From: "He, Bo"
To: Felipe Balbi, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
CC: gregkh@linuxfoundation.org, peter.chen@nxp.com, k.opasiak@samsung.com, stefan@agner.ch, felixhaedicke@web.de, colin.king@canonical.com, rogerq@ti.com, f.fainelli@gmail.com, "Zhang, Yanmin"
Subject: RE: [PATCH] usb: gadget: udc: fix the kernel NULL pointer in composite_setup
Date: Wed, 19 Jul 2017 08:13:22 +0000
References: <87pocy81og.fsf@linux.intel.com> <87eftc6f19.fsf@linux.intel.com>
In-Reply-To: <87eftc6f19.fsf@linux.intel.com>

The patch I submitted is based on the latest kernel; I checked that the
latest kernel has the same logic, so I sent the patch to LKML. Thanks for
your comments.
-----Original Message-----
From: Felipe Balbi [mailto:balbi@kernel.org]
Sent: Wednesday, July 19, 2017 3:51 PM
To: He, Bo; linux-kernel@vger.kernel.org; linux-usb@vger.kernel.org
Cc: gregkh@linuxfoundation.org; peter.chen@nxp.com; k.opasiak@samsung.com; stefan@agner.ch; felixhaedicke@web.de; colin.king@canonical.com; rogerq@ti.com; f.fainelli@gmail.com; Zhang, Yanmin
Subject: RE: [PATCH] usb: gadget: udc: fix the kernel NULL pointer in composite_setup

Hi,

(please don't top-post and also break your lines at 80-columns ;-)

"He, Bo" writes:
> 1. the issue reproduced very rarely, we run a reboot test to
> reproduce the issue, it reproduced two times on two boards after
> more than 1500 reboot cycles.

That's fine, we, somehow, got a use-after-free on the tracepoints. I'm
interested in fixing that without touching udc-core since that's a
dwc3-only bug.

> 2. the kernel version is 4.4, the test case is cold reboot, I think
> it's not android patches that cause it, it's the interrupt thread
> running after the udc->driver->unbind.

Yeah, I need you to try v4.13-rc1. v4.4 is *really* old. I can't accept
your patch unless I'm certain the bug still exists.

> 3. I checked more drivers, like amd5536_udc_stop, at91_stop,
> atmel_usba_stop, bcm63xx_udc_stop, s3c_hsudc_stop, all the
> interrupt disabling is in the udc_stop(), so we need to
> guarantee to stop the interrupt and then release the resource.

Right, we also disable the interrupt on ->udc_stop().
See below:

static void __dwc3_gadget_stop(struct dwc3 *dwc)
{
        dwc3_gadget_disable_irq(dwc);
        __dwc3_gadget_ep_disable(dwc->eps[0]);
        __dwc3_gadget_ep_disable(dwc->eps[1]);
}

static int dwc3_gadget_stop(struct usb_gadget *g)
{
        struct dwc3             *dwc = gadget_to_dwc(g);
        unsigned long           flags;
        int                     epnum;

        spin_lock_irqsave(&dwc->lock, flags);

        if (pm_runtime_suspended(dwc->dev))
                goto out;

        __dwc3_gadget_stop(dwc);

        for (epnum = 2; epnum < DWC3_ENDPOINTS_NUM; epnum++) {
                struct dwc3_ep  *dep = dwc->eps[epnum];

                if (!dep)
                        continue;

                if (!(dep->flags & DWC3_EP_END_TRANSFER_PENDING))
                        continue;

                wait_event_lock_irq(dep->wait_end_transfer,
                                    !(dep->flags & DWC3_EP_END_TRANSFER_PENDING),
                                    dwc->lock);
        }

out:
        dwc->gadget_driver      = NULL;
        spin_unlock_irqrestore(&dwc->lock, flags);

        free_irq(dwc->irq_gadget, dwc->ev_buf);

        return 0;
}

-- 
balbi
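The ordering the dwc3_gadget_stop() above relies on (disable the interrupt source, wait under the lock for any pending end-transfer, only then clear the driver pointer, then free the irq) is easier to see in a user-space model. The block below is an added example written for this thread, not code from dwc3, udc-core or either poster: a worker thread plays the threaded interrupt handler, a pthread mutex plays dwc->lock, a condition variable plays wait_event_lock_irq(), and joining the thread plays free_irq(). The structs, udc_start(), udc_stop_safe(), udc_stop_unsafe(), run_cycle() and safe_cycle_ok() are all invented for the example; the unsafe variant reproduces the reported pattern (driver pointer dropped while the interrupt is still live) and counts, instead of crashing on, the NULL dereference that composite_setup() would hit in the kernel.

```c
#define _POSIX_C_SOURCE 200809L
/* Constructed user-space model of gadget teardown ordering; not kernel code.
 * thread == threaded irq handler, mutex == dwc->lock,
 * condvar == wait_event_lock_irq(), join == free_irq(). Names are invented. */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

struct gadget_driver { int setup_calls; }; /* calls into the bound gadget driver */

struct udc {
    pthread_mutex_t lock;             /* dwc->lock */
    pthread_cond_t wait_end_transfer; /* dep->wait_end_transfer */
    bool irq_enabled;                 /* dwc3_gadget_disable_irq() clears this */
    bool end_transfer_pending;        /* DWC3_EP_END_TRANSFER_PENDING */
    bool irq_released;                /* set by the free_irq() analogue */
    struct gadget_driver *driver;     /* dwc->gadget_driver */
    int faults;                       /* handler ran with driver == NULL */
    pthread_t irq_thread;
};

static void sleep_us(long us) { struct timespec ts = { 0, us * 1000 }; nanosleep(&ts, NULL); }

/* Handler thread: starts an end-transfer, drops the lock while the "hardware"
 * works, then completes it by calling back into the gadget driver. */
static void *irq_thread_fn(void *arg)
{
    struct udc *u = arg;
    for (;;) {
        pthread_mutex_lock(&u->lock);
        if (u->irq_released) { pthread_mutex_unlock(&u->lock); return NULL; }
        if (u->irq_enabled) {
            u->end_transfer_pending = true;
            pthread_mutex_unlock(&u->lock);
            sleep_us(200);                              /* hardware latency */
            pthread_mutex_lock(&u->lock);
            if (u->driver) u->driver->setup_calls++;    /* completion -> driver */
            else u->faults++;                           /* the NULL deref from the report */
            u->end_transfer_pending = false;
            pthread_cond_broadcast(&u->wait_end_transfer);
        }
        pthread_mutex_unlock(&u->lock);
        sleep_us(50);
    }
}

static void udc_start(struct udc *u, struct gadget_driver *drv)
{
    pthread_mutex_init(&u->lock, NULL);
    pthread_cond_init(&u->wait_end_transfer, NULL);
    u->irq_enabled = true;
    u->end_transfer_pending = false;
    u->irq_released = false;
    u->driver = drv;
    u->faults = 0;
    pthread_create(&u->irq_thread, NULL, irq_thread_fn, u);
}

/* Safe order, as in dwc3_gadget_stop(): disable irq, wait for pending
 * end-transfers under the lock, clear the driver pointer, then free the irq. */
static int udc_stop_safe(struct udc *u)
{
    pthread_mutex_lock(&u->lock);
    u->irq_enabled = false;
    while (u->end_transfer_pending)
        pthread_cond_wait(&u->wait_end_transfer, &u->lock);
    u->driver = NULL;
    u->irq_released = true;
    pthread_mutex_unlock(&u->lock);
    pthread_join(u->irq_thread, NULL);
    return u->faults;
}

/* Unsafe order for contrast: driver pointer dropped first, interrupt still
 * live. The fault count is timing dependent, which is why such bugs are rare. */
static int udc_stop_unsafe(struct udc *u)
{
    pthread_mutex_lock(&u->lock);
    u->driver = NULL;                     /* unbind already happened */
    pthread_mutex_unlock(&u->lock);
    sleep_us(2000);                       /* handler keeps completing transfers */
    pthread_mutex_lock(&u->lock);
    u->irq_enabled = false;
    u->irq_released = true;
    pthread_mutex_unlock(&u->lock);
    pthread_join(u->irq_thread, NULL);
    return u->faults;
}

/* One start/traffic/stop cycle; returns faults, reports driver calls seen. */
static int run_cycle(bool safe, int *setup_calls)
{
    struct udc u;
    struct gadget_driver drv = { 0 };
    int faults, done;
    udc_start(&u, &drv);
    do {                                  /* let at least three transfers complete */
        sleep_us(100);
        pthread_mutex_lock(&u.lock);
        done = drv.setup_calls >= 3;
        pthread_mutex_unlock(&u.lock);
    } while (!done);
    faults = safe ? udc_stop_safe(&u) : udc_stop_unsafe(&u);
    if (setup_calls) *setup_calls = drv.setup_calls;
    return faults;
}

/* 1 when a safe teardown saw traffic and never touched a NULL driver. */
static int safe_cycle_ok(void)
{
    int calls = 0;
    return run_cycle(true, &calls) == 0 && calls >= 3;
}

int main(void)
{
    int calls = 0, faults;
    faults = run_cycle(true, &calls);
    printf("safe order:   %d faults after %d driver calls\n", faults, calls);
    faults = run_cycle(false, &calls);
    printf("unsafe order: %d faults after %d driver calls\n", faults, calls);
    return 0;
}
```

The safe path is deterministic: once irq_enabled is cleared under the lock, the handler can only be mid-transfer (pending set, and the stop path waits for it) or idle (it will next observe irq_released and exit), so the driver pointer is never read after it is cleared. The unsafe path shows the opposite: every completion that lands in the window between clearing the pointer and quiescing the interrupt is a NULL dereference.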