From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: John Stultz, Alan Stern, Felipe Balbi, Zeng Tao, Jack Pham, Thinh Nguyen, Chen Yu, Jerry Zhang, Lars-Peter Clausen, Vincent Pelletier, Andrzej Pietrasiewicz, Greg Kroah-Hartman, Linux USB List, Felipe Balbi, Sasha Levin
Subject: [PATCH AUTOSEL 5.0 158/262] usb: f_fs: Avoid crash due to out-of-scope stack ptr access
Date: Wed, 27 Mar 2019 14:00:13 -0400
Message-Id: <20190327180158.10245-158-sashal@kernel.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20190327180158.10245-1-sashal@kernel.org>
References: <20190327180158.10245-1-sashal@kernel.org>
MIME-Version: 1.0
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: John Stultz

[ Upstream commit 54f64d5c983f939901dacc8cfc0983727c5c742e ]

Since the 5.0 merge window opened, I've been seeing frequent crashes on suspend and reboot with the trace:

[   36.911170] Unable to handle kernel paging request at virtual address ffffff801153d660
[   36.912769] Unable to handle kernel paging request at virtual address ffffff800004b564
...
[   36.950666] Call trace:
[   36.950670]  queued_spin_lock_slowpath+0x1cc/0x2c8
[   36.950681]  _raw_spin_lock_irqsave+0x64/0x78
[   36.950692]  complete+0x28/0x70
[   36.950703]  ffs_epfile_io_complete+0x3c/0x50
[   36.950713]  usb_gadget_giveback_request+0x34/0x108
[   36.950721]  dwc3_gadget_giveback+0x50/0x68
[   36.950723]  dwc3_thread_interrupt+0x358/0x1488
[   36.950731]  irq_thread_fn+0x30/0x88
[   36.950734]  irq_thread+0x114/0x1b0
[   36.950739]  kthread+0x104/0x130
[   36.950747]  ret_from_fork+0x10/0x1c

I isolated this down to ffs_epfile_io():
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/usb/gadget/function/f_fs.c#n1065

Where the completion done is set up on the stack:

  DECLARE_COMPLETION_ONSTACK(done);

Then later we set up a request and queue it, and wait for it:

  if (unlikely(wait_for_completion_interruptible(&done))) {
          /*
           * To avoid race condition with ffs_epfile_io_complete,
           * dequeue the request first then check
           * status. usb_ep_dequeue API should guarantee no race
           * condition with req->complete callback.
           */
          usb_ep_dequeue(ep->ep, req);
          interrupted = ep->status < 0;
  }

The problem is that we end up being interrupted, dequeue the request, and exit. But then the irq triggers and we try calling complete() on the context pointer, which points to now random stack space, which results in the panic.

Alan Stern pointed out there is a bug here, in that the snippet above "assumes that usb_ep_dequeue() waits until the request has been completed."

And that:

  wait_for_completion(&done);

is needed right after the usb_ep_dequeue().

Thus this patch implements that change.
With it I no longer see the crashes on suspend or reboot.

This issue seems to have been uncovered by behavioral changes in the dwc3 driver in commit fec9095bdef4e ("usb: dwc3: gadget: remove wait_end_transfer").

Cc: Alan Stern
Cc: Felipe Balbi
Cc: Zeng Tao
Cc: Jack Pham
Cc: Thinh Nguyen
Cc: Chen Yu
Cc: Jerry Zhang
Cc: Lars-Peter Clausen
Cc: Vincent Pelletier
Cc: Andrzej Pietrasiewicz
Cc: Greg Kroah-Hartman
Cc: Linux USB List
Suggested-by: Alan Stern
Signed-off-by: John Stultz
Signed-off-by: Felipe Balbi
Signed-off-by: Sasha Levin
---
 drivers/usb/gadget/function/f_fs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 1e5430438703..0f8d16de7a37 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1082,6 +1082,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) * condition with req->complete callback. */ usb_ep_dequeue(ep->ep, req); + wait_for_completion(&done); interrupted = ep->status < 0; } -- 2.19.1
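Review bot: the added `wait_for_completion(&done);` after `usb_ep_dequeue(ep->ep, req);` is uninterruptible and unbounded, so the fix is only safe if every gadget controller driver is guaranteed to give the dequeued request back through its completion callback; that guarantee should be stated in the comment, because the existing comment just above the hunk ("usb_ep_dequeue API should guarantee no race condition with req->complete callback") now contradicts the code, which exists precisely because dequeue does not wait for the callback. Suggest rewording that comment to say that dequeue does not wait, that the completion is awaited explicitly so `done` stays in scope until ffs_epfile_io_complete() has run, and that `interrupted = ep->status < 0;` is therefore read only after the callback has finished, which is what makes the status check reliable.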
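The lifetime race the commit message describes, as a constructed single-threaded user-space model (an added example, not code from the patch, the kernel or dwc3): a request keeps a pointer to a completion that lives in the submitter's frame, the dequeue call does not wait, and the gadget driver's interrupt thread delivers the giveback later. The `in_scope` flag and the `pending[]` queue are modelling devices that stand in for the stack slot and for the interrupt thread; nothing here is a real kernel API.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed model of the bug fixed by this patch (not kernel code): a request
 * points at a completion living in the submitter's frame, and the gadget
 * driver's interrupt thread signals that completion some time later. */
struct completion { bool done; bool in_scope; };
struct request { struct completion *ctx; int status; };
static struct request *pending[4];   /* requests the "irq thread" still owes a giveback */
static int npending;
static int stale_completes;          /* complete() calls on an out-of-scope completion */
static void complete(struct completion *c)
{
    if (!c->in_scope)                /* in the kernel this is the paging fault in the trace */
        stale_completes++;
    c->done = true;
}
/* The irq thread gives back every queued request, dequeued ones included (as
 * dwc3 does since commit fec9095bdef4e removed wait_end_transfer). */
static void run_irq_thread(void)
{
    while (npending > 0)
        complete(pending[--npending]->ctx);
}
/* Blocking in wait_for_completion() is what lets the irq thread run. */
static void wait_for_completion(struct completion *c)
{
    while (!c->done)
        run_irq_thread();
}
static void usb_ep_queue(struct request *r)   { pending[npending++] = r; }
static void usb_ep_dequeue(struct request *r) { r->status = -ECONNRESET; } /* no wait */

/* ffs_epfile_io() after wait_for_completion_interruptible() returned early.
 * Returns how many stale completions the irq thread hit for this transfer. */
static int ffs_epfile_io_interrupted(bool wait_after_dequeue)
{
    static struct completion done;   /* stands in for DECLARE_COMPLETION_ONSTACK(done) */
    struct request req = { &done, 0 };
    int before = stale_completes;

    done.done = false; done.in_scope = true;
    usb_ep_queue(&req);
    usb_ep_dequeue(&req);            /* the wait was interrupted: cancel the transfer */
    if (wait_after_dequeue)
        wait_for_completion(&done);  /* the one-line fix from the patch */
    done.in_scope = false;           /* the function returns; its stack slot is gone */
    run_irq_thread();                /* the late giveback now lands on dead storage */
    return stale_completes - before;
}
```

Without the wait the model records one stale completion per interrupted transfer; with the wait after dequeue the giveback is always delivered while the completion is still in scope.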