public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, stable <stable@kernel.org>,
	Akash M <akash.m5@samsung.com>
Subject: [PATCH 6.1 68/92] usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
Date: Wed, 15 Jan 2025 11:37:26 +0100	[thread overview]
Message-ID: <20250115103550.265653931@linuxfoundation.org> (raw)
In-Reply-To: <20250115103547.522503305@linuxfoundation.org>

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Akash M <akash.m5@samsung.com>

commit dfc51e48bca475bbee984e90f33fdc537ce09699 upstream.

This commit addresses an issue related to below kernel panic where
panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON
in functionsfs_bind, which easily leads to the following scenarios.

1.adb_write in adbd               2. UDC write via configfs
  =================	             =====================

->usb_ffs_open_thread()           ->UDC write
 ->open_functionfs()               ->configfs_write_iter()
  ->adb_open()                      ->gadget_dev_desc_UDC_store()
   ->adb_write()                     ->usb_gadget_register_driver_owner
                                      ->driver_register()
->StartMonitor()                       ->bus_add_driver()
 ->adb_read()                           ->gadget_bind_driver()
<times-out without BIND event>           ->configfs_composite_bind()
                                          ->usb_add_function()
->open_functionfs()                        ->ffs_func_bind()
 ->adb_open()                               ->functionfs_bind()
                                       <ffs->state !=FFS_ACTIVE>

The adb_open, adb_read, and adb_write operations are invoked from the
daemon, but trying to bind the function is a process that is invoked by
UDC write through configfs, which opens up the possibility of a race
condition between the two paths. In this race scenario, the kernel panic
occurs due to the WARN_ON from functionfs_bind when panic_on_warn is
enabled. This commit fixes the kernel panic by removing the unnecessary
WARN_ON.

Kernel panic - not syncing: kernel: panic_on_warn set ...
[   14.542395] Call trace:
[   14.542464]  ffs_func_bind+0x1c8/0x14a8
[   14.542468]  usb_add_function+0xcc/0x1f0
[   14.542473]  configfs_composite_bind+0x468/0x588
[   14.542478]  gadget_bind_driver+0x108/0x27c
[   14.542483]  really_probe+0x190/0x374
[   14.542488]  __driver_probe_device+0xa0/0x12c
[   14.542492]  driver_probe_device+0x3c/0x220
[   14.542498]  __driver_attach+0x11c/0x1fc
[   14.542502]  bus_for_each_dev+0x104/0x160
[   14.542506]  driver_attach+0x24/0x34
[   14.542510]  bus_add_driver+0x154/0x270
[   14.542514]  driver_register+0x68/0x104
[   14.542518]  usb_gadget_register_driver_owner+0x48/0xf4
[   14.542523]  gadget_dev_desc_UDC_store+0xf8/0x144
[   14.542526]  configfs_write_iter+0xf0/0x138

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Akash M <akash.m5@samsung.com>
Link: https://lore.kernel.org/r/20241219125221.1679-1-akash.m5@samsung.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_fs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1868,7 +1868,7 @@ static int functionfs_bind(struct ffs_da
 
 	ENTER();
 
-	if (WARN_ON(ffs->state != FFS_ACTIVE
+	if ((ffs->state != FFS_ACTIVE
 		 || test_and_set_bit(FFS_FL_BOUND, &ffs->flags)))
 		return -EBADFD;
 



  parent reply	other threads:[~2025-01-15 10:42 UTC|newest]

Thread overview: 110+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-01-15 10:36 [PATCH 6.1 00/92] 6.1.125-rc1 review Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 01/92] ceph: give up on paths longer than PATH_MAX Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 02/92] bpf, sockmap: Fix race between element replace and close() Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 03/92] sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 04/92] jbd2: increase IO priority for writing revoke records Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 05/92] jbd2: flush filesystem device before updating tail sequence Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 06/92] dm array: fix releasing a faulty array block twice in dm_array_cursor_end Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 07/92] dm array: fix unreleased btree blocks on closing a faulty array cursor Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 08/92] dm array: fix cursor index when skipping across block boundaries Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 09/92] exfat: fix the infinite loop in exfat_readdir() Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 10/92] exfat: fix the infinite loop in __exfat_free_cluster() Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 11/92] scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 12/92] ASoC: mediatek: disable buffer pre-allocation Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 13/92] ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 14/92] net: 802: LLC+SNAP OID:PID lookup on start of skb data Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 15/92] tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 16/92] tcp/dccp: allow a connection when sk_max_ack_backlog is zero Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 17/92] net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 18/92] bnxt_en: Fix possible memory leak when hwrm_req_replace fails Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 19/92] cxgb4: Avoid removal of uninserted tid Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 20/92] ice: fix incorrect PHY settings for 100 GB/s Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 21/92] tls: Fix tls_sw_sendmsg error handling Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 22/92] Bluetooth: hci_sync: Fix not setting Random Address when required Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 23/92] tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 24/92] netfilter: nf_tables: imbalance in flowtable binding Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 25/92] netfilter: conntrack: clamp maximum hashtable size to INT_MAX Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 26/92] sched: sch_cake: add bounds checks to host bulk flow fairness counts Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 27/92] net/mlx5: Fix variable not being completed when function returns Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 28/92] drm/mediatek: stop selecting foreign drivers Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 29/92] drm/mediatek: Fix YCbCr422 color format issue for DP Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 30/92] drm/mediatek: Fix mode valid issue for dp Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 31/92] drm/mediatek: Add return value check when reading DPCD Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 32/92] ksmbd: fix a missing return value check bug Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 33/92] afs: Fix the maximum cell name length Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 34/92] ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 35/92] cpuidle: riscv-sbi: fix device node release in early exit of for_each_possible_cpu Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 36/92] dm thin: make get_first_thin use rcu-safe list first function Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 37/92] dm-ebs: dont set the flag DM_TARGET_PASSES_INTEGRITY Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 38/92] sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 39/92] sctp: sysctl: rto_min/max: " Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 40/92] sctp: sysctl: auth_enable: " Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 41/92] sctp: sysctl: udp_port: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 42/92] sctp: sysctl: plpmtud_probe_interval: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 43/92] drm/amd/display: Add check for granularity in dml ceil/floor helpers Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 44/92] thermal: of: fix OF node leak in of_thermal_zone_find() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 45/92] riscv: Fix sleeping in invalid context in die() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 46/92] ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 47/92] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 48/92] drm/amd/display: increase MAX_SURFACES to the value supported by hw Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 49/92] dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 50/92] bpf: Add MEM_WRITE attribute Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 51/92] bpf: Fix overloading of MEM_UNINITs meaning Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 52/92] USB: serial: option: add MeiG Smart SRM815 Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 53/92] USB: serial: option: add Neoway N723-EA support Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 54/92] staging: iio: ad9834: Correct phase range check Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 55/92] staging: iio: ad9832: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 56/92] usb-storage: Add max sectors quirk for Nokia 208 Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 57/92] USB: serial: cp210x: add Phoenix Contact UPS Device Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 58/92] usb: dwc3: gadget: fix writing NYET threshold Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 59/92] topology: Keep the cpumask unchanged when printing cpumap Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 60/92] misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 61/92] misc: microchip: pci1xxxx: Resolve return code mismatch during GPIO set config Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 62/92] usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 63/92] usb: dwc3-am62: Disable autosuspend during remove Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 64/92] USB: usblp: return error when setting unsupported protocol Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 65/92] USB: core: Disable LPM only for non-suspended ports Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 66/92] usb: fix reference leak in usb_new_device() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 67/92] usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints Greg Kroah-Hartman
2025-01-15 10:37 ` Greg Kroah-Hartman [this message]
2025-01-15 10:37 ` [PATCH 6.1 69/92] iio: pressure: zpa2326: fix information leak in triggered buffer Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 70/92] iio: dummy: iio_simply_dummy_buffer: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 71/92] iio: light: vcnl4035: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 72/92] iio: imu: kmx61: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 73/92] iio: adc: ti-ads8688: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 74/92] iio: gyro: fxas21002c: Fix missing data update in trigger handler Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 75/92] iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 76/92] iio: adc: at91: call input_free_device() on allocated iio_dev Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 77/92] iio: inkern: call iio_device_put() only on mapped devices Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 78/92] iio: adc: ad7124: Disable all channels at probe time Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 79/92] io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 80/92] ARM: dts: imxrt1050: Fix clocks for mmc Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 81/92] block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 82/92] arm64: dts: rockchip: add hevc power domain clock to rk3328 Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 83/92] of: unittest: Add bus address range parsing tests Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 84/92] of/address: Add support for 3 address cell bus Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 85/92] of: address: Fix address translation when address-size is greater than 2 Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 86/92] of: address: Remove duplicated functions Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 87/92] of: address: Store number of bus flag cells rather than bool Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 88/92] of: address: Preserve the flags portion on 1:1 dma-ranges mapping Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 89/92] ocfs2: correct return value of ocfs2_local_free_info() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 90/92] ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 91/92] drm: bridge: adv7511: use dev_err_probe in probe function Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 92/92] drm: adv7511: Fix use-after-free in adv7533_attach_dsi() Greg Kroah-Hartman
2025-01-15 12:50 ` [PATCH 6.1 00/92] 6.1.125-rc1 review Pavel Machek
2025-01-15 13:57   ` Pavel Machek
     [not found]     ` <2025011725-underdog-heftiness-49df@gregkh>
2025-01-17 21:16       ` 6.1.125 build fail was -- " Pavel Machek
2025-01-18  6:37         ` Ron Economos
2025-01-18  7:20           ` Greg Kroah-Hartman
2025-01-18 12:27             ` Ron Economos
2025-01-15 14:09   ` Ron Economos
2025-01-15 15:07     ` Greg Kroah-Hartman
2025-01-15 13:15 ` Mark Brown
2025-01-15 14:13 ` Jon Hunter
2025-01-15 22:14 ` Florian Fainelli
2025-01-15 22:32 ` Shuah Khan
2025-01-16 10:48 ` Naresh Kamboju
2025-01-16 13:59 ` Peter Schneider
2025-01-17  2:25 ` [PATCH 6.1] " Hardik Garg
2025-01-18 15:05 ` [PATCH 6.1 00/92] " Guenter Roeck
2025-01-18 15:34   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250115103550.265653931@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=akash.m5@samsung.com \
    --cc=patches@lists.linux.dev \
    --cc=stable@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox