usb: gadget: ffs: Execute copy_to_user() with USER_DS set
PD#161764: usb: gadget: ffs: Execute copy_to_user() with USER_DS set
When using a AIO read() operation on the function FS gadget driver a URB is
submitted asynchronously and on URB completion the received data is copied
to the userspace buffer associated with the read operation.
This is done from a kernel worker thread invoking copy_to_user() (through
copy_to_iter()). And while the user space process memory is made available
to the kernel thread using use_mm(), some architecture require in addition
to this that the operation runs with USER_DS set. Otherwise the userspace
memory access will fail.
For example on ARM64 with Privileged Access Never (PAN) and User Access
Override (UAO) enabled the following crash occurs.
Address this by placing a set_fs(USER_DS) before of the copy operation
and revert it again once the copy operation has finished.
Change-Id: If523dac82905057607d3007de6a3974102d51e3f
Signed-off-by: Yue Wang <yue.wang@amlogic.com>