From patchwork Wed Dec 5 09:35:20 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sasha Levin X-Patchwork-Id: 152880 Delivered-To: patch@linaro.org Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp9088838ljp; Wed, 5 Dec 2018 01:40:57 -0800 (PST) X-Google-Smtp-Source: AFSGD/Xe2Qpsog9JsCsE47OrXNWA9+apy2+U7nKXCIIZ61cNbPm+PeUKsZXvTcCuc62raCM7Camt X-Received: by 2002:a63:bf0b:: with SMTP id v11mr20241719pgf.302.1544002857609; Wed, 05 Dec 2018 01:40:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544002857; cv=none; d=google.com; s=arc-20160816; b=z2j0uo8qgoxnismRt9Qcr9vU1ptAp76Ac8c5T5QL8tAwzSuI9TWUJXyKe8Ik73wI5+ Yri3ekrhEAuNu+weiVQYyljbLkwrc2WSAmfr/kKQfi6diTEkpk2iCj9tKuSru0hhTWTN IviTDPaaJ8BzvEEzX1OhNLZCNvmsMZ+tvUfwriwvgHUaOkq62t7YLwF99kf+Xa/HHZ7o Zr7bsx+oc0XLH8NZ4MZ3IlCbHES+zP45hT/Xi+gmhOo97icUe90qXnL6UZ//a2cJm031 vtnT87EqXDr2NzRJJjSLFooDiWFPjARLl7FXWj4kTLtYBxcXF+fCYrpFXC9cJRk9Tuq7 hhMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=P4kdMljcwAzjMzV1VOch9O0yZ0BukHg18zK5glNGedo=; b=ezcfbBjYTHI5RgWwtRYhWfZXg/NIt1LRAo4x7UgpPLCkeNR827xeC+rR6QEayEC/gQ eGfcGRpz79aqH0Isro1mSO2tsqVsIoNAZOHu43yf8+1jBuoQGLk1Qw+oKumHJKWqEiFb J3XhAa9sYVmlDwcwzm+fbR768r41mTHdpzYYc8FGnKTClSRh9Spm4yaoSs15phTSn35w ehNhNu7lXp4zQZsKRMY1F/R9Ge5UqXClCG+stUM1BdtuaxmNC9+F/Vhk+w5Oc9wWAf/b oM7xjVEELU8sRAx3F51c3017edydd1cAzjeVP+LJScB5yN2uaIoH3tyZfg4ibMVqYeEF DL3Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=bxu5Ipc9; spf=pass (google.com: best guess record for domain of linux-usb-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-usb-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 4si19731775pff.161.2018.12.05.01.40.57; Wed, 05 Dec 2018 01:40:57 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-usb-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=bxu5Ipc9; spf=pass (google.com: best guess record for domain of linux-usb-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-usb-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728797AbeLEJkz (ORCPT + 5 others); Wed, 5 Dec 2018 04:40:55 -0500 Received: from mail.kernel.org ([198.145.29.99]:45336 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728035AbeLEJky (ORCPT ); Wed, 5 Dec 2018 04:40:54 -0500 Received: from sasha-vm.mshome.net (unknown [213.57.143.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3B1F82084C; Wed, 5 Dec 2018 09:40:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1544002853; bh=2o585oHr03UEwlTDKgYZDjY4+rmRx1l6FzKoi8VeG5A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bxu5Ipc95TCSIcGVz16TAc9tYjVfMxco/ZR6Xpj3eRck2a1rbsyAZb/M/Ehjkdcjo ZF5etGxZKHhSdRxTovz3EwpCS1wznOx02z9FhFsP/lvvP6DGJKcVT7pJxknWuBONDt Bvi8+mVVQN7bIi0oMa5bHnzea4ASW9jzzW9IU6Gg= From: Sasha Levin To: stable@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Marek Szyprowski , Felipe Balbi , Sasha Levin , linux-usb@vger.kernel.org Subject: [PATCH AUTOSEL 4.19 088/123] usb: gadget: u_ether: fix unsafe list iteration Date: Wed, 5 Dec 2018 04:35:20 -0500 Message-Id: <20181205093555.5386-88-sashal@kernel.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181205093555.5386-1-sashal@kernel.org> References: <20181205093555.5386-1-sashal@kernel.org> Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org From: Marek Szyprowski [ Upstream commit c9287fa657b3328b4549c0ab39ea7f197a3d6a50 ] list_for_each_entry_safe() is not safe for deleting entries from the list if the spin lock, which protects it, is released and reacquired during the list iteration. Fix this issue by replacing this construction with a simple check if list is empty and removing the first entry in each iteration. This is almost equivalent to a revert of the commit mentioned in the Fixes: tag. This patch fixes following issue: --->8--- Unable to handle kernel NULL pointer dereference at virtual address 00000104 pgd = (ptrval) [00000104] *pgd=00000000 Internal error: Oops: 817 [#1] PREEMPT SMP ARM Modules linked in: CPU: 1 PID: 84 Comm: kworker/1:1 Not tainted 4.20.0-rc2-next-20181114-00009-g8266b35ec404 #1061 Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) Workqueue: events eth_work PC is at rx_fill+0x60/0xac LR is at _raw_spin_lock_irqsave+0x50/0x5c pc : [] lr : [] psr: 80000093 sp : ee7fbee8 ip : 00000100 fp : 00000000 r10: 006000c0 r9 : c10b0ab0 r8 : ee7eb5c0 r7 : ee7eb614 r6 : ee7eb5ec r5 : 000000dc r4 : ee12ac00 r3 : ee12ac24 r2 : 00000200 r1 : 60000013 r0 : ee7eb5ec Flags: Nzcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 6d5dc04a DAC: 00000051 Process kworker/1:1 (pid: 84, stack limit = 0x(ptrval)) Stack: (0xee7fbee8 to 0xee7fc000) ... [] (rx_fill) from [] (process_one_work+0x200/0x738) [] (process_one_work) from [] (worker_thread+0x2c/0x4c8) [] (worker_thread) from [] (kthread+0x128/0x164) [] (kthread) from [] (ret_from_fork+0x14/0x20) Exception stack(0xee7fbfb0 to 0xee7fbff8) ... ---[ end trace 64480bc835eba7d6 ]--- Fixes: fea14e68ff5e ("usb: gadget: u_ether: use better list accessors") Signed-off-by: Marek Szyprowski Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/u_ether.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) -- 2.17.1 diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index 1000d864929c..0f026d445e31 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -401,12 +401,12 @@ static int alloc_requests(struct eth_dev *dev, struct gether *link, unsigned n) static void rx_fill(struct eth_dev *dev, gfp_t gfp_flags) { struct usb_request *req; - struct usb_request *tmp; unsigned long flags; /* fill unused rxq slots with some skb */ spin_lock_irqsave(&dev->req_lock, flags); - list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) { + while (!list_empty(&dev->rx_reqs)) { + req = list_first_entry(&dev->rx_reqs, struct usb_request, list); list_del_init(&req->list); spin_unlock_irqrestore(&dev->req_lock, flags); @@ -1125,7 +1125,6 @@ void gether_disconnect(struct gether *link) { struct eth_dev *dev = link->ioport; struct usb_request *req; - struct usb_request *tmp; WARN_ON(!dev); if (!dev) @@ -1142,7 +1141,8 @@ void gether_disconnect(struct gether *link) */ usb_ep_disable(link->in_ep); spin_lock(&dev->req_lock); - list_for_each_entry_safe(req, tmp, &dev->tx_reqs, list) { + while (!list_empty(&dev->tx_reqs)) { + req = list_first_entry(&dev->tx_reqs, struct usb_request, list); list_del(&req->list); spin_unlock(&dev->req_lock); @@ -1154,7 +1154,8 @@ void gether_disconnect(struct gether *link) usb_ep_disable(link->out_ep); spin_lock(&dev->req_lock); - list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) { + while (!list_empty(&dev->rx_reqs)) { + req = list_first_entry(&dev->rx_reqs, struct usb_request, list); list_del(&req->list); spin_unlock(&dev->req_lock);