From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Vincent Pelletier <plr.vincent@gmail.com>
Subject: [PATCH 5.15 59/73] usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
Date: Mon, 3 Jan 2022 15:24:20 +0100 [thread overview]
Message-ID: <20220103142058.828856413@linuxfoundation.org> (raw)
In-Reply-To: <20220103142056.911344037@linuxfoundation.org>
From: Vincent Pelletier <plr.vincent@gmail.com>
commit b1e0887379422975f237d43d8839b751a6bcf154 upstream.
ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
ffs_ep0_release, so it ends up being called twice when userland closes ep0
and then unmounts f_fs.
If userland provided an eventfd along with function's USB descriptors, it
ends up calling eventfd_ctx_put as many times, causing a refcount
underflow.
NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.
Also, set epfiles to NULL right after de-allocating it, for readability.
For completeness, ffs_data_clear actually ends up being called thrice, the
last call being before the whole ffs structure gets freed, so when this
specific sequence happens there is a second underflow happening (but not
being reported):
/sys/kernel/debug/tracing# modprobe usb_f_fs
/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
/sys/kernel/debug/tracing# echo function > current_tracer
/sys/kernel/debug/tracing# echo 1 > tracing_on
(setup gadget, run and kill function userland process, teardown gadget)
/sys/kernel/debug/tracing# echo 0 > tracing_on
/sys/kernel/debug/tracing# cat trace
smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed
smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed
smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put
Warning output corresponding to above trace:
[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
[ 1946.293094] refcount_t: underflow; use-after-free.
[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1
[ 1946.417950] Hardware name: BCM2835
[ 1946.425442] Backtrace:
[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
[ 1946.482067] r5:c04a948c r4:c0a71dc8
[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
[ 1946.582664] r5:c3b84c00 r4:c2695b00
[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
[ 1946.609608] r5:bf54d014 r4:c2695b00
[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
[ 1946.636217] r7:c0dfcb84 r6:c3a12260 r5:bf54d014 r4:c229f000
[ 1946.646273] [<bf547d74>] (ffs_fs_kill_sb [usb_f_fs]) from [<c0326d50>] (deactivate_locked_super+0x54/0x9c)
[ 1946.664893] r5:bf54d014 r4:c229f000
[ 1946.672921] [<c0326cfc>] (deactivate_locked_super) from [<c0326df8>] (deactivate_super+0x60/0x64)
[ 1946.690722] r5:c2a09000 r4:c229f000
[ 1946.698706] [<c0326d98>] (deactivate_super) from [<c0349a28>] (cleanup_mnt+0xe4/0x14c)
[ 1946.715553] r5:c2a09000 r4:00000000
[ 1946.723528] [<c0349944>] (cleanup_mnt) from [<c0349b08>] (__cleanup_mnt+0x1c/0x20)
[ 1946.739922] r7:c0dfcb84 r6:c3a12260 r5:c3a126fc r4:00000000
[ 1946.750088] [<c0349aec>] (__cleanup_mnt) from [<c0143d10>] (task_work_run+0x84/0xb8)
[ 1946.766602] [<c0143c8c>] (task_work_run) from [<c010bdc8>] (do_work_pending+0x470/0x56c)
[ 1946.783540] r7:5ac3c35a r6:c0d0424c r5:c200bfb0 r4:c200a000
[ 1946.793614] [<c010b958>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
[ 1946.810553] Exception stack(0xc200bfb0 to 0xc200bff8)
[ 1946.820129] bfa0: 00000000 00000000 000000aa b5e21430
[ 1946.837104] bfc0: bef867a0 00000001 bef86840 00000034 bef86838 bef86790 bef86794 bef867a0
[ 1946.854125] bfe0: 00000000 bef86798 b67b7a1c b6d626a4 60000010 b5a23760
[ 1946.865335] r10:00000000 r9:c200a000 r8:c0100224 r7:00000034 r6:bef86840 r5:00000001
[ 1946.881914] r4:bef867a0
[ 1946.888793] ---[ end trace 7387f2a9725b28d0 ]---
Fixes: 5e33f6fdf735 ("usb: gadget: ffs: add eventfd notification about ffs events")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Link: https://lore.kernel.org/r/f79eeea29f3f98de6782a064ec0f7351ad2f598f.1639793920.git.plr.vincent@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_fs.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1773,11 +1773,15 @@ static void ffs_data_clear(struct ffs_da
BUG_ON(ffs->gadget);
- if (ffs->epfiles)
+ if (ffs->epfiles) {
ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
+ ffs->epfiles = NULL;
+ }
- if (ffs->ffs_eventfd)
+ if (ffs->ffs_eventfd) {
eventfd_ctx_put(ffs->ffs_eventfd);
+ ffs->ffs_eventfd = NULL;
+ }
kfree(ffs->raw_descs_data);
kfree(ffs->raw_strings);
@@ -1790,7 +1794,6 @@ static void ffs_data_reset(struct ffs_da
ffs_data_clear(ffs);
- ffs->epfiles = NULL;
ffs->raw_descs_data = NULL;
ffs->raw_descs = NULL;
ffs->raw_strings = NULL;
next prev parent reply other threads:[~2022-01-03 14:35 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-03 14:23 [PATCH 5.15 00/73] 5.15.13-rc1 review Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 01/73] Input: i8042 - add deferred probe support Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 02/73] Input: i8042 - enable deferred probe quirk for ASUS UM325UA Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 03/73] tomoyo: Check exceeded quota early in tomoyo_domain_quota_is_ok() Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 04/73] tomoyo: use hwight16() " Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 05/73] net/sched: Extend qdisc control block with tc control block Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 06/73] parisc: Clear stale IIR value on instruction access rights trap Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 07/73] platform/mellanox: mlxbf-pmc: Fix an IS_ERR() vs NULL bug in mlxbf_pmc_map_counters Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 08/73] platform/x86: apple-gmux: use resource_size() with res Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 09/73] memblock: fix memblock_phys_alloc() section mismatch error Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 10/73] ALSA: hda: intel-sdw-acpi: harden detection of controller Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 11/73] ALSA: hda: intel-sdw-acpi: go through HDAS ACPI at max depth of 2 Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 12/73] recordmcount.pl: fix typo in s390 mcount regex Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 13/73] powerpc/ptdump: Fix DEBUG_WX since generic ptdump conversion Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 14/73] efi: Move efifb_setup_from_dmi() prototype from arch headers Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 15/73] selinux: initialize proto variable in selinux_ip_postroute_compat() Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 16/73] scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 17/73] net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 18/73] net/mlx5: Fix error print in case of IRQ request failed Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 19/73] net/mlx5: Fix SF health recovery flow Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 20/73] net/mlx5: Fix tc max supported prio for nic mode Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 21/73] net/mlx5e: Wrap the tx reporter dump callback to extract the sq Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 22/73] net/mlx5e: Fix interoperability between XSK and ICOSQ recovery flow Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 23/73] net/mlx5e: Fix ICOSQ recovery flow for XSK Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 24/73] net/mlx5e: Use tc sample stubs instead of ifdefs in source file Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 25/73] net/mlx5e: Delete forward rule for ct or sample action Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 26/73] udp: using datalen to cap ipv6 udp max gso segments Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 27/73] selftests: Calculate udpgso segment count without header adjustment Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 28/73] net: phy: fixed_phy: Fix NULL vs IS_ERR() checking in __fixed_phy_register Greg Kroah-Hartman
2022-01-03 19:47 ` Florian Fainelli
2022-01-04 7:33 ` Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 29/73] sctp: use call_rcu to free endpoint Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 30/73] net/smc: fix using of uninitialized completions Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 31/73] net: usb: pegasus: Do not drop long Ethernet frames Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 32/73] net: ag71xx: Fix a potential double free in error handling paths Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 33/73] net: lantiq_xrx200: fix statistics of received bytes Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 34/73] NFC: st21nfca: Fix memory leak in device probe and remove Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 35/73] net/smc: dont send CDC/LLC message if link not ready Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 36/73] net/smc: fix kernel panic caused by race of smc_sock Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 37/73] igc: Do not enable crosstimestamping for i225-V models Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 5.15 38/73] igc: Fix TX timestamp support for non-MSI-X platforms Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 39/73] drm/amd/display: Send s0i2_rdy in stream_count == 0 optimization Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 40/73] drm/amd/display: Set optimize_pwr_state for DCN31 Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 41/73] ionic: Initialize the lif->dbid_inuse bitmap Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 42/73] net/mlx5e: Fix wrong features assignment in case of error Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 43/73] net: bridge: mcast: add and enforce query interval minimum Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 44/73] net: bridge: mcast: add and enforce startup " Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 45/73] selftests/net: udpgso_bench_tx: fix dst ip argument Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 46/73] selftests: net: Fix a typo in udpgro_fwd.sh Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 47/73] net: bridge: mcast: fix br_multicast_ctx_vlan_global_disabled helper Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 48/73] net/ncsi: check for error return from call to nla_put_u32 Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 49/73] selftests: net: using ping6 for IPv6 in udpgro_fwd.sh Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 50/73] fsl/fman: Fix missing put_device() call in fman_port_probe Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 51/73] i2c: validate user data in compat ioctl Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 52/73] nfc: uapi: use kernel size_t to fix user-space builds Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 53/73] uapi: fix linux/nfc.h userspace compilation errors Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 54/73] drm/nouveau: wait for the exclusive fence after the shared ones v2 Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 55/73] drm/amdgpu: When the VCN(1.0) block is suspended, powergating is explicitly enabled Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 56/73] drm/amdgpu: add support for IP discovery gc_info table v2 Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 57/73] drm/amd/display: Changed pipe split policy to allow for multi-display pipe split Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 58/73] xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set Greg Kroah-Hartman
2022-01-03 14:24 ` Greg Kroah-Hartman [this message]
2022-01-03 14:24 ` [PATCH 5.15 60/73] usb: mtu3: add memory barrier before set GPDs HWO Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 61/73] usb: mtu3: fix list_head check warning Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 62/73] usb: mtu3: set interval of FS intr and isoc endpoint Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 63/73] nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 64/73] binder: fix async_free_space accounting for empty parcels Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 65/73] scsi: vmw_pvscsi: Set residual data length conditionally Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 66/73] Input: appletouch - initialize work before device registration Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 67/73] Input: spaceball - fix parsing of movement data packets Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 68/73] mm/damon/dbgfs: fix struct pid leaks in dbgfs_target_ids_write() Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 69/73] net: fix use-after-free in tw_timer_handler Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 70/73] fs/mount_setattr: always cleanup mount_kattr Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 71/73] perf intel-pt: Fix parsing of VM time correlation arguments Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 72/73] perf script: Fix CPU filtering of a scripts switch events Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 5.15 73/73] perf scripts python: intel-pt-events.py: Fix printing of " Greg Kroah-Hartman
2022-01-04 1:28 ` [PATCH 5.15 00/73] 5.15.13-rc1 review Guenter Roeck
2022-01-04 5:21 ` Naresh Kamboju
2022-01-04 6:28 ` Rudi Heitbaum
2022-01-04 9:53 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220103142058.828856413@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=plr.vincent@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).