Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.131 2025-11-24T09:29:17+00:00 2025-11-24T09:29:17+00:00 Owen Gu guhuinan@xiaomi.com 2025-09-15T09:29:07+00:00 urn:sha1:fc1141a530dfc91f0ee19b7f422a2d24829584bc commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 upstream. A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable(). The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock. Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues Signed-off-by: Owen Gu <guhuinan@xiaomi.com> Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-01-17T12:36:22+00:00 Akash M akash.m5@samsung.com 2024-12-19T12:52:19+00:00 urn:sha1:ea6a1498742430eb2effce0d1439ff29ef37dd7d commit dfc51e48bca475bbee984e90f33fdc537ce09699 upstream. This commit addresses an issue related to below kernel panic where panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON in functionsfs_bind, which easily leads to the following scenarios. 1.adb_write in adbd 2. UDC write via configfs ================= ===================== ->usb_ffs_open_thread() ->UDC write ->open_functionfs() ->configfs_write_iter() ->adb_open() ->gadget_dev_desc_UDC_store() ->adb_write() ->usb_gadget_register_driver_owner ->driver_register() ->StartMonitor() ->bus_add_driver() ->adb_read() ->gadget_bind_driver() <times-out without BIND event> ->configfs_composite_bind() ->usb_add_function() ->open_functionfs() ->ffs_func_bind() ->adb_open() ->functionfs_bind() <ffs->state !=FFS_ACTIVE> The adb_open, adb_read, and adb_write operations are invoked from the daemon, but trying to bind the function is a process that is invoked by UDC write through configfs, which opens up the possibility of a race condition between the two paths. In this race scenario, the kernel panic occurs due to the WARN_ON from functionfs_bind when panic_on_warn is enabled. This commit fixes the kernel panic by removing the unnecessary WARN_ON. Kernel panic - not syncing: kernel: panic_on_warn set ... [ 14.542395] Call trace: [ 14.542464] ffs_func_bind+0x1c8/0x14a8 [ 14.542468] usb_add_function+0xcc/0x1f0 [ 14.542473] configfs_composite_bind+0x468/0x588 [ 14.542478] gadget_bind_driver+0x108/0x27c [ 14.542483] really_probe+0x190/0x374 [ 14.542488] __driver_probe_device+0xa0/0x12c [ 14.542492] driver_probe_device+0x3c/0x220 [ 14.542498] __driver_attach+0x11c/0x1fc [ 14.542502] bus_for_each_dev+0x104/0x160 [ 14.542506] driver_attach+0x24/0x34 [ 14.542510] bus_add_driver+0x154/0x270 [ 14.542514] driver_register+0x68/0x104 [ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4 [ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144 [ 14.542526] configfs_write_iter+0xf0/0x138 Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver") Cc: stable <stable@kernel.org> Signed-off-by: Akash M <akash.m5@samsung.com> Link: https://lore.kernel.org/r/20241219125221.1679-1-akash.m5@samsung.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-05-17T10:02:29+00:00 Chris Wulff Chris.Wulff@biamp.com 2024-04-23T18:02:15+00:00 urn:sha1:1a15d6e242bda4ca73e8e75224093ea850237305 commit 0aea736ddb877b93f6d2dd8cf439840d6b4970a9 upstream. If the USB driver passes a pointer into the TRB buffer for creq, this buffer can be overwritten with the status response as soon as the event is queued. This can make the final check return USB_GADGET_DELAYED_STATUS when it shouldn't. Instead use the stored wLength. Fixes: 4d644abf2569 ("usb: gadget: f_fs: Only return delayed status when len is 0") Cc: stable <stable@kernel.org> Signed-off-by: Chris Wulff <chris.wulff@biamp.com> Link: https://lore.kernel.org/r/CO1PR17MB5419BD664264A558B2395E28E1112@CO1PR17MB5419.namprd17.prod.outlook.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-05-17T10:02:28+00:00 Wesley Cheng quic_wcheng@quicinc.com 2024-04-09T01:40:59+00:00 urn:sha1:73c05ad46bb4fbbdb346004651576d1c8dbcffbb commit 24729b307eefcd7c476065cd7351c1a018082c19 upstream. FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it. This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support") Cc: stable <stable@kernel.org> # b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com> Link: https://lore.kernel.org/r/20240409014059.6740-1-quic_wcheng@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-07-13T08:28:03+00:00 Jeff Layton jlayton@kernel.org 2023-07-05T19:00:45+00:00 urn:sha1:c7603adcc6b1e8be32aed4ff95fe20806014ac34 In later patches, we're going to change how the inode's ctime field is used. Switch to using accessor functions instead of raw accesses of inode->i_ctime. Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Jeff Layton <jlayton@kernel.org> Message-Id: <20230705190309.579783-18-jlayton@kernel.org> Signed-off-by: Christian Brauner <brauner@kernel.org> 2023-05-29T14:24:08+00:00 Uttkarsh Aggarwal quic_uaggarwa@quicinc.com 2023-05-25T09:28:54+00:00 urn:sha1:efb6b535207395a5c7317993602e2503ca8cb4b3 While exercising the unbind path, with the current implementation the functionfs_unbind would be calling which waits for the ffs->mutex to be available, however within the same time ffs_ep0_read is invoked & if no setup packets are pending, it will invoke function wait_event_interruptible_exclusive_locked_irq which by definition waits for the ev.count to be increased inside the same mutex for which functionfs_unbind is waiting. This creates deadlock situation because the functionfs_unbind won't get the lock until ev.count is increased which can only happen if the caller ffs_func_unbind can proceed further. Following is the illustration: CPU1 CPU2 ffs_func_unbind() ffs_ep0_read() mutex_lock(ffs->mutex) wait_event(ffs->ev.count) functionfs_unbind() mutex_lock(ffs->mutex) mutex_unlock(ffs->mutex) ffs_event_add() <deadlock> Fix this by moving the event unbind before functionfs_unbind to ensure the ev.count is incrased properly. Fixes: 6a19da111057 ("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait") Cc: stable <stable@kernel.org> Signed-off-by: Uttkarsh Aggarwal <quic_uaggarwa@quicinc.com> Link: https://lore.kernel.org/r/20230525092854.7992-1-quic_uaggarwa@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-04-10T06:56:59+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2023-04-10T06:56:59+00:00 urn:sha1:8e86652e3e7152bba80c3b4d03814e40ede1abc7 We need the USB fixes in here for testing, and this resolves two merge conflicts, one pointed out by linux-next: drivers/usb/dwc3/dwc3-pci.c drivers/usb/host/xhci-pci.c Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-04-05T17:24:01+00:00 Sandeep Dhavale dhavale@google.com 2023-04-01T06:05:08+00:00 urn:sha1:d356b3cdd00cae4508be566a47c0cfb74e14862a iov_iter for ffs_epfile_read_iter can be ITER_UBUF with io_uring. In that case dup_iter() does not have to allocate anything and it can return NULL. ffs_epfile_read_iter treats this as a failure and returns -ENOMEM. Fix it by checking if iter_is_ubuf(). Fixes: 1e23db450cff ("io_uring: use iter_ubuf for single range imports") Signed-off-by: Sandeep Dhavale <dhavale@google.com> Acked-by: Jens Axboe <axboe@kernel.dk> Link: https://lore.kernel.org/r/20230401060509.3608259-2-dhavale@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-03-29T06:55:58+00:00 Linyu Yuan quic_linyyuan@quicinc.com 2023-03-27T10:12:15+00:00 urn:sha1:f54134b3fc7954dbaa4da42198286e49bcb48ed7 ENTER() used to show function name which called during runtime, ftrace can be used to get same information, let's remove it. Signed-off-by: Linyu Yuan <quic_linyyuan@quicinc.com> Link: https://lore.kernel.org/r/1679911940-4727-1-git-send-email-quic_linyyuan@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-03-09T14:34:21+00:00 Yuta Hayama hayama@lineo.co.jp 2023-02-28T08:56:37+00:00 urn:sha1:180bb831b232b43bbd658dcdb20a49020059c1b8 Currently, the USB gadget framework supports only version 1.0 of the MS OS descriptor. OS desc has a field bcdVersion indicating its version, with v1.0 represented by the value 0x100. However, __ffs_do_os_desc_header() was expecting the incorrect value 0x1, so allow the correct value 0x100. The bcdVersion field of the descriptor that is actually sent to the host is set by composite_setup() (in composite.c) to the fixed value 0x100. Therefore, it can be understood that __ffs_do_os_desc_header() is only performing a format check of the OS desc passed to functionfs. If a value other than 0x100 is accepted, there is no effect on communication over the USB bus. Indeed, until now __ffs_do_os_desc_header() has only accepted the incorrect value 0x1, but there was no problem with the communication over the USB bus. However, this can be confusing for functionfs userspace drivers. Since bcdVersion=0x100 is used in actual communication, functionfs should accept the value 0x100. Note that the correct value for bcdVersion in OS desc v1.0 is 0x100, but to avoid breaking old userspace drivers, the value 0x1 is also accepted as an exception. At this time, a message is output to notify the user to fix the userspace driver. Signed-off-by: Yuta Hayama <hayama@lineo.co.jp> Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com> Link: https://lore.kernel.org/r/290f96db-1877-5137-373a-318e7b4f2dde@lineo.co.jp Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>