On 02/08/2016 12:12 PM, Marek Szyprowski wrote:
Since commit 855ed04a3758b205e84b269f92d26ab36ed8e2f7 ("usb: gadget:
udc-core: independent registration of gadgets and gadget drivers") gadget
drivers can not assume that UDC drivers are already available on their
initialization. This broke the HACK, which was used in gadgetfs driver,
to get UDC controller name. This patch removes this hack and replaces it
by additional function in the UDC core (which is usefully only for legacy
drivers, please don't use it in the new code).
Signed-off-by: Marek Szyprowski <m.szyprowski@xxxxxxxxxxx>
---
Vegard: Could you check if this patch fixes your issue with gadgetfs and NULL
pointer dereference?
Best regards,
Marek Szyprowski
---
[snip patch]
Thanks for the patch, I gave it a try.
Firstly, it changes /dev/gadget/dummy_udc into /dev/gadget/dummy_udc.0
so it may break some userspace expectations (I don't really know).
Secondly, I still get this crash which looks a lot like what I
originally reported:
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] DEBUG_PAGEALLOC KASAN
CPU: 0 PID: 35 Comm: afl-fuzz Not tainted 4.5.0-rc2 #1
task: ffff8800003b6900 ti: ffff88000c840000 task.ti: ffff88000c840000
RIP: 0010:[<ffffffff81388536>] [<ffffffff81388536>] __list_del_entry+0x86/0x1d0
RSP: 0018:ffff88000c847da8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff81a13f08
RDX: 0000000000000000 RSI: 0000000000000061 RDI: ffffffff81a13f10
RBP: ffff88000c847dc0 R08: 0000000000000246 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffffff81a13e40 R15: ffff88000c83c500
FS: 00007ffff7ff2740(0000) GS:ffffffff8193f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffff78c53a0 CR3: 000000000c850000 CR4: 00000000001406b0
Stack:
ffffffff81a13e40 ffffffff81a13f08 ffffffff81a118e0 ffff88000c847dd8
ffffffff8138868d ffffffff81a11638 ffff88000c847e10 ffffffff81523a5d
ffffffff817f62a0 ffff880000277a40 ffff88000c83c510 ffff88000c83c520
Call Trace:
[<ffffffff8138868d>] list_del+0xd/0x70
[<ffffffff81523a5d>] usb_gadget_unregister_driver+0x11d/0x240
[<ffffffff81533c34>] dev_release+0x44/0x110
[<ffffffff811f0ccb>] __fput+0x11b/0x490
[<ffffffff811f10a9>] ____fput+0x9/0x10
[<ffffffff810c8881>] task_work_run+0xf1/0x190
[<ffffffff811ea9ea>] ? filp_close+0x8a/0xe0
[<ffffffff81001c3c>] exit_to_usermode_loop+0xec/0x100
[<ffffffff81002531>] syscall_return_slowpath+0x91/0xc0
[<ffffffff817a4389>] int_ret_from_sys_call+0x25/0x8f
Code: c4 0f 84 94 00 00 00 48 b8 00 02 00 00 00 00 ad de 48 39 c3 0f 84 a5 00 00 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 e8 00 00 00 4c 8b 03 4c 39 c1 0f 85 9b 00 00
RIP [<ffffffff81388536>] __list_del_entry+0x86/0x1d0
RSP <ffff88000c847da8>
---[ end trace 9a6416535ca1ec01 ]---
I am more than happy to try other patches :-) Thanks,