From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Vincent Pelletier <plr.vincent@gmail.com>
Subject: [PATCH 5.15 59/73] usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
Date: Mon,  3 Jan 2022 15:24:20 +0100
Message-ID: <20220103142058.828856413@linuxfoundation.org>
In-Reply-To: <20220103142056.911344037@linuxfoundation.org>

From: Vincent Pelletier <plr.vincent@gmail.com>

commit b1e0887379422975f237d43d8839b751a6bcf154 upstream.

ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
ffs_ep0_release, so it ends up being called twice when userland closes ep0
and then unmounts f_fs.
If userland provided an eventfd along with function's USB descriptors, it
ends up calling eventfd_ctx_put as many times, causing a refcount
underflow.
NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.

Also, set epfiles to NULL right after de-allocating it, for readability.

For completeness, ffs_data_clear actually ends up being called thrice, the
last call being before the whole ffs structure gets freed, so when this
specific sequence happens there is a second underflow happening (but not
being reported):

/sys/kernel/debug/tracing# modprobe usb_f_fs
/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
/sys/kernel/debug/tracing# echo function > current_tracer
/sys/kernel/debug/tracing# echo 1 > tracing_on
(setup gadget, run and kill function userland process, teardown gadget)
/sys/kernel/debug/tracing# echo 0 > tracing_on
/sys/kernel/debug/tracing# cat trace
 smartcard-openp-436     [000] .....  1946.208786: ffs_data_clear <-ffs_data_closed
 smartcard-openp-431     [000] .....  1946.279147: ffs_data_clear <-ffs_data_closed
 smartcard-openp-431     [000] .n...  1946.905512: ffs_data_clear <-ffs_data_put

Warning output corresponding to the above trace:
[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
[ 1946.293094] refcount_t: underflow; use-after-free.
[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G         C OE     5.15.0-1-rpi #1  Debian 5.15.3-1
[ 1946.417950] Hardware name: BCM2835
[ 1946.425442] Backtrace:
[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
[ 1946.448226]  r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
[ 1946.482067]  r5:c04a948c r4:c0a71dc8
[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
[ 1946.506758]  r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
[ 1946.535309]  r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
[ 1946.582664]  r5:c3b84c00 r4:c2695b00
[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
[ 1946.609608]  r5:bf54d014 r4:c2695b00
[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
[ 1946.636217]  r7:c0dfcb84 r6:c3a12260 r5:bf54d014 r4:c229f000
[ 1946.646273] [<bf547d74>] (ffs_fs_kill_sb [usb_f_fs]) from [<c0326d50>] (deactivate_locked_super+0x54/0x9c)
[ 1946.664893]  r5:bf54d014 r4:c229f000
[ 1946.672921] [<c0326cfc>] (deactivate_locked_super) from [<c0326df8>] (deactivate_super+0x60/0x64)
[ 1946.690722]  r5:c2a09000 r4:c229f000
[ 1946.698706] [<c0326d98>] (deactivate_super) from [<c0349a28>] (cleanup_mnt+0xe4/0x14c)
[ 1946.715553]  r5:c2a09000 r4:00000000
[ 1946.723528] [<c0349944>] (cleanup_mnt) from [<c0349b08>] (__cleanup_mnt+0x1c/0x20)
[ 1946.739922]  r7:c0dfcb84 r6:c3a12260 r5:c3a126fc r4:00000000
[ 1946.750088] [<c0349aec>] (__cleanup_mnt) from [<c0143d10>] (task_work_run+0x84/0xb8)
[ 1946.766602] [<c0143c8c>] (task_work_run) from [<c010bdc8>] (do_work_pending+0x470/0x56c)
[ 1946.783540]  r7:5ac3c35a r6:c0d0424c r5:c200bfb0 r4:c200a000
[ 1946.793614] [<c010b958>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
[ 1946.810553] Exception stack(0xc200bfb0 to 0xc200bff8)
[ 1946.820129] bfa0:                                     00000000 00000000 000000aa b5e21430
[ 1946.837104] bfc0: bef867a0 00000001 bef86840 00000034 bef86838 bef86790 bef86794 bef867a0
[ 1946.854125] bfe0: 00000000 bef86798 b67b7a1c b6d626a4 60000010 b5a23760
[ 1946.865335]  r10:00000000 r9:c200a000 r8:c0100224 r7:00000034 r6:bef86840 r5:00000001
[ 1946.881914]  r4:bef867a0
[ 1946.888793] ---[ end trace 7387f2a9725b28d0 ]---

Fixes: 5e33f6fdf735 ("usb: gadget: ffs: add eventfd notification about ffs events")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Link: https://lore.kernel.org/r/f79eeea29f3f98de6782a064ec0f7351ad2f598f.1639793920.git.plr.vincent@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_fs.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1773,11 +1773,15 @@ static void ffs_data_clear(struct ffs_da
 
 	BUG_ON(ffs->gadget);
 
-	if (ffs->epfiles)
+	if (ffs->epfiles) {
 		ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
+		ffs->epfiles = NULL;
+	}
 
-	if (ffs->ffs_eventfd)
+	if (ffs->ffs_eventfd) {
 		eventfd_ctx_put(ffs->ffs_eventfd);
+		ffs->ffs_eventfd = NULL;
+	}
 
 	kfree(ffs->raw_descs_data);
 	kfree(ffs->raw_strings);
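Review bot: the NULL test followed by eventfd_ctx_put() on ffs->ffs_eventfd is still unserialized in this hunk; storing NULL afterwards makes sequential repeat calls harmless (the second and third ffs_data_clear() in the trace), but the two ffs_data_closed() callers in that trace are different tasks (PIDs 436 and 431), so if nothing serializes them both can observe a non-NULL pointer before either stores NULL and the double put remains possible. If the callers are not already serialized by a lock, take the pointer out of the structure before dropping it, e.g. `ctx = xchg(&ffs->ffs_eventfd, NULL); if (ctx) eventfd_ctx_put(ctx);`, and do the same for ffs->epfiles; otherwise a one-line comment naming the lock that serializes ffs_data_clear() callers would settle the question for the next reader.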
@@ -1790,7 +1794,6 @@ static void ffs_data_reset(struct ffs_da
 
 	ffs_data_clear(ffs);
 
-	ffs->epfiles = NULL;
 	ffs->raw_descs_data = NULL;
 	ffs->raw_descs = NULL;
 	ffs->raw_strings = NULL;
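Review bot: this hunk leaves ffs_data_clear() only half idempotent: epfiles and ffs_eventfd are now cleared where they are released, but raw_descs_data and raw_strings are still kfree()d in ffs_data_clear() and set to NULL only here in ffs_data_reset(). The ftrace output shows ffs_data_clear() is also reached directly from ffs_data_put(), which does not pass through ffs_data_reset(), so those two kfree() calls stay safe only as long as every earlier call went through this function first. Move `ffs->raw_descs_data = NULL;` and `ffs->raw_strings = NULL;` next to their kfree() calls in ffs_data_clear(), as this patch already does for the other two fields, and drop them here.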



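The teardown sequence from the commit message, replayed as an added C example (this is not kernel code and not part of the patch): it models eventfd_ctx_put() over a counter that saturates and warns the way lib/refcount.c does, then runs the three ffs_data_clear() calls seen in the ftrace output against the pre-patch function, the patched one, and a take-then-put variant. The names ffs_data_clear_buggy, ffs_data_clear_fixed, ffs_data_clear_swap, run_teardown, demo_ctx and the underflow and free counters are this example's own; the real eventfd context, ffs_data and epfiles handling are reduced to what the refcount argument needs.

```c
/* Added example (not kernel code): models the double eventfd_ctx_put()
 * described in the commit message against a refcount that saturates the
 * way lib/refcount.c does, and compares the pre-patch ffs_data_clear()
 * with the patched one.  Every name below except eventfd_ctx_put and
 * refcount_dec_and_test is this example's own invention. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* lib/refcount.c pins an underflowed counter at this value so the object
 * leaks instead of being freed a second time; the WARN fires only once. */
#define REFCOUNT_SATURATED (INT_MIN / 2)

struct refcount { int refs; };

static int  underflow_count;     /* every underflow, reported or not */
static bool underflow_reported;  /* WARN_ONCE: only the first is printed */

static bool refcount_dec_and_test(struct refcount *r)
{
	int old = r->refs;

	r->refs = old - 1;
	if (old == 1)
		return true;              /* last reference: caller frees */
	if (old <= 0) {                   /* old < 0 || old - 1 < 0 in the kernel */
		underflow_count++;
		if (!underflow_reported) {
			underflow_reported = true;
			printf("WARNING: refcount_t: underflow; use-after-free.\n");
		}
		r->refs = REFCOUNT_SATURATED;
	}
	return false;
}

struct eventfd_ctx {
	struct refcount kref;
	bool freed;        /* stands in for kfree(); memory is kept so it can be inspected */
};

static int ctx_frees;

static void eventfd_ctx_put(struct eventfd_ctx *ctx)
{
	if (refcount_dec_and_test(&ctx->kref)) {
		ctx->freed = true;
		ctx_frees++;
	}
}

struct ffs_data {
	struct eventfd_ctx *ffs_eventfd;
};

/* Pre-patch: the pointer is left dangling, so every later call puts the
 * same context again (in the kernel the second put touches freed memory). */
static void ffs_data_clear_buggy(struct ffs_data *ffs)
{
	if (ffs->ffs_eventfd)
		eventfd_ctx_put(ffs->ffs_eventfd);
}

/* Patched: put once, then NULL the field so repeated calls are no-ops. */
static void ffs_data_clear_fixed(struct ffs_data *ffs)
{
	if (ffs->ffs_eventfd) {
		eventfd_ctx_put(ffs->ffs_eventfd);
		ffs->ffs_eventfd = NULL;
	}
}

/* Variant: take the pointer out of the structure first, then put it.  In
 * the kernel this would be xchg(&ffs->ffs_eventfd, NULL), which also closes
 * the window between the NULL test and the put for an unserialized second
 * caller; the plain assignment here only shows the ordering. */
static void ffs_data_clear_swap(struct ffs_data *ffs)
{
	struct eventfd_ctx *ctx = ffs->ffs_eventfd;

	ffs->ffs_eventfd = NULL;
	if (ctx)
		eventfd_ctx_put(ctx);
}

static struct eventfd_ctx demo_ctx;

/* Replays the three ffs_data_clear() calls from the ftrace output
 * (ffs_data_closed, ffs_data_closed, ffs_data_put) against one eventfd
 * holding the single reference taken when userland supplied it.
 * Returns how many refcount underflows the sequence produced. */
static int run_teardown(void (*clear)(struct ffs_data *))
{
	struct ffs_data ffs = { .ffs_eventfd = &demo_ctx };

	demo_ctx.kref.refs = 1;
	demo_ctx.freed = false;
	underflow_count = 0;
	underflow_reported = false;
	ctx_frees = 0;

	for (int call = 0; call < 3; call++)
		clear(&ffs);
	return underflow_count;
}

int main(void)
{
	int u;

	u = run_teardown(ffs_data_clear_buggy);
	printf("buggy: %d underflow(s), %d free(s)\n", u, ctx_frees);
	u = run_teardown(ffs_data_clear_fixed);
	printf("fixed: %d underflow(s), %d free(s)\n", u, ctx_frees);
	u = run_teardown(ffs_data_clear_swap);
	printf("swap:  %d underflow(s), %d free(s)\n", u, ctx_frees);
	return 0;
}
```

Built with any C99 compiler, the program prints one underflow warning for the buggy variant (the third call underflows again but, like WARN_ONCE, is counted without being printed, matching the "second underflow ... not being reported" remark in the commit message) and none for the other two. The context is freed exactly once in every case: saturating the counter is what turns the kernel's double put into a reported leak rather than a second kfree().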
Thread context: this is patch 59/73 of the [PATCH 5.15 00/73] 5.15.13-rc1 review series posted by Greg Kroah-Hartman on 2022-01-03; the cover letter received replies from Guenter Roeck, Naresh Kamboju, Rudi Heitbaum and Jon Hunter on 2022-01-04.
