Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4162036ybl;
        Mon, 13 Jan 2020 08:53:34 -0800 (PST)
X-Google-Smtp-Source: APXvYqwa6iORBZT8AlJH8l/luO5MWAfGzQcPpkw9MYmJOlDeJIonlUCjN5MwWs2aJqfkMHKRinNV
X-Received: by 2002:aca:2114:: with SMTP id 20mr13820200oiz.9.1578934414376;
        Mon, 13 Jan 2020 08:53:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1578934414; cv=none;
        d=google.com; s=arc-20160816;
        b=jATL29NRsdFNhOvHKtvOZKG1ctxDy2VW0pvjCjr9T6ZERlfaxLfWm6MCMMQhqWhWk7
         M82DCObVHTSn+FZXgbFQXv/baGzbJHOtuesw3F/LHc58EFz4bZnN4xI+CQ6i2QSvrfo8
         8rnSU588jPn17ohozbEGSKhYLUPKD7H4U0mwdpvjAsaBn/FhAyB8CEsr5u5OSIvsAAhp
         AO7y5yCHn9951Py5ORd8jMloPeC1Z2mEspNAV6eH/d8xEYHOEncNPrCoMHV/XiFKWpiy
         GQ2HfegxxVmEMLdQo11bXXQKRlNSu462KY84O+oDMiXywb7c2MaAZ++m7UlVU++NmecZ
         iBqQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:in-reply-to
         :subject:cc:to:from:date;
        bh=g6gLwaC7e22B8ZZSlbtCABb1lDrt8oPeaAxeB5sC22M=;
        b=z24AbQR0EWc/MIhbPs0mEe0JbOVJ4Tki9huDGS+wOSnKkl5Y0OKnVM2H2kWtvfOI4l
         BuLCutUfkN8Uv8t5cYmFVgwrD4/YZ48UYngdsAH3BrtlVk5RMz+AwbYBWu8p4r6eJLhw
         x/ftDtlf7LEhYjTpNMCz9H7uNtCkqL2Yd24jEDNchRej9tXyQqq8AzeqQkkSOKRhCCwA
         0aT5WbzzmOCn2F5FeBAE+/PUdty1CxOOHkG7K23IE6clFd/ugM42N9m+6PmaA782GrEG
         7udvK9GRUy6VDCGA6bm7rg21z9HLdSsNWh7I2AT4n/lla7FjUyLs8uYX/hz/L9sG5CZf
         pvYQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i17si7119764ota.82.2020.01.13.08.53.21;
        Mon, 13 Jan 2020 08:53:34 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728783AbgAMQuy (ORCPT <rfc822;schlichte.alexander@gmail.com>
        + 99 others); Mon, 13 Jan 2020 11:50:54 -0500
Received: from iolanthe.rowland.org ([192.131.102.54]:56352 "HELO
        iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S1726567AbgAMQuy (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 13 Jan 2020 11:50:54 -0500
Received: (qmail 2814 invoked by uid 2102); 13 Jan 2020 11:50:53 -0500
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 13 Jan 2020 11:50:53 -0500
Date:   Mon, 13 Jan 2020 11:50:53 -0500 (EST)
From:   Alan Stern <stern@rowland.harvard.edu>
X-X-Sender: stern@iolanthe.rowland.org
To:     Andrey Konovalov <andreyknvl@google.com>
cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Felipe Balbi <balbi@kernel.org>,
        USB list <linux-usb@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Jonathan Corbet <corbet@lwn.net>,
        Dmitry Vyukov <dvyukov@google.com>,
        Alexander Potapenko <glider@google.com>,
        Marco Elver <elver@google.com>
Subject: Re: [PATCH v4 1/1] usb: gadget: add raw-gadget interface
In-Reply-To: <CAAeHK+z2+_UHNp4_D2iL9FzPtDoU1YBohCaDJG8sAy12uc_-ew@mail.gmail.com>
Message-ID: <Pine.LNX.4.44L0.2001131049090.1502-100000@iolanthe.rowland.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 13 Jan 2020, Andrey Konovalov wrote:

> I've also found an issue, but I'm not sure if that is the bug in Raw
> Gadget, or in the gadget layer (in the former case I'll add this fix
> to v5 as well). What I believe I'm seeing is
> __fput()->usb_gadget_unregister_driver()->usb_gadget_remove_driver()->gadget_unbind()
> racing with dummy_timer()->gadget_setup(). In my case it results in
> gadget_unbind() doing set_gadget_data(gadget, NULL), and then
> gadget_setup() dereferencing get_gadget_data(gadget).
> 
> Alan, does it look possible for those two functions to race? Should
> this be prevented by the gadget layer, or should I use some kind of
> locking in my gadget driver to prevent this?

In your situation this race shouldn't happen, because before
udc->driver->unbind() is invoked we call usb_gadget_disconnect().  If
that routine succeeds -- which it always does under dummy-hcd -- then
there can't be any more setup callbacks, because find_endpoint() will
always return NULL (the is_active() test fails; see the various
set_link_state* routines).  So I don't see how you could have ended up
with the race you describe.

However, a real UDC might not be able to perform a disconnect under
software control.  In that case usb_gadget_disconnect() would not
change the pullup state, and there would be a real possibility of a
setup callback racing with an unbind callback.  This seems like a 
genuine problem and I can't think of a solution offhand.

What we would need is a way to tell the UDC driver to stop invoking
gadget callbacks, _before_ the UDC driver's stop callback gets called.
Maybe this should be merged into the pullup callback somehow.

Alan Stern