From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
Felipe Balbi <balbi@kernel.org>,
Zeng Tao <prime.zeng@hisilicon.com>,
Jack Pham <jackp@codeaurora.org>,
Thinh Nguyen <thinh.nguyen@synopsys.com>,
Chen Yu <chenyu56@huawei.com>,
Jerry Zhang <zhangjerry@google.com>,
Lars-Peter Clausen <lars@metafoo.de>,
Vincent Pelletier <plr.vincent@gmail.com>,
Andrzej Pietrasiewicz <andrzej.p@samsung.com>,
Linux USB List <linux-usb@vger.kernel.org>,
John Stultz <john.stultz@linaro.org>,
Felipe Balbi <felipe.balbi@linux.intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 57/91] usb: f_fs: Avoid crash due to out-of-scope stack ptr access
Date: Thu, 4 Apr 2019 10:47:41 +0200
Message-ID: <20190404084538.749207681@linuxfoundation.org>
In-Reply-To: <20190404084535.450029272@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit 54f64d5c983f939901dacc8cfc0983727c5c742e ]
Since the 5.0 merge window opened, I've been seeing frequent
crashes on suspend and reboot with the trace:
[ 36.911170] Unable to handle kernel paging request at virtual address ffffff801153d660
[ 36.912769] Unable to handle kernel paging request at virtual address ffffff800004b564
...
[ 36.950666] Call trace:
[ 36.950670] queued_spin_lock_slowpath+0x1cc/0x2c8
[ 36.950681] _raw_spin_lock_irqsave+0x64/0x78
[ 36.950692] complete+0x28/0x70
[ 36.950703] ffs_epfile_io_complete+0x3c/0x50
[ 36.950713] usb_gadget_giveback_request+0x34/0x108
[ 36.950721] dwc3_gadget_giveback+0x50/0x68
[ 36.950723] dwc3_thread_interrupt+0x358/0x1488
[ 36.950731] irq_thread_fn+0x30/0x88
[ 36.950734] irq_thread+0x114/0x1b0
[ 36.950739] kthread+0x104/0x130
[ 36.950747] ret_from_fork+0x10/0x1c
I isolated this down to ffs_epfile_io():
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/usb/gadget/function/f_fs.c#n1065
where the completion "done" is set up on the stack:
    DECLARE_COMPLETION_ONSTACK(done);
Then later we set up a request and queue it, and wait for it:
    if (unlikely(wait_for_completion_interruptible(&done))) {
        /*
         * To avoid race condition with ffs_epfile_io_complete,
         * dequeue the request first then check
         * status. usb_ep_dequeue API should guarantee no race
         * condition with req->complete callback.
         */
        usb_ep_dequeue(ep->ep, req);
        interrupted = ep->status < 0;
    }
The problem is that we end up being interrupted, dequeue the
request, and exit.
But then the IRQ triggers and we try calling complete() on the
context pointer, which points to now random stack space, which
results in the panic.
Alan Stern pointed out there is a bug here, in that the snippet
above "assumes that usb_ep_dequeue() waits until the request has
been completed." And that:
    wait_for_completion(&done);
is needed right after the usb_ep_dequeue().
Thus this patch implements that change. With it I no longer see
the crashes on suspend or reboot.
This issue seems to have been uncovered by behavioral changes in
the dwc3 driver in commit fec9095bdef4e ("usb: dwc3: gadget:
remove wait_end_transfer").
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Zeng Tao <prime.zeng@hisilicon.com>
Cc: Jack Pham <jackp@codeaurora.org>
Cc: Thinh Nguyen <thinh.nguyen@synopsys.com>
Cc: Chen Yu <chenyu56@huawei.com>
Cc: Jerry Zhang <zhangjerry@google.com>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Vincent Pelletier <plr.vincent@gmail.com>
Cc: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Linux USB List <linux-usb@vger.kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_fs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 04eb64381d92..927ac0ee09b7 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1008,6 +1008,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
* condition with req->complete callback.
*/
usb_ep_dequeue(ep->ep, req);
+ wait_for_completion(&done);
interrupted = ep->status < 0;
}
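Review bot: the comment in the unchanged context just above this hunk ("usb_ep_dequeue API should guarantee no race condition with req->complete callback") still states the assumption this change corrects; with the added `wait_for_completion(&done);` it is the wait, not usb_ep_dequeue(), that guarantees the callback has run before `done` goes out of scope, so the comment should be updated to say that usb_ep_dequeue() only cancels the request and the completion must still be waited for. Note also that the added wait is uninterruptible, so the interrupted path now depends on every gadget driver's dequeue eventually giving back the request; a driver that never completes a dequeued request would leave this thread sleeping forever rather than returning -EINTR.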
--
2.19.1
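Added example, not code from the patch or the kernel: a single-threaded C model of the lifetime problem the commit message describes, where `frame_alive`, `pending_giveback`, `giveback()` and `simulate()` are constructed stand-ins for the kernel's on-stack completion, the heap-allocated request and the IRQ-thread giveback. It runs the interrupted path once without and once with the patch's wait and counts how many times the deferred callback would have hit a dead stack frame.

```c
struct completion { int done; };              /* stand-in for the kernel type */
struct usb_request { struct completion *context; };
static struct usb_request req;                /* usb_ep_alloc_request(): heap */
static struct usb_request *pending_giveback;  /* request the "IRQ" still owes */
static int frame_alive;     /* true while ffs_epfile_io()'s stack frame exists */
static int use_after_scope; /* callbacks that would have touched a dead frame */

/* ffs_epfile_io_complete() run from the IRQ thread; the real one has no liveness check */
static void giveback(struct usb_request *r)
{
	if (!frame_alive) { use_after_scope++; return; }
	r->context->done = 1;                 /* complete(req->context) */
}

/* usb_ep_dequeue(): cancels the request; the giveback still comes later from the IRQ thread */
static void usb_ep_dequeue(struct usb_request *r)
{
	pending_giveback = r;
}

/* wait_for_completion(): sleeps until the IRQ thread has delivered the giveback */
static void wait_for_completion(struct completion *x)
{
	if (!x->done && pending_giveback) {
		giveback(pending_giveback);
		pending_giveback = 0;
	}
}

/* the interrupted path of ffs_epfile_io(); `fixed` adds the patch's one line */
static void ffs_epfile_io(int fixed)
{
	struct completion done = { 0 };       /* DECLARE_COMPLETION_ONSTACK(done) */
	req.context = &done;                  /* heap request points into this frame */
	frame_alive = 1;   /* queued; wait_for_completion_interruptible() woke early */
	usb_ep_dequeue(&req);
	if (fixed)
		wait_for_completion(&done);
	frame_alive = 0;                      /* return: the frame is gone */
}

/* IRQ thread firing only after the caller returned: the crash-trace scenario */
int simulate(int fixed)
{
	use_after_scope = 0;
	pending_giveback = 0;
	ffs_epfile_io(fixed);
	if (pending_giveback)
		giveback(pending_giveback);
	return use_after_scope;               /* 1 without the patch, 0 with it */
}
```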