From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Fei Yang <fei.yang@intel.com>,
Manu Gautam <mgautam@codeaurora.org>,
John Stultz <john.stultz@linaro.org>,
Felipe Balbi <felipe.balbi@linux.intel.com>,
Sasha Levin <sashal@kernel.org>,
linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 5.1 031/375] usb: gadget: f_fs: don't free buffer prematurely
Date: Wed, 22 May 2019 15:15:31 -0400
Message-ID: <20190522192115.22666-31-sashal@kernel.org>
In-Reply-To: <20190522192115.22666-1-sashal@kernel.org>
From: Fei Yang <fei.yang@intel.com>
[ Upstream commit 73103c7f958b99561555c3bd1bc1a0809e0b7d61 ]
The following kernel panic happens because the io_data buffer gets deallocated
before the async io is completed. Add a check for the case where the io_data buffer
should be deallocated by ffs_user_copy_worker.
[ 41.663334] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
[ 41.672099] #PF error: [normal kernel read fault]
[ 41.677356] PGD 20c974067 P4D 20c974067 PUD 20c973067 PMD 0
[ 41.683687] Oops: 0000 [#1] PREEMPT SMP
[ 41.687976] CPU: 1 PID: 7 Comm: kworker/u8:0 Tainted: G U 5.0.0-quilt-2e5dc0ac-00790-gd8c79f2-dirty #2
[ 41.705309] Workqueue: adb ffs_user_copy_worker
[ 41.705316] RIP: 0010:__vunmap+0x2a/0xc0
[ 41.705318] Code: 0f 1f 44 00 00 48 85 ff 0f 84 87 00 00 00 55 f7 c7 ff 0f 00 00 48 89 e5 41 55 41 89 f5 41 54 53 48 89 fb 75 71 e8 56 d7 ff ff <4c> 8b 60 48 4d 85 e4 74 76 48 89 df e8 25 ff ff ff 45 85 ed 74 46
[ 41.705320] RSP: 0018:ffffbc3a40053df0 EFLAGS: 00010286
[ 41.705322] RAX: 0000000000000000 RBX: ffffbc3a406f1000 RCX: 0000000000000000
[ 41.705323] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff
[ 41.705324] RBP: ffffbc3a40053e08 R08: 000000000001fb79 R09: 0000000000000037
[ 41.705325] R10: ffffbc3a40053b68 R11: ffffbc3a40053cad R12: fffffffffffffff2
[ 41.705326] R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffffffffff
[ 41.705328] FS: 0000000000000000(0000) GS:ffff9e2977a80000(0000) knlGS:0000000000000000
[ 41.705329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.705330] CR2: 0000000000000048 CR3: 000000020c994000 CR4: 00000000003406e0
[ 41.705331] Call Trace:
[ 41.705338] vfree+0x50/0xb0
[ 41.705341] ffs_user_copy_worker+0xe9/0x1c0
[ 41.705344] process_one_work+0x19f/0x3e0
[ 41.705348] worker_thread+0x3f/0x3b0
[ 41.829766] kthread+0x12b/0x150
[ 41.833371] ? process_one_work+0x3e0/0x3e0
[ 41.838045] ? kthread_create_worker_on_cpu+0x70/0x70
[ 41.843695] ret_from_fork+0x3a/0x50
[ 41.847689] Modules linked in: hci_uart bluetooth ecdh_generic rfkill_gpio dwc3_pci dwc3 snd_usb_audio mei_me tpm_crb snd_usbmidi_lib xhci_pci xhci_hcd mei tpm snd_hwdep cfg80211 snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_hda_core videobuf2_dma_sg crlmodule
[ 41.876880] CR2: 0000000000000048
[ 41.880584] ---[ end trace 2bc4addff0f2e673 ]---
[ 41.891346] RIP: 0010:__vunmap+0x2a/0xc0
[ 41.895734] Code: 0f 1f 44 00 00 48 85 ff 0f 84 87 00 00 00 55 f7 c7 ff 0f 00 00 48 89 e5 41 55 41 89 f5 41 54 53 48 89 fb 75 71 e8 56 d7 ff ff <4c> 8b 60 48 4d 85 e4 74 76 48 89 df e8 25 ff ff ff 45 85 ed 74 46
[ 41.916740] RSP: 0018:ffffbc3a40053df0 EFLAGS: 00010286
[ 41.922583] RAX: 0000000000000000 RBX: ffffbc3a406f1000 RCX: 0000000000000000
[ 41.930563] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff
[ 41.938540] RBP: ffffbc3a40053e08 R08: 000000000001fb79 R09: 0000000000000037
[ 41.946520] R10: ffffbc3a40053b68 R11: ffffbc3a40053cad R12: fffffffffffffff2
[ 41.954502] R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffffffffff
[ 41.962482] FS: 0000000000000000(0000) GS:ffff9e2977a80000(0000) knlGS:0000000000000000
[ 41.971536] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.977960] CR2: 0000000000000048 CR3: 000000020c994000 CR4: 00000000003406e0
[ 41.985930] Kernel panic - not syncing: Fatal exception
[ 41.991817] Kernel Offset: 0x16000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 42.009525] Rebooting in 10 seconds..
[ 52.014376] ACPI MEMORY or I/O RESET_REG.
Fixes: 772a7a724f69 ("usb: gadget: f_fs: Allow scatter-gather buffers")
Signed-off-by: Fei Yang <fei.yang@intel.com>
Reviewed-by: Manu Gautam <mgautam@codeaurora.org>
Tested-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_fs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 20413c276c616..47be961f1bf3f 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1133,7 +1133,8 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
error_mutex:
mutex_unlock(&epfile->mutex);
error:
- ffs_free_buffer(io_data);
+ if (ret != -EIOCBQUEUED) /* don't free if there is iocb queued */
+ ffs_free_buffer(io_data);
return ret;
}
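Review bot: the `ret != -EIOCBQUEUED` test at the shared `error:` label ties the free to a return value rather than to an explicit ownership flag, so it is correct only if every path that reaches `error:` with `ret == -EIOCBQUEUED` has in fact handed `io_data` to the completion side (the commit message names ffs_user_copy_worker as the one that then frees it) and no path reports -EIOCBQUEUED while still owning the buffer. A one-line comment at the label stating that ownership of io_data passes to the worker once the iocb is queued would make that invariant visible to the next person touching this function; the inline `/* don't free if there is iocb queued */` could also say who frees instead, e.g. `/* queued: ffs_user_copy_worker frees io_data */`.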
--
2.20.1
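Added example, not part of the patch above and not code from f_fs.c: a small user-space C model of the ownership hand-off that the fix encodes. Once a submission returns -EIOCBQUEUED, the asynchronous completion owns the buffer and frees it (the role the commit message assigns to ffs_user_copy_worker); on every other outcome, including the error path, the submitter still owns the buffer and must free it. The model runs the "before" and "after" versions of the exit path through a completion and counts double frees and leaks instead of letting a real heap get corrupted. Every name in it (io_data, submit_io, completion_worker, epfile_io_before, epfile_io_after, run_scenario) is a hypothetical stand-in, and the EIOCBQUEUED value is defined locally because user-space errno.h does not carry it.

```c
/* Added example, not code from f_fs.c: a user-space model of the ownership
 * hand-off the fix above relies on. A submit path that returns -EIOCBQUEUED
 * has handed its buffer to an asynchronous completion, which then owns the
 * free; on every other outcome the submitter still owns it. All names here
 * (io_data, submit_io, completion_worker, epfile_io_*) are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#define EIOCBQUEUED 529	/* kernel-internal errno; user-space errno.h lacks it */

/* Instrumented buffer: a second free is counted, not left to corrupt a heap. */
struct io_data {
	bool live;	/* allocated and not yet freed */
};
struct result {
	int double_frees;	/* frees of an already-freed buffer */
	int leaks;		/* buffers still live after completion ran */
};

static struct io_data buf;	/* one buffer suffices to show the hand-off */
static struct io_data *queued;	/* one-deep completion queue */
static int double_frees;

static struct io_data *io_alloc(void)
{
	buf.live = true;
	return &buf;
}

static void io_free(struct io_data *io)
{
	if (!io->live) {
		double_frees++;	/* the bug's signature */
		return;
	}
	io->live = false;
}

/* Submission fails, completes inline, or is queued for async completion. */
static int submit_io(struct io_data *io, bool async, bool fail)
{
	if (fail)
		return -EINVAL;	/* nothing queued; submitter still owns io */
	if (!async)
		return 0;	/* done inline; submitter still owns io */
	queued = io;		/* ownership moves to the completion path */
	return -EIOCBQUEUED;
}

/* The role the commit message gives ffs_user_copy_worker: the completion
 * side frees the buffer it was handed. */
static void completion_worker(void)
{
	if (queued)
		io_free(queued);
	queued = NULL;
}

/* "Before": the shared error label frees on every exit, queued or not. */
static int epfile_io_before(bool async, bool fail)
{
	struct io_data *io = io_alloc();
	int ret = submit_io(io, async, fail);
	io_free(io);
	return ret;
}

/* "After": skip the free exactly when the iocb was queued. */
static int epfile_io_after(bool async, bool fail)
{
	struct io_data *io = io_alloc();
	int ret = submit_io(io, async, fail);
	if (ret != -EIOCBQUEUED)	/* completion path owns the buffer now */
		io_free(io);
	return ret;
}

/* Run one scenario through completion and report what went wrong. */
static struct result run_scenario(int (*fn)(bool, bool), bool async, bool fail)
{
	struct result r;
	buf.live = false;
	queued = NULL;
	double_frees = 0;
	fn(async, fail);
	completion_worker();
	r.double_frees = double_frees;
	r.leaks = buf.live;
	return r;
}

int main(void)
{
	struct result b = run_scenario(epfile_io_before, true, false);
	struct result a = run_scenario(epfile_io_after, true, false);
	printf("async: before fix double frees=%d leaks=%d, after fix double frees=%d leaks=%d\n",
	       b.double_frees, b.leaks, a.double_frees, a.leaks);
	return 0;
}
```

The scenario worth checking beyond the async one is the failed submission: the "after" version still frees there, because -EINVAL is not -EIOCBQUEUED, so the conditional keeps the error-path free the original `error:` label existed for and drops it only when the completion side has taken over.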