From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eugeniu Rosca <erosca@de.adit-jv.com>,
Felipe Balbi <felipe.balbi@linux.intel.com>,
Guenter Roeck <linux@roeck-us.net>
Subject: [PATCH 4.4 02/36] usb: gadget: f_uac2: fix error handling in afunc_bind (again)
Date: Tue, 9 Jun 2020 19:44:02 +0200 [thread overview]
Message-ID: <20200609173933.429375672@linuxfoundation.org> (raw)
In-Reply-To: <20200609173933.288044334@linuxfoundation.org>
From: Eugeniu Rosca <erosca@de.adit-jv.com>
commit e87581fe0509020f77ebf0b7c4c1c338c6a4bcf6 upstream.
If usb_ep_autoconfig() fails (i.e. returns a null endpoint descriptor),
we expect afunc_bind() to fail (i.e. return a negative error code).
However, due to v4.10-rc1 commit f1d3861d63a5 ("usb: gadget: f_uac2: fix
error handling at afunc_bind"), afunc_bind() returns zero, telling the
caller that it succeeded. This then generates NULL pointer dereference
in below scenario on Rcar H3-ES20-Salvator-X target:
rcar-gen3:/home/root# modprobe g_audio
[ 626.521155] g_audio gadget: afunc_bind:565 Error!
[ 626.526319] g_audio gadget: Linux USB Audio Gadget, version: Feb 2, 2012
[ 626.533405] g_audio gadget: g_audio ready
rcar-gen3:/home/root#
rcar-gen3:/home/root# modprobe -r g_audio
[ 728.256707] ==================================================================
[ 728.264293] BUG: KASAN: null-ptr-deref in u_audio_stop_capture+0x70/0x268 [u_audio]
[ 728.272244] Read of size 8 at addr 00000000000000a0 by task modprobe/2545
[ 728.279309]
[ 728.280849] CPU: 0 PID: 2545 Comm: modprobe Tainted: G WC 4.14.47+ #152
[ 728.288778] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
[ 728.296454] Call trace:
[ 728.299151] [<ffff2000080925ac>] dump_backtrace+0x0/0x364
[ 728.304808] [<ffff200008092924>] show_stack+0x14/0x1c
[ 728.310081] [<ffff200008f8d5cc>] dump_stack+0x108/0x174
[ 728.315522] [<ffff2000083c77c8>] kasan_report+0x1fc/0x354
[ 728.321134] [<ffff2000083c611c>] __asan_load8+0x24/0x94
[ 728.326600] [<ffff2000021e1618>] u_audio_stop_capture+0x70/0x268 [u_audio]
[ 728.333735] [<ffff2000021f8b7c>] afunc_disable+0x44/0x60 [usb_f_uac2]
[ 728.340503] [<ffff20000218177c>] usb_remove_function+0x9c/0x210 [libcomposite]
[ 728.348060] [<ffff200002183320>] remove_config.isra.2+0x1d8/0x218 [libcomposite]
[ 728.355788] [<ffff200002186c54>] __composite_unbind+0x104/0x1f8 [libcomposite]
[ 728.363339] [<ffff200002186d58>] composite_unbind+0x10/0x18 [libcomposite]
[ 728.370536] [<ffff20000152f158>] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
[ 728.378172] [<ffff20000153154c>] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
[ 728.386274] [<ffff200002180de8>] usb_composite_unregister+0x10/0x18 [libcomposite]
[ 728.394116] [<ffff2000021d035c>] audio_driver_exit+0x14/0x28 [g_audio]
[ 728.400878] [<ffff200008213ed4>] SyS_delete_module+0x288/0x32c
[ 728.406935] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
[ 728.413624] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
[ 728.421718] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
[ 728.429792] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
[ 728.437870] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
[ 728.445952] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
[ 728.454035] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
[ 728.462114] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
[ 728.470190] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
[ 728.478281] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
[ 728.486351] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 728.494434] [<ffff200008084780>] el0_svc_naked+0x34/0x38
[ 728.499957] ==================================================================
[ 728.507801] Unable to handle kernel NULL pointer dereference at virtual address 000000a0
[ 728.517742] Mem abort info:
[ 728.520993] Exception class = DABT (current EL), IL = 32 bits
[ 728.527375] SET = 0, FnV = 0
[ 728.530731] EA = 0, S1PTW = 0
[ 728.534361] Data abort info:
[ 728.537650] ISV = 0, ISS = 0x00000006
[ 728.541863] CM = 0, WnR = 0
[ 728.545167] user pgtable: 4k pages, 48-bit VAs, pgd = ffff8006c6100000
[ 728.552156] [00000000000000a0] *pgd=0000000716a8d003
[ 728.557519] , *pud=00000007116fc003
[ 728.561259] , *pmd=0000000000000000
[ 728.564985] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[ 728.570815] Modules linked in:
[ 728.574023] usb_f_uac2
[ 728.576560] u_audio
[ 728.578827] g_audio(-)
[ 728.581361] libcomposite
[ 728.584071] configfs
[ 728.586428] aes_ce_blk
[ 728.588960] sata_rcar
[ 728.591421] crypto_simd
[ 728.594039] cryptd
[ 728.596217] libata
[ 728.598396] aes_ce_cipher
[ 728.601188] crc32_ce
[ 728.603542] ghash_ce
[ 728.605896] gf128mul
[ 728.608250] aes_arm64
[ 728.610692] scsi_mod
[ 728.613046] sha2_ce
[ 728.615313] xhci_plat_hcd
[ 728.618106] sha256_arm64
[ 728.620811] sha1_ce
[ 728.623077] renesas_usbhs
[ 728.625869] xhci_hcd
[ 728.628243] renesas_usb3
[ 728.630948] sha1_generic
[ 728.633670] ravb_streaming(C)
[ 728.636814] udc_core
[ 728.639168] cpufreq_dt
[ 728.641697] rcar_gen3_thermal
[ 728.644840] usb_dmac
[ 728.647194] pwm_rcar
[ 728.649548] thermal_sys
[ 728.652165] virt_dma
[ 728.654519] mch_core(C)
[ 728.657137] pwm_bl
[ 728.659315] snd_soc_rcar
[ 728.662020] snd_aloop
[ 728.664462] snd_soc_generic_card
[ 728.667869] snd_soc_ak4613
[ 728.670749] ipv6
[ 728.672768] autofs4
[ 728.675052] CPU: 0 PID: 2545 Comm: modprobe Tainted: G B WC 4.14.47+ #152
[ 728.682973] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
[ 728.690637] task: ffff8006ced38000 task.stack: ffff8006cf6c0000
[ 728.696814] PC is at u_audio_stop_capture+0x70/0x268 [u_audio]
[ 728.702896] LR is at u_audio_stop_capture+0x70/0x268 [u_audio]
[ 728.708964] pc : [<ffff2000021e1618>] lr : [<ffff2000021e1618>] pstate: 60000145
[ 728.716620] sp : ffff8006cf6c7a50
[ 728.720154] x29: ffff8006cf6c7a50
[ 728.723760] x28: ffff8006ced38000
[ 728.727272] x27: ffff200008fd7000
[ 728.730857] x26: ffff2000021d2340
[ 728.734361] x25: 0000000000000000
[ 728.737948] x24: ffff200009e94b08
[ 728.741452] x23: 00000000000000a0
[ 728.745052] x22: 00000000000000a8
[ 728.748558] x21: 1ffff000d9ed8f7c
[ 728.752142] x20: ffff8006d671a800
[ 728.755646] x19: 0000000000000000
[ 728.759231] x18: 0000000000000000
[ 728.762736] x17: 0000ffffbc7c8f40
[ 728.766320] x16: ffff200008213c4c
[ 728.769823] x15: 0000000000000000
[ 728.773408] x14: 0720072007200720
[ 728.776912] x13: 0720072007200720
[ 728.780497] x12: ffffffffffffffff
[ 728.784001] x11: 0000000000000040
[ 728.787598] x10: 0000000000001600
[ 728.791103] x9 : ffff8006cf6c77a0
[ 728.794689] x8 : ffff8006ced39660
[ 728.798193] x7 : ffff20000811c738
[ 728.801794] x6 : 0000000000000000
[ 728.805299] x5 : dfff200000000000
[ 728.808885] x4 : ffff8006ced38000
[ 728.812390] x3 : ffff200008fb46e8
[ 728.815976] x2 : 0000000000000007
[ 728.819480] x1 : 3ba68643e7431500
[ 728.823066] x0 : 0000000000000000
[ 728.826574] Process modprobe (pid: 2545, stack limit = 0xffff8006cf6c0000)
[ 728.833704] Call trace:
[ 728.836292] Exception stack(0xffff8006cf6c7910 to 0xffff8006cf6c7a50)
[ 728.842987] 7900: 0000000000000000 3ba68643e7431500
[ 728.851084] 7920: 0000000000000007 ffff200008fb46e8 ffff8006ced38000 dfff200000000000
[ 728.859173] 7940: 0000000000000000 ffff20000811c738 ffff8006ced39660 ffff8006cf6c77a0
[ 728.867248] 7960: 0000000000001600 0000000000000040 ffffffffffffffff 0720072007200720
[ 728.875323] 7980: 0720072007200720 0000000000000000 ffff200008213c4c 0000ffffbc7c8f40
[ 728.883412] 79a0: 0000000000000000 0000000000000000 ffff8006d671a800 1ffff000d9ed8f7c
[ 728.891485] 79c0: 00000000000000a8 00000000000000a0 ffff200009e94b08 0000000000000000
[ 728.899561] 79e0: ffff2000021d2340 ffff200008fd7000 ffff8006ced38000 ffff8006cf6c7a50
[ 728.907636] 7a00: ffff2000021e1618 ffff8006cf6c7a50 ffff2000021e1618 0000000060000145
[ 728.915710] 7a20: 0000000000000008 0000000000000000 0000ffffffffffff 3ba68643e7431500
[ 728.923780] 7a40: ffff8006cf6c7a50 ffff2000021e1618
[ 728.928880] [<ffff2000021e1618>] u_audio_stop_capture+0x70/0x268 [u_audio]
[ 728.936032] [<ffff2000021f8b7c>] afunc_disable+0x44/0x60 [usb_f_uac2]
[ 728.942822] [<ffff20000218177c>] usb_remove_function+0x9c/0x210 [libcomposite]
[ 728.950385] [<ffff200002183320>] remove_config.isra.2+0x1d8/0x218 [libcomposite]
[ 728.958134] [<ffff200002186c54>] __composite_unbind+0x104/0x1f8 [libcomposite]
[ 728.965689] [<ffff200002186d58>] composite_unbind+0x10/0x18 [libcomposite]
[ 728.972882] [<ffff20000152f158>] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
[ 728.980522] [<ffff20000153154c>] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
[ 728.988638] [<ffff200002180de8>] usb_composite_unregister+0x10/0x18 [libcomposite]
[ 728.996472] [<ffff2000021d035c>] audio_driver_exit+0x14/0x28 [g_audio]
[ 729.003231] [<ffff200008213ed4>] SyS_delete_module+0x288/0x32c
[ 729.009278] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
[ 729.015946] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
[ 729.024022] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
[ 729.032099] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
[ 729.040172] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
[ 729.048263] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
[ 729.056337] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
[ 729.064411] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
[ 729.072484] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
[ 729.080563] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
[ 729.088636] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 729.096733] [<ffff200008084780>] el0_svc_naked+0x34/0x38
[ 729.102259] Code: 9597d1b3 aa1703e0 9102a276 958792b9 (f9405275)
[ 729.108617] ---[ end trace 7560c5fa3d100243 ]---
After this patch is applied, the issue is fixed:
rcar-gen3:/home/root# modprobe g_audio
[ 59.217127] g_audio gadget: afunc_bind:565 Error!
[ 59.222329] g_audio ee020000.usb: failed to start g_audio: -19
modprobe: ERROR: could not insert 'g_audio': No such device
rcar-gen3:/home/root# modprobe -r g_audio
rcar-gen3:/home/root#
Fixes: f1d3861d63a5 ("usb: gadget: f_uac2: fix error handling at afunc_bind")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_uac2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/function/f_uac2.c
+++ b/drivers/usb/gadget/function/f_uac2.c
@@ -1069,13 +1069,13 @@ afunc_bind(struct usb_configuration *cfg
agdev->out_ep = usb_ep_autoconfig(gadget, &fs_epout_desc);
if (!agdev->out_ep) {
dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
- return ret;
+ return -ENODEV;
}
agdev->in_ep = usb_ep_autoconfig(gadget, &fs_epin_desc);
if (!agdev->in_ep) {
dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
- return ret;
+ return -ENODEV;
}
uac2->p_prm.uac2 = uac2;
next prev parent reply other threads:[~2020-06-09 17:46 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 17:44 [PATCH 4.4 00/36] 4.4.227-rc1 review Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 01/36] scsi: scsi_devinfo: fixup string compare Greg Kroah-Hartman
2020-06-09 17:44 ` Greg Kroah-Hartman [this message]
2020-06-09 17:44 ` [PATCH 4.4 03/36] platform/x86: acer-wmi: setup accelerometer when ACPI device was found Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 04/36] esp6: fix memleak on error path in esp6_input Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 05/36] IB/mlx4: Fix an error handling path in mlx4_ib_rereg_user_mr() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 06/36] ALSA: hda - No loopback on ALC299 codec Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 07/36] spi: dw: use "smp_mb()" to avoid sending spi data error Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 08/36] s390/ftrace: save traced function caller Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 09/36] ARC: Fix ICCM & DCCM runtime size checks Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 10/36] x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 11/36] net: bmac: Fix read of MAC address from ROM Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 12/36] net/ethernet/freescale: rework quiesce/activate for ucc_geth Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 13/36] net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 14/36] pppoe: only process PADT targeted at local interfaces Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 15/36] mmc: fix compilation of user API Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 16/36] slcan: Fix double-free on slcan_open() error path Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 17/36] slip: not call free_netdev before rtnl_unlock in slip_open Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 18/36] scsi: ufs: Release clock if DMA map fails Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 19/36] devinet: fix memleak in inetdev_init() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 20/36] NFC: st21nfca: add missed kfree_skb() in an error path Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 21/36] vsock: fix timeout in vsock_accept() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 22/36] l2tp: add sk_family checks to l2tp_validate_socket Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 23/36] l2tp: do not use inet_hash()/inet_unhash() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 24/36] USB: serial: qcserial: add DW5816e QDL support Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 25/36] USB: serial: usb_wwan: do not resubmit rx urb on fatal errors Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 26/36] USB: serial: option: add Telit LE910C1-EUX compositions Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 27/36] vt: keyboard: avoid signed integer overflow in k_ascii Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 28/36] staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 29/36] x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 30/36] x86/cpu: Add a steppings field to struct x86_cpu_id Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 31/36] x86/cpu: Add table argument to cpu_matches() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 32/36] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 33/36] x86/speculation: Add SRBDS vulnerability and mitigation documentation Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 34/36] x86/speculation: Add Ivy Bridge to affected list Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 35/36] iio: vcnl4000: Fix i2c swapped word reading Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.4 36/36] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200609173933.429375672@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=erosca@de.adit-jv.com \
--cc=felipe.balbi@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.