[GIT,PULL] USB fixes for 5.9-rc3

Message ID 20200826134315.GA3882506@kroah.com (mailing list archive)
State Mainlined
Commit 6f0306d1bfbc4d3e3fcfb949ee2c4af21071920a

Pull-request

git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3

Message

Greg Kroah-Hartman Aug. 26, 2020, 1:43 p.m. UTC
The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:

  Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3

for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:

  usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)

----------------------------------------------------------------
USB fixes for 5.9-rc3

Here is a small set of USB fixes for 5.9-rc3.

Like most sets of USB bugfixes, they include the usual:
	- usb gadget driver fixes
	- xhci driver fixes
	- typec fixes
	- new quirks and ids
	- fixes for USB patches merged in 5.9-rc1

Nothing huge, all of these have been in linux-next with no reported
issues:

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

----------------------------------------------------------------
Alan Stern (1):
      USB: yurex: Fix bad gfp argument

Andy Shevchenko (1):
      usb: hcd: Fix use after free in usb_hcd_pci_remove()

Badhri Jagan Sridharan (1):
      usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures

Bastien Nocera (2):
      USB: Also match device drivers using the ->match vfunc
      USB: Fix device driver race

Brooke Basile (2):
      USB: gadget: u_f: add overflow checks to VLA macros
      USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()

Christophe JAILLET (1):
      usb: gadget: f_tcm: Fix some resource leaks in some error paths

Ding Hui (1):
      xhci: Always restore EP_SOFT_CLEAR_TOGGLE even if ep reset failed

Evgeny Novikov (1):
      USB: lvtest: return proper error code in probe

Greg Kroah-Hartman (1):
      Merge tag 'fixes-for-v5.9-rc2' of git://git.kernel.org/.../balbi/usb into usb-linus

Hans de Goede (4):
      usb: typec: ucsi: Fix AB BA lock inversion
      usb: typec: ucsi: Fix 2 unlocked ucsi_run_command calls
      usb: typec: ucsi: Rework ppm_lock handling
      usb: typec: ucsi: Hold con->lock for the entire duration of ucsi_register_port()

Heikki Krogerus (1):
      tools: usb: move to tools buildsystem

JC Kuo (2):
      usb: host: xhci-tegra: otg usb2/usb3 port init
      usb: host: xhci-tegra: fix tegra_xusb_get_phy()

Kai-Heng Feng (2):
      USB: quirks: Add no-lpm quirk for another Raydium touchscreen
      xhci: Do warm-reset when both CAS and XDEV_RESUME are set

Li Jun (1):
      usb: host: xhci: fix ep context print mismatch in debugfs

M. Vefa Bicakci (1):
      usbip: Implement a match function to fix usbip

Thinh Nguyen (4):
      usb: dwc3: gadget: Don't setup more than requested
      usb: dwc3: gadget: Fix handling ZLP
      usb: dwc3: gadget: Handle ZLP for sg requests
      usb: uas: Add quirk for PNY Pro Elite

Tom Rix (1):
      USB: cdc-acm: rework notification_buffer resizing

Vinod Koul (1):
      usb: renesas-xhci: remove version check

周琰杰 (Zhou Yanjie) (1):
      USB: PHY: JZ4770: Fix static checker warning.

 drivers/usb/class/cdc-acm.c          |  22 ++++---
 drivers/usb/core/driver.c            |  40 ++++++++++++-
 drivers/usb/core/generic.c           |   5 +-
 drivers/usb/core/hcd-pci.c           |   5 +-
 drivers/usb/core/quirks.c            |   2 +
 drivers/usb/dwc3/gadget.c            | 107 +++++++++++++++++++++++++++++------
 drivers/usb/gadget/function/f_ncm.c  |  81 ++++++++++++++++++++++----
 drivers/usb/gadget/function/f_tcm.c  |   7 ++-
 drivers/usb/gadget/u_f.h             |  38 +++++++++----
 drivers/usb/host/xhci-debugfs.c      |   8 +--
 drivers/usb/host/xhci-hub.c          |  19 ++++---
 drivers/usb/host/xhci-pci-renesas.c  |  19 +------
 drivers/usb/host/xhci-tegra.c        |   4 +-
 drivers/usb/host/xhci.c              |   3 +-
 drivers/usb/misc/lvstest.c           |   2 +-
 drivers/usb/misc/yurex.c             |   2 +-
 drivers/usb/phy/phy-jz4770.c         |   1 +
 drivers/usb/storage/unusual_uas.h    |   7 +++
 drivers/usb/typec/tcpm/tcpm.c        |  28 ++++++++-
 drivers/usb/typec/ucsi/displayport.c |   9 +--
 drivers/usb/typec/ucsi/ucsi.c        | 103 +++++++++++++++++----------------
 drivers/usb/usbip/stub_dev.c         |   6 ++
 tools/usb/Build                      |   2 +
 tools/usb/Makefile                   |  53 ++++++++++++++---
 24 files changed, 408 insertions(+), 165 deletions(-)
 create mode 100644 tools/usb/Build

Comments

Marek Szyprowski Aug. 26, 2020, 3:02 p.m. UTC | #1
Hi Greg,

On 26.08.2020 15:43, Greg KH wrote:
> The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
>
>    Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
>
> are available in the Git repository at:
>
>    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3
>
> for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:
>
>    usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)
>
> ----------------------------------------------------------------
> USB fixes for 5.9-rc3
>
> Here is a small set of USB fixes for 5.9-rc3.
>
> Like most sets of USB bugfixes, they include the usual:
> 	- usb gadget driver fixes
> 	- xhci driver fixes
> 	- typec fixes
> 	- new quirks and ids
> 	- fixes for USB patches merged in 5.9-rc1
>
> Nothing huge, all of these have been in linux-next with no reported
> issues:
>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> ----------------------------------------------------------------
> Alan Stern (1):
>        USB: yurex: Fix bad gfp argument
>
> Andy Shevchenko (1):
>        usb: hcd: Fix use after free in usb_hcd_pci_remove()
>
> Badhri Jagan Sridharan (1):
>        usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures
>
> Bastien Nocera (2):
>        USB: Also match device drivers using the ->match vfunc
>        USB: Fix device driver race
>
> Brooke Basile (2):
>        USB: gadget: u_f: add overflow checks to VLA macros

Sorry, but the above patch breaks USB Ethernet Gadget operation. It also 
didn't get the proper testing in linux-next (next-20200826 is the first 
one with this patch).

This is how it explodes on Samsung Exynos (ARM 32bit) based board with 
g_ether module loaded:

------------[ cut here ]------------
kernel BUG at mm/slub.c:4116!
Internal error: Oops - BUG: 0 [#1] SMP ARM
Modules linked in: usb_f_ecm g_ether(+) usb_f_rndis u_ether libcomposite 
panel_samsung_s6e8aa0 s5p_csis s5p_fimc exynos4_is_common v4l2_fwnode 
max8997_regulator rtc_max8997 leds_max8997 max8
emless mms114 governor_simpleondemand s5p_mfc lima gpu_sched s5p_jpeg 
v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 
videobuf2_common phy_exynos_usb2 exynosdrm analogix_dp
  s3c2410_wdt
CPU: 0 PID: 616 Comm: modprobe Not tainted 5.9.0-rc1-00026-gb1cd1b65afba 
#9023
Hardware name: Samsung Exynos (Flattened Device Tree)
PC is at kfree+0x234/0x268
LR is at config_item_set_name+0x60/0xb0
...
Process modprobe (pid: 616, stack limit = 0x(ptrval))
...
[<c0494248>] (kfree) from [<c05347a0>] (config_item_set_name+0x60/0xb0)
[<c05347a0>] (config_item_set_name) from [<c0534844>] 
(config_group_init_type_name+0x1c/0x50)
[<c0534844>] (config_group_init_type_name) from [<bf14bc18>] 
(usb_os_desc_prepare_interf_dir+0x54/0x124 [libcomposite])
[<bf14bc18>] (usb_os_desc_prepare_interf_dir [libcomposite]) from 
[<bf15af9c>] (rndis_alloc_inst+0x100/0x150 [usb_f_rndis])
[<bf15af9c>] (rndis_alloc_inst [usb_f_rndis]) from [<bf1499dc>] 
(try_get_usb_function_instance+0x88/0xa4 [libcomposite])
[<bf1499dc>] (try_get_usb_function_instance [libcomposite]) from 
[<bf149ad8>] (usb_get_function_instance+0xc/0x44 [libcomposite])
[<bf149ad8>] (usb_get_function_instance [libcomposite]) from 
[<bf114164>] (eth_bind+0xdc/0x34c [g_ether])
[<bf114164>] (eth_bind [g_ether]) from [<bf1497cc>] 
(composite_bind+0x78/0x1a8 [libcomposite])
[<bf1497cc>] (composite_bind [libcomposite]) from [<c0c62a0c>] 
(udc_bind_to_driver+0x60/0x108)
[<c0c62a0c>] (udc_bind_to_driver) from [<c0c62ed8>] 
(usb_gadget_probe_driver+0x100/0x158)
[<c0c62ed8>] (usb_gadget_probe_driver) from [<c0301fd0>] 
(do_one_initcall+0x54/0x220)
[<c0301fd0>] (do_one_initcall) from [<c03de390>] (do_init_module+0x60/0x210)
[<c03de390>] (do_init_module) from [<c03dd0d4>] (load_module+0x2078/0x24c0)
[<c03dd0d4>] (load_module) from [<c03dd758>] (sys_finit_module+0xc8/0xd8)
[<c03dd758>] (sys_finit_module) from [<c03000c0>] 
(ret_fast_syscall+0x0/0x54)
Exception stack(0xedd1dfa8 to 0xedd1dff0)
...
---[ end trace 0dc21d79c1880545 ]---

I also didn't manage to find any mailing list, where this patch has been 
initially posted...


>        USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()
>
> Christophe JAILLET (1):
>        usb: gadget: f_tcm: Fix some resource leaks in some error paths
>
> Ding Hui (1):
>        xhci: Always restore EP_SOFT_CLEAR_TOGGLE even if ep reset failed
>
> Evgeny Novikov (1):
>        USB: lvtest: return proper error code in probe
>
> Greg Kroah-Hartman (1):
>        Merge tag 'fixes-for-v5.9-rc2' of git://git.kernel.org/.../balbi/usb into usb-linus
>
> Hans de Goede (4):
>        usb: typec: ucsi: Fix AB BA lock inversion
>        usb: typec: ucsi: Fix 2 unlocked ucsi_run_command calls
>        usb: typec: ucsi: Rework ppm_lock handling
>        usb: typec: ucsi: Hold con->lock for the entire duration of ucsi_register_port()
>
> Heikki Krogerus (1):
>        tools: usb: move to tools buildsystem
>
> JC Kuo (2):
>        usb: host: xhci-tegra: otg usb2/usb3 port init
>        usb: host: xhci-tegra: fix tegra_xusb_get_phy()
>
> Kai-Heng Feng (2):
>        USB: quirks: Add no-lpm quirk for another Raydium touchscreen
>        xhci: Do warm-reset when both CAS and XDEV_RESUME are set
>
> Li Jun (1):
>        usb: host: xhci: fix ep context print mismatch in debugfs
>
> M. Vefa Bicakci (1):
>        usbip: Implement a match function to fix usbip
>
> Thinh Nguyen (4):
>        usb: dwc3: gadget: Don't setup more than requested
>        usb: dwc3: gadget: Fix handling ZLP
>        usb: dwc3: gadget: Handle ZLP for sg requests
>        usb: uas: Add quirk for PNY Pro Elite
>
> Tom Rix (1):
>        USB: cdc-acm: rework notification_buffer resizing
>
> Vinod Koul (1):
>        usb: renesas-xhci: remove version check
>
> 周琰杰 (Zhou Yanjie) (1):
>        USB: PHY: JZ4770: Fix static checker warning.
>
>   drivers/usb/class/cdc-acm.c          |  22 ++++---
>   drivers/usb/core/driver.c            |  40 ++++++++++++-
>   drivers/usb/core/generic.c           |   5 +-
>   drivers/usb/core/hcd-pci.c           |   5 +-
>   drivers/usb/core/quirks.c            |   2 +
>   drivers/usb/dwc3/gadget.c            | 107 +++++++++++++++++++++++++++++------
>   drivers/usb/gadget/function/f_ncm.c  |  81 ++++++++++++++++++++++----
>   drivers/usb/gadget/function/f_tcm.c  |   7 ++-
>   drivers/usb/gadget/u_f.h             |  38 +++++++++----
>   drivers/usb/host/xhci-debugfs.c      |   8 +--
>   drivers/usb/host/xhci-hub.c          |  19 ++++---
>   drivers/usb/host/xhci-pci-renesas.c  |  19 +------
>   drivers/usb/host/xhci-tegra.c        |   4 +-
>   drivers/usb/host/xhci.c              |   3 +-
>   drivers/usb/misc/lvstest.c           |   2 +-
>   drivers/usb/misc/yurex.c             |   2 +-
>   drivers/usb/phy/phy-jz4770.c         |   1 +
>   drivers/usb/storage/unusual_uas.h    |   7 +++
>   drivers/usb/typec/tcpm/tcpm.c        |  28 ++++++++-
>   drivers/usb/typec/ucsi/displayport.c |   9 +--
>   drivers/usb/typec/ucsi/ucsi.c        | 103 +++++++++++++++++----------------
>   drivers/usb/usbip/stub_dev.c         |   6 ++
>   tools/usb/Build                      |   2 +
>   tools/usb/Makefile                   |  53 ++++++++++++++---
>   24 files changed, 408 insertions(+), 165 deletions(-)
>   create mode 100644 tools/usb/Build
>
>
Best regards
Greg Kroah-Hartman Aug. 26, 2020, 3:33 p.m. UTC | #2
On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> Hi Greg,
> 
> On 26.08.2020 15:43, Greg KH wrote:
> > The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
> >
> >    Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
> >
> > are available in the Git repository at:
> >
> >    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3
> >
> > for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:
> >
> >    usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)
> >
> > ----------------------------------------------------------------
> > USB fixes for 5.9-rc3
> >
> > Here is a small set of USB fixes for 5.9-rc3.
> >
> > Like most sets of USB bugfixes, they include the usual:
> > 	- usb gadget driver fixes
> > 	- xhci driver fixes
> > 	- typec fixes
> > 	- new quirks and ids
> > 	- fixes for USB patches merged in 5.9-rc1
> >
> > Nothing huge, all of these have been in linux-next with no reported
> > issues:
> >
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > ----------------------------------------------------------------
> > Alan Stern (1):
> >        USB: yurex: Fix bad gfp argument
> >
> > Andy Shevchenko (1):
> >        usb: hcd: Fix use after free in usb_hcd_pci_remove()
> >
> > Badhri Jagan Sridharan (1):
> >        usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures
> >
> > Bastien Nocera (2):
> >        USB: Also match device drivers using the ->match vfunc
> >        USB: Fix device driver race
> >
> > Brooke Basile (2):
> >        USB: gadget: u_f: add overflow checks to VLA macros
> 
> Sorry, but the above patch breaks USB Ethernet Gadget operation. It also 
> didn't get the proper testing in linux-next (next-20200826 is the first 
> one with this patch).
> 
> This is how it explodes on Samsung Exynos (ARM 32bit) based board with 
> g_ether module loaded:
> 
> ------------[ cut here ]------------
> kernel BUG at mm/slub.c:4116!

Why is slub.c erroring?  How is this related to freeing memory?

> Internal error: Oops - BUG: 0 [#1] SMP ARM
> Modules linked in: usb_f_ecm g_ether(+) usb_f_rndis u_ether libcomposite 
> panel_samsung_s6e8aa0 s5p_csis s5p_fimc exynos4_is_common v4l2_fwnode 
> max8997_regulator rtc_max8997 leds_max8997 max8
> emless mms114 governor_simpleondemand s5p_mfc lima gpu_sched s5p_jpeg 
> v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 
> videobuf2_common phy_exynos_usb2 exynosdrm analogix_dp
>   s3c2410_wdt
> CPU: 0 PID: 616 Comm: modprobe Not tainted 5.9.0-rc1-00026-gb1cd1b65afba 
> #9023
> Hardware name: Samsung Exynos (Flattened Device Tree)
> PC is at kfree+0x234/0x268
> LR is at config_item_set_name+0x60/0xb0
> ...
> Process modprobe (pid: 616, stack limit = 0x(ptrval))
> ...
> [<c0494248>] (kfree) from [<c05347a0>] (config_item_set_name+0x60/0xb0)
> [<c05347a0>] (config_item_set_name) from [<c0534844>] 
> (config_group_init_type_name+0x1c/0x50)

Odd, for a "normal" descriptor, the logic should have remained the same
as without this patch.

What does the descriptor definition of your device look like that it
triggers this traceback?

> [<c0534844>] (config_group_init_type_name) from [<bf14bc18>] 
> (usb_os_desc_prepare_interf_dir+0x54/0x124 [libcomposite])
> [<bf14bc18>] (usb_os_desc_prepare_interf_dir [libcomposite]) from 
> [<bf15af9c>] (rndis_alloc_inst+0x100/0x150 [usb_f_rndis])
> [<bf15af9c>] (rndis_alloc_inst [usb_f_rndis]) from [<bf1499dc>] 
> (try_get_usb_function_instance+0x88/0xa4 [libcomposite])
> [<bf1499dc>] (try_get_usb_function_instance [libcomposite]) from 
> [<bf149ad8>] (usb_get_function_instance+0xc/0x44 [libcomposite])
> [<bf149ad8>] (usb_get_function_instance [libcomposite]) from 
> [<bf114164>] (eth_bind+0xdc/0x34c [g_ether])
> [<bf114164>] (eth_bind [g_ether]) from [<bf1497cc>] 
> (composite_bind+0x78/0x1a8 [libcomposite])
> [<bf1497cc>] (composite_bind [libcomposite]) from [<c0c62a0c>] 
> (udc_bind_to_driver+0x60/0x108)
> [<c0c62a0c>] (udc_bind_to_driver) from [<c0c62ed8>] 
> (usb_gadget_probe_driver+0x100/0x158)
> [<c0c62ed8>] (usb_gadget_probe_driver) from [<c0301fd0>] 
> (do_one_initcall+0x54/0x220)
> [<c0301fd0>] (do_one_initcall) from [<c03de390>] (do_init_module+0x60/0x210)
> [<c03de390>] (do_init_module) from [<c03dd0d4>] (load_module+0x2078/0x24c0)
> [<c03dd0d4>] (load_module) from [<c03dd758>] (sys_finit_module+0xc8/0xd8)
> [<c03dd758>] (sys_finit_module) from [<c03000c0>] 
> (ret_fast_syscall+0x0/0x54)
> Exception stack(0xedd1dfa8 to 0xedd1dff0)
> ...
> ---[ end trace 0dc21d79c1880545 ]---

Brooke, any ideas?

thanks,

greg k-h
Andy Shevchenko Aug. 26, 2020, 3:53 p.m. UTC | #3
On Wed, Aug 26, 2020 at 6:36 PM Greg KH <gregkh@linuxfoundation.org> wrote:
> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> > On 26.08.2020 15:43, Greg KH wrote:

> > > Brooke Basile (2):
> > >        USB: gadget: u_f: add overflow checks to VLA macros
> >
> > Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> > didn't get the proper testing in linux-next (next-20200826 is the first
> > one with this patch).
> >
> > This is how it explodes on Samsung Exynos (ARM 32bit) based board with
> > g_ether module loaded:

> Odd, for a "normal" descriptor, the logic should have remained the same
> as without this patch.

> Brooke, any ideas?

I have an idea.

Does below fix this?
Kees Cook Aug. 26, 2020, 3:57 p.m. UTC | #4
On Wed, Aug 26, 2020 at 05:33:47PM +0200, Greg KH wrote:
> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> > Hi Greg,
> > 
> > On 26.08.2020 15:43, Greg KH wrote:
> > > The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
> > >
> > >    Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
> > >
> > > are available in the Git repository at:
> > >
> > >    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3
> > >
> > > for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:
> > >
> > >    usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)
> > >
> > > ----------------------------------------------------------------
> > > USB fixes for 5.9-rc3
> > >
> > > Here is a small set of USB fixes for 5.9-rc3.
> > >
> > > Like most sets of USB bugfixes, they include the usual:
> > > 	- usb gadget driver fixes
> > > 	- xhci driver fixes
> > > 	- typec fixes
> > > 	- new quirks and ids
> > > 	- fixes for USB patches merged in 5.9-rc1
> > >
> > > Nothing huge, all of these have been in linux-next with no reported
> > > issues:
> > >
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > >
> > > ----------------------------------------------------------------
> > > Alan Stern (1):
> > >        USB: yurex: Fix bad gfp argument
> > >
> > > Andy Shevchenko (1):
> > >        usb: hcd: Fix use after free in usb_hcd_pci_remove()
> > >
> > > Badhri Jagan Sridharan (1):
> > >        usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures
> > >
> > > Bastien Nocera (2):
> > >        USB: Also match device drivers using the ->match vfunc
> > >        USB: Fix device driver race
> > >
> > > Brooke Basile (2):
> > >        USB: gadget: u_f: add overflow checks to VLA macros
> > 
> > Sorry, but the above patch breaks USB Ethernet Gadget operation. It also 
> > didn't get the proper testing in linux-next (next-20200826 is the first 
> > one with this patch).
> > 
> > This is how it explodes on Samsung Exynos (ARM 32bit) based board with 
> > g_ether module loaded:
> > 
> > ------------[ cut here ]------------
> > kernel BUG at mm/slub.c:4116!
> 
> Why is slub.c erroring?  How is this related to freeing memory?

I assume this is related to the size calculations in the VLA macros...
nothing _looks_ wrong with that patch, but obviously something is. :)
Hmmm
Andy Shevchenko Aug. 26, 2020, 4:14 p.m. UTC | #5
On Wed, Aug 26, 2020 at 7:00 PM Kees Cook <keescook@chromium.org> wrote:
> On Wed, Aug 26, 2020 at 05:33:47PM +0200, Greg KH wrote:
> > On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> > > On 26.08.2020 15:43, Greg KH wrote:

...

> > Why is slub.c erroring?  How is this related to freeing memory?
>
> I assume this is related to the size calculations in the VLA macros...
> nothing _looks_ wrong with that patch, but obviously something is. :)
> Hmmm

What about the idea I have shared above? (summary: different scope of
two offset variables, and thus outer one is always 0)
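
Added example, not part of the thread or the kernel source: a user-space C model of the scoping problem summarised in the message above, with the shadowed body beside the corrected one. The function names, the saturating array_size_sat() helper and the three-item sample group are constructed for illustration; the arithmetic follows the macro lines quoted in this thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Saturating n * elem; stands in for the kernel's array_size(). */
static size_t array_size_sat(size_t n, size_t elem)
{
    if (n != 0 && elem > SIZE_MAX / n)
        return SIZE_MAX;
    return n * elem;
}

/* Shape of the macro body before the fix: the inner declaration shadows
 * the outer `offset`, so the function always returns 0. */
static size_t item_offset_shadowed(size_t *next, size_t align,
                                   size_t n, size_t elem)
{
    size_t offset = 0;

    if (*next != SIZE_MAX) {
        size_t align_mask = align - 1;
        size_t offset = (*next + align_mask) & ~align_mask; /* shadows */
        size_t size = array_size_sat(n, elem);

        if (size > SIZE_MAX - offset)   /* offset + size would wrap */
            *next = SIZE_MAX;
        else
            *next = offset + size;
    }
    return offset;
}

/* Same body with a single `offset`, assigned after the declarations. */
static size_t item_offset_fixed(size_t *next, size_t align,
                                size_t n, size_t elem)
{
    size_t offset = 0;

    if (*next != SIZE_MAX) {
        size_t align_mask = align - 1;
        size_t size = array_size_sat(n, elem);

        offset = (*next + align_mask) & ~align_mask;
        if (size > SIZE_MAX - offset)
            *next = SIZE_MAX;
        else
            *next = offset + size;
    }
    return offset;
}

typedef size_t (*item_fn)(size_t *, size_t, size_t, size_t);

struct item { size_t align, n, elem; };

/* Constructed sample group: 3 bytes, two 4-byte words, one 8-byte word. */
static const struct item sample[3] = { {1, 3, 1}, {4, 2, 4}, {8, 1, 8} };

/* Lay out `count` items, store each offset, return the group size. */
static size_t layout(item_fn fn, const struct item *items, size_t count,
                     size_t *offs)
{
    size_t next = 0;

    for (size_t i = 0; i < count; i++)
        offs[i] = fn(&next, items[i].align, items[i].n, items[i].elem);
    return next;
}

/* Count item pairs whose byte ranges [off, off + size) intersect. */
static int overlapping_pairs(const struct item *items, size_t count,
                             const size_t *offs)
{
    int hits = 0;

    for (size_t i = 0; i < count; i++) {
        for (size_t j = i + 1; j < count; j++) {
            size_t si = items[i].n * items[i].elem;
            size_t sj = items[j].n * items[j].elem;

            if (offs[i] < offs[j] + sj && offs[j] < offs[i] + si)
                hits++;
        }
    }
    return hits;
}

int main(void)
{
    size_t offs[3];
    size_t total = layout(item_offset_shadowed, sample, 3, offs);

    printf("shadowed: size=%zu offsets=%zu,%zu,%zu overlaps=%d\n", total,
           offs[0], offs[1], offs[2], overlapping_pairs(sample, 3, offs));
    total = layout(item_offset_fixed, sample, 3, offs);
    printf("fixed:    size=%zu offsets=%zu,%zu,%zu overlaps=%d\n", total,
           offs[0], offs[1], offs[2], overlapping_pairs(sample, 3, offs));
    return 0;
}
```

In the shadowed variant the running total is still computed correctly, so the group is sized as expected while every item is placed at offset 0. Building with -Wshadow flags the inner declaration.
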
Greg Kroah-Hartman Aug. 26, 2020, 4:16 p.m. UTC | #6
On Wed, Aug 26, 2020 at 06:53:02PM +0300, Andy Shevchenko wrote:
> On Wed, Aug 26, 2020 at 6:36 PM Greg KH <gregkh@linuxfoundation.org> wrote:
> > On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> > > On 26.08.2020 15:43, Greg KH wrote:
> 
> > > > Brooke Basile (2):
> > > >        USB: gadget: u_f: add overflow checks to VLA macros
> > >
> > > Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> > > didn't get the proper testing in linux-next (next-20200826 is the first
> > > one with this patch).
> > >
> > > This is how it explodes on Samsung Exynos (ARM 32bit) based board with
> > > g_ether module loaded:
> 
> > Odd, for a "normal" descriptor, the logic should have remained the same
> > as without this patch.
> 
> > Brooke, any ideas?
> 
> I have an idea.
> 
> Does below fix this?
> 
> 
> -- 
> With Best Regards,
> Andy Shevchenko

> diff --git a/drivers/usb/gadget/u_f.h b/drivers/usb/gadget/u_f.h
> index df4e1dcb357d..0b5c5f0dd073 100644
> --- a/drivers/usb/gadget/u_f.h
> +++ b/drivers/usb/gadget/u_f.h
> @@ -25,8 +25,8 @@
>  		size_t offset = 0;					       \
>  		if (groupname##__next != SIZE_MAX) {			       \
>  			size_t align_mask = __alignof__(type) - 1;	       \
> -			size_t offset = (groupname##__next + align_mask)       \
> -					 & ~align_mask;			       \
> +			offset = (groupname##__next + align_mask) &	       \
> +				  ~align_mask;				       \
>  			size_t size = array_size(n, sizeof(type));	       \
>  			if (check_add_overflow(offset, size,		       \
>  					       &groupname##__next)) {          \
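
Review bot: In this first hunk the assignment "offset = (groupname##__next + align_mask) & ~align_mask;" now sits ahead of the declaration "size_t size = array_size(n, sizeof(type));", so the block ends up with a declaration after a statement. Declare size first and assign offset after it, directly before the check_add_overflow(offset, size, ...) call that consumes both.
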
> @@ -43,8 +43,8 @@
>  		size_t offset = 0;						\
>  		if (groupname##__next != SIZE_MAX) {				\
>  			size_t align_mask = __alignof__(type) - 1;		\
> -			size_t offset = (groupname##__next + align_mask)	\
> -					 & ~align_mask;				\
> +			offset = (groupname##__next + align_mask) &		\
> +				  ~align_mask;					\
>  			if (check_add_overflow(offset, groupname##_##name##__sz,\
>  							&groupname##__next)) {	\
>  				groupname##__next = SIZE_MAX;			\
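
Review bot: When groupname##__next is already SIZE_MAX, the if body in this second macro is skipped and the outer offset keeps its initial value of 0, which from these lines cannot be told apart from a valid first-item offset. A short comment at "size_t offset = 0;" saying that the value is only meaningful while groupname##__next != SIZE_MAX, and that users of the macro are expected to test for SIZE_MAX before relying on it, would document that.
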

Oh wow, yeah, that should fix the problem, but would be good to get
confirmation...

thanks,

greg k-h
Marek Szyprowski Aug. 26, 2020, 4:17 p.m. UTC | #7
Hi Andy,

On 26.08.2020 17:53, Andy Shevchenko wrote:
> On Wed, Aug 26, 2020 at 6:36 PM Greg KH <gregkh@linuxfoundation.org> wrote:
>> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
>>> On 26.08.2020 15:43, Greg KH wrote:
>>>
>>>> Brooke Basile (2):
>>>>         USB: gadget: u_f: add overflow checks to VLA macros
>>> Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
>>> didn't get the proper testing in linux-next (next-20200826 is the first
>>> one with this patch).
>>>
>>> This is how it explodes on Samsung Exynos (ARM 32bit) based board with
>>> g_ether module loaded:
>> Odd, for a "normal" descriptor, the logic should have remained the same
>> as without this patch.
>> Brooke, any ideas?
> I have an idea.
>
> Does below fix this?

Yep, that's it. I've also moved offset assignment in the first part 
after size_t size = array_size(n, sizeof(type));

Feel free to add:

Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>

Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>

Thanks!

Best regards
Andy Shevchenko Aug. 26, 2020, 4:19 p.m. UTC | #8
On Wed, Aug 26, 2020 at 7:17 PM Marek Szyprowski
<m.szyprowski@samsung.com> wrote:
> On 26.08.2020 17:53, Andy Shevchenko wrote:
> > On Wed, Aug 26, 2020 at 6:36 PM Greg KH <gregkh@linuxfoundation.org> wrote:
> >> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> >>> On 26.08.2020 15:43, Greg KH wrote:
> >>>
> >>>> Brooke Basile (2):
> >>>>         USB: gadget: u_f: add overflow checks to VLA macros
> >>> Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> >>> didn't get the proper testing in linux-next (next-20200826 is the first
> >>> one with this patch).
> >>>
> >>> This is how it explodes on Samsung Exynos (ARM 32bit) based board with
> >>> g_ether module loaded:
> >> Odd, for a "normal" descriptor, the logic should have remained the same
> >> as without this patch.
> >> Brooke, any ideas?
> > I have an idea.
> >
> > Does below fix this?
>
> Yep, that's it. I've also moved offset assignment in the first part
> after size_t size = array_size(n, sizeof(type));
>
> Feel free to add:
>
> Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
>
> Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>

Will send a formal patch soon. Thanks for reporting and testing!
Linus Torvalds Aug. 26, 2020, 5:18 p.m. UTC | #9
On Wed, Aug 26, 2020 at 6:43 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> USB fixes for 5.9-rc3

I'm dropping this, since it seems to break things more than it fixes.

I see that the breakage is already figured out, but I'll just wait for
the next fixes pull with the fix for the problem.

                Linus
Brooke Basile Aug. 26, 2020, 5:20 p.m. UTC | #10
On 8/26/20 12:17 PM, Marek Szyprowski wrote:
> Hi Andy,
> 
> On 26.08.2020 17:53, Andy Shevchenko wrote:
>> On Wed, Aug 26, 2020 at 6:36 PM Greg KH <gregkh@linuxfoundation.org> wrote:
>>> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
>>>> On 26.08.2020 15:43, Greg KH wrote:
>>>>
>>>>> Brooke Basile (2):
>>>>>          USB: gadget: u_f: add overflow checks to VLA macros
>>>> Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
>>>> didn't get the proper testing in linux-next (next-20200826 is the first
>>>> one with this patch).
>>>>
>>>> This is how it explodes on Samsung Exynos (ARM 32bit) based board with
>>>> g_ether module loaded:
>>> Odd, for a "normal" descriptor, the logic should have remained the same
>>> as without this patch.
>>> Brooke, any ideas?
>> I have an idea.
>>
>> Does below fix this?
> 
> Yep, that's it. I've also moved offset assignment in the first part
> after size_t size = array_size(n, sizeof(type));
> 
> Feel free to add:
> 
> Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
> 
> Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
> 
> Thanks!
> 
> Best regards
> 
Ah, I see.  My apologies, I don't know how I was able to miss something 
like this when building/testing...

Thank you for testing and reporting the issue.

Best,
Brooke Basile
Greg Kroah-Hartman Aug. 26, 2020, 7:13 p.m. UTC | #11
On Wed, Aug 26, 2020 at 10:18:23AM -0700, Linus Torvalds wrote:
> On Wed, Aug 26, 2020 at 6:43 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > USB fixes for 5.9-rc3
> 
> I'm dropping this, since it seems to break things more than it fixes.
> 
> I see that the breakage is already figured out, but I'll just wait for
> the next fixes pull with the fix for the problem.

No worries, I'll fix this up and send a new pull request later this
week, sorry for the trouble,

greg k-h
Krzysztof Kozlowski Aug. 27, 2020, 7:51 a.m. UTC | #12
On Wed, 26 Aug 2020 at 17:03, Marek Szyprowski <m.szyprowski@samsung.com> wrote:
>
> Hi Greg,
>
> On 26.08.2020 15:43, Greg KH wrote:
> > The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
> >
> >    Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
> >
> > are available in the Git repository at:
> >
> >    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3
> >
> > for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:
> >
> >    usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)
> >
> > ----------------------------------------------------------------
> > USB fixes for 5.9-rc3
> >
> > Here is a small set of USB fixes for 5.9-rc3.
> >
> > Like most sets of USB bugfixes, they include the usual:
> >       - usb gadget driver fixes
> >       - xhci driver fixes
> >       - typec fixes
> >       - new quirks and ids
> >       - fixes for USB patches merged in 5.9-rc1
> >
> > Nothing huge, all of these have been in linux-next with no reported
> > issues:
> >
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > ----------------------------------------------------------------
> > Alan Stern (1):
> >        USB: yurex: Fix bad gfp argument
> >
> > Andy Shevchenko (1):
> >        usb: hcd: Fix use after free in usb_hcd_pci_remove()
> >
> > Badhri Jagan Sridharan (1):
> >        usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures
> >
> > Bastien Nocera (2):
> >        USB: Also match device drivers using the ->match vfunc
> >        USB: Fix device driver race
> >
> > Brooke Basile (2):
> >        USB: gadget: u_f: add overflow checks to VLA macros
>
> Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> didn't get the proper testing in linux-next (next-20200826 is the first
> one with this patch).
>

Hi Greg,

I have a different question - why is this patch not findable on any
LKML lists? lore.kernel.org does not have it. Neither has my inbox
tracking most of the lists (also main linux-kernel). Maybe subject
changed?

Do we have another process of sending patches for fast inclusion in
the Linux kernel? Is it addressing a HW vulnerability?

Best regards,
Krzysztof
pr-tracker-bot@kernel.org Aug. 30, 2020, 7:15 p.m. UTC | #13
The pull request you sent on Wed, 26 Aug 2020 15:43:15 +0200:

> git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/068834a2773b6a12805105cfadbb3d4229fc6e0a

Thank you!