From: Felipe Balbi
CC: "Du, Changbin"
Subject: Re: [PATCH 2/2] usb: dwc2: forbid queuing request to a disabled ep
In-Reply-To: <1448860888-9841-3-git-send-email-changbin.du@intel.com>
Date: Thu, 10 Dec 2015 11:27:41 -0600
Message-ID: <87wpsmi582.fsf@saruman.tx.rr.com>

Hi,

changbin.du@intel.com writes:
> From: "Du, Changbin"
>
> Queue a request to disabled ep doesn't make sense, and induce caller
> make mistakes.
>
> Here is an example for the android mtp gadget function driver. A mem
> corruption can happen on below scenario.
> 1) On disconnect, mtp driver disable its EPs,
> 2) During send_file_work and receive_file_work, mtp queues a request
> to ep. (The mtp driver need improve its synchronization logic!)
> 3) mtp_function_unbind is invoked and all mtp requests are freed.
> 4) when dwc2 process the request queued on step 2, will cause kernel
> NULL pointer dereference exception.
>
> Signed-off-by: Du, Changbin
> --- > drivers/usb/dwc2/gadget.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c > index 586bbcd..4d637ab 100644 
> --- a/drivers/usb/dwc2/gadget.c > +++ b/drivers/usb/dwc2/gadget.c 
> @@ -786,6 +786,12 @@ static int dwc2_hsotg_ep_queue(struct usb_ep *ep, st= ruct usb_request *req, > ep->name, req, req->length, req->buf, req->no_interrupt, > req->zero, req->short_not_ok); >=20=20 > + if (!hs_ep->enabled) { > + dev_warn(hs->dev, "%s: cannot queue to disabled ep\n", > + __func__); similar comment to previous patch: if (dev_WARN_ONCE(hs->dev, !hs_ep->enabled, "cannot queue to disabled ep %s\n", hs_ep->name)) > + return -ESHUTDOWN; > + } > + > /* Prevent new request submission when controller is suspended */ > if (hs->lx_state =3D=3D DWC2_L2) { > dev_dbg(hs->dev, "%s: don't submit request while suspended\n", > --=20 > 2.5.0

--
balbi
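
Review bot: The new !hs_ep->enabled test at the top of dwc2_hsotg_ep_queue() only closes the window from the commit message if the flag is read under the same lock the endpoint-disable path holds when it clears it, and nothing in the hunk or its context shows that. Since the scenario described is a disable racing with send_file_work/receive_file_work, please say in the commit message, or in a comment above the check, which lock protects hs_ep->enabled. Separately, the dev_warn() names only __func__ and fires on every rejected call, so a function driver that keeps queuing after disconnect can fill the log without identifying the endpoint. The context lines just above the check already pass ep->name to a message, so printing it here and limiting the warning to once or rate-limiting it would make the report usable.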