linux-toradex.git/drivers/usb/gadget/function/f_fs.c, branch v4.4.26 Linux kernel for Apalis and Colibri modules usb: f_fs: off by one bug in _ffs_func_bind() 2016-08-20T16:09:16+00:00 Dan Carpenter dan.carpenter@oracle.com 2016-05-28T04:48:10+00:00 f1d7992894fafb62b790b5112630b4f081b3b454 commit 0015f9156092d07b3ec06d37d014328419d5832e upstream. This loop is supposed to set all the .num[] values to -1 but it's off by one so it skips the first element and sets one element past the end of the array. I've cleaned up the loop a little as well. Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver') Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 0015f9156092d07b3ec06d37d014328419d5832e upstream.

This loop is supposed to set all the .num[] values to -1 but it's off by
one so it skips the first element and sets one element past the end of
the array.

I've cleaned up the loop a little as well.

Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver')
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: gadget: f_fs: Fix EFAULT generation for async read operations 2016-06-01T19:15:51+00:00 Lars-Peter Clausen lars@metafoo.de 2016-03-30T11:49:14+00:00 ed97f0d96dfad18989b922c4c4095e9d06230bf6 commit 332a5b446b7916d272c2a659a3b20909ce34d2c1 upstream. In the current implementation functionfs generates a EFAULT for async read operations if the read buffer size is larger than the URB data size. Since a application does not necessarily know how much data the host side is going to send it typically supplies a buffer larger than the actual data, which will then result in a EFAULT error. This behaviour was introduced while refactoring the code to use iov_iter interface in commit c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter into io_data"). The original code took the minimum over the URB size and the user buffer size and then attempted to copy that many bytes using copy_to_user(). If copy_to_user() could not copy all data a EFAULT error was generated. Restore the original behaviour by only generating a EFAULT error when the number of bytes copied is not the size of the URB and the target buffer has not been fully filled. Commit 342f39a6c8d3 ("usb: gadget: f_fs: fix check in read operation") already fixed the same problem for the synchronous read path. Fixes: c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter into io_data") Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 332a5b446b7916d272c2a659a3b20909ce34d2c1 upstream.

In the current implementation functionfs generates a EFAULT for async read
operations if the read buffer size is larger than the URB data size. Since
a application does not necessarily know how much data the host side is
going to send it typically supplies a buffer larger than the actual data,
which will then result in a EFAULT error.

This behaviour was introduced while refactoring the code to use iov_iter
interface in commit c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter
into io_data"). The original code took the minimum over the URB size and
the user buffer size and then attempted to copy that many bytes using
copy_to_user(). If copy_to_user() could not copy all data a EFAULT error
was generated. Restore the original behaviour by only generating a EFAULT
error when the number of bytes copied is not the size of the URB and the
target buffer has not been fully filled.

Commit 342f39a6c8d3 ("usb: gadget: f_fs: fix check in read operation")
already fixed the same problem for the synchronous read path.

Fixes: c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter into io_data")
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: gadget: f_fs: Fix use-after-free 2016-05-04T21:48:41+00:00 Lars-Peter Clausen lars@metafoo.de 2016-04-14T15:01:17+00:00 e4c7ab76586146820b394e0176f286f5a2e70cb3 commit 38740a5b87d53ceb89eb2c970150f6e94e00373a upstream. When using asynchronous read or write operations on the USB endpoints the issuer of the IO request is notified by calling the ki_complete() callback of the submitted kiocb when the URB has been completed. Calling this ki_complete() callback will free kiocb. Make sure that the structure is no longer accessed beyond that point, otherwise undefined behaviour might occur. Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support") Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 38740a5b87d53ceb89eb2c970150f6e94e00373a upstream.

When using asynchronous read or write operations on the USB endpoints the
issuer of the IO request is notified by calling the ki_complete() callback
of the submitted kiocb when the URB has been completed.

Calling this ki_complete() callback will free kiocb. Make sure that the
structure is no longer accessed beyond that point, otherwise undefined
behaviour might occur.

Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: gadget: functionfs: fix missing access_ok checks 2015-11-18T21:09:26+00:00 Daniel Walter dwalter@sigma-star.at 2015-11-18T16:15:49+00:00 7fe9a937d5156761cf79dc354f616c726b5c09e2 use safe copy_*_user instead of unsafe __copy_*_user functions when accessing userland memory. Signed-off-by: Daniel Walter <dwalter@sigma-star.at> Signed-off-by: Felipe Balbi <balbi@ti.com> 
use safe copy_*_user instead of unsafe __copy_*_user
functions when accessing userland memory.

Signed-off-by: Daniel Walter <dwalter@sigma-star.at>
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: gadget: ffs: call functionfs_unbind() if _ffs_func_bind() fails 2015-07-31T13:57:57+00:00 Robert Baldyga r.baldyga@samsung.com 2015-07-13T09:03:50+00:00 55d811211b139ed097ddaf40d173c258f133c130 Function ffs_do_functionfs_bind() calls functionfs_bind() which allocates usb request and increments refcounts. These things needs to be cleaned up by if further steps of initialization fail by calling functionfs_unbind(). Signed-off-by: Robert Baldyga <r.baldyga@samsung.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Felipe Balbi <balbi@ti.com> 
Function ffs_do_functionfs_bind() calls functionfs_bind() which allocates
usb request and increments refcounts. These things needs to be cleaned
up by if further steps of initialization fail by calling functionfs_unbind().

Signed-off-by: Robert Baldyga <r.baldyga@samsung.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: gadget: f_fs: do not set cancel function on synchronous {read,write} 2015-07-06T17:34:08+00:00 Rui Miguel Silva rui.silva@linaro.org 2015-05-18T15:02:07+00:00 4088acf1e845aba35f30fb91dee10649edbd0e84 do not try to set cancel function in synchronous operations in ffs_epfile_{read,write}_iter. Cc: <stable@vger.kernel.org> # v4.0+ Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Signed-off-by: Felipe Balbi <balbi@ti.com> 
do not try to set cancel function in synchronous operations in
ffs_epfile_{read,write}_iter.

Cc: <stable@vger.kernel.org> # v4.0+
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Merge 4.1-rc7 into usb-next 2015-06-08T17:57:51+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2015-06-08T17:57:51+00:00 19915e623458004547c1c2490b09bb923fe69337 This resolves a merge issue in musb_core.c and we want the fixes that were in Linus's tree in this branch as well for testing. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This resolves a merge issue in musb_core.c and we want the fixes that
were in Linus's tree in this branch as well for testing.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: gadget: f_fs: add extra check before unregister_gadget_item 2015-05-26T15:39:34+00:00 Rui Miguel Silva rui.silva@linaro.org 2015-05-20T13:52:40+00:00 f14e9ad17f46051b02bffffac2036486097de19e ffs_closed can race with configfs_rmdir which will call config_item_release, so add an extra check to avoid calling the unregister_gadget_item with an null gadget item. Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Signed-off-by: Felipe Balbi <balbi@ti.com> 
ffs_closed can race with configfs_rmdir which will call config_item_release, so
add an extra check to avoid calling the unregister_gadget_item with an null
gadget item.

Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: gadget: f_fs: fix check in read operation 2015-05-26T15:20:57+00:00 Rui Miguel Silva rui.silva@linaro.org 2015-05-20T13:53:33+00:00 342f39a6c8d34d638a87b7d5f2156adc4db2585c when copying to iter the size can be different then the iov count, the check for full iov is wrong and make any read on request which is not the exactly size of iov to return -EFAULT. So, just check the success of the copy. Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Signed-off-by: Felipe Balbi <balbi@ti.com> 
when copying to iter the size can be different then the iov count,
the check for full iov is wrong and make any read on request which
is not the exactly size of iov to return -EFAULT.

So, just check the success of the copy.

Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: gadget: ffs: fix: Always call ffs_closed() in ffs_data_clear() 2015-05-26T15:15:09+00:00 Krzysztof Opasiak k.opasiak@samsung.com 2015-05-22T15:25:18+00:00 49a79d8b0a5f8239b8424a3eb730006faada0ad8 Originally FFS_FL_CALL_CLOSED_CALLBACK flag has been used to indicate if we should call ffs_closed_callback(). Commit 4b187fceec3c ("usb: gadget: FunctionFS: add devices management code") changed its semantic to indicate if we should call ffs_closed() function which does a little bit more. This situation leads to: [ 122.362269] ------------[ cut here ]------------ [ 122.362287] WARNING: CPU: 2 PID: 2384 at drivers/usb/gadget/function/f_fs.c:3417 ffs_ep0_write+0x730/0x810 [usb_f_fs]() [ 122.362292] Modules linked in: [ 122.362555] CPU: 2 PID: 2384 Comm: adbd Tainted: G W 4.1.0-0.rc4.git0.1.1.fc22.i686 #1 [ 122.362561] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/25/2014 [ 122.362567] c0d1f947 415badfa 00000000 d1029e64 c0a86e54 00000000 d1029e94 c045b937 [ 122.362584] c0c37f94 00000002 00000950 f9b313d4 00000d59 f9b2ebf0 f9b2ebf0 fffffff0 [ 122.362600] 00000003 deb53d00 d1029ea4 c045ba42 00000009 00000000 d1029f08 f9b2ebf0 [ 122.362617] Call Trace: [ 122.362633] [<c0a86e54>] dump_stack+0x41/0x52 [ 122.362645] [<c045b937>] warn_slowpath_common+0x87/0xc0 [ 122.362658] [<f9b2ebf0>] ? ffs_ep0_write+0x730/0x810 [usb_f_fs] [ 122.362668] [<f9b2ebf0>] ? ffs_ep0_write+0x730/0x810 [usb_f_fs] [ 122.362678] [<c045ba42>] warn_slowpath_null+0x22/0x30 [ 122.362689] [<f9b2ebf0>] ffs_ep0_write+0x730/0x810 [usb_f_fs] [ 122.362702] [<f9b2e4c0>] ? ffs_ep0_read+0x380/0x380 [usb_f_fs] [ 122.362712] [<c05a1c1f>] __vfs_write+0x2f/0x100 [ 122.362722] [<c05a42f2>] ? __sb_start_write+0x52/0x110 [ 122.362731] [<c05a2534>] vfs_write+0x94/0x1b0 [ 122.362740] [<c0a8a1c0>] ? mutex_lock+0x10/0x30 [ 122.362749] [<c05a2f41>] SyS_write+0x51/0xb0 [ 122.362759] [<c0a8c71f>] sysenter_do_call+0x12/0x12 [ 122.362766] ---[ end trace 0673d3467cecf8db ]--- in some cases (reproduction path below). This commit get back semantic of that flag and ensures that ffs_closed() is called always when needed but ffs_closed_callback() is called only if this flag is set. Reproduction path: Compile kernel without any UDC driver or bound some gadget to existing one and then: $ modprobe g_ffs $ mount none -t functionfs mount_point $ ffs-example mount_point This will fail with -ENODEV as there is no udc. $ ffs-example mount_point This will fail with -EBUSY because ffs_data has not been properly cleaned up. Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Felipe Balbi <balbi@ti.com> 
Originally FFS_FL_CALL_CLOSED_CALLBACK flag has been used to
indicate if we should call ffs_closed_callback().

Commit 4b187fceec3c ("usb: gadget: FunctionFS: add devices
management code") changed its semantic to indicate if we should
call ffs_closed() function which does a little bit more.

This situation leads to:

[  122.362269] ------------[ cut here ]------------
[  122.362287] WARNING: CPU: 2 PID: 2384 at drivers/usb/gadget/function/f_fs.c:3417 ffs_ep0_write+0x730/0x810 [usb_f_fs]()
[  122.362292] Modules linked in:
[  122.362555] CPU: 2 PID: 2384 Comm: adbd Tainted: G        W       4.1.0-0.rc4.git0.1.1.fc22.i686 #1
[  122.362561] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/25/2014
[  122.362567]  c0d1f947 415badfa 00000000 d1029e64 c0a86e54 00000000 d1029e94 c045b937
[  122.362584]  c0c37f94 00000002 00000950 f9b313d4 00000d59 f9b2ebf0 f9b2ebf0 fffffff0
[  122.362600]  00000003 deb53d00 d1029ea4 c045ba42 00000009 00000000 d1029f08 f9b2ebf0
[  122.362617] Call Trace:
[  122.362633]  [<c0a86e54>] dump_stack+0x41/0x52
[  122.362645]  [<c045b937>] warn_slowpath_common+0x87/0xc0
[  122.362658]  [<f9b2ebf0>] ? ffs_ep0_write+0x730/0x810 [usb_f_fs]
[  122.362668]  [<f9b2ebf0>] ? ffs_ep0_write+0x730/0x810 [usb_f_fs]
[  122.362678]  [<c045ba42>] warn_slowpath_null+0x22/0x30
[  122.362689]  [<f9b2ebf0>] ffs_ep0_write+0x730/0x810 [usb_f_fs]
[  122.362702]  [<f9b2e4c0>] ? ffs_ep0_read+0x380/0x380 [usb_f_fs]
[  122.362712]  [<c05a1c1f>] __vfs_write+0x2f/0x100
[  122.362722]  [<c05a42f2>] ? __sb_start_write+0x52/0x110
[  122.362731]  [<c05a2534>] vfs_write+0x94/0x1b0
[  122.362740]  [<c0a8a1c0>] ? mutex_lock+0x10/0x30
[  122.362749]  [<c05a2f41>] SyS_write+0x51/0xb0
[  122.362759]  [<c0a8c71f>] sysenter_do_call+0x12/0x12
[  122.362766] ---[ end trace 0673d3467cecf8db ]---

in some cases (reproduction path below). This commit get back
semantic of that flag and ensures that ffs_closed() is called
always when needed but ffs_closed_callback() is called only
if this flag is set.

Reproduction path:
Compile kernel without any UDC driver or bound some gadget
to existing one and then:

$ modprobe g_ffs
$ mount none -t functionfs mount_point
$ ffs-example mount_point

This will fail with -ENODEV as there is no udc.

$ ffs-example mount_point

This will fail with -EBUSY because ffs_data has not been
properly cleaned up.

Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>