On Wed, Feb 26, 2020 at 08:01:52PM +0800, Macpaul Lin wrote:
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index ce1d023..192935f 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -715,7 +715,20 @@ static void ffs_epfile_io_complete(struct usb_ep *_ep, struct usb_request *req)
>
> static ssize_t ffs_copy_to_iter(void *data, int data_len, struct iov_iter *iter)
> {
> - ssize_t ret = copy_to_iter(data, data_len, iter);
> + ssize_t ret;
> +
> +#if defined(CONFIG_ARM64)
> + /*
> + * Replace tagged address passed by user space application before
> + * copying.
> + */
> + if (IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI) &&
> + (iter->type == ITER_IOVEC)) {
> + *(unsigned long *)&iter->iov->iov_base =
> + (unsigned long)untagged_addr(iter->iov->iov_base);
> + }
> +#endif
> + ret = copy_to_iter(data, data_len, iter);
> if (likely(ret == data_len))
> return ret;
I had forgotten that we discussed a similar case already a few months ago (thanks to Evgenii for pointing out). Do you have this commit applied to your tree: df325e05a682 ("arm64: Validate tagged addresses in access_ok() called from kernel threads")? -- Catalin
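Review bot: The added block in ffs_copy_to_iter() untags only `iter->iov->iov_base`, the first segment of the iovec, so an ITER_IOVEC iterator with more than one segment would still reach copy_to_iter() with tagged addresses in the later entries. It also stores the result through `*(unsigned long *)&iter->iov->iov_base`, which rewrites the caller's iovec array in place and, if `iov` is declared pointer-to-const as in mainline, casts that qualifier away. If the untagging has to live in this driver at all, it would be safer to walk every segment up to `iter->nr_segs` on a private copy of the iovec, with a comment stating where the untagged user pointer is still range-checked before the copy. The `#if defined(CONFIG_ARM64)` wrapper also looks redundant next to the `IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI)` test. The function body continues past the end of the quoted hunk.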