From a127f4f228104d391a6aa62a9a57b2ba697f90c2 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Fri, 26 Jan 2018 15:39:00 +0000 Subject: USB: gadget: function: remove redundant initialization of 'tv_nexus' Pointer tv_nexus is being initialized a value and this is never read and is later being updated with the same value. Remove the redundant initialization so that the assignment to tv_nexus is performed later and more local to when it is being read. Cleans up clang warning: drivers/usb/gadget/function/f_tcm.c:1097:25: warning: Value stored to 'tv_nexus' during its initialization is never read Signed-off-by: Colin Ian King Signed-off-by: Felipe Balbi --- drivers/usb/gadget/function/f_tcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb/gadget/function') diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c index da81cf16b850..d78dbb73bde8 100644 --- a/drivers/usb/gadget/function/f_tcm.c +++ b/drivers/usb/gadget/function/f_tcm.c @@ -1094,7 +1094,7 @@ static int usbg_submit_command(struct f_uas *fu, struct command_iu *cmd_iu = cmdbuf; struct usbg_cmd *cmd; struct usbg_tpg *tpg = fu->tpg; - struct tcm_usbg_nexus *tv_nexus = tpg->tpg_nexus; + struct tcm_usbg_nexus *tv_nexus; u32 cmd_len; u16 scsi_tag; -- cgit v1.2.1 From 4058ebf33cb0be88ca516f968eda24ab7b6b93e4 Mon Sep 17 00:00:00 2001 From: Lars-Peter Clausen Date: Fri, 12 Jan 2018 11:05:02 +0100 Subject: usb: gadget: ffs: Execute copy_to_user() with USER_DS set When using a AIO read() operation on the function FS gadget driver a URB is submitted asynchronously and on URB completion the received data is copied to the userspace buffer associated with the read operation. This is done from a kernel worker thread invoking copy_to_user() (through copy_to_iter()). And while the user space process memory is made available to the kernel thread using use_mm(), some architecture require in addition to this that the operation runs with USER_DS set. Otherwise the userspace memory access will fail. For example on ARM64 with Privileged Access Never (PAN) and User Access Override (UAO) enabled the following crash occurs. Internal error: Accessing user space memory with fs=KERNEL_DS: 9600004f [#1] SMP Modules linked in: CPU: 2 PID: 1636 Comm: kworker/2:1 Not tainted 4.9.0-04081-g8ab2dfb-dirty #487 Hardware name: ZynqMP ZCU102 Rev1.0 (DT) Workqueue: events ffs_user_copy_worker task: ffffffc87afc8080 task.stack: ffffffc87a00c000 PC is at __arch_copy_to_user+0x190/0x220 LR is at copy_to_iter+0x78/0x3c8 [...] [] __arch_copy_to_user+0x190/0x220 [] ffs_user_copy_worker+0x70/0x130 [] process_one_work+0x1dc/0x460 [] worker_thread+0x50/0x4b0 [] kthread+0xd8/0xf0 [] ret_from_fork+0x10/0x50 Address this by placing a set_fs(USER_DS) before of the copy operation and revert it again once the copy operation has finished. This patch is analogous to commit d7ffde35e31a ("vhost: use USER_DS in vhost_worker thread") which addresses the same underlying issue. Signed-off-by: Lars-Peter Clausen Signed-off-by: Felipe Balbi --- drivers/usb/gadget/function/f_fs.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'drivers/usb/gadget/function') diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index c2592d883f67..e33e8ca5a120 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -758,9 +758,13 @@ static void ffs_user_copy_worker(struct work_struct *work) bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; if (io_data->read && ret > 0) { + mm_segment_t oldfs = get_fs(); + + set_fs(USER_DS); use_mm(io_data->mm); ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data); unuse_mm(io_data->mm); + set_fs(oldfs); } io_data->kiocb->ki_complete(io_data->kiocb, ret, ret); -- cgit v1.2.1 From 946ef68ad4e45aa048a5fb41ce8823ed29da866a Mon Sep 17 00:00:00 2001 From: Lars-Peter Clausen Date: Fri, 12 Jan 2018 11:26:16 +0100 Subject: usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS Some UDC drivers (like the DWC3) expect that the response to a setup() request is queued from within the setup function itself so that it is available as soon as setup() has completed. Upon receiving a setup request the function fs driver creates an event that is made available to userspace. And only once userspace has acknowledged that event the response to the setup request is queued. So it violates the requirement of those UDC drivers and random failures can be observed. This is basically a race condition and if userspace is able to read the event and queue the response fast enough all is good. But if it is not, for example because other processes are currently scheduled to run, the USB host that sent the setup request will observe an error. To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS return code. If a setup() callback returns this value the UDC driver is aware that response is not yet available and can uses the appropriate methods to handle this case. Since in the case of function fs the response will never be available when the setup() function returns make sure that this status code is used. This fixed random occasional failures that were previously observed on a DWC3 based system under high system load. Signed-off-by: Lars-Peter Clausen Signed-off-by: Felipe Balbi --- drivers/usb/gadget/function/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb/gadget/function') diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index e33e8ca5a120..fb2a027f0208 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -3243,7 +3243,7 @@ static int ffs_func_setup(struct usb_function *f, __ffs_event_add(ffs, FUNCTIONFS_SETUP); spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); - return 0; + return USB_GADGET_DELAYED_STATUS; } static bool ffs_func_req_match(struct usb_function *f, -- cgit v1.2.1