From: kernel test robot <lkp@intel.com>
To: kbuild-all@lists.01.org
Subject: Re: [PATCH v7] usb: f_fs: Fix use-after-free for epfile
Date: Wed, 05 Jan 2022 21:15:19 +0800
Message-ID: <202201052146.RZUTvDGn-lkp@intel.com>
In-Reply-To: <1641364317-11916-1-git-send-email-quic_ugoswami@quicinc.com>

Hi Udipto,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on peter-chen-usb/for-usb-next]
[cannot apply to usb/usb-testing balbi-usb/testing/next v5.16-rc8 next-20220105]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Udipto-Goswami/usb-f_fs-Fix-use-after-free-for-epfile/20220105-143439
base:   https://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb.git for-usb-next
config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20220105/202201052146.RZUTvDGn-lkp(a)intel.com/config)
compiler: alpha-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/0a319144fb2e68829c0d23f5b5505a19a207c906
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Udipto-Goswami/usb-f_fs-Fix-use-after-free-for-epfile/20220105-143439
        git checkout 0a319144fb2e68829c0d23f5b5505a19a207c906
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=alpha SHELL=/bin/bash

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   In file included from include/linux/kernel.h:17,
                    from include/linux/list.h:9,
                    from include/linux/rculist.h:10,
                    from include/linux/pid.h:5,
                    from include/linux/sched.h:14,
                    from include/linux/blkdev.h:5,
                    from drivers/usb/gadget/function/f_fs.c:17:
   drivers/usb/gadget/function/f_fs.c: In function 'ffs_epfiles_create':
>> drivers/usb/gadget/function/f_fs.c:1918:43: error: 'flags' undeclared (first use in this function)
    1918 |         spin_lock_irqsave(&ffs->eps_lock, flags);
         |                                           ^~~~~
   include/linux/typecheck.h:11:16: note: in definition of macro 'typecheck'
      11 |         typeof(x) __dummy2; \
         |                ^
   include/linux/spinlock.h:384:9: note: in expansion of macro 'raw_spin_lock_irqsave'
     384 |         raw_spin_lock_irqsave(spinlock_check(lock), flags);     \
         |         ^~~~~~~~~~~~~~~~~~~~~
   drivers/usb/gadget/function/f_fs.c:1918:9: note: in expansion of macro 'spin_lock_irqsave'
    1918 |         spin_lock_irqsave(&ffs->eps_lock, flags);
         |         ^~~~~~~~~~~~~~~~~
   drivers/usb/gadget/function/f_fs.c:1918:43: note: each undeclared identifier is reported only once for each function it appears in
    1918 |         spin_lock_irqsave(&ffs->eps_lock, flags);
         |                                           ^~~~~
   include/linux/typecheck.h:11:16: note: in definition of macro 'typecheck'
      11 |         typeof(x) __dummy2; \
         |                ^
   include/linux/spinlock.h:384:9: note: in expansion of macro 'raw_spin_lock_irqsave'
     384 |         raw_spin_lock_irqsave(spinlock_check(lock), flags);     \
         |         ^~~~~~~~~~~~~~~~~~~~~
   drivers/usb/gadget/function/f_fs.c:1918:9: note: in expansion of macro 'spin_lock_irqsave'
    1918 |         spin_lock_irqsave(&ffs->eps_lock, flags);
         |         ^~~~~~~~~~~~~~~~~
   include/linux/typecheck.h:12:25: warning: comparison of distinct pointer types lacks a cast
      12 |         (void)(&__dummy == &__dummy2); \
         |                         ^~
   include/linux/spinlock.h:251:17: note: in expansion of macro 'typecheck'
     251 |                 typecheck(unsigned long, flags);        \
         |                 ^~~~~~~~~
   include/linux/spinlock.h:384:9: note: in expansion of macro 'raw_spin_lock_irqsave'
     384 |         raw_spin_lock_irqsave(spinlock_check(lock), flags);     \
         |         ^~~~~~~~~~~~~~~~~~~~~
   drivers/usb/gadget/function/f_fs.c:1918:9: note: in expansion of macro 'spin_lock_irqsave'
    1918 |         spin_lock_irqsave(&ffs->eps_lock, flags);
         |         ^~~~~~~~~~~~~~~~~
   drivers/usb/gadget/function/f_fs.c: In function 'ffs_func_eps_enable':
>> drivers/usb/gadget/function/f_fs.c:1980:9: error: 'epfiles' undeclared (first use in this function); did you mean 'epfile'?
    1980 |         epfiles = ffs->epfiles;
         |         ^~~~~~~
         |         epfile


vim +/flags +1918 drivers/usb/gadget/function/f_fs.c

  1888	
  1889	static int ffs_epfiles_create(struct ffs_data *ffs)
  1890	{
  1891		struct ffs_epfile *epfile, *epfiles;
  1892		unsigned i, count;
  1893	
  1894		ENTER();
  1895	
  1896		count = ffs->eps_count;
  1897		epfiles = kcalloc(count, sizeof(*epfiles), GFP_KERNEL);
  1898		if (!epfiles)
  1899			return -ENOMEM;
  1900	
  1901		epfile = epfiles;
  1902		for (i = 1; i <= count; ++i, ++epfile) {
  1903			epfile->ffs = ffs;
  1904			mutex_init(&epfile->mutex);
  1905			if (ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
  1906				sprintf(epfile->name, "ep%02x", ffs->eps_addrmap[i]);
  1907			else
  1908				sprintf(epfile->name, "ep%u", i);
  1909			epfile->dentry = ffs_sb_create_file(ffs->sb, epfile->name,
  1910							 epfile,
  1911							 &ffs_epfile_operations);
  1912			if (!epfile->dentry) {
  1913				ffs_epfiles_destroy(epfiles, i - 1);
  1914				return -ENOMEM;
  1915			}
  1916		}
  1917	
> 1918		spin_lock_irqsave(&ffs->eps_lock, flags);
  1919		ffs->epfiles = epfiles;
  1920		spin_unlock_irqrestore(&ffs->eps_lock, flags);
  1921		return 0;
  1922	}
  1923	
  1924	static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
  1925	{
  1926		struct ffs_epfile *epfile = epfiles;
  1927	
  1928		ENTER();
  1929	
  1930		for (; count; --count, ++epfile) {
  1931			BUG_ON(mutex_is_locked(&epfile->mutex));
  1932			if (epfile->dentry) {
  1933				d_delete(epfile->dentry);
  1934				dput(epfile->dentry);
  1935				epfile->dentry = NULL;
  1936			}
  1937		}
  1938	
  1939		kfree(epfiles);
  1940	}
  1941	
  1942	static void ffs_func_eps_disable(struct ffs_function *func)
  1943	{
  1944		struct ffs_ep *ep;
  1945		struct ffs_epfile *epfile;
  1946		unsigned short count;
  1947		unsigned long flags;
  1948	
  1949		spin_lock_irqsave(&func->ffs->eps_lock, flags);
  1950		count = func->ffs->eps_count;
  1951		epfile = func->ffs->epfiles;
  1952		ep = func->eps;
  1953		while (count--) {
  1954			/* pending requests get nuked */
  1955			if (ep->ep)
  1956				usb_ep_disable(ep->ep);
  1957			++ep;
  1958	
  1959			if (epfile) {
  1960				epfile->ep = NULL;
  1961				__ffs_epfile_read_buffer_free(epfile);
  1962				++epfile;
  1963			}
  1964		}
  1965		spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
  1966	}
  1967	
  1968	static int ffs_func_eps_enable(struct ffs_function *func)
  1969	{
  1970		struct ffs_data *ffs;
  1971		struct ffs_ep *ep;
  1972		struct ffs_epfile *epfile;
  1973		unsigned count;
  1974		unsigned long flags;
  1975		int ret = 0;
  1976	
  1977		spin_lock_irqsave(&func->ffs->eps_lock, flags);
  1978		ffs = func->ffs;
  1979		ep = func->eps;
> 1980		epfiles = ffs->epfiles;
  1981		count = ffs->eps_count;
  1982		while(count--) {
  1983			ep->ep->driver_data = ep;
  1984	
  1985			ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
  1986			if (ret) {
  1987				pr_err("%s: config_ep_by_speed(%s) returned %d\n",
  1988						__func__, ep->ep->name, ret);
  1989				break;
  1990			}
  1991	
  1992			ret = usb_ep_enable(ep->ep);
  1993			if (!ret) {
  1994				epfile->ep = ep;
  1995				epfile->in = usb_endpoint_dir_in(ep->ep->desc);
  1996				epfile->isoc = usb_endpoint_xfer_isoc(ep->ep->desc);
  1997			} else {
  1998				break;
  1999			}
  2000	
  2001			++ep;
  2002			++epfile;
  2003		}
  2004	
  2005		wake_up_interruptible(&ffs->wait);
  2006		spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
  2007	
  2008		return ret;
  2009	}
  2010	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

Thread overview: 2+ messages
2022-01-05  6:31 [PATCH v7] usb: f_fs: Fix use-after-free for epfile Udipto Goswami
2022-01-05 13:15 ` kernel test robot [this message]
