From: Al Viro <viro@zeniv.linux.org.uk>
To: Macpaul Lin <macpaul.lin@mediatek.com>
Cc: Sasha Levin <sashal@kernel.org>, Shen Jing <jingx.shen@intel.com>,
CC Hwang <cc.hwang@mediatek.com>,
Mediatek WSD Upstream <wsd_upstream@mediatek.com>,
Jerry Zhang <zhangjerry@google.com>,
linux-usb@vger.kernel.org, Loda Chou <loda.chou@mediatek.com>,
linux-kernel@vger.kernel.org,
Andrzej Pietrasiewicz <andrzej.p@collabora.com>,
John Stultz <john.stultz@linaro.org>,
Vincent Pelletier <plr.vincent@gmail.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
linux-mediatek@lists.infradead.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] lib: iov_iter.c: fix a possible calculation error on remaining bytes
Date: Tue, 18 Feb 2020 12:41:42 +0000 [thread overview]
Message-ID: <20200218124142.GJ23230@ZenIV.linux.org.uk> (raw)
In-Reply-To: <1582011672-17189-1-git-send-email-macpaul.lin@mediatek.com>
On Tue, Feb 18, 2020 at 03:41:12PM +0800, Macpaul Lin wrote:
> This issue was found when adbd trying to open functionfs with AIO mode.
> Usually, we need to set "setprop sys.usb.ffs.aio_compat 0" to enable
> adbd with AIO mode on Android.
>
> When adbd is opening functionfs, it will try to read 24 bytes at the
> fisrt read I/O control. If this reading has been failed, adbd will
> try to send FUNCTIONFS_CLEAR_HALT to functionfs. When adbd is in AIO
> mode, functionfs will be acted with asyncronized I/O path. After the
> successful read transfer has been completed by gadget hardware, the
> following series of functions will be called.
> ffs_epfile_async_io_complete() -> ffs_user_copy_worker() ->
> copy_to_iter() -> _copy_to_iter() -> copyout() ->
> iterate_and_advance() -> iterate_iovec()
>
> Adding debug trace to these functions, it has been found that in
> iterate_iovec(), the calculation result of n will be turned into zero.
> n = wanted - n; /* 0 == n = 24 - 24; */
> Which causes copyout() won't copy data to userspace since the length
> to be copied "v.iov_len" will be zero, which isn't correct. This also
> leads ffs_copy_to_iter() always return -EFAULT. Finally adbd cannot
> open functionfs and send FUNCTIONFS_CLEAR_HALT.
>
> Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
> ---
> lib/iov_iter.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index fb29c02c6a3c..f9334144e259 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -36,7 +36,8 @@
> skip = __v.iov_len; \
> n -= __v.iov_len; \
> } \
> - n = wanted - n; \
> + if (n != wanted) \
> + n = wanted - n; \
> }
First of all, nothing in that line can possibly *cause*
copyout() to do anything - it's after the calls of step. What's
more, this changes behaviour only when wanted would've been equal to
n, doesn't it? Which translates into "no decrements of n have
happened at all", i.e. "nothing has been copied". IOW, it's
a consequence of no copyout, not the cause of such. You can
make copy_to_iter() lie and pretend if has copied everything
when it has copied nothing, but that won't change the underlying
bug.
So I'm afraid your debugging is not finished - you
still need to find out what causes the copyout failures and/or
BS iov_iter padded by caller.
_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek
WARNING: multiple messages have this Message-ID (diff)
From: Al Viro <viro@zeniv.linux.org.uk>
To: Macpaul Lin <macpaul.lin@mediatek.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>,
Shen Jing <jingx.shen@intel.com>, Sasha Levin <sashal@kernel.org>,
John Stultz <john.stultz@linaro.org>,
Andrzej Pietrasiewicz <andrzej.p@collabora.com>,
Vincent Pelletier <plr.vincent@gmail.com>,
Jerry Zhang <zhangjerry@google.com>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org,
Mediatek WSD Upstream <wsd_upstream@mediatek.com>,
CC Hwang <cc.hwang@mediatek.com>,
Loda Chou <loda.chou@mediatek.com>
Subject: Re: [PATCH] lib: iov_iter.c: fix a possible calculation error on remaining bytes
Date: Tue, 18 Feb 2020 12:41:42 +0000 [thread overview]
Message-ID: <20200218124142.GJ23230@ZenIV.linux.org.uk> (raw)
In-Reply-To: <1582011672-17189-1-git-send-email-macpaul.lin@mediatek.com>
On Tue, Feb 18, 2020 at 03:41:12PM +0800, Macpaul Lin wrote:
> This issue was found when adbd trying to open functionfs with AIO mode.
> Usually, we need to set "setprop sys.usb.ffs.aio_compat 0" to enable
> adbd with AIO mode on Android.
>
> When adbd is opening functionfs, it will try to read 24 bytes at the
> fisrt read I/O control. If this reading has been failed, adbd will
> try to send FUNCTIONFS_CLEAR_HALT to functionfs. When adbd is in AIO
> mode, functionfs will be acted with asyncronized I/O path. After the
> successful read transfer has been completed by gadget hardware, the
> following series of functions will be called.
> ffs_epfile_async_io_complete() -> ffs_user_copy_worker() ->
> copy_to_iter() -> _copy_to_iter() -> copyout() ->
> iterate_and_advance() -> iterate_iovec()
>
> Adding debug trace to these functions, it has been found that in
> iterate_iovec(), the calculation result of n will be turned into zero.
> n = wanted - n; /* 0 == n = 24 - 24; */
> Which causes copyout() won't copy data to userspace since the length
> to be copied "v.iov_len" will be zero, which isn't correct. This also
> leads ffs_copy_to_iter() always return -EFAULT. Finally adbd cannot
> open functionfs and send FUNCTIONFS_CLEAR_HALT.
>
> Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
> ---
> lib/iov_iter.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index fb29c02c6a3c..f9334144e259 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -36,7 +36,8 @@
> skip = __v.iov_len; \
> n -= __v.iov_len; \
> } \
> - n = wanted - n; \
> + if (n != wanted) \
> + n = wanted - n; \
> }
First of all, nothing in that line can possibly *cause*
copyout() to do anything - it's after the calls of step. What's
more, this changes behaviour only when wanted would've been equal to
n, doesn't it? Which translates into "no decrements of n have
happened at all", i.e. "nothing has been copied". IOW, it's
a consequence of no copyout, not the cause of such. You can
make copy_to_iter() lie and pretend if has copied everything
when it has copied nothing, but that won't change the underlying
bug.
So I'm afraid your debugging is not finished - you
still need to find out what causes the copyout failures and/or
BS iov_iter padded by caller.
WARNING: multiple messages have this Message-ID (diff)
From: Al Viro <viro@zeniv.linux.org.uk>
To: Macpaul Lin <macpaul.lin@mediatek.com>
Cc: Sasha Levin <sashal@kernel.org>, Shen Jing <jingx.shen@intel.com>,
CC Hwang <cc.hwang@mediatek.com>,
Mediatek WSD Upstream <wsd_upstream@mediatek.com>,
Jerry Zhang <zhangjerry@google.com>,
linux-usb@vger.kernel.org, Loda Chou <loda.chou@mediatek.com>,
linux-kernel@vger.kernel.org,
Andrzej Pietrasiewicz <andrzej.p@collabora.com>,
John Stultz <john.stultz@linaro.org>,
Vincent Pelletier <plr.vincent@gmail.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
linux-mediatek@lists.infradead.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] lib: iov_iter.c: fix a possible calculation error on remaining bytes
Date: Tue, 18 Feb 2020 12:41:42 +0000 [thread overview]
Message-ID: <20200218124142.GJ23230@ZenIV.linux.org.uk> (raw)
In-Reply-To: <1582011672-17189-1-git-send-email-macpaul.lin@mediatek.com>
On Tue, Feb 18, 2020 at 03:41:12PM +0800, Macpaul Lin wrote:
> This issue was found when adbd trying to open functionfs with AIO mode.
> Usually, we need to set "setprop sys.usb.ffs.aio_compat 0" to enable
> adbd with AIO mode on Android.
>
> When adbd is opening functionfs, it will try to read 24 bytes at the
> fisrt read I/O control. If this reading has been failed, adbd will
> try to send FUNCTIONFS_CLEAR_HALT to functionfs. When adbd is in AIO
> mode, functionfs will be acted with asyncronized I/O path. After the
> successful read transfer has been completed by gadget hardware, the
> following series of functions will be called.
> ffs_epfile_async_io_complete() -> ffs_user_copy_worker() ->
> copy_to_iter() -> _copy_to_iter() -> copyout() ->
> iterate_and_advance() -> iterate_iovec()
>
> Adding debug trace to these functions, it has been found that in
> iterate_iovec(), the calculation result of n will be turned into zero.
> n = wanted - n; /* 0 == n = 24 - 24; */
> Which causes copyout() won't copy data to userspace since the length
> to be copied "v.iov_len" will be zero, which isn't correct. This also
> leads ffs_copy_to_iter() always return -EFAULT. Finally adbd cannot
> open functionfs and send FUNCTIONFS_CLEAR_HALT.
>
> Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
> ---
> lib/iov_iter.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index fb29c02c6a3c..f9334144e259 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -36,7 +36,8 @@
> skip = __v.iov_len; \
> n -= __v.iov_len; \
> } \
> - n = wanted - n; \
> + if (n != wanted) \
> + n = wanted - n; \
> }
First of all, nothing in that line can possibly *cause*
copyout() to do anything - it's after the calls of step. What's
more, this changes behaviour only when wanted would've been equal to
n, doesn't it? Which translates into "no decrements of n have
happened at all", i.e. "nothing has been copied". IOW, it's
a consequence of no copyout, not the cause of such. You can
make copy_to_iter() lie and pretend if has copied everything
when it has copied nothing, but that won't change the underlying
bug.
So I'm afraid your debugging is not finished - you
still need to find out what causes the copyout failures and/or
BS iov_iter padded by caller.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-02-18 12:44 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-18 7:41 [PATCH] lib: iov_iter.c: fix a possible calculation error on remaining bytes Macpaul Lin
2020-02-18 7:41 ` Macpaul Lin
2020-02-18 7:41 ` Macpaul Lin
2020-02-18 12:41 ` Al Viro [this message]
2020-02-18 12:41 ` Al Viro
2020-02-18 12:41 ` Al Viro
2020-02-23 13:15 ` Macpaul Lin
2020-02-23 13:15 ` Macpaul Lin
2020-02-23 13:15 ` Macpaul Lin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200218124142.GJ23230@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=andrzej.p@collabora.com \
--cc=cc.hwang@mediatek.com \
--cc=jingx.shen@intel.com \
--cc=john.stultz@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-usb@vger.kernel.org \
--cc=loda.chou@mediatek.com \
--cc=macpaul.lin@mediatek.com \
--cc=matthias.bgg@gmail.com \
--cc=plr.vincent@gmail.com \
--cc=sashal@kernel.org \
--cc=wsd_upstream@mediatek.com \
--cc=zhangjerry@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.