Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

3.0.8 cache fixes #45

Merged
merged 8 commits into from
Jul 7, 2015
Merged

3.0.8 cache fixes #45

merged 8 commits into from
Jul 7, 2015

Conversation

aejsmith
Copy link

@aejsmith aejsmith commented Jul 7, 2015

Cherry pick some cache flushing fixes from the Android branch which fix some issues with JIT compilation.

The first patch in this series is cherry picked from upstream to fix a build failure with newer versions of Perl which I had to pull in to be able to build 3.0.8.

H. Peter Anvin and others added 8 commits July 6, 2015 15:04
defined(@array) is deprecated in Perl and gives off a warning.
Restructure the code to remove that warning.

[ hpa: it would be interesting to revert to the timeconst.bc script.
  It appears that the failures reported by akpm during testing of
  that script was due to a known broken version of make, not a problem
  with bc.  The Makefile rules could probably be restructured to avoid
  the make bug, or it is probably old enough that it doesn't matter. ]

Reported-by: Andi Kleen <[email protected]>
Signed-off-by: H. Peter Anvin <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: <[email protected]>
…ulti-core. The strategy is to flush both dcache and icache on the local CPU by address if the range < cachesize or by index if the range >= cachesize, and to flush the cache by index on all other CPU's.

The other CPU maybe running in different process whit different address mapping,
protected_blast_icache_range_ipi() maybe failed, so flush icache all with
local_r4k_flush_icache_ipi(). But local_r4k_flush_icache_ipi() flush icache all by index,
both flush L1 icache and L2 cache, it slowdown the machine performance.
Ingenic should optimized the routine later.

Change-Id: Ie95e1fcbb0edf12fd18bdfb592bcaacaf1580d05
…ache.h blast_dcache32() remove K0_TO_K1_CHECK(). rjzcache.h fix blast_icache_jz() bug.

Change-Id: I3f23ca4204cb804ee2f986bf0301a4c3e794a845
…. and remove r4k_on_other_cpu(local_r4k_flush_dcache_jz_ipi,0).

Change-Id: I31252f426dba7326cfe1b13dd1aa587e61e411a2
…_WB() for better performance. If user use __flush_cache_all() and then do a DMA transfer, must do SYNC_WB() after do __flush_cache_all().

Change-Id: I55cfbab24b706fab14a9af4f64d24430fbedeb5c
…che_jz_ipi,0) with r4k_on_other_cpu(protected_blast_other_cpu_dcache_range_ipi, &range_addr) for a better performance.

Change-Id: Idbfeecfc3437162f22b62f62d3a28ab19377e42a
…che on other CPUs.

Test result by 2013-10-25:
Flush complete dcache and icache on other CPUs with local_r4k_flush_dcache_jz_ipi()
and local_r4k_flush_icache_jz_ipi(), running flushtest is stable 4days.

Flush dcache_range and icache_range by index on other CPUs,
with protected_blast_other_cpu_dcache_range_ipi() protected_blast_other_cpu_icache_range_ipi(),
fails running flushtest after hours. It should be update in the future.

Change-Id: I3446c92cbc67ab9aa0a1131384bf6f3ba52735b6
Change-Id: Ibca3dbfa88110576823819c7c9200cc86d014dd6
@aejsmith
Copy link
Author

aejsmith commented Jul 7, 2015

This also fixes #21

@ZubairLK
Copy link

ZubairLK commented Jul 7, 2015

cool.

commit messages are pretty horrible. worth cleaning b51bc9f subject at least?

@ZubairLK
Copy link

ZubairLK commented Jul 7, 2015

or is it the exact commit as the android stuff?

@aejsmith
Copy link
Author

aejsmith commented Jul 7, 2015

Of course I wouldn't write commit messages like that ;)

They're cherry picked straight from the Android branch, presumably the same commit messages as they were given in Ingenic's tree.

ZubairLK added a commit that referenced this pull request Jul 7, 2015
3.0.8 cache fixes inherited from android/ingenic.
@ZubairLK ZubairLK merged commit 4c51e3b into MIPS:ci20-v3.0.8 Jul 7, 2015
@aejsmith aejsmith deleted the ci20-v3.0.8-cache branch July 7, 2015 13:47
chrisdearman pushed a commit that referenced this pull request Mar 22, 2017
Only adb, mtp and ptp configurations have been functional
when selected. This patch introduces proper behaviour
when mtp,adb or ptp,adb configurations are selected.

During the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ #10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ #45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
miodragdinic pushed a commit to miodragdinic/CI20_linux that referenced this pull request May 24, 2017
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
pcercuei pushed a commit to OpenDingux/linux that referenced this pull request Jun 5, 2017
Xiaolong Ye's kernel test robot detected the following Oops:
[  299.158991] BUG: scheduling while atomic: mount.nfs/9387/0x00000002
[  299.169587] 2 locks held by mount.nfs/9387:
[  299.176165]  #0:  (nfs_clid_init_mutex){......}, at: [<ffffffff8130cc92>] nfs4_discover_server_trunking+0x47/0x1fc
[  299.201802]  #1:  (&(&nn->nfs_client_lock)->rlock){......}, at: [<ffffffff813125fa>] nfs40_walk_client_list+0x2e9/0x338
[  299.221979] CPU: 0 PID: 9387 Comm: mount.nfs Not tainted 4.11.0-rc7-00021-g14d1bbb MIPS#45
[  299.235584] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
[  299.251176] Call Trace:
[  299.255192]  dump_stack+0x61/0x7e
[  299.260416]  __schedule_bug+0x65/0x74
[  299.266208]  __schedule+0x5d/0x87c
[  299.271883]  schedule+0x89/0x9a
[  299.276937]  schedule_timeout+0x232/0x289
[  299.283223]  ? detach_if_pending+0x10b/0x10b
[  299.289935]  schedule_timeout_uninterruptible+0x2a/0x2c
[  299.298266]  ? put_rpccred+0x3e/0x115
[  299.304327]  ? schedule_timeout_uninterruptible+0x2a/0x2c
[  299.312851]  msleep+0x1e/0x22
[  299.317612]  nfs4_discover_server_trunking+0x102/0x1fc
[  299.325644]  nfs4_init_client+0x13f/0x194

It looks as if we recently added a spin_lock() leak to
nfs40_walk_client_list() when cleaning up the code.

Reported-by: kernel test robot <[email protected]>
Fixes: 14d1bbb ("NFS: Create a common nfs4_match_client() function")
Cc: Anna Schumaker <[email protected]>
Signed-off-by: Trond Myklebust <[email protected]>
pcercuei pushed a commit to OpenDingux/linux that referenced this pull request May 16, 2018
syzbot caught an infinite recursion in nsh_gso_segment().

Problem here is that we need to make sure the NSH header is of
reasonable length.

BUG: MAX_LOCK_DEPTH too low!
turning off the locking correctness validator.
depth: 48  max: 48!
48 locks held by syz-executor0/10189:
 #0:         (ptrval) (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x30f/0x34c0 net/core/dev.c:3517
 #1:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #1:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #2:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #2:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #3:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #3:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #4:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #4:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #5:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #5:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #6:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #6:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #7:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #7:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #8:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #8:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #9:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #9:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #10:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #10:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #11:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #11:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #12:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #12:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #13:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #13:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #14:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #14:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 #15:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #15:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#16:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#16:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#17:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#17:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#18:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#18:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#19:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#19:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#20:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#20:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#21:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#21:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#22:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#22:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#23:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#23:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#24:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#24:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#25:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#25:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#26:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#26:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#27:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#27:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#28:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#28:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#29:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#29:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#30:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#30:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#31:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#31:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
dccp_close: ABORT with 65423 bytes unread
 MIPS#32:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#32:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#33:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#33:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#34:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#34:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#35:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#35:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#36:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#36:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#37:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#37:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#38:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#38:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#39:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#39:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#40:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#40:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#41:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#41:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#42:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#42:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#43:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#43:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#44:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#44:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#45:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#45:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#46:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#46:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
 MIPS#47:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 MIPS#47:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
INFO: lockdep is turned off.
CPU: 1 PID: 10189 Comm: syz-executor0 Not tainted 4.17.0-rc2+ MIPS#26
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 __lock_acquire+0x1788/0x5140 kernel/locking/lockdep.c:3449
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 rcu_lock_acquire include/linux/rcupdate.h:246 [inline]
 rcu_read_lock include/linux/rcupdate.h:632 [inline]
 skb_mac_gso_segment+0x25b/0x720 net/core/dev.c:2789
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
 skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
 __skb_gso_segment+0x3bb/0x870 net/core/dev.c:2865
 skb_gso_segment include/linux/netdevice.h:4025 [inline]
 validate_xmit_skb+0x54d/0xd90 net/core/dev.c:3118
 validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3168
 sch_direct_xmit+0x354/0x11e0 net/sched/sch_generic.c:312
 qdisc_restart net/sched/sch_generic.c:399 [inline]
 __qdisc_run+0x741/0x1af0 net/sched/sch_generic.c:410
 __dev_xmit_skb net/core/dev.c:3243 [inline]
 __dev_queue_xmit+0x28ea/0x34c0 net/core/dev.c:3551
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3616
 packet_snd net/packet/af_packet.c:2951 [inline]
 packet_sendmsg+0x40f8/0x6070 net/packet/af_packet.c:2976
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 __sys_sendto+0x3d7/0x670 net/socket.c:1789
 __do_sys_sendto net/socket.c:1801 [inline]
 __se_sys_sendto net/socket.c:1797 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: c411ed8 ("nsh: add GSO support")
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Jiri Benc <[email protected]>
Reported-by: syzbot <[email protected]>
Acked-by: Jiri Benc <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
nemunaire pushed a commit to nemunaire/CI20_linux that referenced this pull request Aug 17, 2018
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Sep 11, 2018
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Sep 26, 2018
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Oct 14, 2018
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Nov 23, 2018
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Nov 28, 2018
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Dec 11, 2018
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Jan 1, 2019
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Jan 13, 2019
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Feb 1, 2019
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Feb 12, 2019
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
pcercuei pushed a commit to OpenDingux/linux that referenced this pull request Feb 28, 2019
KASAN has found use-after-free in fixed_mdio_bus_init,
commit 0c692d0 ("drivers/net/phy/mdio_bus.c: call
put_device on device_register() failure") call put_device()
while device_register() fails,give up the last reference
to the device and allow mdiobus_release to be executed
,kfreeing the bus. However in most drives, mdiobus_free
be called to free the bus while mdiobus_register fails.
use-after-free occurs when access bus again, this patch
revert it to let mdiobus_free free the bus.

KASAN report details as below:

BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524

CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ MIPS#45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
 fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
 ? 0xffffffffc0e40000
 ? 0xffffffffc0e40000
 ? 0xffffffffc0e40000
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004

Allocated by task 3524:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
 fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3524:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
 slab_free_hook mm/slub.c:1409 [inline]
 slab_free_freelist_hook mm/slub.c:1436 [inline]
 slab_free mm/slub.c:2986 [inline]
 kfree+0xe1/0x270 mm/slub.c:3938
 device_release+0x78/0x200 drivers/base/core.c:919
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put+0x146/0x240 lib/kobject.c:708
 put_device+0x1c/0x30 drivers/base/core.c:2060
 __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
 fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881dc824c80
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 248 bytes inside of
 2048-byte region [ffff8881dc824c80, ffff8881dc825480)
The buggy address belongs to the page:
page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 0c692d0 ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
Signed-off-by: YueHaibing <[email protected]>
Reviewed-by: Andrew Lunn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
pcercuei pushed a commit to OpenDingux/linux that referenced this pull request Jun 2, 2019
KASAN reports this:

BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi]
Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429

CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ MIPS#45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x1c4/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 memcpy+0x1f/0x50 mm/kasan/common.c:130
 qedi_dbg_err+0xda/0x330 [qedi]
 ? 0xffffffffc12d0000
 qedi_init+0x118/0x1000 [qedi]
 ? 0xffffffffc12d0000
 ? 0xffffffffc12d0000
 ? 0xffffffffc12d0000
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004

The buggy address belongs to the variable:
 __func__.67584+0x0/0xffffffffffffd520 [qedi]

Memory state around the buggy address:
 ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa
 ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa
> ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa
                                                          ^
 ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa
 ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa

Currently the qedi_dbg_* family of functions can overrun the end of the
source string if it is less than the destination buffer length because of
the use of a fixed sized memcpy. Remove the memset/memcpy calls to nfunc
and just use func instead as it is always a null terminated string.

Reported-by: Hulk Robot <[email protected]>
Fixes: ace7f46 ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
Signed-off-by: YueHaibing <[email protected]>
Reviewed-by: Dan Carpenter <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
nemunaire pushed a commit to nemunaire/CI20_linux that referenced this pull request Jun 16, 2019
[ Upstream commit 58bdd54 ]

KASAN report this:

BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc]
Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401

CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ MIPS#45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 kasan_report+0x171/0x18d mm/kasan/report.c:321
 memcpy+0x1f/0x50 mm/kasan/common.c:130
 nfc_llcp_build_gb+0x37f/0x540 [nfc]
 nfc_llcp_register_device+0x6eb/0xb50 [nfc]
 nfc_register_device+0x50/0x1d0 [nfc]
 nfcsim_device_new+0x394/0x67d [nfcsim]
 ? 0xffffffffc1080000
 nfcsim_init+0x6b/0x1000 [nfcsim]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004

nfc_llcp_build_tlv will return NULL on fails, caller should check it,
otherwise will trigger a NULL dereference.

Reported-by: Hulk Robot <[email protected]>
Fixes: eda21f1 ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames")
Fixes: d646960 ("NFC: Initial LLCP support")
Signed-off-by: YueHaibing <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
nemunaire pushed a commit to nemunaire/CI20_linux that referenced this pull request Jun 16, 2019
[ Upstream commit 6ff7b06 ]

KASAN has found use-after-free in fixed_mdio_bus_init,
commit 0c692d0 ("drivers/net/phy/mdio_bus.c: call
put_device on device_register() failure") call put_device()
while device_register() fails,give up the last reference
to the device and allow mdiobus_release to be executed
,kfreeing the bus. However in most drives, mdiobus_free
be called to free the bus while mdiobus_register fails.
use-after-free occurs when access bus again, this patch
revert it to let mdiobus_free free the bus.

KASAN report details as below:

BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524

CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ MIPS#45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
 fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
 ? 0xffffffffc0e40000
 ? 0xffffffffc0e40000
 ? 0xffffffffc0e40000
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004

Allocated by task 3524:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
 fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3524:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
 slab_free_hook mm/slub.c:1409 [inline]
 slab_free_freelist_hook mm/slub.c:1436 [inline]
 slab_free mm/slub.c:2986 [inline]
 kfree+0xe1/0x270 mm/slub.c:3938
 device_release+0x78/0x200 drivers/base/core.c:919
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put+0x146/0x240 lib/kobject.c:708
 put_device+0x1c/0x30 drivers/base/core.c:2060
 __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
 fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881dc824c80
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 248 bytes inside of
 2048-byte region [ffff8881dc824c80, ffff8881dc825480)
The buggy address belongs to the page:
page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 0c692d0 ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
Signed-off-by: YueHaibing <[email protected]>
Reviewed-by: Andrew Lunn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
nemunaire pushed a commit to nemunaire/CI20_linux that referenced this pull request Jun 16, 2019
[ Upstream commit 6377f78 ]

KASAN report this:

BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
Read of size 8 at addr ffff8881f41fe5b0 by task syz-executor.0/2806

CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ MIPS#45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
 remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667
 atalk_proc_exit+0x18/0x820 [appletalk]
 atalk_exit+0xf/0x5a [appletalk]
 __do_sys_delete_module kernel/module.c:1018 [inline]
 __se_sys_delete_module kernel/module.c:961 [inline]
 __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb2de6b9c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200001c0
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb2de6ba6bc
R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff

Allocated by task 2806:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slub.c:2739 [inline]
 slab_alloc mm/slub.c:2747 [inline]
 kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752
 kmem_cache_zalloc include/linux/slab.h:730 [inline]
 __proc_create+0x30f/0xa20 fs/proc/generic.c:408
 proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469
 0xffffffffc10c01bb
 0xffffffffc10c0166
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2806:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
 slab_free_hook mm/slub.c:1409 [inline]
 slab_free_freelist_hook mm/slub.c:1436 [inline]
 slab_free mm/slub.c:2986 [inline]
 kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002
 pde_put+0x6e/0x80 fs/proc/generic.c:647
 remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684
 0xffffffffc10c031c
 0xffffffffc10c0166
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881f41fe500
 which belongs to the cache proc_dir_entry of size 256
The buggy address is located 176 bytes inside of
 256-byte region [ffff8881f41fe500, ffff8881f41fe600)
The buggy address belongs to the page:
page:ffffea0007d07f80 count:1 mapcount:0 mapping:ffff8881f6e69a00 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6e69a00
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

It should check the return value of atalk_proc_init fails,
otherwise atalk_exit will trgger use-after-free in pde_subdir_find
while unload the module.This patch fix error cleanup path of atalk_init

Reported-by: Hulk Robot <[email protected]>
Signed-off-by: YueHaibing <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
nemunaire pushed a commit to nemunaire/CI20_linux that referenced this pull request Jun 16, 2019
Before this patch, using multiple active endpoints would not
be possible and would actually be canceling each other out.

The issue was discovered on Android when combining adb, mtp and ptp
configurations together. This patch introduces proper behaviour for
these cases.

Also, during the boot-up the following warning is no longer shown:

[    2.879328] ------------[ cut here ]------------
[    2.883983] WARNING: CPU: 0 PID: 1 at drivers/usb/dwc2/gadget.c:212 s3c_hsotg_init_fifo+0x168/0x1d0()
[    2.893204] insufficient fifo memory
[    2.896602] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.3+ MIPS#10
[    2.904004] Stack : 00000000 800919a0 00000000 00000004 00000006 800913f4 00000000 00000000
          00000000 00000000 80f75a12 00000042 80f75a12 00000042 00000006 00000000
          80e42767 80d7c2e 00000001 00000000 80f73574 8bc90418 80ea0000 01000d00
          80f06704 80b24c00 00000000 80035388 00000006 00000000 80d834a4 8bc99b04
          8bc99b04 80e40000 00000000 00000000 00000000 00000000 00000000 00000000
          ...
[    2.939709] Call Trace:
[    2.942174] [<8001bab0>] show_stack+0xd4/0xf0
[    2.946528] [<80b26c40>] dump_stack+0x70/0xbc
[    2.950880] [<800356bc>] warn_slowpath_common+0x90/0xe8
[    2.956116] [<80035808>] warn_slowpath_fmt+0x3c/0x48
[    2.961075] [<8069b824>] s3c_hsotg_init_fifo+0x168/0x1d0
[    2.966398] [<8069d8fc>] s3c_hsotg_init+0x50/0x9c
[    2.971095] [<806a0388>] dwc2_gadget_init+0x430/0x8c0
[    2.976158] [<806a0df0>] dwc2_driver_probe+0x218/0x2a8
[    2.981291] [<805b935c>] platform_drv_probe+0x64/0x120
[    2.986440] [<805b783c>] really_probe+0xa0/0x278
[    2.991050] [<805b7c78>] driver_probe_device+0x48/0x78
[    2.996197] [<805b7d74>] __driver_attach+0xcc/0xd4
[    3.000980] [<805b5b7c>] bus_for_each_dev+0x7c/0xc4
[    3.005874] [<805b64f8>] bus_add_driver+0x180/0x240
[    3.010743] [<805b8428>] driver_register+0xac/0x154
[    3.015633] [<80ea9e04>] do_one_initcall+0x150/0x1f4
[    3.020589] [<80eaa080>] kernel_init_freeable+0x1d8/0x298
[    3.025998] [<80b23c5c>] kernel_init+0x28/0x158
[    3.030522] [<800153ec>] ret_from_kernel_thread+0x14/0x1c
[    3.035926]
[    3.037412] ---[ end trace cb88537fdc8fa201 ]---

And during configuration transitions (e.g. adb -> mtp,adb)
the following warning is no longer shown:

[ 311.726159] -----------[ cut here ]-----------
[ 311.730817] WARNING: CPU: 0 PID: 0 at drivers/usb/dwc2/gadget.c:1475 s3c_hsotg_rx_data+0x130/0x13c()
[ 311.739931] Modules linked in:
[ 311.742993] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.3+ MIPS#45
[ 311.750199] Stack : 00000000 80080370 00000000 00000004 00000006 00000000 00000000 00000000
00000000 00000000 80f05b02 00000042 80d61010 80e18e20 80d60000 8b408010
80e18927 80d0df6c 00000000 00000000 80f03614 80e18e20 80d60000 8b408010
00250182 80a54f54 80e20cc4 80e20cc8 00000000 00000000 80d14ab8 80dfbacc
80dfbacc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
...
[ 311.785841] Call Trace:
[ 311.788292] [<8001ac28>] show_stack+0xc4/0xe0
[ 311.792650] [<80a56e58>] dump_stack+0x70/0xbc
[ 311.797008] [<80033c14>] warn_slowpath_common+0x88/0xb8
[ 311.802224] [<80033cc8>] warn_slowpath_null+0x18/0x24
[ 311.807266] [<80606a3c>] s3c_hsotg_rx_data+0x130/0x13c
[ 311.812397] [<8060afa4>] s3c_hsotg_irq+0x3b4/0x5e8
[ 311.817183] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.822745] [<80082d4c>] handle_irq_event+0x54/0x98
[ 311.827617] [<80086390>] handle_level_irq+0xe0/0x1c0
[ 311.832572] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.837622] [<804bb680>] jz4740_cascade+0x78/0xac
[ 311.842317] [<80082ab8>] handle_irq_event_percpu+0x90/0x2d0
[ 311.847881] [<80086d18>] handle_percpu_irq+0x8c/0xbc
[ 311.852835] [<800820bc>] generic_handle_irq+0x3c/0x54
[ 311.857878] [<80016c8c>] do_IRQ+0x18/0x2c
[ 311.861879] [<80014c40>] ret_from_irq+0x0/0x4
[ 311.866227] [<80016b20>] mips_cpuidle_wait_enter+0x14/0x34
[ 311.871713] [<806d37b0>] cpuidle_enter_state+0x88/0x2c0
[ 311.876934] [<80074308>] cpu_startup_entry+0x36c/0x484
[ 311.882074] [<80e7dc04>] start_kernel+0x4b8/0x4e0
[ 311.886767]
[ 311.888253] --[ end trace dd7a60dcc5530db3 ]--

Change-Id: Ic8ac37a28913d4314371de0cd446f8a7cc45864d
Signed-off-by: Dragan Cecavac <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Jan 17, 2020
[ Upstream commit 58bdd54 ]

KASAN report this:

BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc]
Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401

CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ MIPS#45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 kasan_report+0x171/0x18d mm/kasan/report.c:321
 memcpy+0x1f/0x50 mm/kasan/common.c:130
 nfc_llcp_build_gb+0x37f/0x540 [nfc]
 nfc_llcp_register_device+0x6eb/0xb50 [nfc]
 nfc_register_device+0x50/0x1d0 [nfc]
 nfcsim_device_new+0x394/0x67d [nfcsim]
 ? 0xffffffffc1080000
 nfcsim_init+0x6b/0x1000 [nfcsim]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004

nfc_llcp_build_tlv will return NULL on fails, caller should check it,
otherwise will trigger a NULL dereference.

Reported-by: Hulk Robot <[email protected]>
Fixes: eda21f1 ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames")
Fixes: d646960 ("NFC: Initial LLCP support")
Signed-off-by: YueHaibing <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Jan 17, 2020
[ Upstream commit 6ff7b06 ]

KASAN has found use-after-free in fixed_mdio_bus_init,
commit 0c692d0 ("drivers/net/phy/mdio_bus.c: call
put_device on device_register() failure") call put_device()
while device_register() fails,give up the last reference
to the device and allow mdiobus_release to be executed
,kfreeing the bus. However in most drives, mdiobus_free
be called to free the bus while mdiobus_register fails.
use-after-free occurs when access bus again, this patch
revert it to let mdiobus_free free the bus.

KASAN report details as below:

BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524

CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ MIPS#45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
 fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
 ? 0xffffffffc0e40000
 ? 0xffffffffc0e40000
 ? 0xffffffffc0e40000
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004

Allocated by task 3524:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
 fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3524:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
 slab_free_hook mm/slub.c:1409 [inline]
 slab_free_freelist_hook mm/slub.c:1436 [inline]
 slab_free mm/slub.c:2986 [inline]
 kfree+0xe1/0x270 mm/slub.c:3938
 device_release+0x78/0x200 drivers/base/core.c:919
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put+0x146/0x240 lib/kobject.c:708
 put_device+0x1c/0x30 drivers/base/core.c:2060
 __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
 fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881dc824c80
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 248 bytes inside of
 2048-byte region [ffff8881dc824c80, ffff8881dc825480)
The buggy address belongs to the page:
page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 0c692d0 ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
Signed-off-by: YueHaibing <[email protected]>
Reviewed-by: Andrew Lunn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
gabrielesvelto pushed a commit to gabrielesvelto/CI20_linux that referenced this pull request Jan 17, 2020
[ Upstream commit 6377f78 ]

KASAN report this:

BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
Read of size 8 at addr ffff8881f41fe5b0 by task syz-executor.0/2806

CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ MIPS#45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
 remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667
 atalk_proc_exit+0x18/0x820 [appletalk]
 atalk_exit+0xf/0x5a [appletalk]
 __do_sys_delete_module kernel/module.c:1018 [inline]
 __se_sys_delete_module kernel/module.c:961 [inline]
 __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb2de6b9c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200001c0
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb2de6ba6bc
R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff

Allocated by task 2806:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slub.c:2739 [inline]
 slab_alloc mm/slub.c:2747 [inline]
 kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752
 kmem_cache_zalloc include/linux/slab.h:730 [inline]
 __proc_create+0x30f/0xa20 fs/proc/generic.c:408
 proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469
 0xffffffffc10c01bb
 0xffffffffc10c0166
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2806:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
 slab_free_hook mm/slub.c:1409 [inline]
 slab_free_freelist_hook mm/slub.c:1436 [inline]
 slab_free mm/slub.c:2986 [inline]
 kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002
 pde_put+0x6e/0x80 fs/proc/generic.c:647
 remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684
 0xffffffffc10c031c
 0xffffffffc10c0166
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881f41fe500
 which belongs to the cache proc_dir_entry of size 256
The buggy address is located 176 bytes inside of
 256-byte region [ffff8881f41fe500, ffff8881f41fe600)
The buggy address belongs to the page:
page:ffffea0007d07f80 count:1 mapcount:0 mapping:ffff8881f6e69a00 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6e69a00
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

It should check the return value of atalk_proc_init fails,
otherwise atalk_exit will trgger use-after-free in pde_subdir_find
while unload the module.This patch fix error cleanup path of atalk_init

Reported-by: Hulk Robot <[email protected]>
Signed-off-by: YueHaibing <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
pcercuei pushed a commit to OpenDingux/linux that referenced this pull request Jan 19, 2021
While mounting a crafted image provided by user, kernel panics due to
the invalid chunk item whose end is less than start.

  [66.387422] loop: module loaded
  [66.389773] loop0: detected capacity change from 262144 to 0
  [66.427708] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 12 /dev/loop0 scanned by mount (613)
  [66.431061] BTRFS info (device loop0): disk space caching is enabled
  [66.431078] BTRFS info (device loop0): has skinny extents
  [66.437101] BTRFS error: insert state: end < start 29360127 37748736
  [66.437136] ------------[ cut here ]------------
  [66.437140] WARNING: CPU: 16 PID: 613 at fs/btrfs/extent_io.c:557 insert_state.cold+0x1a/0x46 [btrfs]
  [66.437369] CPU: 16 PID: 613 Comm: mount Tainted: G           O      5.11.0-rc1-custom MIPS#45
  [66.437374] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
  [66.437378] RIP: 0010:insert_state.cold+0x1a/0x46 [btrfs]
  [66.437420] RSP: 0018:ffff93e5414c3908 EFLAGS: 00010286
  [66.437427] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
  [66.437431] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
  [66.437434] RBP: ffff93e5414c3938 R08: 0000000000000001 R09: 0000000000000001
  [66.437438] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d72aa0
  [66.437441] R13: ffff8ec78bc71628 R14: 0000000000000000 R15: 0000000002400000
  [66.437447] FS:  00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
  [66.437451] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [66.437455] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
  [66.437460] PKRU: 55555554
  [66.437464] Call Trace:
  [66.437475]  set_extent_bit+0x652/0x740 [btrfs]
  [66.437539]  set_extent_bits_nowait+0x1d/0x20 [btrfs]
  [66.437576]  add_extent_mapping+0x1e0/0x2f0 [btrfs]
  [66.437621]  read_one_chunk+0x33c/0x420 [btrfs]
  [66.437674]  btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
  [66.437708]  ? kvm_sched_clock_read+0x18/0x40
  [66.437739]  open_ctree+0xb32/0x1734 [btrfs]
  [66.437781]  ? bdi_register_va+0x1b/0x20
  [66.437788]  ? super_setup_bdi_name+0x79/0xd0
  [66.437810]  btrfs_mount_root.cold+0x12/0xeb [btrfs]
  [66.437854]  ? __kmalloc_track_caller+0x217/0x3b0
  [66.437873]  legacy_get_tree+0x34/0x60
  [66.437880]  vfs_get_tree+0x2d/0xc0
  [66.437888]  vfs_kern_mount.part.0+0x78/0xc0
  [66.437897]  vfs_kern_mount+0x13/0x20
  [66.437902]  btrfs_mount+0x11f/0x3c0 [btrfs]
  [66.437940]  ? kfree+0x5ff/0x670
  [66.437944]  ? __kmalloc_track_caller+0x217/0x3b0
  [66.437962]  legacy_get_tree+0x34/0x60
  [66.437974]  vfs_get_tree+0x2d/0xc0
  [66.437983]  path_mount+0x48c/0xd30
  [66.437998]  __x64_sys_mount+0x108/0x140
  [66.438011]  do_syscall_64+0x38/0x50
  [66.438018]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  [66.438023] RIP: 0033:0x7f0138827f6e
  [66.438033] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
  [66.438040] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
  [66.438044] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
  [66.438047] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
  [66.438050] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
  [66.438054] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
  [66.438078] irq event stamp: 18169
  [66.438082] hardirqs last  enabled at (18175): [<ffffffffb81154bf>] console_unlock+0x4ff/0x5f0
  [66.438088] hardirqs last disabled at (18180): [<ffffffffb8115427>] console_unlock+0x467/0x5f0
  [66.438092] softirqs last  enabled at (16910): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
  [66.438097] softirqs last disabled at (16905): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
  [66.438103] ---[ end trace e114b111db64298b ]---
  [66.438107] BTRFS error: found node 12582912 29360127 on insert of 37748736 29360127
  [66.438127] BTRFS critical: panic in extent_io_tree_panic:679: locking error: extent tree was modified by another thread while locked (errno=-17 Object already exists)
  [66.441069] ------------[ cut here ]------------
  [66.441072] kernel BUG at fs/btrfs/extent_io.c:679!
  [66.442064] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
  [66.443018] CPU: 16 PID: 613 Comm: mount Tainted: G        W  O      5.11.0-rc1-custom MIPS#45
  [66.444538] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
  [66.446223] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
  [66.450878] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
  [66.451840] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
  [66.453141] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
  [66.454445] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
  [66.455743] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
  [66.457055] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
  [66.458356] FS:  00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
  [66.459841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [66.460895] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
  [66.462196] PKRU: 55555554
  [66.462692] Call Trace:
  [66.463139]  set_extent_bit.cold+0x30/0x98 [btrfs]
  [66.464049]  set_extent_bits_nowait+0x1d/0x20 [btrfs]
  [66.490466]  add_extent_mapping+0x1e0/0x2f0 [btrfs]
  [66.514097]  read_one_chunk+0x33c/0x420 [btrfs]
  [66.534976]  btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
  [66.555718]  ? kvm_sched_clock_read+0x18/0x40
  [66.575758]  open_ctree+0xb32/0x1734 [btrfs]
  [66.595272]  ? bdi_register_va+0x1b/0x20
  [66.614638]  ? super_setup_bdi_name+0x79/0xd0
  [66.633809]  btrfs_mount_root.cold+0x12/0xeb [btrfs]
  [66.652938]  ? __kmalloc_track_caller+0x217/0x3b0
  [66.671925]  legacy_get_tree+0x34/0x60
  [66.690300]  vfs_get_tree+0x2d/0xc0
  [66.708221]  vfs_kern_mount.part.0+0x78/0xc0
  [66.725808]  vfs_kern_mount+0x13/0x20
  [66.742730]  btrfs_mount+0x11f/0x3c0 [btrfs]
  [66.759350]  ? kfree+0x5ff/0x670
  [66.775441]  ? __kmalloc_track_caller+0x217/0x3b0
  [66.791750]  legacy_get_tree+0x34/0x60
  [66.807494]  vfs_get_tree+0x2d/0xc0
  [66.823349]  path_mount+0x48c/0xd30
  [66.838753]  __x64_sys_mount+0x108/0x140
  [66.854412]  do_syscall_64+0x38/0x50
  [66.869673]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  [66.885093] RIP: 0033:0x7f0138827f6e
  [66.945613] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
  [66.977214] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
  [66.994266] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
  [67.011544] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
  [67.028836] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
  [67.045812] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
  [67.216138] ---[ end trace e114b111db64298c ]---
  [67.237089] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
  [67.325317] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
  [67.347946] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
  [67.371343] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
  [67.394757] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
  [67.418409] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
  [67.441906] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
  [67.465436] FS:  00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
  [67.511660] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [67.535047] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
  [67.558449] PKRU: 55555554
  [67.581146] note: mount[613] exited with preempt_count 2

The image has a chunk item which has a logical start 37748736 and length
18446744073701163008 (-8M). The calculated end 29360127 overflows.
EEXIST was caught by insert_state() because of the duplicate end and
extent_io_tree_panic() was called.

Add overflow check of chunk item end to tree checker so it can be
detected early at mount time.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=208929
CC: [email protected] # 4.19+
Reviewed-by: Anand Jain <[email protected]>
Signed-off-by: Su Yue <[email protected]>
Reviewed-by: David Sterba <[email protected]>
Signed-off-by: David Sterba <[email protected]>
pcercuei pushed a commit to OpenDingux/linux that referenced this pull request Apr 12, 2021
xdp_return_frame() may be called outside of NAPI context to return
xdpf back to page_pool. xdp_return_frame() calls __xdp_return() with
napi_direct = false. For page_pool memory model, __xdp_return() calls
xdp_return_frame_no_direct() unconditionally and below false negative
kernel BUG throw happened under preempt-rt build:

[  430.450355] BUG: using smp_processor_id() in preemptible [00000000] code: modprobe/3884
[  430.451678] caller is __xdp_return+0x1ff/0x2e0
[  430.452111] CPU: 0 PID: 3884 Comm: modprobe Tainted: G     U      E     5.12.0-rc2+ MIPS#45

Changes in v2:
 - This patch fixes the issue by making xdp_return_frame_no_direct() is
   only called if napi_direct = true, as recommended for better by
   Jesper Dangaard Brouer. Thanks!

Fixes: 2539650 ("xdp: Helpers for disabling napi_direct of xdp_return_frame")
Signed-off-by: Ong Boon Leong <[email protected]>
Acked-by: Jesper Dangaard Brouer <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
pcercuei pushed a commit to OpenDingux/linux that referenced this pull request Jun 11, 2021
In 'rp2_probe', the driver registers 'rp2_uart_interrupt' then calls
'rp2_fw_cb' through 'request_firmware_nowait'. In 'rp2_fw_cb', if the
firmware don't exists, function just return without initializing ports
of 'rp2_card'. But now the interrupt handler function has been
registered, and when an interrupt comes, 'rp2_uart_interrupt' may access
those ports then causing NULL pointer dereference or other bugs.

Because the driver does some initialization work in 'rp2_fw_cb', in
order to make the driver ready to handle interrupts, 'request_firmware'
should be used instead of asynchronous 'request_firmware_nowait'.

This report reveals it:

INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty MIPS#45
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-
gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xec/0x156 lib/dump_stack.c:118
 assign_lock_key kernel/locking/lockdep.c:727 [inline]
 register_lock_class+0x14e5/0x1ba0 kernel/locking/lockdep.c:753
 __lock_acquire+0x187/0x3750 kernel/locking/lockdep.c:3303
 lock_acquire+0x124/0x340 kernel/locking/lockdep.c:3907
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x32/0x50 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 rp2_ch_interrupt drivers/tty/serial/rp2.c:466 [inline]
 rp2_asic_interrupt.isra.9+0x15d/0x990 drivers/tty/serial/rp2.c:493
 rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504
 __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149
 handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189
 handle_irq_event+0xac/0x140 kernel/irq/handle.c:206
 handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725
 generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]
 handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87
 do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247
 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
 </IRQ>
RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61
Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7 f8
8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 <5d> c3 90 90 90
90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41
RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde
RAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200
RBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840
R10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002
R13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000
 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
 default_idle+0x6f/0x360 arch/x86/kernel/process.c:557
 arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548
 default_idle_call+0x3b/0x60 kernel/sched/idle.c:93
 cpuidle_idle_call kernel/sched/idle.c:153 [inline]
 do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263
 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369
 start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 8000000056d27067 P4D 8000000056d27067 PUD 56d28067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty MIPS#45
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-
gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:readl arch/x86/include/asm/io.h:59 [inline]
RIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline]
RIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c:
493
Code: df e8 43 5d c2 05 48 8d 83 e8 01 00 00 48 89 85 60 ff ff ff 48 c1 e8
03 42 80 3c 30 00 0f 85 aa 07 00 00 48 8b 83 e8 01 00 00 <8b> 40 10 89 c1
89 85 68 ff ff ff 48 8b 83 e8 01 00 00 89 48 10 83
RSP: 0018:ffff88806c287cd0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff88806ade6820 RCX: ffffffff814300b1
RDX: 1ffff1100d5bcd06 RSI: 0000000000000004 RDI: ffff88806ade6820
RBP: ffff88806c287db8 R08: ffffed100d5bcd05 R09: ffffed100d5bcd05
R10: 0000000000000001 R11: ffffed100d5bcd04 R12: ffffc90001e00000
R13: ffff888069654e10 R14: dffffc0000000000 R15: ffff888069654df0
FS:  0000000000000000(0000) GS:ffff88806c280000(0000) knlGS:
0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000006892c000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504
 __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149
 handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189
 handle_irq_event+0xac/0x140 kernel/irq/handle.c:206
 handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725
 generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]
 handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87
 do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247
 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
 </IRQ>
RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61
Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7
f8 8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 <5d> c3 90
90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41
RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde
RAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200
RBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840
R10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002
R13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000
 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
 default_idle+0x6f/0x360 arch/x86/kernel/process.c:557
 arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548
 default_idle_call+0x3b/0x60 kernel/sched/idle.c:93
 cpuidle_idle_call kernel/sched/idle.c:153 [inline]
 do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263
 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369
 start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: 0000000000000010
---[ end trace 11804dbb55cb1a64 ]---
RIP: 0010:readl arch/x86/include/asm/io.h:59 [inline]
RIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline]
RIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c:
493
Code: df e8 43 5d c2 05 48 8d 83 e8 01 00 00 48 89 85 60 ff ff ff 48 c1
e8 03 42 80 3c 30 00 0f 85 aa 07 00 00 48 8b 83 e8 01 00 00 <8b> 40 10 89
c1 89 85 68 ff ff ff 48 8b 83 e8 01 00 00 89 48 10 83
RSP: 0018:ffff88806c287cd0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff88806ade6820 RCX: ffffffff814300b1
RDX: 1ffff1100d5bcd06 RSI: 0000000000000004 RDI: ffff88806ade6820
RBP: ffff88806c287db8 R08: ffffed100d5bcd05 R09: ffffed100d5bcd05
R10: 0000000000000001 R11: ffffed100d5bcd04 R12: ffffc90001e00000
R13: ffff888069654e10 R14: dffffc0000000000 R15: ffff888069654df0
FS:  0000000000000000(0000) GS:ffff88806c280000(0000) knlGS:
0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000006892c000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Reported-by: Zheyu Ma <[email protected]>
Signed-off-by: Zheyu Ma <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
pcercuei pushed a commit to OpenDingux/linux that referenced this pull request Jun 11, 2021
Commit c7a2190 ("ice: Remove xsk_buff_pool from VSI structure")
silently introduced a regression and broke the Tx side of AF_XDP in copy
mode. xsk_pool on ice_ring is set only based on the existence of the XDP
prog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed.
That is not something that should happen for copy mode as it should use
the regular data path ice_clean_tx_irq.

This results in a following splat when xdpsock is run in txonly or l2fwd
scenarios in copy mode:

<snip>
[  106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030
[  106.057269] #PF: supervisor read access in kernel mode
[  106.062493] #PF: error_code(0x0000) - not-present page
[  106.067709] PGD 0 P4D 0
[  106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ MIPS#45
[  106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[  106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50
[  106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c <48> 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00
[  106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206
[  106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800
[  106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800
[  106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800
[  106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff
[  106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018
[  106.157117] FS:  0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000
[  106.165332] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0
[  106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  106.192898] PKRU: 55555554
[  106.195653] Call Trace:
[  106.198143]  <IRQ>
[  106.200196]  ice_clean_tx_irq_zc+0x183/0x2a0 [ice]
[  106.205087]  ice_napi_poll+0x3e/0x590 [ice]
[  106.209356]  __napi_poll+0x2a/0x160
[  106.212911]  net_rx_action+0xd6/0x200
[  106.216634]  __do_softirq+0xbf/0x29b
[  106.220274]  irq_exit_rcu+0x88/0xc0
[  106.223819]  common_interrupt+0x7b/0xa0
[  106.227719]  </IRQ>
[  106.229857]  asm_common_interrupt+0x1e/0x40
</snip>

Fix this by introducing the bitmap of queues that are zero-copy enabled,
where each bit, corresponding to a queue id that xsk pool is being
configured on, will be set/cleared within ice_xsk_pool_{en,dis}able and
checked within ice_xsk_pool(). The latter is a function used for
deciding which napi poll routine is executed.
Idea is being taken from our other drivers such as i40e and ixgbe.

Fixes: c7a2190 ("ice: Remove xsk_buff_pool from VSI structure")
Signed-off-by: Maciej Fijalkowski <[email protected]>
Tested-by: Kiran Bhandare <[email protected]>
Signed-off-by: Tony Nguyen <[email protected]>
pcercuei pushed a commit to OpenDingux/linux that referenced this pull request Nov 29, 2023
There is a UAF when xfstests on cifs:

  BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160
  Read of size 4 at addr ffff88810103fc08 by task cifsd/923

  CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ MIPS#45
  ...
  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report+0xad/0x130
   kasan_check_range+0x145/0x1a0
   smb2_is_network_name_deleted+0x27/0x160
   cifs_demultiplex_thread.cold+0x172/0x5a4
   kthread+0x165/0x1a0
   ret_from_fork+0x1f/0x30
   </TASK>

  Allocated by task 923:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_slab_alloc+0x54/0x60
   kmem_cache_alloc+0x147/0x320
   mempool_alloc+0xe1/0x260
   cifs_small_buf_get+0x24/0x60
   allocate_buffers+0xa1/0x1c0
   cifs_demultiplex_thread+0x199/0x10d0
   kthread+0x165/0x1a0
   ret_from_fork+0x1f/0x30

  Freed by task 921:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   kasan_save_free_info+0x2a/0x40
   ____kasan_slab_free+0x143/0x1b0
   kmem_cache_free+0xe3/0x4d0
   cifs_small_buf_release+0x29/0x90
   SMB2_negotiate+0x8b7/0x1c60
   smb2_negotiate+0x51/0x70
   cifs_negotiate_protocol+0xf0/0x160
   cifs_get_smb_ses+0x5fa/0x13c0
   mount_get_conns+0x7a/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

The UAF is because:

 mount(pid: 921)               | cifsd(pid: 923)
-------------------------------|-------------------------------
                               | cifs_demultiplex_thread
SMB2_negotiate                 |
 cifs_send_recv                |
  compound_send_recv           |
   smb_send_rqst               |
    wait_for_response          |
     wait_event_state      [1] |
                               |  standard_receive3
                               |   cifs_handle_standard
                               |    handle_mid
                               |     mid->resp_buf = buf;  [2]
                               |     dequeue_mid           [3]
     KILL the process      [4] |
    resp_iov[i].iov_base = buf |
 free_rsp_buf              [5] |
                               |   is_network_name_deleted [6]
                               |   callback

1. After send request to server, wait the response until
    mid->mid_state != SUBMITTED;
2. Receive response from server, and set it to mid;
3. Set the mid state to RECEIVED;
4. Kill the process, the mid state already RECEIVED, get 0;
5. Handle and release the negotiate response;
6. UAF.

It can be easily reproduce with add some delay in [3] - [6].

Only sync call has the problem since async call's callback is
executed in cifsd process.

Add an extra state to mark the mid state to READY before wakeup the
waitter, then it can get the resp safely.

Fixes: ec637e3 ("[CIFS] Avoid extra large buffer allocation (and memcpy) in cifs_readpages")
Reviewed-by: Paulo Alcantara (SUSE) <[email protected]>
Signed-off-by: Zhang Xiaoxu <[email protected]>
Signed-off-by: Steve French <[email protected]>
pcercuei pushed a commit to OpenDingux/linux that referenced this pull request Nov 29, 2023
rtnl_offload_xstats_get_size_hw_s_info_one() conditionalizes the
size-computation for IFLA_OFFLOAD_XSTATS_HW_S_INFO_USED based on whether
or not the device has offload_xstats enabled.

However, rtnl_offload_xstats_fill_hw_s_info_one() is adding the u8 for
that field uncondtionally.

syzkaller triggered a WARNING in rtnl_stats_get due to this:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 754 at net/core/rtnetlink.c:5982 rtnl_stats_get+0x2f4/0x300
Modules linked in:
CPU: 0 PID: 754 Comm: syz-executor148 Not tainted 6.6.0-rc2-g331b78eb12af MIPS#45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:rtnl_stats_get+0x2f4/0x300 net/core/rtnetlink.c:5982
Code: ff ff 89 ee e8 7d 72 50 ff 83 fd a6 74 17 e8 33 6e 50 ff 4c 89 ef be 02 00 00 00 e8 86 00 fa ff e9 7b fe ff ff e8 1c 6e 50 ff <0f> 0b eb e5 e8 73 79 7b 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc900006837c0 EFLAGS: 00010293
RAX: ffffffff81cf7f24 RBX: ffff8881015d9000 RCX: ffff888101815a00
RDX: 0000000000000000 RSI: 00000000ffffffa6 RDI: 00000000ffffffa6
RBP: 00000000ffffffa6 R08: ffffffff81cf7f03 R09: 0000000000000001
R10: ffff888101ba47b9 R11: ffff888101815a00 R12: ffff8881017dae00
R13: ffff8881017dad00 R14: ffffc90000683ab8 R15: ffffffff83c1f740
FS:  00007fbc22dbc740(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000046 CR3: 000000010264e003 CR4: 0000000000170ef0
Call Trace:
 <TASK>
 rtnetlink_rcv_msg+0x677/0x710 net/core/rtnetlink.c:6480
 netlink_rcv_skb+0xea/0x1c0 net/netlink/af_netlink.c:2545
 netlink_unicast+0x430/0x500 net/netlink/af_netlink.c:1342
 netlink_sendmsg+0x4fc/0x620 net/netlink/af_netlink.c:1910
 sock_sendmsg+0xa8/0xd0 net/socket.c:730
 ____sys_sendmsg+0x22a/0x320 net/socket.c:2541
 ___sys_sendmsg+0x143/0x190 net/socket.c:2595
 __x64_sys_sendmsg+0xd8/0x150 net/socket.c:2624
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7fbc22e8d6a9
Code: 5c c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 37 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007ffc4320e778 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004007d0 RCX: 00007fbc22e8d6a9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 00000000004007d0
R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffc4320e898
R13: 00007ffc4320e8a8 R14: 00000000004004a0 R15: 00007fbc22fa5a80
 </TASK>
---[ end trace 0000000000000000 ]---

Which didn't happen prior to commit bf9f1ba ("net: add dedicated
kmem_cache for typical/small skb->head") as the skb always was large
enough.

Fixes: 0e7788f ("net: rtnetlink: Add UAPI for obtaining L3 offload xstats")
Signed-off-by: Christoph Paasch <[email protected]>
Reviewed-by: Petr Machata <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants