do not try to set cancel function in synchronous operations in
ffs_epfile_{read,write}_iter.
With, 70e60d917 gadget/function/f_fs.c: switch to ->{read,write}_iter()
if CONFIG_AIO is disable there is no problem as kiocb_set_cancel_fn
is a nop, with this option enabled it will try to use ctx that is not
allocated for synchronous operations. And for that will dereference a
null at the set cancel function in any synchronous read/write.
A simplified trace of the callstack (for the write case):
BUG: unable to handle kernel NULL pointer dereference at 00000000000000e8
IP: [<ffffffff810f6510>] kiocb_set_cancel_fn+0x20/0x50
Call Trace:
[<ffffffffa0022a40>] ffs_name_dev+0x4980/0x4c1d [usb_f_fs]
[<ffffffff8107f550>] ? perf_event_fork+0x10/0x20
[<ffffffff81033432>] ? copy_process.part.65+0xbe2/0x1580
[<ffffffff810bba2b>] new_sync_write+0x7b/0xb0
[<ffffffff810bc01d>] vfs_write+0xad/0x1d0
[<ffffffff810bc705>] SyS_write+0x45/0xc0
[<ffffffff81034221>] ? SyS_clone+0x11/0x20
[<ffffffff813ee8bc>] ? stub_clone+0x6c/0x90
[<ffffffff813ee5f0>] system_call_fastpath+0x12/0x17
Signed-off-by: Rui Miguel Silva <[email protected]>
---
changes v1 -> v2:
* Requested by Felipe Balbi:
- add a more complete log message
- include Al Viro in cc.
drivers/usb/gadget/function/f_fs.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c
b/drivers/usb/gadget/function/f_fs.c
index 6bdb570..fa538fa 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -925,7 +925,8 @@ static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb,
struct iov_iter *from)
kiocb->private = p;
- kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
+ if (p->aio)
+ kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
res = ffs_epfile_io(kiocb->ki_filp, p);
if (res == -EIOCBQUEUED)
@@ -969,7 +970,8 @@ static ssize_t ffs_epfile_read_iter(struct kiocb *kiocb,
struct iov_iter *to)
kiocb->private = p;
- kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
+ if (p->aio)
+ kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
res = ffs_epfile_io(kiocb->ki_filp, p);
if (res == -EIOCBQUEUED)
--
2.4.0
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
