github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 14:42:37 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
ad02fb6a6c
linux/drivers/usb
History
John Stultz ad02fb6a6c usb: f_fs: Avoid crash due to out-of-scope stack ptr access 
[ Upstream commit 54f64d5c98 ]

Since the 5.0 merge window opened, I've been seeing frequent
crashes on suspend and reboot with the trace:

[   36.911170] Unable to handle kernel paging request at virtual address ffffff801153d660
[   36.912769] Unable to handle kernel paging request at virtual address ffffff800004b564
...
[   36.950666] Call trace:
[   36.950670]  queued_spin_lock_slowpath+0x1cc/0x2c8
[   36.950681]  _raw_spin_lock_irqsave+0x64/0x78
[   36.950692]  complete+0x28/0x70
[   36.950703]  ffs_epfile_io_complete+0x3c/0x50
[   36.950713]  usb_gadget_giveback_request+0x34/0x108
[   36.950721]  dwc3_gadget_giveback+0x50/0x68
[   36.950723]  dwc3_thread_interrupt+0x358/0x1488
[   36.950731]  irq_thread_fn+0x30/0x88
[   36.950734]  irq_thread+0x114/0x1b0
[   36.950739]  kthread+0x104/0x130
[   36.950747]  ret_from_fork+0x10/0x1c

I isolated this down to in ffs_epfile_io():
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/usb/gadget/function/f_fs.c#n1065

Where the completion done is setup on the stack:
  DECLARE_COMPLETION_ONSTACK(done);

Then later we setup a request and queue it, and wait for it:
  if (unlikely(wait_for_completion_interruptible(&done))) {
    /*
    * To avoid race condition with ffs_epfile_io_complete,
    * dequeue the request first then check
    * status. usb_ep_dequeue API should guarantee no race
    * condition with req->complete callback.
    */
    usb_ep_dequeue(ep->ep, req);
    interrupted = ep->status < 0;
  }

The problem is, that we end up being interrupted, dequeue the
request, and exit.

But then the irq triggers and we try calling complete() on the
context pointer which points to now random stack space, which
results in the panic.

Alan Stern pointed out there is a bug here, in that the snippet
above "assumes that usb_ep_dequeue() waits until the request has
been completed." And that:

    wait_for_completion(&done);

Is needed right after the usb_ep_dequeue().

Thus this patch implements that change. With it I no longer see
the crashes on suspend or reboot.

This issue seems to have been uncovered by behavioral changes in
the dwc3 driver in commit fec9095bde ("usb: dwc3: gadget:
remove wait_end_transfer").

Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Zeng Tao <prime.zeng@hisilicon.com>
Cc: Jack Pham <jackp@codeaurora.org>
Cc: Thinh Nguyen <thinh.nguyen@synopsys.com>
Cc: Chen Yu <chenyu56@huawei.com>
Cc: Jerry Zhang <zhangjerry@google.com>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Vincent Pelletier <plr.vincent@gmail.com>
Cc: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Linux USB List <linux-usb@vger.kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-04-05 22:33:08 +02:00
..
atm USB: atm: fix up some remaining DEVICE_ATTR() usage 2018-01-24 08:49:52 +01:00
c67x00
chipidea usb: chipidea: Grab the (legacy) USB PHY by phandle first 2019-04-05 22:33:01 +02:00
class usb: cdc-acm: fix race during wakeup blocking TX traffic 2019-04-03 06:26:28 +02:00
common usb: common: Consider only available nodes for dr_mode 2019-04-03 06:26:27 +02:00
core usb: hub: delay hub autosuspend if USB3 port is still link training 2019-02-12 19:47:05 +01:00
dwc2 usb: dwc2: Disable power down feature on Samsung SoCs 2019-02-12 19:47:05 +01:00
dwc3 usb: dwc3: gadget: Fix the uninitialized link_state when udc starts 2019-03-05 17:58:46 +01:00
early usb: early: Correct the endpoint type value for bulk in endpoint 2017-12-07 16:03:15 +01:00
gadget usb: f_fs: Avoid crash due to out-of-scope stack ptr access 2019-04-05 22:33:08 +02:00
host xhci: Don't let USB3 ports stuck in polling state prevent suspend 2019-04-03 06:26:28 +02:00
image
isp1760 usb: isp1760: remove redundant variable 'selector' 2018-07-13 15:41:56 +02:00
misc usb: appledisplay: Add 27" Apple Cinema Display 2018-12-13 09:16:15 +01:00
mon USB: mon: use ktime_get_real_ts64 instead of getnstimeofday64 2018-06-25 21:58:26 +08:00
mtu3 usb: mtu3: fix EXTCON dependency 2019-04-03 06:26:27 +02:00
musb usb: gadget: musb: fix short isoc packets with inventra dma 2019-02-12 19:47:25 +01:00
phy usb: phy: fix link errors 2019-03-13 14:02:34 -07:00
renesas_usbhs usb: renesas_usbhs: add support for RZ/G2E 2019-02-12 19:47:10 +01:00
roles usb: roles: Add a description for the class to Kconfig 2019-01-09 17:38:40 +01:00
serial USB: serial: option: add Olicard 600 2019-04-03 06:26:26 +02:00
storage USB: storage: add quirk for SMI SM3350 2019-01-16 22:04:32 +01:00
typec usb: typec: class: Don't use port parent for getting mux handles 2019-04-03 06:26:30 +02:00
usbip usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten 2018-11-13 11:08:41 -08:00
wusbcore usb: wusbcore: security: cast sizeof to int for comparison 2018-07-02 18:08:19 +02:00
Kconfig usb: roles: Add a description for the class to Kconfig 2019-01-09 17:38:40 +01:00
Makefile usb: roles: Add Intel xHCI USB role switch driver 2018-03-22 13:49:27 +01:00
README
usb-skeleton.c usb: usb-skeleton: use irqsave() in USB's complete callback 2018-06-28 19:36:06 +09:00

README 

To understand all the Linux-USB framework, you'll use these resources:

    * This source code.  This is necessarily an evolving work, and
      includes kerneldoc that should help you get a current overview.
      ("make pdfdocs", and then look at "usb.pdf" for host side and
      "gadget.pdf" for peripheral side.)  Also, Documentation/usb has
      more information.

    * The USB 2.0 specification (from www.usb.org), with supplements
      such as those for USB OTG and the various device classes.
      The USB specification has a good overview chapter, and USB
      peripherals conform to the widely known "Chapter 9".

    * Chip specifications for USB controllers.  Examples include
      host controllers (on PCs, servers, and more); peripheral
      controllers (in devices with Linux firmware, like printers or
      cell phones); and hard-wired peripherals like Ethernet adapters.

    * Specifications for other protocols implemented by USB peripheral
      functions.  Some are vendor-specific; others are vendor-neutral
      but just standardized outside of the www.usb.org team.

Here is a list of what each subdirectory here is, and what is contained in
them.

core/		- This is for the core USB host code, including the
		  usbfs files and the hub class driver ("hub_wq").

host/		- This is for USB host controller drivers.  This
		  includes UHCI, OHCI, EHCI, and others that might
		  be used with more specialized "embedded" systems.

gadget/		- This is for USB peripheral controller drivers and
		  the various gadget drivers which talk to them.


Individual USB driver directories.  A new driver should be added to the
first subdirectory in the list below that it fits into.

image/		- This is for still image drivers, like scanners or
		  digital cameras.
../input/	- This is for any driver that uses the input subsystem,
		  like keyboard, mice, touchscreens, tablets, etc.
../media/	- This is for multimedia drivers, like video cameras,
		  radios, and any other drivers that talk to the v4l
		  subsystem.
../net/		- This is for network drivers.
serial/		- This is for USB to serial drivers.
storage/	- This is for USB mass-storage drivers.
class/		- This is for all USB device drivers that do not fit
		  into any of the above categories, and work for a range
		  of USB Class specified devices. 
misc/		- This is for all USB device drivers that do not fit
		  into any of the above categories.