ARM: davinci: da850: dont add emac clock to lookup table twice Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 005/101] mac80211: initialize fast-xmit info later Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 006/101] KVM: x86: reset MMU on KVM_SET_VCPU_EVENTS Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 007/101] KVM: MIPS: Flush KVM entry code from icache globally Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 008/101] usb: musb: core: add clear_ep_rxintr() to musb_platform_ops Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 009/101] usb: musb: dsps: implement clear_ep_rxintr() callback Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 010/101] usb: storage: unusual_uas: Add JMicron JMS56x to unusual device Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 011/101] usb: gadgetfs: restrict upper bound on device configuration size Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 012/101] USB: gadgetfs: fix unbounded memory allocation bug Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 013/101] USB: gadgetfs: fix use-after-free bug Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 014/101] USB: gadgetfs: fix checks of wTotalLength in config descriptors Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 015/101] USB: fix problems with duplicate endpoint addresses Greg Kroah-Hartman
2017-01-10 13:36   ` Greg Kroah-Hartman [this message]
2017-01-10 13:36   ` [PATCH 4.4 017/101] usb: gadget: composite: Test get_alt() presence instead of set_alt() Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 018/101] usb: dwc3: core: avoid Overflow events Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 019/101] usb: xhci: fix possible wild pointer Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 020/101] xhci: workaround for hosts missing CAS bit Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 021/101] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 022/101] xhci: free xhci virtual devices with leaf nodes first Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 023/101] usb: xhci: fix return value of xhci_setup_device() Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 024/101] usb: host: xhci: Fix possible wild pointer when handling abort command Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 025/101] xhci: Handle command completion and timeout race Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 026/101] usb: xhci: hold lock over xhci_abort_cmd_ring() Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 027/101] USB: serial: omninet: fix NULL-derefs at open and disconnect Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 028/101] USB: serial: quatech2: fix sleep-while-atomic in close Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 029/101] USB: serial: pl2303: fix NULL-deref at open Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 030/101] USB: serial: keyspan_pda: verify endpoints at probe Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 031/101] USB: serial: spcp8x5: fix NULL-deref at open Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 032/101] USB: serial: io_ti: " Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 033/101] USB: serial: io_ti: fix another " Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 034/101] USB: serial: io_ti: fix I/O after disconnect Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 035/101] USB: serial: iuu_phoenix: fix NULL-deref at open Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 036/101] USB: serial: garmin_gps: fix memory leak on failed URB submit Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 037/101] USB: serial: ti_usb_3410_5052: fix NULL-deref at open Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 038/101] USB: serial: io_edgeport: " Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 039/101] USB: serial: oti6858: " Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 040/101] USB: serial: cyberjack: " Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 041/101] USB: serial: kobil_sct: fix NULL-deref in write Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 042/101] USB: serial: mos7840: fix NULL-deref at open Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 043/101] USB: serial: mos7720: " Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 044/101] USB: serial: mos7720: fix use-after-free on probe errors Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 045/101] USB: serial: mos7720: fix parport " Greg Kroah-Hartman
2017-01-10 13:36   ` [PATCH 4.4 046/101] USB: serial: mos7720: fix parallel probe Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 047/101] usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 048/101] xhci: Use delayed_work instead of timer for command timeout Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 049/101] xhci: Fix race related to abort operation Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 050/101] usb: dwc3: pci: add Intel Gemini Lake PCI ID Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 051/101] usb: musb: Fix trying to free already-free IRQ 4 Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 054/101] ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 055/101] USB: serial: kl5kusb105: abort on open exception path Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 056/101] ARM: dts: r8a7794: Correct hsusb parent clock Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 057/101] USB: phy: am335x-control: fix device and of_node leaks Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 058/101] USB: serial: io_ti: bind to interface after fw download Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 059/101] mei: bus: fix mei_cldev_enable KDoc Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 060/101] staging: iio: ad7606: fix improper setting of oversampling pins Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 061/101] usb: dwc3: gadget: always unmap EP0 requests Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 062/101] usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb() Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 063/101] usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb() Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 064/101] stable-fixup: hotplug: fix unused function warning Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 065/101] ath10k: use the right length of "background" Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 066/101] cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 067/101] hwmon: (scpi) Fix module autoload Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 068/101] hwmon: (amc6821) sign extension temperature Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 069/101] hwmon: (ds620) Fix overflows seen when writing temperature limits Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 070/101] hwmon: (nct7802) Fix overflows seen when writing into limit attributes Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 071/101] hwmon: (g762) Fix overflows and crash seen when writing " Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 072/101] clk: clk-wm831x: fix a logic error Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 074/101] iommu/amd: Missing error code in amd_iommu_init_device() Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 075/101] iommu/amd: Fix the left value check of cmd buffer Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 076/101] iommu/vt-d: Fix pasid table size encoding Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 077/101] iommu/vt-d: Flush old iommu caches for kdump when the device gets context mapped Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 078/101] ASoC: samsung: i2s: Fixup last IRQ unsafe spin lock call Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 079/101] scsi: mvsas: fix command_active typo Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 080/101] target/iscsi: Fix double free in lio_target_tiqn_addtpg() Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 081/101] irqchip/bcm7038-l1: Implement irq_cpu_offline() callback Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 082/101] PM / wakeirq: Fix dedicated wakeirq for drivers not using autosuspend Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 083/101] mmc: mmc_test: Uninitialized return value Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 084/101] s390/crypto: unlock on error in prng_tdes_read() Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 085/101] crypto: arm64/sha2-ce - fix for big endian Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 086/101] crypto: arm64/ghash-ce " Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 087/101] crypto: arm/aes-ce " Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 088/101] crypto: arm64/aes-ccm-ce: " Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 089/101] crypto: arm64/aes-neon - " Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 090/101] crypto: arm64/sha1-ce " Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 091/101] crypto: arm64/aes-xts-ce: " Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 092/101] crypto: arm64/aes-ce - " Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 093/101] md: MD_RECOVERY_NEEDED is set for mddev->recovery Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 094/101] powerpc/pci/rpadlpar: Fix device reference leaks Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 095/101] staging: comedi: dt282x: tidy up register bit defines Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 096/101] cred/userns: define current_user_ns() as a function Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 097/101] net: ti: cpmac: Fix compiler warning due to type confusion Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 098/101] net: vxge: avoid unused function warnings Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 099/101] [media] cx23885-dvb: move initialization of a8293_pdata Greg Kroah-Hartman
2017-01-10 13:37   ` [PATCH 4.4 101/101] tick/broadcast: Prevent NULL pointer dereference Greg Kroah-Hartman
2017-01-10 17:34   ` [PATCH 4.4 000/101] 4.4.42-stable review Shuah Khan
2017-01-10 22:26   ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170110131523.214163418@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=andreyknvl@google.com \
    --cc=felipe.balbi@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.