From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Paul Zimmerman, Robert Baldyga, Felipe Balbi, Sasha Levin
Subject: [PATCH 3.18 048/144] usb: dwc2: gadget: kill requests with force in s3c_hsotg_udc_stop()
Date: Thu, 8 Nov 2018 13:50:19 -0800
Message-Id: <20181108215058.326996998@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181108215054.826084593@linuxfoundation.org>
References: <20181108215054.826084593@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 62f4f0651ce8ef966a0e5b6db6a7a524c268fdd2 ]

This makes us sure that all requests are completed before we unbind
gadget. There are assumptions in gadget API that all requests have to
be completed and leak of complete can break some usb function drivers.

For example unbind of ECM function can cause NULL pointer dereference:

[ 26.396595] configfs-gadget gadget: unbind function 'cdc_ethernet'/e79c4c00
[ 26.414999] Unable to handle kernel NULL pointer dereference at virtual address 00000000
(...)
[ 26.452223] PC is at ecm_unbind+0x6c/0x9c
[ 26.456209] LR is at ecm_unbind+0x68/0x9c
(...)
[ 26.603696] [] (ecm_unbind) from [] (purge_configs_funcs+0x94/0xd8)
[ 26.611674] [] (purge_configs_funcs) from [] (configfs_composite_unbind+0x14/0x34)
[ 26.620961] [] (configfs_composite_unbind) from [] (usb_gadget_remove_driver+0x68/0x9c)
[ 26.630683] [] (usb_gadget_remove_driver) from [] (usb_gadget_unregister_driver+0x64/0x94)
[ 26.640664] [] (usb_gadget_unregister_driver) from [] (unregister_gadget+0x20/0x3c)
[ 26.650038] [] (unregister_gadget) from [] (gadget_dev_desc_UDC_store+0x80/0xb8)
[ 26.659152] [] (gadget_dev_desc_UDC_store) from [] (gadget_info_attr_store+0x1c/0x28)
[ 26.668703] [] (gadget_info_attr_store) from [] (configfs_write_file+0xe8/0x148)
[ 26.677818] [] (configfs_write_file) from [] (vfs_write+0xb0/0x1a0)
[ 26.685801] [] (vfs_write) from [] (SyS_write+0x44/0x84)
[ 26.692834] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x30)
[ 26.700381] Code: e30409f8 e34c0069 eb07b88d e59430a8 (e5930000)
[ 26.706485] ---[ end trace f62a082b323838a2 ]---

It's because in some cases request is still running on endpoint during
unbind and kill_all_requests() called from s3c_hsotg_udc_stop() function
doesn't cause call of complete() of request. Missing complete() call
causes ecm->notify_req to equal NULL in ecm_unbind() function, and this is
the reason for this bug.

Similar breaks can be observed in other usb function drivers.

This patch fixes this bug forcing usb request completion when
s3c_hsotg_ep_disable() is called from s3c_hsotg_udc_stop().

Acked-by: Paul Zimmerman
Signed-off-by: Robert Baldyga
Signed-off-by: Felipe Balbi
Signed-off-by: Sasha Levin
---
 drivers/usb/dwc2/gadget.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
index 8b5c079c7b7d..cb4c925fb87c 100644
--- a/drivers/usb/dwc2/gadget.c
+++ b/drivers/usb/dwc2/gadget.c
@@ -2590,7 +2590,7 @@ error: * s3c_hsotg_ep_disable - disable given endpoint * @ep: The endpoint to disable. */ -static int s3c_hsotg_ep_disable(struct usb_ep *ep) +static int s3c_hsotg_ep_disable_force(struct usb_ep *ep, bool force) { struct s3c_hsotg_ep *hs_ep = our_ep(ep); struct s3c_hsotg *hsotg = hs_ep->parent; @@ -2611,7 +2611,7 @@ static int s3c_hsotg_ep_disable(struct usb_ep *ep) spin_lock_irqsave(&hsotg->lock, flags); /* terminate all requests with shutdown */ - kill_all_requests(hsotg, hs_ep, -ESHUTDOWN, false); + kill_all_requests(hsotg, hs_ep, -ESHUTDOWN, force); hsotg->fifo_map &= ~(1<fifo_index); hs_ep->fifo_index = 0; @@ -2632,6 +2632,10 @@ static int s3c_hsotg_ep_disable(struct usb_ep *ep) return 0; } +static int s3c_hsotg_ep_disable(struct usb_ep *ep) +{ + return s3c_hsotg_ep_disable_force(ep, false); +} /** * on_list - check request is on the given endpoint * @ep: The endpoint to check. @@ -2933,7 +2937,7 @@ static int s3c_hsotg_udc_stop(struct usb_gadget *gadget, /* all endpoints should be shutdown */ for (ep = 1; ep < hsotg->num_of_eps; ep++) - s3c_hsotg_ep_disable(&hsotg->eps[ep].ep); + s3c_hsotg_ep_disable_force(&hsotg->eps[ep].ep, true); spin_lock_irqsave(&hsotg->lock, flags); -- 2.17.1
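
Review bot: the kernel-doc block above the renamed function in the first hunk (@@ -2590) still reads "s3c_hsotg_ep_disable - disable given endpoint" and documents only @ep, so it now names the wrong function and omits the new force parameter. Suggest renaming the header to s3c_hsotg_ep_disable_force and adding an "@force:" line that says what true means, in the terms the commit message uses (requests still running on the endpoint get their completion forced).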
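
Review bot: in the second hunk (@@ -2611) kill_all_requests() now receives force while hsotg->lock is held through spin_lock_irqsave(), and per the commit message force is what makes complete() run for a request still active on the endpoint. The body of kill_all_requests() is not part of this diff, so please confirm the completion callback is not invoked with hsotg->lock held and interrupts off, or that function-driver callbacks are expected to tolerate that; a callback that re-enters the controller driver could otherwise block on the same lock. The comment "terminate all requests with shutdown" could also mention the forced case.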
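
Review bot: the new s3c_hsotg_ep_disable() wrapper in the third hunk (@@ -2632) closes with "+}" immediately followed by the "/**" kernel-doc for on_list, with no blank line between them, and it carries no comment of its own. Suggest adding a blank line after the closing brace and a short comment stating that this is the non-forcing variant kept under the original name, so callers can tell when to use s3c_hsotg_ep_disable_force() instead.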
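
Review bot: the loop in s3c_hsotg_udc_stop() in the last hunk (@@ -2937) starts at ep = 1, so endpoint 0 never goes through the forced kill that this patch relies on to guarantee completion before unbind. Please confirm that a request pending on ep0 is completed elsewhere on this path, or add a comment next to "for (ep = 1; ep < hsotg->num_of_eps; ep++)" explaining why ep0 is excluded. The int returned by s3c_hsotg_ep_disable_force() is also discarded here; if a failure is possible, it would be worth at least logging it.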