1. 03 May, 2019 3 commits
    • Alan Stern's avatar
      USB: dummy-hcd: Fix failure to give back unlinked URBs · 50896c41
      Alan Stern authored
      The syzkaller USB fuzzer identified a failure mode in which dummy-hcd
      would never give back an unlinked URB.  This causes usb_kill_urb() to
      hang, leading to WARNINGs and unkillable threads.
      
      In dummy-hcd, all URBs are given back by the dummy_timer() routine as
      it scans through the list of pending URBS.  Failure to give back URBs
      can be caused by failure to start or early exit from the scanning
      loop.  The code currently has two such pathways: One is triggered when
      an unsupported bus transfer speed is encountered, and the other by
      exhausting the simulated bandwidth for USB transfers during a frame.
      
      This patch removes those two paths, thereby allowing all unlinked URBs
      to be given back in a timely manner.  It adds a check for the bus
      speed when the gadget first starts running, so that dummy_timer() will
      never thereafter encounter an unsupported speed.  And it prevents the
      loop from exiting as soon as the total bandwidth has been used up (the
      scanning loop continues, giving back unlinked URBs as they are found,
      but not transferring any more data).
      
      Thanks to Andrey Konovalov for manually running the syzkaller fuzzer
      to help track down the source of the bug.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: syzbot+d919b0f29d7b5a4994b9@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      50896c41
    • Marc Gonzalez's avatar
      usb: dwc3: Allow building USB_DWC3_QCOM without EXTCON · 67130830
      Marc Gonzalez authored
      Keep EXTCON support optional, as some platforms do not need it.
      
      Do the same for USB_DWC3_OMAP while we're at it.
      
      Fixes: 3def4031 ("usb: dwc3: add EXTCON dependency for qcom")
      Signed-off-by: default avatarMarc Gonzalez <marc.w.gonzalez@free.fr>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      67130830
    • Fei Yang's avatar
      usb: gadget: f_fs: don't free buffer prematurely · 73103c7f
      Fei Yang authored
      The following kernel panic happens due to the io_data buffer gets deallocated
      before the async io is completed. Add a check for the case where io_data buffer
      should be deallocated by ffs_user_copy_worker.
      
      [   41.663334] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
      [   41.672099] #PF error: [normal kernel read fault]
      [   41.677356] PGD 20c974067 P4D 20c974067 PUD 20c973067 PMD 0
      [   41.683687] Oops: 0000 [#1] PREEMPT SMP
      [   41.687976] CPU: 1 PID: 7 Comm: kworker/u8:0 Tainted: G     U            5.0.0-quilt-2e5dc0ac-00790-gd8c79f2-dirty #2
      [   41.705309] Workqueue: adb ffs_user_copy_worker
      [   41.705316] RIP: 0010:__vunmap+0x2a/0xc0
      [   41.705318] Code: 0f 1f 44 00 00 48 85 ff 0f 84 87 00 00 00 55 f7 c7 ff 0f 00 00 48 89 e5 41 55 41 89 f5 41 54 53 48 89 fb 75 71 e8 56 d7 ff ff <4c> 8b 60 48 4d 85 e4 74 76 48 89 df e8 25 ff ff ff 45 85 ed 74 46
      [   41.705320] RSP: 0018:ffffbc3a40053df0 EFLAGS: 00010286
      [   41.705322] RAX: 0000000000000000 RBX: ffffbc3a406f1000 RCX: 0000000000000000
      [   41.705323] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff
      [   41.705324] RBP: ffffbc3a40053e08 R08: 000000000001fb79 R09: 0000000000000037
      [   41.705325] R10: ffffbc3a40053b68 R11: ffffbc3a40053cad R12: fffffffffffffff2
      [   41.705326] R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffffffffff
      [   41.705328] FS:  0000000000000000(0000) GS:ffff9e2977a80000(0000) knlGS:0000000000000000
      [   41.705329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   41.705330] CR2: 0000000000000048 CR3: 000000020c994000 CR4: 00000000003406e0
      [   41.705331] Call Trace:
      [   41.705338]  vfree+0x50/0xb0
      [   41.705341]  ffs_user_copy_worker+0xe9/0x1c0
      [   41.705344]  process_one_work+0x19f/0x3e0
      [   41.705348]  worker_thread+0x3f/0x3b0
      [   41.829766]  kthread+0x12b/0x150
      [   41.833371]  ? process_one_work+0x3e0/0x3e0
      [   41.838045]  ? kthread_create_worker_on_cpu+0x70/0x70
      [   41.843695]  ret_from_fork+0x3a/0x50
      [   41.847689] Modules linked in: hci_uart bluetooth ecdh_generic rfkill_gpio dwc3_pci dwc3 snd_usb_audio mei_me tpm_crb snd_usbmidi_lib xhci_pci xhci_hcd mei tpm snd_hwdep cfg80211 snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_hda_core videobuf2_dma_sg crlmodule
      [   41.876880] CR2: 0000000000000048
      [   41.880584] ---[ end trace 2bc4addff0f2e673 ]---
      [   41.891346] RIP: 0010:__vunmap+0x2a/0xc0
      [   41.895734] Code: 0f 1f 44 00 00 48 85 ff 0f 84 87 00 00 00 55 f7 c7 ff 0f 00 00 48 89 e5 41 55 41 89 f5 41 54 53 48 89 fb 75 71 e8 56 d7 ff ff <4c> 8b 60 48 4d 85 e4 74 76 48 89 df e8 25 ff ff ff 45 85 ed 74 46
      [   41.916740] RSP: 0018:ffffbc3a40053df0 EFLAGS: 00010286
      [   41.922583] RAX: 0000000000000000 RBX: ffffbc3a406f1000 RCX: 0000000000000000
      [   41.930563] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff
      [   41.938540] RBP: ffffbc3a40053e08 R08: 000000000001fb79 R09: 0000000000000037
      [   41.946520] R10: ffffbc3a40053b68 R11: ffffbc3a40053cad R12: fffffffffffffff2
      [   41.954502] R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffffffffff
      [   41.962482] FS:  0000000000000000(0000) GS:ffff9e2977a80000(0000) knlGS:0000000000000000
      [   41.971536] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   41.977960] CR2: 0000000000000048 CR3: 000000020c994000 CR4: 00000000003406e0
      [   41.985930] Kernel panic - not syncing: Fatal exception
      [   41.991817] Kernel Offset: 0x16000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      [   42.009525] Rebooting in 10 seconds..
      [   52.014376] ACPI MEMORY or I/O RESET_REG.
      
      Fixes: 772a7a72 ("usb: gadget: f_fs: Allow scatter-gather buffers")
      Signed-off-by: default avatarFei Yang <fei.yang@intel.com>
      Reviewed-by: default avatarManu Gautam <mgautam@codeaurora.org>
      Tested-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      73103c7f
  2. 21 Apr, 2019 1 commit
  3. 20 Apr, 2019 11 commits
  4. 19 Apr, 2019 25 commits