Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2981099pxj; Sun, 20 Jun 2021 06:51:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyVjsXXmlvcO8Li5akaVuKJ3MNMKT+GkeSXFAS2/RSfIQGWnoL1MvAEiU9CXZEDLMlKGqsm X-Received: by 2002:a05:6402:2552:: with SMTP id l18mr16212515edb.166.1624197070828; Sun, 20 Jun 2021 06:51:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624197070; cv=none; d=google.com; s=arc-20160816; b=WMbwGJ7wrYd2lZkM4q5ioWwgmm67exm1bCSb0Z2900OtfHlOv2LWzS8cgpwNmLOOvX 1sEAaJ6YyoIAJfKYxWsD1GIen9+11/qwvSKRkwP3L6X5bGpxGah05rXE/KtNdu/et4Kx Ujesu8mgL2kxLhvXQg111/zD7D/T+9CEoKqCnYoh98aAvTfUGIzfx1ezGJ22pleYwUii 7eAr8UYn8YaS4cA+venBnlB0+5E83RqchEbVNE6RktGB7zbnnjGer6F0duNCKYre00qW kuoPMsI3cLpAeG5MQL+tmjEpP7FZCCWchCQo641Pw/uTGb5uJbqQkMQE3VVPryZu0kK+ JwXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=Cqv8LJC9WhzIjCPGL0+Cx13TngVDR8RIqs4U3PDdG5Y=; b=C6CM/RXaur6gdWJTnGnJhcvm5HTkVthPomZZwryE+mc1JkqX29GUAqkyjb0sEXDu4R Z4iRnzVsCtBPyN5HqromHO4hun1fN5SFRdCrNyjDuj2XE/o/q/faoxsiG4Tl5AoZuEPM HQ7ogVdA2dqJJZsGvAl9F5zeZW5QNUkDVKgjl4qhietATVha7zhhGSscC1r60JpT6sT1 0XK1/Okjbqmc5mbOBPvuV1QVAVRr/dKYWiy9UcFP8UgyIUWRepc74f4U3atgry87KGKL OVz8KrBlBXJXYiraYOgMsFajKND8FilXBj6qE6e4fCl2xP2QlCFORNf3X5e1R9r1JMIt fJOA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o17si7675901eju.179.2021.06.20.06.50.46; Sun, 20 Jun 2021 06:51:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229621AbhFTNt5 (ORCPT + 99 others); Sun, 20 Jun 2021 09:49:57 -0400 Received: from netrider.rowland.org ([192.131.102.5]:58685 "HELO netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S229600AbhFTNt4 (ORCPT ); Sun, 20 Jun 2021 09:49:56 -0400 Received: (qmail 377833 invoked by uid 1000); 20 Jun 2021 09:47:43 -0400 Date: Sun, 20 Jun 2021 09:47:43 -0400 From: Alan Stern To: linyyuan@codeaurora.org Cc: Felipe Balbi , Thinh Nguyen , Greg Kroah-Hartman , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Jack Pham Subject: Re: [PATCH v3 1/2] usb: udc: core: hide struct usb_gadget_driver to gadget driver Message-ID: <20210620134743.GA377492@rowland.harvard.edu> References: <20210619154309.52127-1-linyyuan@codeaurora.org> <20210619154309.52127-2-linyyuan@codeaurora.org> <20210620021337.GA361976@rowland.harvard.edu> <42b3ebc2316495328e2d0061af81ef17@codeaurora.org> <018a4e222c2c3d6f5ca63b5f2036f8d8@codeaurora.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <018a4e222c2c3d6f5ca63b5f2036f8d8@codeaurora.org> User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jun 20, 2021 at 11:53:18AM +0800, linyyuan@codeaurora.org wrote: > On 2021-06-20 11:46, linyyuan@codeaurora.org wrote: > > On 2021-06-20 10:13, Alan Stern wrote: > > > On Sat, Jun 19, 2021 at 11:43:08PM +0800, Linyu Yuan wrote: > > > > currently most gadget driver have a pointer to save > > > > struct usb_gadget_driver from upper layer, > > > > it allow upper layer set and unset of the pointer. > > > > > > > > there is race that upper layer unset the pointer first, > > > > but gadget driver use the pointer later, > > > > and it cause system crash due to NULL pointer access. > > > > > > This race has already been fixed in Greg's usb-next branch. See > > > commit > > > 7dc0c55e9f30 ("USB: UDC core: Add udc_async_callbacks gadget op") and > > > following commits 04145a03db9d ("USB: UDC: Implement > > > udc_async_callbacks in dummy-hcd") and b42e8090ba93 ("USB: UDC: > > > Implement udc_async_callbacks in net2280"). > > > > > thanks, this is better, lower driver only need change several places. > > > You just need to write a corresponding patch implementing the > > > async_callbacks op for dwc3. > > yes, i will do. > > > > Alan, i want to discuss your suggestion again in b42e8090ba93 ("USB: UDC: > Implement udc_async_callbacks in net2280") > > + if (dev->async_callbacks) { ----> if CPU1 saw this > is true > + spin_unlock(&dev->lock); ---> CPU2 get lock > after this unlock, > it will set async_callbacks to false, then follow call also crash, right ? > + tmp = dev->driver->setup(&dev->gadget, > &u.r); > + spin_lock(&dev->lock); > + } No, this is okay. The reason is because usb_gadget_remove_driver (CPU2 in your example) does this: usb_gadget_disable_async_callbacks(udc); if (udc->gadget->irq) synchronize_irq(udc->gadget->irq); udc->driver->unbind(udc->gadget); usb_gadget_udc_stop(udc); The synchronize_irq call will make CPU2 wait until CPU1 has finished handling the interrupt for the setup packet. The system won't crash, because dev->driver->setup will be called before unbind and udc_stop instead of after. Alan Stern