From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: [AUTOSEL,4.19,088/123] usb: gadget: u_ether: fix unsafe list iteration From: Sasha Levin Message-Id: <20181205093555.5386-88-sashal@kernel.org> Date: Wed, 5 Dec 2018 04:35:20 -0500 To: stable@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Marek Szyprowski , Felipe Balbi , Sasha Levin , linux-usb@vger.kernel.org List-ID: RnJvbTogTWFyZWsgU3p5cHJvd3NraSA8bS5zenlwcm93c2tpQHNhbXN1bmcuY29tPgoKWyBVcHN0 cmVhbSBjb21taXQgYzkyODdmYTY1N2IzMzI4YjQ1NDljMGFiMzllYTdmMTk3YTNkNmE1MCBdCgps aXN0X2Zvcl9lYWNoX2VudHJ5X3NhZmUoKSBpcyBub3Qgc2FmZSBmb3IgZGVsZXRpbmcgZW50cmll cyBmcm9tIHRoZQpsaXN0IGlmIHRoZSBzcGluIGxvY2ssIHdoaWNoIHByb3RlY3RzIGl0LCBpcyBy ZWxlYXNlZCBhbmQgcmVhY3F1aXJlZCBkdXJpbmcKdGhlIGxpc3QgaXRlcmF0aW9uLiBGaXggdGhp cyBpc3N1ZSBieSByZXBsYWNpbmcgdGhpcyBjb25zdHJ1Y3Rpb24gd2l0aAphIHNpbXBsZSBjaGVj ayBpZiBsaXN0IGlzIGVtcHR5IGFuZCByZW1vdmluZyB0aGUgZmlyc3QgZW50cnkgaW4gZWFjaApp dGVyYXRpb24uIFRoaXMgaXMgYWxtb3N0IGVxdWl2YWxlbnQgdG8gYSByZXZlcnQgb2YgdGhlIGNv bW1pdCBtZW50aW9uZWQgaW4KdGhlIEZpeGVzOiB0YWcuCgpUaGlzIHBhdGNoIGZpeGVzIGZvbGxv d2luZyBpc3N1ZToKLS0tPjgtLS0KVW5hYmxlIHRvIGhhbmRsZSBrZXJuZWwgTlVMTCBwb2ludGVy IGRlcmVmZXJlbmNlIGF0IHZpcnR1YWwgYWRkcmVzcyAwMDAwMDEwNApwZ2QgPSAocHRydmFsKQpb MDAwMDAxMDRdICpwZ2Q9MDAwMDAwMDAKSW50ZXJuYWwgZXJyb3I6IE9vcHM6IDgxNyBbIzFdIFBS RUVNUFQgU01QIEFSTQpNb2R1bGVzIGxpbmtlZCBpbjoKQ1BVOiAxIFBJRDogODQgQ29tbToga3dv cmtlci8xOjEgTm90IHRhaW50ZWQgNC4yMC4wLXJjMi1uZXh0LTIwMTgxMTE0LTAwMDA5LWc4MjY2 YjM1ZWM0MDQgIzEwNjEKSGFyZHdhcmUgbmFtZTogU0FNU1VORyBFWFlOT1MgKEZsYXR0ZW5lZCBE ZXZpY2UgVHJlZSkKV29ya3F1ZXVlOiBldmVudHMgZXRoX3dvcmsKUEMgaXMgYXQgcnhfZmlsbCsw eDYwLzB4YWMKTFIgaXMgYXQgX3Jhd19zcGluX2xvY2tfaXJxc2F2ZSsweDUwLzB4NWMKcGMgOiBb PGMwNjVmZWUwPl0gICAgbHIgOiBbPGMwYTA1NmI4Pl0gICAgcHNyOiA4MDAwMDA5MwpzcCA6IGVl N2ZiZWU4ICBpcCA6IDAwMDAwMTAwICBmcCA6IDAwMDAwMDAwCnIxMDogMDA2MDAwYzAgIHI5IDog YzEwYjBhYjAgIHI4IDogZWU3ZWI1YzAKcjcgOiBlZTdlYjYxNCAgcjYgOiBlZTdlYjVlYyAgcjUg OiAwMDAwMDBkYyAgcjQgOiBlZTEyYWMwMApyMyA6IGVlMTJhYzI0ICByMiA6IDAwMDAwMjAwICBy MSA6IDYwMDAwMDEzICByMCA6IGVlN2ViNWVjCkZsYWdzOiBOemN2ICBJUlFzIG9mZiAgRklRcyBv biAgTW9kZSBTVkNfMzIgIElTQSBBUk0gIFNlZ21lbnQgbm9uZQpDb250cm9sOiAxMGM1Mzg3ZCAg VGFibGU6IDZkNWRjMDRhICBEQUM6IDAwMDAwMDUxClByb2Nlc3Mga3dvcmtlci8xOjEgKHBpZDog ODQsIHN0YWNrIGxpbWl0ID0gMHgocHRydmFsKSkKU3RhY2s6ICgweGVlN2ZiZWU4IHRvIDB4ZWU3 ZmMwMDApCi4uLgpbPGMwNjVmZWUwPl0gKHJ4X2ZpbGwpIGZyb20gWzxjMDE0M2I3Yz5dIChwcm9j ZXNzX29uZV93b3JrKzB4MjAwLzB4NzM4KQpbPGMwMTQzYjdjPl0gKHByb2Nlc3Nfb25lX3dvcmsp IGZyb20gWzxjMDE0NDExOD5dICh3b3JrZXJfdGhyZWFkKzB4MmMvMHg0YzgpCls8YzAxNDQxMTg+ XSAod29ya2VyX3RocmVhZCkgZnJvbSBbPGMwMTRhOGE0Pl0gKGt0aHJlYWQrMHgxMjgvMHgxNjQp Cls8YzAxNGE4YTQ+XSAoa3RocmVhZCkgZnJvbSBbPGMwMTAxMGI0Pl0gKHJldF9mcm9tX2Zvcmsr MHgxNC8weDIwKQpFeGNlcHRpb24gc3RhY2soMHhlZTdmYmZiMCB0byAweGVlN2ZiZmY4KQouLi4K LS0tWyBlbmQgdHJhY2UgNjQ0ODBiYzgzNWViYTdkNiBdLS0tCgpGaXhlczogZmVhMTRlNjhmZjVl ICgidXNiOiBnYWRnZXQ6IHVfZXRoZXI6IHVzZSBiZXR0ZXIgbGlzdCBhY2Nlc3NvcnMiKQpTaWdu ZWQtb2ZmLWJ5OiBNYXJlayBTenlwcm93c2tpIDxtLnN6eXByb3dza2lAc2Ftc3VuZy5jb20+ClNp Z25lZC1vZmYtYnk6IEZlbGlwZSBCYWxiaSA8ZmVsaXBlLmJhbGJpQGxpbnV4LmludGVsLmNvbT4K ClNpZ25lZC1vZmYtYnk6IFNhc2hhIExldmluIDxzYXNoYWxAa2VybmVsLm9yZz4KLS0tCiBkcml2 ZXJzL3VzYi9nYWRnZXQvZnVuY3Rpb24vdV9ldGhlci5jIHwgMTEgKysrKysrLS0tLS0KIDEgZmls ZSBjaGFuZ2VkLCA2IGluc2VydGlvbnMoKyksIDUgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEv ZHJpdmVycy91c2IvZ2FkZ2V0L2Z1bmN0aW9uL3VfZXRoZXIuYyBiL2RyaXZlcnMvdXNiL2dhZGdl dC9mdW5jdGlvbi91X2V0aGVyLmMKaW5kZXggMTAwMGQ4NjQ5MjljLi4wZjAyNmQ0NDVlMzEgMTAw NjQ0Ci0tLSBhL2RyaXZlcnMvdXNiL2dhZGdldC9mdW5jdGlvbi91X2V0aGVyLmMKKysrIGIvZHJp dmVycy91c2IvZ2FkZ2V0L2Z1bmN0aW9uL3VfZXRoZXIuYwpAQCAtNDAxLDEyICs0MDEsMTIgQEAg c3RhdGljIGludCBhbGxvY19yZXF1ZXN0cyhzdHJ1Y3QgZXRoX2RldiAqZGV2LCBzdHJ1Y3QgZ2V0 aGVyICpsaW5rLCB1bnNpZ25lZCBuKQogc3RhdGljIHZvaWQgcnhfZmlsbChzdHJ1Y3QgZXRoX2Rl diAqZGV2LCBnZnBfdCBnZnBfZmxhZ3MpCiB7CiAJc3RydWN0IHVzYl9yZXF1ZXN0CSpyZXE7Ci0J c3RydWN0IHVzYl9yZXF1ZXN0CSp0bXA7CiAJdW5zaWduZWQgbG9uZwkJZmxhZ3M7CiAKIAkvKiBm aWxsIHVudXNlZCByeHEgc2xvdHMgd2l0aCBzb21lIHNrYiAqLwogCXNwaW5fbG9ja19pcnFzYXZl KCZkZXYtPnJlcV9sb2NrLCBmbGFncyk7Ci0JbGlzdF9mb3JfZWFjaF9lbnRyeV9zYWZlKHJlcSwg dG1wLCAmZGV2LT5yeF9yZXFzLCBsaXN0KSB7CisJd2hpbGUgKCFsaXN0X2VtcHR5KCZkZXYtPnJ4 X3JlcXMpKSB7CisJCXJlcSA9IGxpc3RfZmlyc3RfZW50cnkoJmRldi0+cnhfcmVxcywgc3RydWN0 IHVzYl9yZXF1ZXN0LCBsaXN0KTsKIAkJbGlzdF9kZWxfaW5pdCgmcmVxLT5saXN0KTsKIAkJc3Bp bl91bmxvY2tfaXJxcmVzdG9yZSgmZGV2LT5yZXFfbG9jaywgZmxhZ3MpOwogCkBAIC0xMTI1LDcg KzExMjUsNiBAQCB2b2lkIGdldGhlcl9kaXNjb25uZWN0KHN0cnVjdCBnZXRoZXIgKmxpbmspCiB7 CiAJc3RydWN0IGV0aF9kZXYJCSpkZXYgPSBsaW5rLT5pb3BvcnQ7CiAJc3RydWN0IHVzYl9yZXF1 ZXN0CSpyZXE7Ci0Jc3RydWN0IHVzYl9yZXF1ZXN0CSp0bXA7CiAKIAlXQVJOX09OKCFkZXYpOwog CWlmICghZGV2KQpAQCAtMTE0Miw3ICsxMTQxLDggQEAgdm9pZCBnZXRoZXJfZGlzY29ubmVjdChz dHJ1Y3QgZ2V0aGVyICpsaW5rKQogCSAqLwogCXVzYl9lcF9kaXNhYmxlKGxpbmstPmluX2VwKTsK IAlzcGluX2xvY2soJmRldi0+cmVxX2xvY2spOwotCWxpc3RfZm9yX2VhY2hfZW50cnlfc2FmZShy ZXEsIHRtcCwgJmRldi0+dHhfcmVxcywgbGlzdCkgeworCXdoaWxlICghbGlzdF9lbXB0eSgmZGV2 LT50eF9yZXFzKSkgeworCQlyZXEgPSBsaXN0X2ZpcnN0X2VudHJ5KCZkZXYtPnR4X3JlcXMsIHN0 cnVjdCB1c2JfcmVxdWVzdCwgbGlzdCk7CiAJCWxpc3RfZGVsKCZyZXEtPmxpc3QpOwogCiAJCXNw aW5fdW5sb2NrKCZkZXYtPnJlcV9sb2NrKTsKQEAgLTExNTQsNyArMTE1NCw4IEBAIHZvaWQgZ2V0 aGVyX2Rpc2Nvbm5lY3Qoc3RydWN0IGdldGhlciAqbGluaykKIAogCXVzYl9lcF9kaXNhYmxlKGxp bmstPm91dF9lcCk7CiAJc3Bpbl9sb2NrKCZkZXYtPnJlcV9sb2NrKTsKLQlsaXN0X2Zvcl9lYWNo X2VudHJ5X3NhZmUocmVxLCB0bXAsICZkZXYtPnJ4X3JlcXMsIGxpc3QpIHsKKwl3aGlsZSAoIWxp c3RfZW1wdHkoJmRldi0+cnhfcmVxcykpIHsKKwkJcmVxID0gbGlzdF9maXJzdF9lbnRyeSgmZGV2 LT5yeF9yZXFzLCBzdHJ1Y3QgdXNiX3JlcXVlc3QsIGxpc3QpOwogCQlsaXN0X2RlbCgmcmVxLT5s aXN0KTsKIAogCQlzcGluX3VubG9jaygmZGV2LT5yZXFfbG9jayk7Cg== From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D6BE9C04EBF for ; Wed, 5 Dec 2018 09:40:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9D2C920850 for ; Wed, 5 Dec 2018 09:40:59 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="bxu5Ipc9" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9D2C920850 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728313AbeLEJk6 (ORCPT ); Wed, 5 Dec 2018 04:40:58 -0500 Received: from mail.kernel.org ([198.145.29.99]:45336 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728035AbeLEJky (ORCPT ); Wed, 5 Dec 2018 04:40:54 -0500 Received: from sasha-vm.mshome.net (unknown [213.57.143.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3B1F82084C; Wed, 5 Dec 2018 09:40:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1544002853; bh=2o585oHr03UEwlTDKgYZDjY4+rmRx1l6FzKoi8VeG5A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bxu5Ipc95TCSIcGVz16TAc9tYjVfMxco/ZR6Xpj3eRck2a1rbsyAZb/M/Ehjkdcjo ZF5etGxZKHhSdRxTovz3EwpCS1wznOx02z9FhFsP/lvvP6DGJKcVT7pJxknWuBONDt Bvi8+mVVQN7bIi0oMa5bHnzea4ASW9jzzW9IU6Gg= From: Sasha Levin To: stable@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Marek Szyprowski , Felipe Balbi , Sasha Levin , linux-usb@vger.kernel.org Subject: [PATCH AUTOSEL 4.19 088/123] usb: gadget: u_ether: fix unsafe list iteration Date: Wed, 5 Dec 2018 04:35:20 -0500 Message-Id: <20181205093555.5386-88-sashal@kernel.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181205093555.5386-1-sashal@kernel.org> References: <20181205093555.5386-1-sashal@kernel.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marek Szyprowski [ Upstream commit c9287fa657b3328b4549c0ab39ea7f197a3d6a50 ] list_for_each_entry_safe() is not safe for deleting entries from the list if the spin lock, which protects it, is released and reacquired during the list iteration. Fix this issue by replacing this construction with a simple check if list is empty and removing the first entry in each iteration. This is almost equivalent to a revert of the commit mentioned in the Fixes: tag. This patch fixes following issue: --->8--- Unable to handle kernel NULL pointer dereference at virtual address 00000104 pgd = (ptrval) [00000104] *pgd=00000000 Internal error: Oops: 817 [#1] PREEMPT SMP ARM Modules linked in: CPU: 1 PID: 84 Comm: kworker/1:1 Not tainted 4.20.0-rc2-next-20181114-00009-g8266b35ec404 #1061 Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) Workqueue: events eth_work PC is at rx_fill+0x60/0xac LR is at _raw_spin_lock_irqsave+0x50/0x5c pc : [] lr : [] psr: 80000093 sp : ee7fbee8 ip : 00000100 fp : 00000000 r10: 006000c0 r9 : c10b0ab0 r8 : ee7eb5c0 r7 : ee7eb614 r6 : ee7eb5ec r5 : 000000dc r4 : ee12ac00 r3 : ee12ac24 r2 : 00000200 r1 : 60000013 r0 : ee7eb5ec Flags: Nzcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 6d5dc04a DAC: 00000051 Process kworker/1:1 (pid: 84, stack limit = 0x(ptrval)) Stack: (0xee7fbee8 to 0xee7fc000) ... [] (rx_fill) from [] (process_one_work+0x200/0x738) [] (process_one_work) from [] (worker_thread+0x2c/0x4c8) [] (worker_thread) from [] (kthread+0x128/0x164) [] (kthread) from [] (ret_from_fork+0x14/0x20) Exception stack(0xee7fbfb0 to 0xee7fbff8) ... ---[ end trace 64480bc835eba7d6 ]--- Fixes: fea14e68ff5e ("usb: gadget: u_ether: use better list accessors") Signed-off-by: Marek Szyprowski Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/u_ether.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index 1000d864929c..0f026d445e31 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -401,12 +401,12 @@ static int alloc_requests(struct eth_dev *dev, struct gether *link, unsigned n) static void rx_fill(struct eth_dev *dev, gfp_t gfp_flags) { struct usb_request *req; - struct usb_request *tmp; unsigned long flags; /* fill unused rxq slots with some skb */ spin_lock_irqsave(&dev->req_lock, flags); - list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) { + while (!list_empty(&dev->rx_reqs)) { + req = list_first_entry(&dev->rx_reqs, struct usb_request, list); list_del_init(&req->list); spin_unlock_irqrestore(&dev->req_lock, flags); @@ -1125,7 +1125,6 @@ void gether_disconnect(struct gether *link) { struct eth_dev *dev = link->ioport; struct usb_request *req; - struct usb_request *tmp; WARN_ON(!dev); if (!dev) @@ -1142,7 +1141,8 @@ void gether_disconnect(struct gether *link) */ usb_ep_disable(link->in_ep); spin_lock(&dev->req_lock); - list_for_each_entry_safe(req, tmp, &dev->tx_reqs, list) { + while (!list_empty(&dev->tx_reqs)) { + req = list_first_entry(&dev->tx_reqs, struct usb_request, list); list_del(&req->list); spin_unlock(&dev->req_lock); @@ -1154,7 +1154,8 @@ void gether_disconnect(struct gether *link) usb_ep_disable(link->out_ep); spin_lock(&dev->req_lock); - list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) { + while (!list_empty(&dev->rx_reqs)) { + req = list_first_entry(&dev->rx_reqs, struct usb_request, list); list_del(&req->list); spin_unlock(&dev->req_lock); -- 2.17.1