Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp3684968pxv; Mon, 28 Jun 2021 10:14:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz2tUq31tTDgPGMLcoI6jxqH9wyNAjJ4fJjIRs21KItzVpwoMuaBlK+5M9UWeg6pLk5Jgwf X-Received: by 2002:a17:906:1796:: with SMTP id t22mr24685361eje.304.1624900468106; Mon, 28 Jun 2021 10:14:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624900468; cv=none; d=google.com; s=arc-20160816; b=MjQmCjiNLO8blsp4ZxE7CxOeHjdHHcI0HGqQef3fdy53rb4aDGcGxZXq7JZEpN3Xvb z99t2E4Vd+qfNy4x5NX02Z2sjofUgysF6LcOZou2Jcv3ksKDQmm3OE8jsUmOCuFQs1qw Qb4MlPaUBVnRMQEhb1Ztet9ernufV7feRroeQEW5inzVqDOynwGf/1+JLlMjmHc2UNdW CvkOAcInxf4Ns3YSZnq3hN4qUkUr4Y5kYzbiUcI5qd+flgcQLYyvCmt1TjnQ+dD0p7Yi N/2xZ4dWUVmJSUG7/uDYqLIKn/FIIBt+CSc6Psc0sBmyrvz4BaM9pHSbn7L9tNnCaxWh tc1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=Q1RfiCpXezGbRdKdtuJZH7rkfwbnhUs6++V//xHE1T8=; b=y5sJqBYA2zlJiXo4TOTKITcJC67K4M8igwnfzfygjgl+MuafkdwA9Q5vn5Oj2CVvh2 kqqTdv5UcMqbd3DRv5/zXEOHW1oGMxPCmyS17w9N7WpN5ZzGEXi3OcjGyhqD+ifgzEfy q6rsbBXeM6htofjRRm68VmXdHE/eE46ppm7dUmkhmYh3QYWuhkmvejjStz187Ka9ewEn w9KPVljYPOQl9Oi9EF9+/X7Q236gUvFznbqV9ZxRTLfEVODf76U68bFvVw9iOSJ1MoYx gpO3uuovItHMJmwvrXKUccbBiUeBsL+68X/LLQli7vOjweOhiIgaRbyfJvAkKygB6KCx Ofgg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c18si15056411ede.436.2021.06.28.10.14.03; Mon, 28 Jun 2021 10:14:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232364AbhF1OMz (ORCPT + 99 others); Mon, 28 Jun 2021 10:12:55 -0400 Received: from netrider.rowland.org ([192.131.102.5]:53219 "HELO netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S230033AbhF1OMy (ORCPT ); Mon, 28 Jun 2021 10:12:54 -0400 Received: (qmail 657388 invoked by uid 1000); 28 Jun 2021 10:10:27 -0400 Date: Mon, 28 Jun 2021 10:10:27 -0400 From: Alan Stern To: linyyuan@codeaurora.org Cc: Felipe Balbi , Thinh Nguyen , Greg Kroah-Hartman , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Jack Pham Subject: Re: [PATCH] usb: dwc3: fix race of usb_gadget_driver operation Message-ID: <20210628141027.GA656159@rowland.harvard.edu> References: <20210625104415.8072-1-linyyuan@codeaurora.org> <20210625163707.GC574023@rowland.harvard.edu> <20210626150304.GA601624@rowland.harvard.edu> <1d1f06763c7cdeb67264128537c6a8f4@codeaurora.org> <20210627140903.GB624763@rowland.harvard.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 28, 2021 at 05:36:22PM +0800, linyyuan@codeaurora.org wrote: > On 2021-06-27 22:09, Alan Stern wrote: > > > > CPU0 CPU1 > > ---- ---- > > usb_gadget_remove_driver runs > > Calls synchronize_irq > > synchronize_irq returns > > Calls udc_driver_unbind > > IRQ happens for disconnect > > Handler unlocks dwc->lock > > Calls dwc->gadget_driver->disconnect > > Gadget driver has already been unbound > > and is not prepared to handle a > > callback, so it crashes > > Calls usb_gadget_udc_stop > > dwc->gadget_driver is > > set to NULL > > > > Without the async_callbacks mechanism, the gadget driver can get a > > callback at the wrong time (after it has been unbound), which might > > cause it to crash. > 1. do you think we need to back to my original patch, > https://lore.kernel.org/linux-usb/20210619154309.52127-1-linyyuan@codeaurora.org/T/#t No, I think the async_callbacks approach is slightly better. > i think we can add the spin lock or mutex lock to protect this kind of race > from UDC layer, it will be easy understanding. We don't actually need a lock or mutex to fix this problem. We just need to make the remove_driver sequence issue two calls to the UDC driver rather than just one: async_callbacks and udc_stop. > 2. if you insist this kind of change, how to change following code in dwc3 ? > if (dwc->gadget_driver && dwc->gadget_driver->disconnect) { > > 2.1 if (dwc->async_callbacks && dwc->gadget_driver->disconnect) { > or > 2.2 if (dwc->async_callbacks && vdwc->gadget_driver && > dwc->gadget_driver->disconnect) { Either one would be okay. If async_callbacks is enabled then dwc->gadget_driver should never be NULL, but it won't hurt to check. After all, disconnect does not occur often and it doesn't need to run extremely quickly. Alan Stern