From: Felipe Balbi
To: John Keeping, John Youn
Cc: John Keeping, Greg Kroah-Hartman, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: dwc2: gadget: avoid null dereference on incomplete transfer
In-Reply-To: <1457983214-4317-1-git-send-email-john@metanate.com>
Date: Wed, 30 Mar 2016 16:21:02 +0300
Message-ID: <87k2kkhzk1.fsf@intel.com>

Hi,

John Keeping writes:
> Setting up a gadget with the uac2 function results in:
>
> Unable to handle kernel NULL pointer dereference at virtual address 00000058
> ...
> PC is at dwc2_hsotg_irq+0x7f0/0x908
> LR is at dwc2_hsotg_irq+0x4c/0x908
> Backtrace:
> [] (dwc2_hsotg_irq) from [] (handle_irq_event_percpu+0x130/0x3ec)
> [] (handle_irq_event_percpu) from [] (handle_irq_event+0x48/0x6c)
>
> In all other loops we already skip endpoints that are null, so do so
> here as well.
>
> Signed-off-by: John Keeping
> ---
> drivers/usb/dwc2/gadget.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
> > diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c > index 0abf73c..df43ec0 100644 > --- a/drivers/usb/dwc2/gadget.c > +++ b/drivers/usb/dwc2/gadget.c > @@ -2606,7 +2606,9 @@ irq_retry: > for (idx =3D 1; idx < hsotg->num_of_eps; idx++) { > hs_ep =3D hsotg->eps_in[idx]; >=20=20 > - if (!hs_ep->isochronous || hs_ep->has_correct_parity) > + if (!hs_ep || > + !hs_ep->isochronous || > + hs_ep->has_correct_parity)

this is fine (even though choice of where to break line is a bit odd), but
I have a question about how the rest of the code works (a bit off-topic,
sorry)

> continue; >=20=20 > epctl_reg =3D DIEPCTL(idx);

So, this means that the first ISO endpoint without correct parity will be
used. Isn't this a bit fragile? What happens when you use a device with
several different interfaces using several different endpoints? Isn't there
a register where we can check which physical endpoint generated the IRQ?
Seems like you really wanna check what:

#define DIEPINT(_a) HSOTG_REG(0x908 + ((_a) * 0x20))

says about eps_in[idx].
> @@ -2623,7 +2625,9 @@ irq_retry: > for (idx =3D 1; idx < hsotg->num_of_eps; idx++) { > hs_ep =3D hsotg->eps_out[idx]; >=20=20 > - if (!hs_ep->isochronous || hs_ep->has_correct_parity) > + if (!hs_ep || > + !hs_ep->isochronous || > + hs_ep->has_correct_parity) > continue; >=20=20 > epctl_reg =3D DOEPCTL(idx);

ditto for eps_out[idx] and:

#define DOEPINT(_a) HSOTG_REG(0xB08 + ((_a) * 0x20))

comments?

-- 
balbi
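Review bot: in the eps_in loop (hunk at -2606) the new `!hs_ep` test is only safe because it is the first operand of the `||` chain, and nothing on these lines says why eps_in[idx] can be NULL for an idx below num_of_eps. A one-line comment above the `if` noting that endpoint slots may be unpopulated would keep a later cleanup from reordering or dropping the check. The three-line wrap is also longer than it needs to be: `if (!hs_ep || !hs_ep->isochronous ||` followed by `hs_ep->has_correct_parity)` keeps the two hs_ep tests together.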
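Review bot: the condition in the eps_out loop (hunk at -2623) is now a verbatim copy of the three-operand test in the eps_in loop, so the NULL check has to be kept in sync in two places. Consider a small static helper that takes hs_ep and returns whether the endpoint should be skipped, called from both loops. The commit message quotes the oops but carries no Fixes: tag and does not say which of the two loops faulted; both would help anyone backporting a fix for a NULL dereference in the IRQ handler.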