From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alan Stern, Felipe Balbi, Zeng Tao, Jack Pham, Thinh Nguyen, Chen Yu, Jerry Zhang, Lars-Peter Clausen, Vincent Pelletier, Andrzej Pietrasiewicz, Linux USB List, John Stultz, Felipe Balbi, Sasha Levin
Subject: [PATCH 5.0 148/246] usb: f_fs: Avoid crash due to out-of-scope stack ptr access
Date: Thu, 4 Apr 2019 10:47:28 +0200
Message-Id: <20190404084624.350930563@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190404084619.236418459@linuxfoundation.org>
References: <20190404084619.236418459@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

5.0-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 54f64d5c983f939901dacc8cfc0983727c5c742e ]

Since the 5.0 merge window opened, I've been seeing frequent crashes on
suspend and reboot with the trace:

[   36.911170] Unable to handle kernel paging request at virtual address ffffff801153d660
[   36.912769] Unable to handle kernel paging request at virtual address ffffff800004b564
...
[   36.950666] Call trace:
[   36.950670]  queued_spin_lock_slowpath+0x1cc/0x2c8
[   36.950681]  _raw_spin_lock_irqsave+0x64/0x78
[   36.950692]  complete+0x28/0x70
[   36.950703]  ffs_epfile_io_complete+0x3c/0x50
[   36.950713]  usb_gadget_giveback_request+0x34/0x108
[   36.950721]  dwc3_gadget_giveback+0x50/0x68
[   36.950723]  dwc3_thread_interrupt+0x358/0x1488
[   36.950731]  irq_thread_fn+0x30/0x88
[   36.950734]  irq_thread+0x114/0x1b0
[   36.950739]  kthread+0x104/0x130
[   36.950747]  ret_from_fork+0x10/0x1c

I isolated this down to ffs_epfile_io():
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/usb/gadget/function/f_fs.c#n1065

Where the completion done is set up on the stack:

	DECLARE_COMPLETION_ONSTACK(done);

Then later we set up a request and queue it, and wait for it:

	if (unlikely(wait_for_completion_interruptible(&done))) {
		/*
		 * To avoid race condition with ffs_epfile_io_complete,
		 * dequeue the request first then check
		 * status. usb_ep_dequeue API should guarantee no race
		 * condition with req->complete callback.
		 */
		usb_ep_dequeue(ep->ep, req);
		interrupted = ep->status < 0;
	}

The problem is that we end up being interrupted, dequeue the request,
and exit. But then the irq triggers and we try calling complete() on the
context pointer which points to now random stack space, which results in
the panic.

Alan Stern pointed out there is a bug here, in that the snippet above
"assumes that usb_ep_dequeue() waits until the request has been
completed." And that:

	wait_for_completion(&done);

is needed right after the usb_ep_dequeue().

Thus this patch implements that change. With it I no longer see the
crashes on suspend or reboot.

This issue seems to have been uncovered by behavioral changes in the
dwc3 driver in commit fec9095bdef4e ("usb: dwc3: gadget: remove
wait_end_transfer").

Cc: Alan Stern
Cc: Felipe Balbi
Cc: Zeng Tao
Cc: Jack Pham
Cc: Thinh Nguyen
Cc: Chen Yu
Cc: Jerry Zhang
Cc: Lars-Peter Clausen
Cc: Vincent Pelletier
Cc: Andrzej Pietrasiewicz
Cc: Greg Kroah-Hartman
Cc: Linux USB List
Suggested-by: Alan Stern
Signed-off-by: John Stultz
Signed-off-by: Felipe Balbi
Signed-off-by: Sasha Levin
---
 drivers/usb/gadget/function/f_fs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 1e5430438703..0f8d16de7a37 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1082,6 +1082,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 			 * condition with req->complete callback.
 			 */
 			usb_ep_dequeue(ep->ep, req);
+			wait_for_completion(&done);
 			interrupted = ep->status < 0;
 		}
 
-- 
2.19.1
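Review bot: the context kept above the added line still says "usb_ep_dequeue API should guarantee no race condition with req->complete callback", which is the very assumption the commit message says does not hold (Alan Stern: the code "assumes that usb_ep_dequeue() waits until the request has been completed"); now that `wait_for_completion(&done);` is what provides the guarantee, that comment should be reworded to say the wait ensures ffs_epfile_io_complete() has run before `done` goes out of scope, otherwise the next reader will wonder why the wait is there. It is also worth spelling out in the commit message that the wait is intentionally uninterruptible: returning early here is exactly what left the stale stack pointer behind, so wait_for_completion_interruptible() would reintroduce the bug, and the accepted cost is that the thread blocks until the controller driver gives back the dequeued request.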
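A userspace model of the lifetime bug the commit message describes, added here as an illustration (it is not kernel code and not part of the patch): the on-stack completion is modelled by a struct with an in_scope flag, the dwc3 irq thread by a pthread that delivers the giveback late, and the interrupted wait plus usb_ep_dequeue() by the fact that the giveback is still in flight when the function wants to return. The names giveback, irq_thread and epfile_io are assumptions of the model, not identifiers from f_fs.c.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <time.h>
/* Model of DECLARE_COMPLETION_ONSTACK(done); in_scope records whether the
 * owning stack frame still exists (constructed model, not kernel code). */
struct completion { atomic_bool done, in_scope; };
struct request {                  /* stands for struct usb_request */
	struct completion *context;   /* req->context -> &done */
	bool *touched_after_scope;    /* tally written by the "IRQ" side */
};
/* ffs_epfile_io_complete(): complete(req->context) from the irq thread. */
static void giveback(struct request *req)
{
	struct completion *c = req->context;
	if (!atomic_load(&c->in_scope))   /* in the kernel this is the oops */
		*req->touched_after_scope = true;
	atomic_store(&c->done, true);
}
/* dwc3 irq thread: the giveback for the dequeued request lands late. */
static void *irq_thread(void *arg)
{
	nanosleep(&(struct timespec){ 0, 50 * 1000 * 1000 }, NULL);
	giveback(arg);
	return NULL;
}
static void wait_for_completion(struct completion *c)
{
	while (!atomic_load(&c->done))
		sched_yield();
}
/* ffs_epfile_io() after the interrupted wait; returns true if the late
 * completion ran against a frame that had already been torn down. */
bool epfile_io(bool wait_after_dequeue)
{
	bool touched = false;
	struct completion done = { false, true };
	struct request req = { &done, &touched };
	pthread_t t;
	pthread_create(&t, NULL, irq_thread, &req);   /* request queued */
	/* wait_for_completion_interruptible() returned early and usb_ep_dequeue()
	 * cancelled the request, but its completion is still in flight. */
	if (wait_after_dequeue)
		wait_for_completion(&done); /* the patch: callback ran before return */
	atomic_store(&done.in_scope, false);          /* return: frame is gone */
	pthread_join(t, NULL);              /* only so the model can report */
	return touched;
}
```

epfile_io(false) reproduces the pre-patch ordering and reports the late callback touching a dead frame; epfile_io(true) is the patched ordering, where the callback has always run before the function returns.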