Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965374AbcCJFT3 (ORCPT ); Thu, 10 Mar 2016 00:19:29 -0500 Received: from mail.linux-iscsi.org ([67.23.28.174]:49188 "EHLO linux-iscsi.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750806AbcCJFT0 (ORCPT ); Thu, 10 Mar 2016 00:19:26 -0500 Message-ID: <1457587163.4062.13.camel@haakon3.risingtidesystems.com> Subject: Re: [patch -target tree] usb: gadget: f_tcm: use after free From: "Nicholas A. Bellinger" To: Andrzej Pietrasiewicz Cc: Felipe Balbi , Dan Carpenter , Christoph Hellwig , Greg Kroah-Hartman , Sebastian Andrzej Siewior , Bart Van Assche , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, target-devel@vger.kernel.org Date: Wed, 09 Mar 2016 21:19:23 -0800 In-Reply-To: <56E01CE4.5060501@samsung.com> References: <20160302100848.GC5533@mwanda> <87k2ll856m.fsf@ti.com> <1457162818.19657.282.camel@haakon3.risingtidesystems.com> <56E01CE4.5060501@samsung.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.4.4-1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4575 Lines: 143 Hi Andrzej, On Wed, 2016-03-09 at 13:53 +0100, Andrzej Pietrasiewicz wrote: > Hi Nicholas, > > W dniu 05.03.2016 o 08:26, Nicholas A. Bellinger pisze: > > Hi Felipe + usb-gadget folks, > > > > On Wed, 2016-03-02 at 13:55 +0200, Felipe Balbi wrote: > > > > > > > usb-gadget/tcm: Conversion to percpu_ida tag pre-allocation > > http://www.spinics.net/lists/target-devel/msg11777.html > > > > usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs > > http://www.spinics.net/lists/target-devel/msg11782.html > > > > Felipe, Sebastian, & Andrezj, would you be so kind to review and test > > usb-gadget using target-pending/for-next code..? > > > > > > Actually I have noticed a problem at > 8b00965 "target: Convert demo-mode only drivers to target_alloc_session" > > I get: > > [ 1698.406304] configfs-gadget gadget: high-speed config #1: c > [ 1698.410547] Using the BOT protocol > [ 1698.414163] Missing nexus, ignoring command > [ 1698.417944] bot_cmd_complete(309): -22 > > I think the third message is from f_tcm. It is because > tpg->tpg_nexus is not set anymore, because the line > > tpg->tpg_nexus = tv_nexus; > > is removed by the commit mentioned above. > > Restoring this line fixes the problem. Thanks for testing! Applying the following patch to re-add the missing assingment as a proper alloc_session callback. diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c index e352a31..348140c 100644 --- a/drivers/usb/gadget/function/f_tcm.c +++ b/drivers/usb/gadget/function/f_tcm.c @@ -1570,6 +1570,16 @@ out: return ret; } +static int usbg_alloc_sess_cb(struct se_portal_group *se_tpg, + struct se_session *se_sess, void *p) +{ + struct usbg_tpg *tpg = container_of(se_tpg, + struct usbg_tpg, se_tpg); + + tpg->tpg_nexus = p; + return 0; +} + static int tcm_usbg_make_nexus(struct usbg_tpg *tpg, char *name) { struct tcm_usbg_nexus *tv_nexus; @@ -1591,7 +1601,7 @@ static int tcm_usbg_make_nexus(struct usbg_tpg *tpg, char *name) tv_nexus->tvn_se_sess = target_alloc_session(&tpg->se_tpg, 128, sizeof(struct usbg_cmd), TARGET_PROT_NORMAL, name, - tv_nexus, NULL); + tv_nexus, usbg_alloc_sess_cb); if (IS_ERR(tv_nexus->tvn_se_sess)) { #define MAKE_NEXUS_MSG "core_tpg_check_initiator_node_acl() failed for %s\n" pr_debug(MAKE_NEXUS_MSG, name); > > Then percpu_ida commit produces the below result > (it does not happen immediately, but a while after > running the script). > I did not bisect, though; I only checked the commits > which alter drivers/usb/gadget/function/f_tcm.c. > The last one which (almost) works is: > > 8b00965 "target: Convert demo-mode only drivers to target_alloc_session" > > AP > > I used the following script: > > 8<---------------------------- > > #!/bin/bash > > mount -t configfs none /sys/kernel/config > modprobe libcomposite > cd /sys/kernel/config/usb_gadget > mkdir tcm > cd tcm > mkdir functions/tcm.0 > cd /sys/kernel/config/target/ > mkdir usb_gadget > cd usb_gadget > mkdir naa.0123456789abcdef > cd naa.0123456789abcdef > mkdir tpgt_1 > cd tpgt_1 > echo naa.01234567890abcdef > nexus > echo 1 > enable > cd /sys/kernel/config/usb_gadget/tcm > mkdir configs/c.1 > ln -s functions/tcm.0 configs/c.1 > echo 0x0525 > idVendor > echo 0x1234 > idProduct > echo 12400000.dwc3 > UDC > > 8<---------------------------- > > # [ 45.510513] ERR bot_status_complete(73) > [ 45.671921] configfs-gadget gadget: high-speed config #1: c > [ 45.676158] Using the BOT protocol > [ 45.679860] ------------[ cut here ]------------ > [ 45.683981] kernel BUG at drivers/target/target_core_transport.c:1476! Mmmm, usbg_get_cmd() was missing an explicit memset() after tag lookup. How about the following..? diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c index e352a31..d4e8a91 100644 --- a/drivers/usb/gadget/function/f_tcm.c +++ b/drivers/usb/gadget/function/f_tcm.c @@ -1078,6 +1078,7 @@ static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu, return ERR_PTR(-ENOMEM); cmd = &((struct usbg_cmd *)se_sess->sess_cmd_map)[tag]; + memset(cmd, 0, sizeof(*cmd)); cmd->se_cmd.map_tag = tag; cmd->se_cmd.tag = cmd->tag = scsi_tag; cmd->fu = fu;