From mboxrd@z Thu Jan 1 00:00:00 1970
Content-Type: multipart/mixed; boundary="===============8001966447456918336=="
MIME-Version: 1.0
From: kernel test robot
To: kbuild-all@lists.01.org
Subject: Re: [PATCH v7] usb: f_fs: Fix use-after-free for epfile
Date: Wed, 05 Jan 2022 21:15:19 +0800
Message-ID: <202201052146.RZUTvDGn-lkp@intel.com>
In-Reply-To: <1641364317-11916-1-git-send-email-quic_ugoswami@quicinc.com>
List-Id:

--===============8001966447456918336==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Hi Udipto,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on peter-chen-usb/for-usb-next]
[cannot apply to usb/usb-testing balbi-usb/testing/next v5.16-rc8 next-20220105]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/Udipto-Goswami/usb-f_fs-Fix-use-after-free-for-epfile/20220105-143439
base: https://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb.git for-usb-next
config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20220105/202201052146.RZUTvDGn-lkp(a)intel.com/config)
compiler: alpha-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/0a319144fb2e68829c0d23f5b5505a19a207c906
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Udipto-Goswami/usb-f_fs-Fix-use-after-free-for-epfile/20220105-143439
        git checkout 0a319144fb2e68829c0d23f5b5505a19a207c906
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=alpha SHELL=/bin/bash

If you fix the issue, kindly add
following tag as appropriate
Reported-by: kernel test robot

All errors (new ones prefixed by >>):

In file included from include/linux/kernel.h:17,
                 from include/linux/list.h:9,
                 from include/linux/rculist.h:10,
                 from include/linux/pid.h:5,
                 from include/linux/sched.h:14,
                 from include/linux/blkdev.h:5,
                 from drivers/usb/gadget/function/f_fs.c:17:
drivers/usb/gadget/function/f_fs.c: In function 'ffs_epfiles_create':
>> drivers/usb/gadget/function/f_fs.c:1918:43: error: 'flags' undeclared (first use in this function)
    1918 | spin_lock_irqsave(&ffs->eps_lock, flags);
         | ^~~~~
   include/linux/typecheck.h:11:16: note: in definition of macro 'typecheck'
      11 | typeof(x) __dummy2; \
         | ^
   include/linux/spinlock.h:384:9: note: in expansion of macro 'raw_spin_lock_irqsave'
     384 | raw_spin_lock_irqsave(spinlock_check(lock), flags); \
         | ^~~~~~~~~~~~~~~~~~~~~
   drivers/usb/gadget/function/f_fs.c:1918:9: note: in expansion of macro 'spin_lock_irqsave'
    1918 | spin_lock_irqsave(&ffs->eps_lock, flags);
         | ^~~~~~~~~~~~~~~~~
   drivers/usb/gadget/function/f_fs.c:1918:43: note: each undeclared identifier is reported only once for each function it appears in
    1918 | spin_lock_irqsave(&ffs->eps_lock, flags);
         | ^~~~~
   include/linux/typecheck.h:11:16: note: in definition of macro 'typecheck'
      11 | typeof(x) __dummy2; \
         | ^
   include/linux/spinlock.h:384:9: note: in expansion of macro 'raw_spin_lock_irqsave'
     384 | raw_spin_lock_irqsave(spinlock_check(lock), flags); \
         | ^~~~~~~~~~~~~~~~~~~~~
   drivers/usb/gadget/function/f_fs.c:1918:9: note: in expansion of macro 'spin_lock_irqsave'
    1918 | spin_lock_irqsave(&ffs->eps_lock, flags);
         | ^~~~~~~~~~~~~~~~~
   include/linux/typecheck.h:12:25: warning: comparison of distinct pointer types lacks a cast
      12 | (void)(&__dummy == &__dummy2); \
         | ^~
   include/linux/spinlock.h:251:17: note: in expansion of macro 'typecheck'
     251 | typecheck(unsigned long, flags); \
         | ^~~~~~~~~
   include/linux/spinlock.h:384:9: note: in expansion of macro 'raw_spin_lock_irqsave'
     384 |
raw_spin_lock_irqsave(spinlock_check(lock), flags); \
         | ^~~~~~~~~~~~~~~~~~~~~
   drivers/usb/gadget/function/f_fs.c:1918:9: note: in expansion of macro 'spin_lock_irqsave'
    1918 | spin_lock_irqsave(&ffs->eps_lock, flags);
         | ^~~~~~~~~~~~~~~~~
   drivers/usb/gadget/function/f_fs.c: In function 'ffs_func_eps_enable':
>> drivers/usb/gadget/function/f_fs.c:1980:9: error: 'epfiles' undeclared (first use in this function); did you mean 'epfile'?
    1980 | epfiles = ffs->epfiles;
         | ^~~~~~~
         | epfile

vim +/flags +1918 drivers/usb/gadget/function/f_fs.c

  1888  
  1889  static int ffs_epfiles_create(struct ffs_data *ffs)
  1890  {
  1891  	struct ffs_epfile *epfile, *epfiles;
  1892  	unsigned i, count;
  1893  
  1894  	ENTER();
  1895  
  1896  	count = ffs->eps_count;
  1897  	epfiles = kcalloc(count, sizeof(*epfiles), GFP_KERNEL);
  1898  	if (!epfiles)
  1899  		return -ENOMEM;
  1900  
  1901  	epfile = epfiles;
  1902  	for (i = 1; i <= count; ++i, ++epfile) {
  1903  		epfile->ffs = ffs;
  1904  		mutex_init(&epfile->mutex);
  1905  		if (ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
  1906  			sprintf(epfile->name, "ep%02x", ffs->eps_addrmap[i]);
  1907  		else
  1908  			sprintf(epfile->name, "ep%u", i);
  1909  		epfile->dentry = ffs_sb_create_file(ffs->sb, epfile->name,
  1910  						    epfile,
  1911  						    &ffs_epfile_operations);
  1912  		if (!epfile->dentry) {
  1913  			ffs_epfiles_destroy(epfiles, i - 1);
  1914  			return -ENOMEM;
  1915  		}
  1916  	}
  1917  
> 1918  	spin_lock_irqsave(&ffs->eps_lock, flags);
  1919  	ffs->epfiles = epfiles;
  1920  	spin_unlock_irqrestore(&ffs->eps_lock, flags);
  1921  	return 0;
  1922  }
  1923  
  1924  static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
  1925  {
  1926  	struct ffs_epfile *epfile = epfiles;
  1927  
  1928  	ENTER();
  1929  
  1930  	for (; count; --count, ++epfile) {
  1931  		BUG_ON(mutex_is_locked(&epfile->mutex));
  1932  		if (epfile->dentry) {
  1933  			d_delete(epfile->dentry);
  1934  			dput(epfile->dentry);
  1935  			epfile->dentry = NULL;
  1936  		}
  1937  	}
  1938  
  1939  	kfree(epfiles);
  1940  }
  1941  
  1942  static void ffs_func_eps_disable(struct
ffs_function *func)
  1943  {
  1944  	struct ffs_ep *ep;
  1945  	struct ffs_epfile *epfile;
  1946  	unsigned short count;
  1947  	unsigned long flags;
  1948  
  1949  	spin_lock_irqsave(&func->ffs->eps_lock, flags);
  1950  	count = func->ffs->eps_count;
  1951  	epfile = func->ffs->epfiles;
  1952  	ep = func->eps;
  1953  	while (count--) {
  1954  		/* pending requests get nuked */
  1955  		if (ep->ep)
  1956  			usb_ep_disable(ep->ep);
  1957  		++ep;
  1958  
  1959  		if (epfile) {
  1960  			epfile->ep = NULL;
  1961  			__ffs_epfile_read_buffer_free(epfile);
  1962  			++epfile;
  1963  		}
  1964  	}
  1965  	spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
  1966  }
  1967  
  1968  static int ffs_func_eps_enable(struct ffs_function *func)
  1969  {
  1970  	struct ffs_data *ffs;
  1971  	struct ffs_ep *ep;
  1972  	struct ffs_epfile *epfile;
  1973  	unsigned count;
  1974  	unsigned long flags;
  1975  	int ret = 0;
  1976  
  1977  	spin_lock_irqsave(&func->ffs->eps_lock, flags);
  1978  	ffs = func->ffs;
  1979  	ep = func->eps;
> 1980  	epfiles = ffs->epfiles;
  1981  	count = ffs->eps_count;
  1982  	while(count--) {
  1983  		ep->ep->driver_data = ep;
  1984  
  1985  		ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
  1986  		if (ret) {
  1987  			pr_err("%s: config_ep_by_speed(%s) returned %d\n",
  1988  			       __func__, ep->ep->name, ret);
  1989  			break;
  1990  		}
  1991  
  1992  		ret = usb_ep_enable(ep->ep);
  1993  		if (!ret) {
  1994  			epfile->ep = ep;
  1995  			epfile->in = usb_endpoint_dir_in(ep->ep->desc);
  1996  			epfile->isoc = usb_endpoint_xfer_isoc(ep->ep->desc);
  1997  		} else {
  1998  			break;
  1999  		}
  2000  
  2001  		++ep;
  2002  		++epfile;
  2003  	}
  2004  
  2005  	wake_up_interruptible(&ffs->wait);
  2006  	spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
  2007  
  2008  	return ret;
  2009  }
  2010  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

--===============8001966447456918336==--