From: Felipe Balbi
CC: "Du, Changbin"
Subject: Re: [PATCH] usb: gadget: forbid queuing request to a disabled ep
In-Reply-To: <1449213676-27334-1-git-send-email-changbin.du@intel.com>
Date: Thu, 10 Dec 2015 11:28:48 -0600
Message-ID: <87twnqi567.fsf@saruman.tx.rr.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

changbin.du@intel.com writes:
> From: "Du, Changbin"
>
> Queuing a request to a disabled ep doesn't make sense, and induces the
> caller to make mistakes.
>
> Here is an example for the android mtp gadget function driver. A mem
> corruption can happen in the scenario below.
> 1) On disconnect, mtp driver disables its EPs,
> 2) During send_file_work and receive_file_work, mtp queues a request
>    to ep. (The mtp driver needs to improve its synchronization logic!)
> 3) mtp_function_unbind is invoked and all mtp requests are freed.
> 4) When the udc processes the request queued in step 2, it will cause a
>    kernel NULL pointer dereference exception.
>
> Signed-off-by: Du, Changbin
> ---
> This patch is separated from the patches below because the gadget layer
> has added the 'enabled' flag in v4.4, so abandon it and submit a new one.
> [PATCH 0/2] Two fix for dwc2 gadget driver
> usb: dwc2: add ep enabled flag to avoid double enable/disable
> usb: dwc2: forbid queuing request to a disabled ep
>
> ---
> include/linux/usb/gadget.h | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h > index 3d583a1..d813bd2 100644 > --- a/include/linux/usb/gadget.h > +++ b/include/linux/usb/gadget.h 
> @@ -402,6 +402,9 @@ static inline void usb_ep_free_request(struct usb_ep = *ep, > static inline int usb_ep_queue(struct usb_ep *ep, > struct usb_request *req, gfp_t gfp_flags) > { > + if (!ep->enabled) > + return -ESHUTDOWN; same warn here: if (WARN_ON_ONCE(!ep->enabled)) return -ESHUTDOWN; > + > return ep->ops->queue(ep, req, gfp_flags); > } >=20=20 > --=20 > 2.5.0 >

--
balbi
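
Review bot: the ep->enabled test added at the top of usb_ep_queue() is a plain, unlocked read, so it narrows the window from the commit message's scenario without closing it: an endpoint that is disabled after the test but before ep->ops->queue(ep, req, gfp_flags) runs still receives the request, and nothing visible in this hunk orders the read against the disable path. The commit message should say that this is a guard against caller misuse and that function drivers must still serialize queueing against disable and unbind (the message already notes that the mtp driver needs better synchronization). The new -ESHUTDOWN return also changes what callers of this inline can see, so it should be mentioned wherever the return values of usb_ep_queue() are documented.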