From patchwork Wed May 27 10:41:31 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Rui Miguel Silva <rui.silva@linaro.org>
X-Patchwork-Id: 49010
Return-Path: <patchwork-forward+bncBCMYNK7ZQYBRBBV7S2VQKGQEUNBEJYA@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-lb0-f200.google.com (mail-lb0-f200.google.com
 [209.85.217.200])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 4D236214B4
 for <linaro@patches.linaro.org>; Wed, 27 May 2015 10:42:15 +0000 (UTC)
Received: by lbcak1 with SMTP id ak1sf1708295lbc.2
 for <linaro@patches.linaro.org>; Wed, 27 May 2015 03:42:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject
 :date:message-id:sender:precedence:list-id:x-original-sender
 :x-original-authentication-results:mailing-list:list-post:list-help
 :list-archive:list-unsubscribe;
 bh=bPY0uzI7OfFI5cOr46/PtZU/f2WEMQ1zWKsNyOXuCFc=;
 b=IOF1gbcDYujJ+4N4+QiZCuGtkYt/OQiSCNkAQzff9Zkyy5OmyRg69e+kV3PV1eHBZL
 rHKx5SyzPqbbm+JdVEpHcLgnX3QVOTqzzWggbnTk9+9hamRrIlxm/NB70VE3M2pgyZ+Z
 Mi1hINyPzCgW69qqjrN/ZUwO6hfAvVz1R2q2w2NdUWF+fZpd57qHcntVzIHSDAJQsUHg
 0DblkbGVkw9v9J9oCosnNakAf5XIhbFuciinw05keWcqiknI3F3VyB1EQnDQlAB0WaEf
 QWlpGQJB2EWE6bCT/cYiasTxp9t7/Vjlz8Qqb5e9zToekg+dMU7ZuQT+OSFoyvLUERua
 lYtA==
X-Gm-Message-State: ALoCoQnUUVhyLayVduWOVfW035FbE0stcnq3nIlxJZIkssqjTsGsjbvBvkdwCitJtQPuA+8BifbF
X-Received: by 10.152.8.17 with SMTP id n17mr31713749laa.0.1432723334241;
 Wed, 27 May 2015 03:42:14 -0700 (PDT)
MIME-Version: 1.0
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.152.5.202 with SMTP id u10ls27504lau.6.gmail;
 Wed, 27 May 2015 03:42:14 -0700 (PDT)
X-Received: by 10.152.43.168 with SMTP id x8mr27534926lal.79.1432723334094; 
 Wed, 27 May 2015 03:42:14 -0700 (PDT)
Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com.
 [209.85.217.182]) by mx.google.com with ESMTPS id
 xg7si13340757lbb.48.2015.05.27.03.42.14
 for <patchwork-forward@linaro.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 27 May 2015 03:42:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.217.182 as permitted sender) client-ip=209.85.217.182; 
Received: by lbcue7 with SMTP id ue7so4252777lbc.0
 for <patchwork-forward@linaro.org>;
 Wed, 27 May 2015 03:42:14 -0700 (PDT)
X-Received: by 10.112.132.102 with SMTP id ot6mr11205964lbb.72.1432723333937; 
 Wed, 27 May 2015 03:42:13 -0700 (PDT)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.112.108.230 with SMTP id hn6csp261412lbb;
 Wed, 27 May 2015 03:42:12 -0700 (PDT)
X-Received: by 10.68.252.233 with SMTP id zv9mr57095999pbc.109.1432723332085; 
 Wed, 27 May 2015 03:42:12 -0700 (PDT)
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 h4si25351027pdi.136.2015.05.27.03.42.11; 
 Wed, 27 May 2015 03:42:12 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 linux-usb-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1752426AbbE0KmI (ORCPT <rfc822;usman.ahmad@linaro.org>
 + 4 others); Wed, 27 May 2015 06:42:08 -0400
Received: from mail-wi0-f173.google.com ([209.85.212.173]:35715 "EHLO
 mail-wi0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1751676AbbE0KmF (ORCPT
 <rfc822; linux-usb@vger.kernel.org>); Wed, 27 May 2015 06:42:05 -0400
Received: by wicmx19 with SMTP id mx19so106418403wic.0
 for <linux-usb@vger.kernel.org>; Wed, 27 May 2015 03:42:04 -0700 (PDT)
X-Received: by 10.194.205.37 with SMTP id ld5mr58967161wjc.14.1432723324018; 
 Wed, 27 May 2015 03:42:04 -0700 (PDT)
Received: from arch-late.dtvresearch.loc (a95-92-118-66.cpe.netcabo.pt.
 [95.92.118.66]) by mx.google.com with ESMTPSA id
 gi14sm26202352wjc.42.2015.05.27.03.42.01
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 27 May 2015 03:42:03 -0700 (PDT)
From: Rui Miguel Silva <rui.silva@linaro.org>
To: Felipe Balbi <balbi@ti.com>
Cc: linux-usb@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 Al Viro <viro@zeniv.linux.org.uk>, Rui Miguel Silva <rui.silva@linaro.org>
Subject: [PATCH] usb: gadget: f_fs: do not set cancel function on
 synchronous {read, write}
Date: Wed, 27 May 2015 11:41:31 +0100
Message-Id: <1432723291-1831-1-git-send-email-rui.silva@linaro.org>
X-Mailer: git-send-email 2.4.0
Sender: linux-usb-owner@vger.kernel.org
Precedence: list
List-ID: <patchwork-forward.linaro.org>
X-Mailing-List: linux-usb@vger.kernel.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: rui.silva@linaro.org
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.217.182 as permitted sender)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>

do not try to set cancel function in synchronous operations in
ffs_epfile_{read,write}_iter.

With, 70e60d917 gadget/function/f_fs.c: switch to ->{read,write}_iter()
if CONFIG_AIO is disable there is no problem as kiocb_set_cancel_fn
is a nop, with this option enabled it will try to use ctx that is not
allocated for synchronous operations. And for that will dereference a
null at the set cancel function in any synchronous read/write.

A simplified trace of the callstack (for the write case):
BUG: unable to handle kernel NULL pointer dereference at 00000000000000e8
IP: [<ffffffff810f6510>] kiocb_set_cancel_fn+0x20/0x50

Call Trace:
[<ffffffffa0022a40>] ffs_name_dev+0x4980/0x4c1d [usb_f_fs]
[<ffffffff8107f550>] ? perf_event_fork+0x10/0x20
[<ffffffff81033432>] ? copy_process.part.65+0xbe2/0x1580
[<ffffffff810bba2b>] new_sync_write+0x7b/0xb0
[<ffffffff810bc01d>] vfs_write+0xad/0x1d0
[<ffffffff810bc705>] SyS_write+0x45/0xc0
[<ffffffff81034221>] ? SyS_clone+0x11/0x20
[<ffffffff813ee8bc>] ? stub_clone+0x6c/0x90
[<ffffffff813ee5f0>] system_call_fastpath+0x12/0x17

Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
---
changes v1 -> v2:
 * Requested by Felipe Balbi:
   - add a more complete log message
   - include Al Viro in cc.

 drivers/usb/gadget/function/f_fs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 6bdb570..fa538fa 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -925,7 +925,8 @@ static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from)
 
 	kiocb->private = p;
 
-	kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
+	if (p->aio)
+		kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
 
 	res = ffs_epfile_io(kiocb->ki_filp, p);
 	if (res == -EIOCBQUEUED)
@@ -969,7 +970,8 @@ static ssize_t ffs_epfile_read_iter(struct kiocb *kiocb, struct iov_iter *to)
 
 	kiocb->private = p;
 
-	kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
+	if (p->aio)
+		kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
 
 	res = ffs_epfile_io(kiocb->ki_filp, p);
 	if (res == -EIOCBQUEUED)