[PATCH] ehci-hcd: Disable memory-write-invalidate when the driver is removed

2015-12-28 Thread Jia-Ju Bai
Signed-off-by: Jia-Ju Bai --- drivers/usb/host/ehci-hcd.c |2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c index 48c92bf..c02ec42 100644 --- a/drivers/usb/host/ehci-hcd.c +++ b/drivers/usb/host/ehci-hcd.c @@ -422,6 +422,7

[PATCH] ehci-hcd: Cleanup memory resources when ehci_halt fails

2015-12-28 Thread Jia-Ju Bai
Signed-off-by: Jia-Ju Bai --- drivers/usb/host/ehci-hcd.c |4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c index 48c92bf..015b411 100644 --- a/drivers/usb/host/ehci-hcd.c +++ b/drivers/usb/host/ehci-hcd.c

[PATCH v2] ehci-hcd: Disable memory-write-invalidate when the driver is removed

2015-12-29 Thread Jia-Ju Bai
to remove the pci driver. This function calls pci_clear_mwi and usb_hcd_pci_remove, which can fix the problem. Signed-off-by: Jia-Ju Bai --- drivers/usb/host/ehci-pci.c |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/ehci-pci.c b/drivers/usb/host/

Re: [PATCH] ehci-hcd: Cleanup memory resources when ehci_halt fails

2015-12-29 Thread Jia-Ju Bai
On 12/29/2015 12:04 AM, Alan Stern wrote: On Mon, 28 Dec 2015, Jia-Ju Bai wrote: Please add a changelog. Signed-off-by: Jia-Ju Bai --- drivers/usb/host/ehci-hcd.c |4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci

[PATCH] ehci-hcd: Cleanup memory resources when ehci_halt fails

2015-12-29 Thread Jia-Ju Bai
The driver calls ehci_mem_init to allocate memory resources. But these resources are not freed when ehci_halt fails. This patch adds "ehci_mem_cleanup" in error handling code to fix this problem. Signed-off-by: Jia-Ju Bai --- drivers/usb/host/ehci-hcd.c |4 +++- 1 file

[PATCH v2] ehci-hcd: Cleanup memory resources when ehci_halt fails

2016-01-04 Thread Jia-Ju Bai
The driver calls ehci_mem_init to allocate memory resources. But these resources are not freed when ehci_halt fails. This patch adds "ehci_mem_cleanup" in error handling code to fix this problem. Signed-off-by: Jia-Ju Bai --- drivers/usb/host/ehci-hcd.c |4 +++- 1 file

[PATCH v2] ehci-hcd: Disable memory-write-invalidate when the driver is removed

2016-01-04 Thread Jia-Ju Bai
to remove the pci driver. This function calls pci_clear_mwi and usb_hcd_pci_remove, which can fix the problem. Signed-off-by: Jia-Ju Bai --- drivers/usb/host/ehci-pci.c |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/ehci-pci.c b/drivers/usb/host/

Potential bugs found in usb_storage

2014-11-23 Thread Jia-Ju Bai
re_resources is failed. [7] The same situation with [1] will happen, when scsi_add_host in usb_stor_probe2 is failed. Could you help me check these findings? Thank you very much, and I'm looking forward to your reply. -- Best wishes! Jia-Ju Bai -- To unsubscribe from this list: send the lin

[BUG] usb: xhci: Possible resource leaks when xhci_run() fails

2019-05-14 Thread Jia-Ju Bai
ci_setup(). Thus, there are two possible ways of fixing bugs: 1) Call xhci_stop() when xhci_run() is going to fail (like the ohci driver) 2) Move all resource-allocation operations into xhci_run() (like the uhci driver). I am not sure whether these ways are correct, so I only report bugs. These bugs are found by a runtime fuzzing tool named FIZZER written by us. Best wishes, Jia-Ju Bai

Re: [BUG] usb: xhci: Possible resource leaks when xhci_run() fails

2019-05-14 Thread Jia-Ju Bai
On 2019/5/15 0:55, Greg KH wrote: On Tue, May 14, 2019 at 10:58:05PM +0800, Jia-Ju Bai wrote: xhci_pci_setup() is assigned to hc_driver.reset; xhci_run() is assigned to hc_driver.start(); xhci_stop() is assigned to hc_driver.stop(). xhci_pci_setup() calls xhci_gen_setup, which calls

[PATCH] usb: xhci: Possible resource leaks when xhci_run() fails

2019-05-14 Thread Jia-Ju Bai
, xhci_mem_cleanup() is called in error handling code of xhci_run(), to release the allocated resources. These bugs are found by a runtime fuzzing tool named FIZZER written by us. Signed-off-by: Jia-Ju Bai --- drivers/usb/host/xhci.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deleti

[PATCH] usb: musb: Fix a possible null-pointer dereference in musb_handle_intr_connect()

2019-07-29 Thread Jia-Ju Bai
rence may occur. To fix this bug, musb->hcd is checked before calling musb_host_poke_root_hub(). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/usb/musb/musb_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git

[PATCH] usb: storage: sddr55: Fix a possible null-pointer dereference in sddr55_transport()

2019-07-29 Thread Jia-Ju Bai
cur. To fix this bug, info->lba_to_pba is checked before being used. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/usb/storage/sddr55.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/storage/sddr55.

Re: [PATCH] usb: storage: sddr55: Fix a possible null-pointer dereference in sddr55_transport()

2019-07-29 Thread Jia-Ju Bai
On 2019/7/29 19:15, Oliver Neukum wrote: Am Montag, den 29.07.2019, 18:05 +0800 schrieb Jia-Ju Bai: Hi, In sddr55_transport(), there is an if statement on line 836 to check whether info->lba_to_pba is NULL: if (info->lba_to_pba == NULL || ...) When info->lba_to_pba is NU

[PATCH v2] usb: storage: sddr55: Fix a possible null-pointer dereference in sddr55_transport()

2019-07-29 Thread Jia-Ju Bai
cur. To fix this bug, info->lba_to_pba is checked before being used. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- v2: * Avoid uninitialized access of pba. Thank Oliver for helpful advice. --- drivers/usb/storage/sddr55.c | 2 +- 1 file chang

Re: [PATCH v2] usb: storage: sddr55: Fix a possible null-pointer dereference in sddr55_transport()

2019-07-29 Thread Jia-Ju Bai
Sorry, I forgot to send to Oliver, so send it again. On 2019/7/29 19:49, Jia-Ju Bai wrote: In sddr55_transport(), there is an if statement on line 836 to check whether info->lba_to_pba is NULL: if (info->lba_to_pba == NULL || ...) When info->lba_to_pba is NULL, it is used on

[PATCH] usb: storage: Replace mdelay with msleep in init_freecom

2018-04-09 Thread Jia-Ju Bai
msleep() to avoid busy waiting. This is found by a static analysis tool named DCNS written by myself. And I also manually check it. Signed-off-by: Jia-Ju Bai --- drivers/usb/storage/freecom.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/storage/freecom.

[PATCH 1/2] usb: isp1760: Replace mdelay with msleep in isp1760_init_core

2018-04-10 Thread Jia-Ju Bai
replaced with msleep() to avoid busy waiting. This is found by a static analysis tool named DCNS written by myself. And I also manually check it. Signed-off-by: Jia-Ju Bai --- drivers/usb/isp1760/isp1760-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/isp17

[PATCH 2/2] usb: isp1760: Replace mdelay with msleep in isp1760_stop

2018-04-10 Thread Jia-Ju Bai
check it. Signed-off-by: Jia-Ju Bai --- drivers/usb/isp1760/isp1760-hcd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/isp1760/isp1760-hcd.c b/drivers/usb/isp1760/isp1760-hcd.c index 8e59e0c..5599310 100644 --- a/drivers/usb/isp1760/isp1760-hcd.c +++ b/drivers/us

[PATCH] net: usb: hso: Replace GFP_ATOMIC with GFP_KERNEL in hso_create_device

2018-04-10 Thread Jia-Ju Bai
is not necessary and can be replaced with GFP_KERNEL, which can sleep and improve the possibility of successful allocation. This is found by a static analysis tool named DCNS written by myself. And I also manually check it. Signed-off-by: Jia-Ju Bai --- drivers/net/usb/hso.c | 2 +- 1 file changed

[PATCH] usb: storage: Fix a possible data race in uas_queuecommand_lck

2018-05-08 Thread Jia-Ju Bai
mnd->scsi_done". To fix this data race, the write operations on line 634-635 should be also protected by the lock. Signed-off-by: Jia-Ju Bai --- drivers/usb/storage/uas.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/storage/uas.c b/drivers/usb/s

Re: [usb-storage] [PATCH] usb: storage: Fix a possible data race in uas_queuecommand_lck

2018-05-08 Thread Jia-Ju Bai
On 2018/5/8 16:27, Oliver Neukum wrote: Am Dienstag, den 08.05.2018, 15:47 +0800 schrieb Jia-Ju Bai: The write operations to "cmnd->result" and "cmnd->scsi_done" are protected by the lock on line 642-643, but the write operations to these data on line 634-635 are

[BUG] drivers/usb/host/isp116x-hcd: a possible sleep-in-atomic bug in isp116x_start

2017-12-11 Thread Jia-Ju Bai
may sleep I do not find a good way to fix it, so I only report. This possible bug is found by my static analysis tool (DSAC) and checked by my code review. Thanks, Jia-Ju Bai

[BUG] kaweth: a possible sleep-in-atomic bug in kaweth_start_xmit

2017-12-13 Thread Jia-Ju Bai
eep usb_kill_urb --> may sleep I do not find a good way to fix it, so I only report. This possible bug is found by my static analysis tool (DSAC) and checked by my code review. Thanks, Jia-Ju Bai

[PATCH] usb/io_edgeport: Fix a possible sleep-in-atomic bug in edge_bulk_in_callback

2017-12-13 Thread Jia-Ju Bai
usb_kill_urb --> may sleep To fix it, usb_kill_urb() is removed from the error path after usb_submit_urb() fails. This possible bug is found by my static analysis tool (DSAC) and checked by my code review. Signed-off-by: Jia-Ju Bai --- drivers/usb/serial/io_edgeport.c |1 - 1 file chan

Re: [BUG] usb/io_edgeport: a possible sleep-in-atomic bug in edge_bulk_in_callback

2017-12-13 Thread Jia-Ju Bai
Okay, I had submitted a patch yesterday. You can have a look :) Thanks, Jia-Ju Bai On 2017/12/13 19:38, Johan Hovold wrote: [ +CC: linux-usb] On Wed, Dec 13, 2017 at 06:22:26PM +0800, Jia-Ju Bai wrote: According to drivers/usb/serial/io_edgeport.c, the driver may sleep under a spinlock. The

[PATCH] gadget: Fix a sleep-in-atomic bug

2017-05-30 Thread Jia-Ju Bai
The driver may sleep under a spin lock, and the function call path is: ffs_epfile_io (acquire the lock by spin_lock_irq) usb_ep_alloc_request(GFP_KERNEL) --> may sleep To fix it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC". Signed-off-by: Jia-Ju Bai --- drivers/usb

[PATCH] usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()

2018-09-01 Thread Jia-Ju Bai
wdm_in_callback() is a completion handler function for the USB driver. So it should not sleep. To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC. This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/usb/class/cdc-wdm.c | 2 +- 1 file changed, 1

[PATCH v2] usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()

2018-09-01 Thread Jia-Ju Bai
. Signed-off-by: Jia-Ju Bai --- v2: * Add more description. --- drivers/usb/class/cdc-wdm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c index a0d284ef3f40..632a2bfabc08 100644 --- a/drivers/usb/class/cdc-wdm.c +++ b

[PATCH] usb: misc: uss720: Fix two sleep-in-atomic-context bugs

2018-09-01 Thread Jia-Ju Bai
function pointer call is used. To fix these bugs, GFP_KERNEL is replaced with GFP_ATOMIC. These bugs are found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/usb/misc/uss720.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/misc/uss720

[PATCH] usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame()

2018-09-01 Thread Jia-Ju Bai
/usbusx2yaudio.c, 366: i_usX2Y_urb_complete in i_usX2Y_subs_startup Note that [FUNC_PTR] means a function pointer call is used. To fix this bug, msleep() is replaced with mdelay(). This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/usb/host/u132

Re: [PATCH v2] usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()

2018-09-11 Thread Jia-Ju Bai
On 2018/9/11 15:49, Sebastian Andrzej Siewior wrote: On 2018-09-01 16:12:10 [+0800], Jia-Ju Bai wrote: wdm_in_callback() is a completion handler function for the USB driver. So it should not sleep. But it calls service_outstanding_interrupt(), which calls usb_submit_urb() with GFP_KERNEL

[PATCH] usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status()

2018-09-14 Thread Jia-Ju Bai
is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/usb/gadget/udc/fotg210-udc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c index 53a48f561458..c51510803d1f 100644

[PATCH] r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()

2018-12-18 Thread Jia-Ju Bai
ted by a spinlock, but the free operation is not protected by this spinlock, thus a concurrency use-after-free bug may occur. To fix this bug, the spin-lock and spin-unlock function calls in r8a66597_endpoint_disable() are moved to protect the free operation. Signed-off-by: Jia-Ju Bai --- drive

Re: [PATCH] r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()

2018-12-18 Thread Jia-Ju Bai
On 2018/12/18 19:11, Greg KH wrote: On Tue, Dec 18, 2018 at 06:00:20PM +0800, Jia-Ju Bai wrote: The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may be concurrently executed. The two functions both access a possible shared variable "hep->hcpriv". This share

[PATCH v2] usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()

2018-12-18 Thread Jia-Ju Bai
ted by a spinlock, but the free operation is not protected by this spinlock, thus a concurrency use-after-free bug may occur. To fix this bug, the spin-lock and spin-unlock function calls in r8a66597_endpoint_disable() are moved to protect the free operation. Signed-off-by: Jia-Ju Bai --- v2: *

[BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug

2018-12-20 Thread Jia-Ju Bai
urb->transfer_buffer; Thus, a concurrency use-after-free bug may occur. This possible bug is found by a static analysis tool written by myself. Best wishes, Jia-Ju Bai

Re: [BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug

2018-12-20 Thread Jia-Ju Bai
On 2018/12/20 21:46, Johan Hovold wrote: On Thu, Dec 20, 2018 at 09:41:16PM +0800, Jia-Ju Bai wrote: In drivers/usb/serial/garmin_gps.c, the functions garmin_read_bulk_callback() and garmin_write_bulk_callback() may be concurrently executed. In garmin_write_bulk_callback() on line 969