Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp1954845ima; Thu, 25 Oct 2018 07:31:44 -0700 (PDT) X-Google-Smtp-Source: AJdET5cY6QurukapjGJvuEIvannj8yVeQQOVMzT+nd+5xLwlkwOf2fDSuA+wQXdeisMQ6pHeGHxO X-Received: by 2002:a17:902:30f:: with SMTP id 15-v6mr1749108pld.155.1540477904215; Thu, 25 Oct 2018 07:31:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540477904; cv=none; d=google.com; s=arc-20160816; b=BhZB2FDrxVP7/g03VvgIB9QIusFqCGF7FQQrCyIdnkh49hxCex9bvB5s5FlMCEyHSX bfx5PEitdNhCLzQFAWelbQ0vG/Ys7ovqBXnFTUA89o8qFU1lzNlPqGs3CnbRlYCQzQJr nC6okXgUF08KEhr4Ksg5ieayPU0xwuJVXKzXueVftNuPYFQ8fv5hspHi7sHlb4Yl5yiC 7QbX3Ra40HjVC6ZsYbO38sUN2OrScmaotx5BCHF+zXcIh9yBRJIxCpncLPidUa6iYnG8 e8X2FCXoKyQ6P6Dd03O5nhyYHiADgff0kEKidd7lI4e6uKxKD1VmJ4NtU23QNT1bQc1l YiKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=pFcNmtTo7D0+1468y8U2fmWMqpcoa1tzClWgN/Au9nY=; b=Y6YyXyWVMIeleiLn6/QWhcMT6jt9nMn9HRnLzdR45gU/7NVOi39OtUZGPLPINgoVtT DDAYj8Hur/lgwIDkL5JueiES2m8AUedUm3F9XE47TPOgZ+ITF7vhdNUMMvNfgcQo3ksQ 96Mkb3vAol3BCzKRX19TYltE8lhVkDeXx2uiiwS0boDH8IOL5AV2i3Rk4yhhhLY6Af/F Fos1p4dBzjjOuezkySP9hFe+ZwlLFL6ARorII7a61reNZGdpLkSPYYxpxVC+t4oy+hMg uT6wU1AWXPdGFOUKMaGcMVRh47raZ2mgdboE5pJFildLRYMEemd3isfn2IQPQITVNKjh BJHQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=UTbUue35; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g10-v6si7679666plt.212.2018.10.25.07.31.25; Thu, 25 Oct 2018 07:31:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=UTbUue35; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730502AbeJYWwW (ORCPT + 99 others); Thu, 25 Oct 2018 18:52:22 -0400 Received: from mail.kernel.org ([198.145.29.99]:34332 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730453AbeJYWwV (ORCPT ); Thu, 25 Oct 2018 18:52:21 -0400 Received: from sasha-vm.mshome.net (unknown [167.98.65.38]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 418792085B; Thu, 25 Oct 2018 14:19:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1540477164; bh=4sRq+3OM7JQubnwEYoC91IvPebW59OcGzEcOG53zGZU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UTbUue35cIbuKyZiOoEQirn48pnyX4n+LwgMptCPMNAnOcPUF63BgkBJA4J1ftKWv Zk+0Cg6EZCcx8Gnlfa7SZiaaORDFPRP7WeH/yVnU4c+aK2R3Gx6pPBiFlj34yXn4L+ h8686ZpnBu16BSeTeUn3QR2eswNsBc+QfN7IEsy8= From: Sasha Levin To: stable@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Robert Baldyga , Felipe Balbi , Sasha Levin Subject: [PATCH AUTOSEL 3.18 18/98] usb: dwc2: gadget: kill requests with 'force' in s3c_hsotg_udc_stop() Date: Thu, 25 Oct 2018 10:17:33 -0400 Message-Id: <20181025141853.214051-18-sashal@kernel.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181025141853.214051-1-sashal@kernel.org> References: <20181025141853.214051-1-sashal@kernel.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Robert Baldyga [ Upstream commit 62f4f0651ce8ef966a0e5b6db6a7a524c268fdd2 ] This makes us sure that all requests are completed before we unbind gadget. There are assumptions in gadget API that all requests have to be completed and leak of complete can break some usb function drivers. For example unbind of ECM function can cause NULL pointer dereference: [ 26.396595] configfs-gadget gadget: unbind function 'cdc_ethernet'/e79c4c00 [ 26.414999] Unable to handle kernel NULL pointer dereference at virtual address 00000000 (...) [ 26.452223] PC is at ecm_unbind+0x6c/0x9c [ 26.456209] LR is at ecm_unbind+0x68/0x9c (...) [ 26.603696] [] (ecm_unbind) from [] (purge_configs_funcs+0x94/0xd8) [ 26.611674] [] (purge_configs_funcs) from [] (configfs_composite_unbind+0x14/0x34) [ 26.620961] [] (configfs_composite_unbind) from [] (usb_gadget_remove_driver+0x68/0x9c) [ 26.630683] [] (usb_gadget_remove_driver) from [] (usb_gadget_unregister_driver+0x64/0x94) [ 26.640664] [] (usb_gadget_unregister_driver) from [] (unregister_gadget+0x20/0x3c) [ 26.650038] [] (unregister_gadget) from [] (gadget_dev_desc_UDC_store+0x80/0xb8) [ 26.659152] [] (gadget_dev_desc_UDC_store) from [] (gadget_info_attr_store+0x1c/0x28) [ 26.668703] [] (gadget_info_attr_store) from [] (configfs_write_file+0xe8/0x148) [ 26.677818] [] (configfs_write_file) from [] (vfs_write+0xb0/0x1a0) [ 26.685801] [] (vfs_write) from [] (SyS_write+0x44/0x84) [ 26.692834] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x30) [ 26.700381] Code: e30409f8 e34c0069 eb07b88d e59430a8 (e5930000) [ 26.706485] ---[ end trace f62a082b323838a2 ]--- It's because in some cases request is still running on endpoint during unbind and kill_all_requests() called from s3c_hsotg_udc_stop() function doesn't cause call of complete() of request. Missing complete() call causes ecm->notify_req equals NULL in ecm_unbind() function, and this is reason of this bug. Similar breaks can be observed in another usb function drivers. This patch fixes this bug forcing usb request completion in when s3c_hsotg_ep_disable() is called from s3c_hsotg_udc_stop(). Acked-by: Paul Zimmerman Signed-off-by: Robert Baldyga Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin --- drivers/usb/dwc2/gadget.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c index 8b5c079c7b7d..cb4c925fb87c 100644 --- a/drivers/usb/dwc2/gadget.c +++ b/drivers/usb/dwc2/gadget.c @@ -2590,7 +2590,7 @@ static int s3c_hsotg_ep_enable(struct usb_ep *ep, * s3c_hsotg_ep_disable - disable given endpoint * @ep: The endpoint to disable. */ -static int s3c_hsotg_ep_disable(struct usb_ep *ep) +static int s3c_hsotg_ep_disable_force(struct usb_ep *ep, bool force) { struct s3c_hsotg_ep *hs_ep = our_ep(ep); struct s3c_hsotg *hsotg = hs_ep->parent; @@ -2611,7 +2611,7 @@ static int s3c_hsotg_ep_disable(struct usb_ep *ep) spin_lock_irqsave(&hsotg->lock, flags); /* terminate all requests with shutdown */ - kill_all_requests(hsotg, hs_ep, -ESHUTDOWN, false); + kill_all_requests(hsotg, hs_ep, -ESHUTDOWN, force); hsotg->fifo_map &= ~(1<fifo_index); hs_ep->fifo_index = 0; @@ -2632,6 +2632,10 @@ static int s3c_hsotg_ep_disable(struct usb_ep *ep) return 0; } +static int s3c_hsotg_ep_disable(struct usb_ep *ep) +{ + return s3c_hsotg_ep_disable_force(ep, false); +} /** * on_list - check request is on the given endpoint * @ep: The endpoint to check. @@ -2933,7 +2937,7 @@ static int s3c_hsotg_udc_stop(struct usb_gadget *gadget, /* all endpoints should be shutdown */ for (ep = 1; ep < hsotg->num_of_eps; ep++) - s3c_hsotg_ep_disable(&hsotg->eps[ep].ep); + s3c_hsotg_ep_disable_force(&hsotg->eps[ep].ep, true); spin_lock_irqsave(&hsotg->lock, flags); -- 2.17.1