review.tizen.org Git - platform/kernel/linux-amlogic.git/commit

author	Yue Wang <yue.wang@amlogic.com>
	Thu, 15 Mar 2018 02:28:35 +0000 (10:28 +0800)
committer	Jianxin Pan <jianxin.pan@amlogic.com>
	Fri, 16 Mar 2018 09:44:35 +0000 (01:44 -0800)
commit	3af713f88a72dc86455863c31214943796fccc19
tree	7703486f884c64c29665cb87de91dc49641a84a1	tree \| snapshot
parent	b75aec8be8a601a79a6bb09de273eb85006a3a4e	commit \| diff

usb: gadget: ffs: Execute copy_to_user() with USER_DS set

PD#161764: usb: gadget: ffs: Execute copy_to_user() with USER_DS set

When using a AIO read() operation on the function FS gadget driver a URB is
submitted asynchronously and on URB completion the received data is copied
to the userspace buffer associated with the read operation.

This is done from a kernel worker thread invoking copy_to_user() (through
copy_to_iter()). And while the user space process memory is made available
to the kernel thread using use_mm(), some architecture require in addition
to this that the operation runs with USER_DS set. Otherwise the userspace
memory access will fail.

For example on ARM64 with Privileged Access Never (PAN) and User Access
Override (UAO) enabled the following crash occurs.

Address this by placing a set_fs(USER_DS) before of the copy operation
and revert it again once the copy operation has finished.

Change-Id: If523dac82905057607d3007de6a3974102d51e3f
Signed-off-by: Yue Wang <yue.wang@amlogic.com>