On 20-02-23 23:49:07, Macpaul Lin wrote: > This issue was found when adbd trying to open functionfs with AIO mode. > Usually, we need to set "setprop sys.usb.ffs.aio_compat 0" to enable > adbd with AIO mode on Android. > > When adbd is opening functionfs, it will try to read 24 bytes at the > fisrt read I/O control. If this reading has been failed, adbd will %s/fisrt/first > try to send FUNCTIONFS_CLEAR_HALT to functionfs. When adbd is in AIO > mode, functionfs will be acted with asyncronized I/O path. After the > successful read transfer has been completed by gadget hardware, the > following series of functions will be called. > ffs_epfile_async_io_complete() -> ffs_user_copy_worker() -> > copy_to_iter() -> _copy_to_iter() -> copyout() -> > iterate_and_advance() -> iterate_iovec() > > Adding debug trace to these functions, it has been found that in > copyout(), access_ok() will check if the user space address is valid > to write. However if CONFIG_ARM64_TAGGED_ADDR_ABI is enabled, adbd > always passes user space address start with "0x3C" to gdaget's AIO %s/gdaget/gadget > blocks. This tagged address will cause access_ok() check always fail. > Which causes later calculation in iterate_iovec() turn zero. > Copyout() won't copy data to userspace since the length to be copied > "v.iov_len" will be zero. Finally leads ffs_copy_to_iter() always return > -EFAULT, causes adbd cannot open functionfs and send > FUNCTIONFS_CLEAR_HALT. > > Signed-off-by: Macpaul Lin <macpaul.lin@xxxxxxxxxxxx> > --- > Changes for v2: > - Fix build error for 32-bit load. An #if defined(CONFIG_ARM64) still need > for avoiding undeclared defines. > > drivers/usb/gadget/function/f_fs.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c > index ce1d023..728c260 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c > @@ -35,6 +35,7 @@ > #include <linux/mmu_context.h> > #include <linux/poll.h> > #include <linux/eventfd.h> > +#include <linux/thread_info.h> > > #include "u_fs.h" > #include "u_f.h" > @@ -826,6 +827,10 @@ static void ffs_user_copy_worker(struct work_struct *work) > if (io_data->read && ret > 0) { > mm_segment_t oldfs = get_fs(); > > +#if defined(CONFIG_ARM64) > + if (IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI)) > + set_thread_flag(TIF_TAGGED_ADDR); > +#endif > set_fs(USER_DS); > use_mm(io_data->mm); > ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data); > -- > 1.7.9.5 -- Thanks, Peter Chen