2020-08-26 13:45:24

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [GIT PULL] USB fixes for 5.9-rc3

The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:

Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)

are available in the Git repository at:

git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3

for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:

usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)

----------------------------------------------------------------
USB fixes for 5.9-rc3

Here are a small set of USB fixes for 5.9-rc3.

Like most set of USB bugfixes, they include the usual:
- usb gadget driver fixes
- xhci driver fixes
- typec fixes
- new qurks and ids
- fixes for USB patches merged in 5.9-rc1

Nothing huge, all of these have been in linux-next with no reported
issues:

Signed-off-by: Greg Kroah-Hartman <[email protected]>

----------------------------------------------------------------
Alan Stern (1):
USB: yurex: Fix bad gfp argument

Andy Shevchenko (1):
usb: hcd: Fix use after free in usb_hcd_pci_remove()

Badhri Jagan Sridharan (1):
usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures

Bastien Nocera (2):
USB: Also match device drivers using the ->match vfunc
USB: Fix device driver race

Brooke Basile (2):
USB: gadget: u_f: add overflow checks to VLA macros
USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()

Christophe JAILLET (1):
usb: gadget: f_tcm: Fix some resource leaks in some error paths

Ding Hui (1):
xhci: Always restore EP_SOFT_CLEAR_TOGGLE even if ep reset failed

Evgeny Novikov (1):
USB: lvtest: return proper error code in probe

Greg Kroah-Hartman (1):
Merge tag 'fixes-for-v5.9-rc2' of git://git.kernel.org/.../balbi/usb into usb-linus

Hans de Goede (4):
usb: typec: ucsi: Fix AB BA lock inversion
usb: typec: ucsi: Fix 2 unlocked ucsi_run_command calls
usb: typec: ucsi: Rework ppm_lock handling
usb: typec: ucsi: Hold con->lock for the entire duration of ucsi_register_port()

Heikki Krogerus (1):
tools: usb: move to tools buildsystem

JC Kuo (2):
usb: host: xhci-tegra: otg usb2/usb3 port init
usb: host: xhci-tegra: fix tegra_xusb_get_phy()

Kai-Heng Feng (2):
USB: quirks: Add no-lpm quirk for another Raydium touchscreen
xhci: Do warm-reset when both CAS and XDEV_RESUME are set

Li Jun (1):
usb: host: xhci: fix ep context print mismatch in debugfs

M. Vefa Bicakci (1):
usbip: Implement a match function to fix usbip

Thinh Nguyen (4):
usb: dwc3: gadget: Don't setup more than requested
usb: dwc3: gadget: Fix handling ZLP
usb: dwc3: gadget: Handle ZLP for sg requests
usb: uas: Add quirk for PNY Pro Elite

Tom Rix (1):
USB: cdc-acm: rework notification_buffer resizing

Vinod Koul (1):
usb: renesas-xhci: remove version check

周琰杰 (Zhou Yanjie) (1):
USB: PHY: JZ4770: Fix static checker warning.

drivers/usb/class/cdc-acm.c | 22 ++++---
drivers/usb/core/driver.c | 40 ++++++++++++-
drivers/usb/core/generic.c | 5 +-
drivers/usb/core/hcd-pci.c | 5 +-
drivers/usb/core/quirks.c | 2 +
drivers/usb/dwc3/gadget.c | 107 +++++++++++++++++++++++++++++------
drivers/usb/gadget/function/f_ncm.c | 81 ++++++++++++++++++++++----
drivers/usb/gadget/function/f_tcm.c | 7 ++-
drivers/usb/gadget/u_f.h | 38 +++++++++----
drivers/usb/host/xhci-debugfs.c | 8 +--
drivers/usb/host/xhci-hub.c | 19 ++++---
drivers/usb/host/xhci-pci-renesas.c | 19 +------
drivers/usb/host/xhci-tegra.c | 4 +-
drivers/usb/host/xhci.c | 3 +-
drivers/usb/misc/lvstest.c | 2 +-
drivers/usb/misc/yurex.c | 2 +-
drivers/usb/phy/phy-jz4770.c | 1 +
drivers/usb/storage/unusual_uas.h | 7 +++
drivers/usb/typec/tcpm/tcpm.c | 28 ++++++++-
drivers/usb/typec/ucsi/displayport.c | 9 +--
drivers/usb/typec/ucsi/ucsi.c | 103 +++++++++++++++++----------------
drivers/usb/usbip/stub_dev.c | 6 ++
tools/usb/Build | 2 +
tools/usb/Makefile | 53 ++++++++++++++---
24 files changed, 408 insertions(+), 165 deletions(-)
create mode 100644 tools/usb/Build


2020-08-26 15:06:01

by Marek Szyprowski

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

Hi Greg,

On 26.08.2020 15:43, Greg KH wrote:
> The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
>
> Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
>
> are available in the Git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3
>
> for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:
>
> usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)
>
> ----------------------------------------------------------------
> USB fixes for 5.9-rc3
>
> Here are a small set of USB fixes for 5.9-rc3.
>
> Like most set of USB bugfixes, they include the usual:
> - usb gadget driver fixes
> - xhci driver fixes
> - typec fixes
> - new qurks and ids
> - fixes for USB patches merged in 5.9-rc1
>
> Nothing huge, all of these have been in linux-next with no reported
> issues:
>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>
> ----------------------------------------------------------------
> Alan Stern (1):
> USB: yurex: Fix bad gfp argument
>
> Andy Shevchenko (1):
> usb: hcd: Fix use after free in usb_hcd_pci_remove()
>
> Badhri Jagan Sridharan (1):
> usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures
>
> Bastien Nocera (2):
> USB: Also match device drivers using the ->match vfunc
> USB: Fix device driver race
>
> Brooke Basile (2):
> USB: gadget: u_f: add overflow checks to VLA macros

Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
didn't get the proper testing in linux-next (next-20200826 is the first
one with this patch).

This is how it explodes on Samsung Exynos (ARM 32bit) based board with
g_ether module loaded:

------------[ cut here ]------------
kernel BUG at mm/slub.c:4116!
Internal error: Oops - BUG: 0 [#1] SMP ARM
Modules linked in: usb_f_ecm g_ether(+) usb_f_rndis u_ether libcomposite
panel_samsung_s6e8aa0 s5p_csis s5p_fimc exynos4_is_common v4l2_fwnode
max8997_regulator rtc_max8997 leds_max8997 max8
emless mms114 governor_simpleondemand s5p_mfc lima gpu_sched s5p_jpeg
v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2
videobuf2_common phy_exynos_usb2 exynosdrm analogix_dp
 s3c2410_wdt
CPU: 0 PID: 616 Comm: modprobe Not tainted 5.9.0-rc1-00026-gb1cd1b65afba
#9023
Hardware name: Samsung Exynos (Flattened Device Tree)
PC is at kfree+0x234/0x268
LR is at config_item_set_name+0x60/0xb0
...
Process modprobe (pid: 616, stack limit = 0x(ptrval))
...
[<c0494248>] (kfree) from [<c05347a0>] (config_item_set_name+0x60/0xb0)
[<c05347a0>] (config_item_set_name) from [<c0534844>]
(config_group_init_type_name+0x1c/0x50)
[<c0534844>] (config_group_init_type_name) from [<bf14bc18>]
(usb_os_desc_prepare_interf_dir+0x54/0x124 [libcomposite])
[<bf14bc18>] (usb_os_desc_prepare_interf_dir [libcomposite]) from
[<bf15af9c>] (rndis_alloc_inst+0x100/0x150 [usb_f_rndis])
[<bf15af9c>] (rndis_alloc_inst [usb_f_rndis]) from [<bf1499dc>]
(try_get_usb_function_instance+0x88/0xa4 [libcomposite])
[<bf1499dc>] (try_get_usb_function_instance [libcomposite]) from
[<bf149ad8>] (usb_get_function_instance+0xc/0x44 [libcomposite])
[<bf149ad8>] (usb_get_function_instance [libcomposite]) from
[<bf114164>] (eth_bind+0xdc/0x34c [g_ether])
[<bf114164>] (eth_bind [g_ether]) from [<bf1497cc>]
(composite_bind+0x78/0x1a8 [libcomposite])
[<bf1497cc>] (composite_bind [libcomposite]) from [<c0c62a0c>]
(udc_bind_to_driver+0x60/0x108)
[<c0c62a0c>] (udc_bind_to_driver) from [<c0c62ed8>]
(usb_gadget_probe_driver+0x100/0x158)
[<c0c62ed8>] (usb_gadget_probe_driver) from [<c0301fd0>]
(do_one_initcall+0x54/0x220)
[<c0301fd0>] (do_one_initcall) from [<c03de390>] (do_init_module+0x60/0x210)
[<c03de390>] (do_init_module) from [<c03dd0d4>] (load_module+0x2078/0x24c0)
[<c03dd0d4>] (load_module) from [<c03dd758>] (sys_finit_module+0xc8/0xd8)
[<c03dd758>] (sys_finit_module) from [<c03000c0>]
(ret_fast_syscall+0x0/0x54)
Exception stack(0xedd1dfa8 to 0xedd1dff0)
...
---[ end trace 0dc21d79c1880545 ]---

I also didn't manage to find any mailing list, where this patch has been
initially posted...


> USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()
>
> Christophe JAILLET (1):
> usb: gadget: f_tcm: Fix some resource leaks in some error paths
>
> Ding Hui (1):
> xhci: Always restore EP_SOFT_CLEAR_TOGGLE even if ep reset failed
>
> Evgeny Novikov (1):
> USB: lvtest: return proper error code in probe
>
> Greg Kroah-Hartman (1):
> Merge tag 'fixes-for-v5.9-rc2' of git://git.kernel.org/.../balbi/usb into usb-linus
>
> Hans de Goede (4):
> usb: typec: ucsi: Fix AB BA lock inversion
> usb: typec: ucsi: Fix 2 unlocked ucsi_run_command calls
> usb: typec: ucsi: Rework ppm_lock handling
> usb: typec: ucsi: Hold con->lock for the entire duration of ucsi_register_port()
>
> Heikki Krogerus (1):
> tools: usb: move to tools buildsystem
>
> JC Kuo (2):
> usb: host: xhci-tegra: otg usb2/usb3 port init
> usb: host: xhci-tegra: fix tegra_xusb_get_phy()
>
> Kai-Heng Feng (2):
> USB: quirks: Add no-lpm quirk for another Raydium touchscreen
> xhci: Do warm-reset when both CAS and XDEV_RESUME are set
>
> Li Jun (1):
> usb: host: xhci: fix ep context print mismatch in debugfs
>
> M. Vefa Bicakci (1):
> usbip: Implement a match function to fix usbip
>
> Thinh Nguyen (4):
> usb: dwc3: gadget: Don't setup more than requested
> usb: dwc3: gadget: Fix handling ZLP
> usb: dwc3: gadget: Handle ZLP for sg requests
> usb: uas: Add quirk for PNY Pro Elite
>
> Tom Rix (1):
> USB: cdc-acm: rework notification_buffer resizing
>
> Vinod Koul (1):
> usb: renesas-xhci: remove version check
>
> 周琰杰 (Zhou Yanjie) (1):
> USB: PHY: JZ4770: Fix static checker warning.
>
> drivers/usb/class/cdc-acm.c | 22 ++++---
> drivers/usb/core/driver.c | 40 ++++++++++++-
> drivers/usb/core/generic.c | 5 +-
> drivers/usb/core/hcd-pci.c | 5 +-
> drivers/usb/core/quirks.c | 2 +
> drivers/usb/dwc3/gadget.c | 107 +++++++++++++++++++++++++++++------
> drivers/usb/gadget/function/f_ncm.c | 81 ++++++++++++++++++++++----
> drivers/usb/gadget/function/f_tcm.c | 7 ++-
> drivers/usb/gadget/u_f.h | 38 +++++++++----
> drivers/usb/host/xhci-debugfs.c | 8 +--
> drivers/usb/host/xhci-hub.c | 19 ++++---
> drivers/usb/host/xhci-pci-renesas.c | 19 +------
> drivers/usb/host/xhci-tegra.c | 4 +-
> drivers/usb/host/xhci.c | 3 +-
> drivers/usb/misc/lvstest.c | 2 +-
> drivers/usb/misc/yurex.c | 2 +-
> drivers/usb/phy/phy-jz4770.c | 1 +
> drivers/usb/storage/unusual_uas.h | 7 +++
> drivers/usb/typec/tcpm/tcpm.c | 28 ++++++++-
> drivers/usb/typec/ucsi/displayport.c | 9 +--
> drivers/usb/typec/ucsi/ucsi.c | 103 +++++++++++++++++----------------
> drivers/usb/usbip/stub_dev.c | 6 ++
> tools/usb/Build | 2 +
> tools/usb/Makefile | 53 ++++++++++++++---
> 24 files changed, 408 insertions(+), 165 deletions(-)
> create mode 100644 tools/usb/Build
>
>
Best regards
--
Marek Szyprowski, PhD
Samsung R&D Institute Poland

2020-08-26 15:34:34

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> Hi Greg,
>
> On 26.08.2020 15:43, Greg KH wrote:
> > The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
> >
> > Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
> >
> > are available in the Git repository at:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3
> >
> > for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:
> >
> > usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)
> >
> > ----------------------------------------------------------------
> > USB fixes for 5.9-rc3
> >
> > Here are a small set of USB fixes for 5.9-rc3.
> >
> > Like most set of USB bugfixes, they include the usual:
> > - usb gadget driver fixes
> > - xhci driver fixes
> > - typec fixes
> > - new qurks and ids
> > - fixes for USB patches merged in 5.9-rc1
> >
> > Nothing huge, all of these have been in linux-next with no reported
> > issues:
> >
> > Signed-off-by: Greg Kroah-Hartman <[email protected]>
> >
> > ----------------------------------------------------------------
> > Alan Stern (1):
> > USB: yurex: Fix bad gfp argument
> >
> > Andy Shevchenko (1):
> > usb: hcd: Fix use after free in usb_hcd_pci_remove()
> >
> > Badhri Jagan Sridharan (1):
> > usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures
> >
> > Bastien Nocera (2):
> > USB: Also match device drivers using the ->match vfunc
> > USB: Fix device driver race
> >
> > Brooke Basile (2):
> > USB: gadget: u_f: add overflow checks to VLA macros
>
> Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> didn't get the proper testing in linux-next (next-20200826 is the first
> one with this patch).
>
> This is how it explodes on Samsung Exynos (ARM 32bit) based board with
> g_ether module loaded:
>
> ------------[ cut here ]------------
> kernel BUG at mm/slub.c:4116!

Why is slub.c erroring? How is this related to freeing memory?

> Internal error: Oops - BUG: 0 [#1] SMP ARM
> Modules linked in: usb_f_ecm g_ether(+) usb_f_rndis u_ether libcomposite
> panel_samsung_s6e8aa0 s5p_csis s5p_fimc exynos4_is_common v4l2_fwnode
> max8997_regulator rtc_max8997 leds_max8997 max8
> emless mms114 governor_simpleondemand s5p_mfc lima gpu_sched s5p_jpeg
> v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2
> videobuf2_common phy_exynos_usb2 exynosdrm analogix_dp
> ?s3c2410_wdt
> CPU: 0 PID: 616 Comm: modprobe Not tainted 5.9.0-rc1-00026-gb1cd1b65afba
> #9023
> Hardware name: Samsung Exynos (Flattened Device Tree)
> PC is at kfree+0x234/0x268
> LR is at config_item_set_name+0x60/0xb0
> ...
> Process modprobe (pid: 616, stack limit = 0x(ptrval))
> ...
> [<c0494248>] (kfree) from [<c05347a0>] (config_item_set_name+0x60/0xb0)
> [<c05347a0>] (config_item_set_name) from [<c0534844>]
> (config_group_init_type_name+0x1c/0x50)

Odd, for a "normal" descriptor, the logic should have remained the same
as without this patch.

What does the descriptor definition of your device look like that it
triggers this traceback?

> [<c0534844>] (config_group_init_type_name) from [<bf14bc18>]
> (usb_os_desc_prepare_interf_dir+0x54/0x124 [libcomposite])
> [<bf14bc18>] (usb_os_desc_prepare_interf_dir [libcomposite]) from
> [<bf15af9c>] (rndis_alloc_inst+0x100/0x150 [usb_f_rndis])
> [<bf15af9c>] (rndis_alloc_inst [usb_f_rndis]) from [<bf1499dc>]
> (try_get_usb_function_instance+0x88/0xa4 [libcomposite])
> [<bf1499dc>] (try_get_usb_function_instance [libcomposite]) from
> [<bf149ad8>] (usb_get_function_instance+0xc/0x44 [libcomposite])
> [<bf149ad8>] (usb_get_function_instance [libcomposite]) from
> [<bf114164>] (eth_bind+0xdc/0x34c [g_ether])
> [<bf114164>] (eth_bind [g_ether]) from [<bf1497cc>]
> (composite_bind+0x78/0x1a8 [libcomposite])
> [<bf1497cc>] (composite_bind [libcomposite]) from [<c0c62a0c>]
> (udc_bind_to_driver+0x60/0x108)
> [<c0c62a0c>] (udc_bind_to_driver) from [<c0c62ed8>]
> (usb_gadget_probe_driver+0x100/0x158)
> [<c0c62ed8>] (usb_gadget_probe_driver) from [<c0301fd0>]
> (do_one_initcall+0x54/0x220)
> [<c0301fd0>] (do_one_initcall) from [<c03de390>] (do_init_module+0x60/0x210)
> [<c03de390>] (do_init_module) from [<c03dd0d4>] (load_module+0x2078/0x24c0)
> [<c03dd0d4>] (load_module) from [<c03dd758>] (sys_finit_module+0xc8/0xd8)
> [<c03dd758>] (sys_finit_module) from [<c03000c0>]
> (ret_fast_syscall+0x0/0x54)
> Exception stack(0xedd1dfa8 to 0xedd1dff0)
> ...
> ---[ end trace 0dc21d79c1880545 ]---

Brooke, any ideas?

thanks,

greg k-h

2020-08-26 15:54:49

by Andy Shevchenko

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

On Wed, Aug 26, 2020 at 6:36 PM Greg KH <[email protected]> wrote:
> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> > On 26.08.2020 15:43, Greg KH wrote:

> > > Brooke Basile (2):
> > > USB: gadget: u_f: add overflow checks to VLA macros
> >
> > Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> > didn't get the proper testing in linux-next (next-20200826 is the first
> > one with this patch).
> >
> > This is how it explodes on Samsung Exynos (ARM 32bit) based board with
> > g_ether module loaded:

> Odd, for a "normal" descriptor, the logic should have remained the same
> as without this patch.

> Brooke, any ideas?

I have an idea.

Does below fix this?


--
With Best Regards,
Andy Shevchenko


Attachments:
1.diff (1.07 kB)

2020-08-26 16:00:09

by Kees Cook

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

On Wed, Aug 26, 2020 at 05:33:47PM +0200, Greg KH wrote:
> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> > Hi Greg,
> >
> > On 26.08.2020 15:43, Greg KH wrote:
> > > The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
> > >
> > > Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
> > >
> > > are available in the Git repository at:
> > >
> > > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3
> > >
> > > for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:
> > >
> > > usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)
> > >
> > > ----------------------------------------------------------------
> > > USB fixes for 5.9-rc3
> > >
> > > Here are a small set of USB fixes for 5.9-rc3.
> > >
> > > Like most set of USB bugfixes, they include the usual:
> > > - usb gadget driver fixes
> > > - xhci driver fixes
> > > - typec fixes
> > > - new qurks and ids
> > > - fixes for USB patches merged in 5.9-rc1
> > >
> > > Nothing huge, all of these have been in linux-next with no reported
> > > issues:
> > >
> > > Signed-off-by: Greg Kroah-Hartman <[email protected]>
> > >
> > > ----------------------------------------------------------------
> > > Alan Stern (1):
> > > USB: yurex: Fix bad gfp argument
> > >
> > > Andy Shevchenko (1):
> > > usb: hcd: Fix use after free in usb_hcd_pci_remove()
> > >
> > > Badhri Jagan Sridharan (1):
> > > usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures
> > >
> > > Bastien Nocera (2):
> > > USB: Also match device drivers using the ->match vfunc
> > > USB: Fix device driver race
> > >
> > > Brooke Basile (2):
> > > USB: gadget: u_f: add overflow checks to VLA macros
> >
> > Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> > didn't get the proper testing in linux-next (next-20200826 is the first
> > one with this patch).
> >
> > This is how it explodes on Samsung Exynos (ARM 32bit) based board with
> > g_ether module loaded:
> >
> > ------------[ cut here ]------------
> > kernel BUG at mm/slub.c:4116!
>
> Why is slub.c erroring? How is this related to freeing memory?

I assume this is related to the size calculations in the VLA macros...
nothing _looks_ wrong with that patch, but obviously something is. :)
Hmmm

--
Kees Cook

2020-08-26 16:16:37

by Andy Shevchenko

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

On Wed, Aug 26, 2020 at 7:00 PM Kees Cook <[email protected]> wrote:
> On Wed, Aug 26, 2020 at 05:33:47PM +0200, Greg KH wrote:
> > On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> > > On 26.08.2020 15:43, Greg KH wrote:

...

> > Why is slub.c erroring? How is this related to freeing memory?
>
> I assume this is related to the size calculations in the VLA macros...
> nothing _looks_ wrong with that patch, but obviously something is. :)
> Hmmm

What about the idea I have shared above? (summary: different scope of
two offset variables, and thus outer one is always 0)


--
With Best Regards,
Andy Shevchenko

2020-08-26 16:18:18

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

On Wed, Aug 26, 2020 at 06:53:02PM +0300, Andy Shevchenko wrote:
> On Wed, Aug 26, 2020 at 6:36 PM Greg KH <[email protected]> wrote:
> > On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> > > On 26.08.2020 15:43, Greg KH wrote:
>
> > > > Brooke Basile (2):
> > > > USB: gadget: u_f: add overflow checks to VLA macros
> > >
> > > Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> > > didn't get the proper testing in linux-next (next-20200826 is the first
> > > one with this patch).
> > >
> > > This is how it explodes on Samsung Exynos (ARM 32bit) based board with
> > > g_ether module loaded:
>
> > Odd, for a "normal" descriptor, the logic should have remained the same
> > as without this patch.
>
> > Brooke, any ideas?
>
> I have an idea.
>
> Does below fix this?
>
>
> --
> With Best Regards,
> Andy Shevchenko

> diff --git a/drivers/usb/gadget/u_f.h b/drivers/usb/gadget/u_f.h
> index df4e1dcb357d..0b5c5f0dd073 100644
> --- a/drivers/usb/gadget/u_f.h
> +++ b/drivers/usb/gadget/u_f.h
> @@ -25,8 +25,8 @@
> size_t offset = 0; \
> if (groupname##__next != SIZE_MAX) { \
> size_t align_mask = __alignof__(type) - 1; \
> - size_t offset = (groupname##__next + align_mask) \
> - & ~align_mask; \
> + offset = (groupname##__next + align_mask) & \
> + ~align_mask; \
> size_t size = array_size(n, sizeof(type)); \
> if (check_add_overflow(offset, size, \
> &groupname##__next)) { \
> @@ -43,8 +43,8 @@
> size_t offset = 0; \
> if (groupname##__next != SIZE_MAX) { \
> size_t align_mask = __alignof__(type) - 1; \
> - size_t offset = (groupname##__next + align_mask) \
> - & ~align_mask; \
> + offset = (groupname##__next + align_mask) & \
> + ~align_mask; \
> if (check_add_overflow(offset, groupname##_##name##__sz,\
> &groupname##__next)) { \
> groupname##__next = SIZE_MAX; \

Oh wow, yeah, that should fix the problem, but would be good to get
confirmation...

thanks,

greg k-h

2020-08-26 16:19:08

by Marek Szyprowski

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

Hi Andy,

On 26.08.2020 17:53, Andy Shevchenko wrote:
> On Wed, Aug 26, 2020 at 6:36 PM Greg KH <[email protected]> wrote:
>> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
>>> On 26.08.2020 15:43, Greg KH wrote:
>>>
>>>> Brooke Basile (2):
>>>> USB: gadget: u_f: add overflow checks to VLA macros
>>> Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
>>> didn't get the proper testing in linux-next (next-20200826 is the first
>>> one with this patch).
>>>
>>> This is how it explodes on Samsung Exynos (ARM 32bit) based board with
>>> g_ether module loaded:
>> Odd, for a "normal" descriptor, the logic should have remained the same
>> as without this patch.
>> Brooke, any ideas?
> I have an idea.
>
> Does below fix this?

Yep, that's it. I've also moved offset assignment in the first part
after size_t size = array_size(n, sizeof(type));

Feel free to add:

Reported-by: Marek Szyprowski <[email protected]>

Tested-by: Marek Szyprowski <[email protected]>

Thanks!

Best regards
--
Marek Szyprowski, PhD
Samsung R&D Institute Poland

2020-08-26 16:22:22

by Andy Shevchenko

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

On Wed, Aug 26, 2020 at 7:17 PM Marek Szyprowski
<[email protected]> wrote:
> On 26.08.2020 17:53, Andy Shevchenko wrote:
> > On Wed, Aug 26, 2020 at 6:36 PM Greg KH <[email protected]> wrote:
> >> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> >>> On 26.08.2020 15:43, Greg KH wrote:
> >>>
> >>>> Brooke Basile (2):
> >>>> USB: gadget: u_f: add overflow checks to VLA macros
> >>> Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> >>> didn't get the proper testing in linux-next (next-20200826 is the first
> >>> one with this patch).
> >>>
> >>> This is how it explodes on Samsung Exynos (ARM 32bit) based board with
> >>> g_ether module loaded:
> >> Odd, for a "normal" descriptor, the logic should have remained the same
> >> as without this patch.
> >> Brooke, any ideas?
> > I have an idea.
> >
> > Does below fix this?
>
> Yep, that's it. I've also moved offset assignment in the first part
> after size_t size = array_size(n, sizeof(type));
>
> Feel free to add:
>
> Reported-by: Marek Szyprowski <[email protected]>
>
> Tested-by: Marek Szyprowski <[email protected]>

Will send a formal patch soon. Thanks for reporting and testing!

--
With Best Regards,
Andy Shevchenko

2020-08-26 17:21:56

by Linus Torvalds

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

On Wed, Aug 26, 2020 at 6:43 AM Greg KH <[email protected]> wrote:
>
> USB fixes for 5.9-rc3

I'm dropping this, since it seems to break things more than it fixes.

I see that the breakage is already figured out, but I'll just wait for
the next fixes pull with the fix for the problem.

Linus

2020-08-26 17:21:58

by Brooke Basile

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

On 8/26/20 12:17 PM, Marek Szyprowski wrote:
> Hi Andy,
>
> On 26.08.2020 17:53, Andy Shevchenko wrote:
>> On Wed, Aug 26, 2020 at 6:36 PM Greg KH <[email protected]> wrote:
>>> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
>>>> On 26.08.2020 15:43, Greg KH wrote:
>>>>
>>>>> Brooke Basile (2):
>>>>> USB: gadget: u_f: add overflow checks to VLA macros
>>>> Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
>>>> didn't get the proper testing in linux-next (next-20200826 is the first
>>>> one with this patch).
>>>>
>>>> This is how it explodes on Samsung Exynos (ARM 32bit) based board with
>>>> g_ether module loaded:
>>> Odd, for a "normal" descriptor, the logic should have remained the same
>>> as without this patch.
>>> Brooke, any ideas?
>> I have an idea.
>>
>> Does below fix this?
>
> Yep, that's it. I've also moved offset assignment in the first part
> after size_t size = array_size(n, sizeof(type));
>
> Feel free to add:
>
> Reported-by: Marek Szyprowski <[email protected]>
>
> Tested-by: Marek Szyprowski <[email protected]>
>
> Thanks!
>
> Best regards
>
Ah, I see. My apologies, I don't know how I was able to miss something
like this when building/testing...

Thank you for testing and reporting the issue.

Best,
Brooke Basile

2020-08-26 19:16:08

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

On Wed, Aug 26, 2020 at 10:18:23AM -0700, Linus Torvalds wrote:
> On Wed, Aug 26, 2020 at 6:43 AM Greg KH <[email protected]> wrote:
> >
> > USB fixes for 5.9-rc3
>
> I'm dropping this, since it seems to break things more than it fixes.
>
> I see that the breakage is already figured out, but I'll just wait for
> the next fixes pull with the fix for the problem.

No worries, I'll fix this up and send a new pull request later this
week, sorry for the trouble,

greg k-h

2020-08-27 07:54:52

by Krzysztof Kozlowski

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

On Wed, 26 Aug 2020 at 17:03, Marek Szyprowski <[email protected]> wrote:
>
> Hi Greg,
>
> On 26.08.2020 15:43, Greg KH wrote:
> > The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
> >
> > Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
> >
> > are available in the Git repository at:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3
> >
> > for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:
> >
> > usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)
> >
> > ----------------------------------------------------------------
> > USB fixes for 5.9-rc3
> >
> > Here are a small set of USB fixes for 5.9-rc3.
> >
> > Like most set of USB bugfixes, they include the usual:
> > - usb gadget driver fixes
> > - xhci driver fixes
> > - typec fixes
> > - new qurks and ids
> > - fixes for USB patches merged in 5.9-rc1
> >
> > Nothing huge, all of these have been in linux-next with no reported
> > issues:
> >
> > Signed-off-by: Greg Kroah-Hartman <[email protected]>
> >
> > ----------------------------------------------------------------
> > Alan Stern (1):
> > USB: yurex: Fix bad gfp argument
> >
> > Andy Shevchenko (1):
> > usb: hcd: Fix use after free in usb_hcd_pci_remove()
> >
> > Badhri Jagan Sridharan (1):
> > usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures
> >
> > Bastien Nocera (2):
> > USB: Also match device drivers using the ->match vfunc
> > USB: Fix device driver race
> >
> > Brooke Basile (2):
> > USB: gadget: u_f: add overflow checks to VLA macros
>
> Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> didn't get the proper testing in linux-next (next-20200826 is the first
> one with this patch).
>

Hi Greg,

I have a different question - why is this patch not findable on any
LKML lists? lore.kernel.org does not have it. Neither has mine inbox
tracking most of the lists (also main linux-kernel). Maybe subject
changed?

Do we have another process of sending patches for fast inclusion in
the Linux kernel? Is addressing a HW vulnerability?

Best regards,
Krzysztof

2020-08-30 19:16:46

by pr-tracker-bot

[permalink] [raw]
Subject: Re: [GIT PULL] USB fixes for 5.9-rc3

The pull request you sent on Wed, 26 Aug 2020 15:43:15 +0200:

> git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/068834a2773b6a12805105cfadbb3d4229fc6e0a

Thank you!

--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html