From patchwork Mon Nov 19 15:49:05 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marek Szyprowski X-Patchwork-Id: 151487 Delivered-To: patch@linaro.org Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp2821829ljp; Mon, 19 Nov 2018 07:49:14 -0800 (PST) X-Google-Smtp-Source: AJdET5f3qGe5Bg2Vl5fdV/+DBvZsngGHKeVYRXYooCbYzGn1cFxqJ7CUb/0tQ0svf6sdBXCf+FWP X-Received: by 2002:a62:4105:: with SMTP id o5-v6mr22988630pfa.85.1542642554661; Mon, 19 Nov 2018 07:49:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542642554; cv=none; d=google.com; s=arc-20160816; b=ph/IBHRETusBQy7WhiUYUevKS46cXrjWszvxtGCwFLy+aDP9vniNos1liMKiMh36li CEzT4A1VdkvTFWiF5yP1Vh9hcrrOpAEx2kJujtw147g7vLVSNvWcp8jTJlBjtx6H7dF/ VjO/Pm1DZLF11yHLyf0/gTIV6gpTxtGeSjrAlbyrmL+xS/6j4rvKCS95CjGdVxiKZyPB WrJad8PMo92xc2fRF6+6efcjRk3HTj9+iduRWdGbY1fH0MMnnPzipaPVpwiBolRH3gtf 81iAFP4Td496x5jbkYYUOBqvFQ8BrIsb5AA8ifaxMo7528QIHtouz8GxPV+K3r6+2Lvq o/5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:cms-type:message-id:date :subject:cc:to:from:dkim-signature:dkim-filter; bh=U61DFbqU4/j/S6HZQ/0L8qEvnKt6ffKePJTCPev7DvQ=; b=gcyQfBlF2/lyEKUKdT9nbg2QL0nlpA7YamhidN0ySejWa7bdbgxYfXYarI7jf9WXoT 6X7GhVQuGULpIDnr4MprTjU+nrBGNi8NBvjaoFMMTzCuU+xCnpwo4nk20dOb2bUfOCz/ alGcv8j7g5lmjrU2ir9jvsaMA0GFQfH5PKKSb0+Wah3JqHe8bA8NcmIdbGiphbUphZnd HK/rdXP6UB7UHkKdyB8TTSHOnrjcs+z0FyNmz+P+2oXLSETdnNcg6R6P+rOz7tM6d6Pb efiEvwKV4kuzE6fl2uSKagFOoYSA1PaFeTVLU8kdFisGC2j5Npnwg6nC0QEWYOevvGoy psaw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@samsung.com header.s=mail20170921 header.b=KLQpjX1I; spf=pass (google.com: best guess record for domain of linux-samsung-soc-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-samsung-soc-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=samsung.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i12si24200202pgq.466.2018.11.19.07.49.14; Mon, 19 Nov 2018 07:49:14 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-samsung-soc-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@samsung.com header.s=mail20170921 header.b=KLQpjX1I; spf=pass (google.com: best guess record for domain of linux-samsung-soc-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-samsung-soc-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=samsung.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729852AbeKTCNM (ORCPT + 3 others); Mon, 19 Nov 2018 21:13:12 -0500 Received: from mailout2.w1.samsung.com ([210.118.77.12]:58038 "EHLO mailout2.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729669AbeKTCNM (ORCPT ); Mon, 19 Nov 2018 21:13:12 -0500 Received: from eucas1p2.samsung.com (unknown [182.198.249.207]) by mailout2.w1.samsung.com (KnoxPortal) with ESMTP id 20181119154911euoutp023f4e15263c4a1fd88aaba53e0479c7b3~okTo2T01n0109601096euoutp02F; Mon, 19 Nov 2018 15:49:11 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 mailout2.w1.samsung.com 20181119154911euoutp023f4e15263c4a1fd88aaba53e0479c7b3~okTo2T01n0109601096euoutp02F DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samsung.com; s=mail20170921; t=1542642551; bh=U61DFbqU4/j/S6HZQ/0L8qEvnKt6ffKePJTCPev7DvQ=; h=From:To:Cc:Subject:Date:References:From; b=KLQpjX1IZLdu3CXJSuO28JsDhR+hRM9UBGEIVL+fKN2rseSK0PvCn+Mp9pPOiBnhs EgSMGAbvScVda5eqGhFQzkp5cEvet/c8ky9hdS3mRpTpg/l8ly3HCZXrJ9KIN0rjmG 5OYClDQkJUZfDtbHg8EBdS99PM0pmnBcOrUj49gw= Received: from eusmges1new.samsung.com (unknown [203.254.199.242]) by eucas1p1.samsung.com (KnoxPortal) with ESMTP id 20181119154911eucas1p14c853424f8d7d65b3a6807c759d4d3dd~okToYizm11409314093eucas1p16; Mon, 19 Nov 2018 15:49:11 +0000 (GMT) Received: from eucas1p1.samsung.com ( [182.198.249.206]) by eusmges1new.samsung.com (EUCPMTA) with SMTP id 0B.57.04441.67BD2FB5; Mon, 19 Nov 2018 15:49:10 +0000 (GMT) Received: from eusmgms2.samsung.com (unknown [182.198.249.180]) by eucas1p2.samsung.com (KnoxPortal) with ESMTP id 20181119154910eucas1p2ff5c6609b22365b20ef6e57fe599ec33~okTntEUpD1949019490eucas1p2G; Mon, 19 Nov 2018 15:49:10 +0000 (GMT) X-AuditID: cbfec7f2-5c9ff70000001159-8e-5bf2db76bc25 Received: from eusync1.samsung.com ( [203.254.199.211]) by eusmgms2.samsung.com (EUCPMTA) with SMTP id 11.0A.04128.67BD2FB5; Mon, 19 Nov 2018 15:49:10 +0000 (GMT) Received: from AMDC2765.digital.local ([106.116.147.25]) by eusync1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0PIG00EAJ6LU8W60@eusync1.samsung.com>; Mon, 19 Nov 2018 15:49:10 +0000 (GMT) From: Marek Szyprowski To: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, linux-samsung-soc@vger.kernel.org Cc: Marek Szyprowski , Greg Kroah-Hartman , Felipe Balbi , Bartlomiej Zolnierkiewicz Subject: [PATCH] usb: gadget: u_ether: fix unsafe list iteration Date: Mon, 19 Nov 2018 16:49:05 +0100 Message-id: <20181119154905.17685-1-m.szyprowski@samsung.com> X-Mailer: git-send-email 2.17.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprFIsWRmVeSWpSXmKPExsWy7djPc7pltz9FG6zo0LfYOGM9q8Wxtifs Fs2L17NZXN41h81ixvl9TBaLlrUyW6w9cpfdgd1j06pONo/9c9ewe/RtWcXo8XmTXABLFJdN SmpOZllqkb5dAlfGre1PWQoWyFbM7F3J1sB4SKKLkZNDQsBEYt7qNaxdjFwcQgIrGCUe3ZnH COF8ZpT4MfMCC0zVt3sL2CASyxglvvSsY4FwGpgkXs1ZxApSxSZgKNH1tosNxBYRSJA4sXc7 WAezwG5GiVUf1zGCJIQFHCTWffoPZrMIqEp8nfoerIFXwFZi262ZTBDr5CVWbzjADNIsIfCQ VeJV80l2iISLxM0zMxkhbGGJV8e3QMVlJC5P7maBaGhmlGifMYsdwulhlNg6ZwcbRJW1xOHj F8FuZRbgk5i0bTrQCg6gOK9ER5sQRImHxPKtz8EWCAnESkz5tYp5AqPEAkaGVYziqaXFuemp xYZ5qeV6xYm5xaV56XrJ+bmbGIExdvrf8U87GL9eSjrEKMDBqMTDK3H8Y7QQa2JZcWXuIUYJ DmYlEd6AZZ+ihXhTEiurUovy44tKc1KLDzFKc7AoifNWMzyIFhJITyxJzU5NLUgtgskycXBK NTCyz9jLzqU7eeGN4IXbT+5ZK9D+rKhhufK002YXeMWCu/OMagoOBfOtFOSxaf31gOVK14r4 T8bBr2MDlhUIeNYv93p6rS5I5v4U8/UFutvEOjVUT5WIiXybu/+VnMjDHP87rZ3t8SF9yq// Xju2X/qdpFp5k3xgrvNl00LV6eWlNhq/Xlo4CCixFGckGmoxFxUnAgDgC/NtrQIAAA== X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrFJMWRmVeSWpSXmKPExsVy+t/xy7pltz9FG3TuFLbYOGM9q8Wxtifs Fs2L17NZXN41h81ixvl9TBaLlrUyW6w9cpfdgd1j06pONo/9c9ewe/RtWcXo8XmTXABLFJdN SmpOZllqkb5dAlfGre1PWQoWyFbM7F3J1sB4SKKLkZNDQsBE4tu9BWwgtpDAEkaJ30vSuxi5 gOwmJonWZ19YQRJsAoYSXW+7wIpEBBIkLm6cyQhSxCywl1Hiw6ROsCJhAQeJdZ/+M4LYLAKq El+nvgdr4BWwldh2ayYTxDZ5idUbDjBPYORawMiwilEktbQ4Nz232EivODG3uDQvXS85P3cT IzAEth37uWUHY9e74EOMAhyMSjy8B458jBZiTSwrrsw9xCjBwawkwhuw7FO0EG9KYmVValF+ fFFpTmrxIUZpDhYlcd7zBpVRQgLpiSWp2ampBalFMFkmDk6pBsYJs2fXeZb5vfF4E/KHy0nm QvH3/GtHz1zqNDQ4odqzr++W2dcJC17NcM9/0XW4znf2+l+tIWHaYumCvYHf63/7XZt2SSHZ pat1rZeETalQsW11/EkfgYlGwvO3djnNS+jVSTDpY8zM8Zki9eDdGZ5Nle9Py/MrGEet+Mdd kvvn1ZVPmyL4eJRYijMSDbWYi4oTAWJPOr39AQAA X-CMS-MailID: 20181119154910eucas1p2ff5c6609b22365b20ef6e57fe599ec33 X-Msg-Generator: CA CMS-TYPE: 201P X-CMS-RootMailID: 20181119154910eucas1p2ff5c6609b22365b20ef6e57fe599ec33 References: Sender: linux-samsung-soc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-samsung-soc@vger.kernel.org list_for_each_entry_safe() is not safe for deleting entries from the list if the spin lock, which protects it, is released and reacquired during the list iteration. Fix this issue by replacing this construction with a simple check if list is empty and removing the first entry in each iteration. This is almost equivalent to a revert of the commit mentioned in the Fixes: tag. This patch fixes following issue: --->8--- Unable to handle kernel NULL pointer dereference at virtual address 00000104 pgd = (ptrval) [00000104] *pgd=00000000 Internal error: Oops: 817 [#1] PREEMPT SMP ARM Modules linked in: CPU: 1 PID: 84 Comm: kworker/1:1 Not tainted 4.20.0-rc2-next-20181114-00009-g8266b35ec404 #1061 Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) Workqueue: events eth_work PC is at rx_fill+0x60/0xac LR is at _raw_spin_lock_irqsave+0x50/0x5c pc : [] lr : [] psr: 80000093 sp : ee7fbee8 ip : 00000100 fp : 00000000 r10: 006000c0 r9 : c10b0ab0 r8 : ee7eb5c0 r7 : ee7eb614 r6 : ee7eb5ec r5 : 000000dc r4 : ee12ac00 r3 : ee12ac24 r2 : 00000200 r1 : 60000013 r0 : ee7eb5ec Flags: Nzcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 6d5dc04a DAC: 00000051 Process kworker/1:1 (pid: 84, stack limit = 0x(ptrval)) Stack: (0xee7fbee8 to 0xee7fc000) ... [] (rx_fill) from [] (process_one_work+0x200/0x738) [] (process_one_work) from [] (worker_thread+0x2c/0x4c8) [] (worker_thread) from [] (kthread+0x128/0x164) [] (kthread) from [] (ret_from_fork+0x14/0x20) Exception stack(0xee7fbfb0 to 0xee7fbff8) ... ---[ end trace 64480bc835eba7d6 ]--- Fixes: fea14e68ff5e ("usb: gadget: u_ether: use better list accessors") Signed-off-by: Marek Szyprowski --- drivers/usb/gadget/function/u_ether.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) -- 2.17.1 diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index 1000d864929c..0f026d445e31 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -401,12 +401,12 @@ static int alloc_requests(struct eth_dev *dev, struct gether *link, unsigned n) static void rx_fill(struct eth_dev *dev, gfp_t gfp_flags) { struct usb_request *req; - struct usb_request *tmp; unsigned long flags; /* fill unused rxq slots with some skb */ spin_lock_irqsave(&dev->req_lock, flags); - list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) { + while (!list_empty(&dev->rx_reqs)) { + req = list_first_entry(&dev->rx_reqs, struct usb_request, list); list_del_init(&req->list); spin_unlock_irqrestore(&dev->req_lock, flags); @@ -1125,7 +1125,6 @@ void gether_disconnect(struct gether *link) { struct eth_dev *dev = link->ioport; struct usb_request *req; - struct usb_request *tmp; WARN_ON(!dev); if (!dev) @@ -1142,7 +1141,8 @@ void gether_disconnect(struct gether *link) */ usb_ep_disable(link->in_ep); spin_lock(&dev->req_lock); - list_for_each_entry_safe(req, tmp, &dev->tx_reqs, list) { + while (!list_empty(&dev->tx_reqs)) { + req = list_first_entry(&dev->tx_reqs, struct usb_request, list); list_del(&req->list); spin_unlock(&dev->req_lock); @@ -1154,7 +1154,8 @@ void gether_disconnect(struct gether *link) usb_ep_disable(link->out_ep); spin_lock(&dev->req_lock); - list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) { + while (!list_empty(&dev->rx_reqs)) { + req = list_first_entry(&dev->rx_reqs, struct usb_request, list); list_del(&req->list); spin_unlock(&dev->req_lock);