Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp431959pxm; Wed, 23 Feb 2022 03:42:52 -0800 (PST) X-Google-Smtp-Source: ABdhPJwYRmVad/BSOMAQtIflGEzdxAZbDuq+kG4A2rcSFa/q9Kbkm+qlXza/pyqUtNHlTYkYsTTs X-Received: by 2002:a17:906:dc8c:b0:6d5:826c:6850 with SMTP id cs12-20020a170906dc8c00b006d5826c6850mr3205730ejc.514.1645616572294; Wed, 23 Feb 2022 03:42:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645616572; cv=none; d=google.com; s=arc-20160816; b=xp7w6WeZttPP9OKXM6p0YeqBg+8zC/JxZV0Xcv6KjEJb1nHlSfeUXiqNR4ff20BIAS jM8uFzZDej9I73YVuf0s4aMq/iowU61eaP8vEMHI//tBoAhz3IDaG+yCgKqDNpa4vvrs hWIFduTfnfFpcd9F8mo0owbgrkWPksnjoObvr1SNhRcmFMHGL1p32oZdIBzwYVNRO15L F2Ts3aH+R+L9gnZJD7T10exO2HqO9n5/HOWso5u2Gk6tWFzfvjL6FJpQ7rSJhmHg+lKd CkADFlexzMFbCjWBqn64uuVq7d6HfCM9fESp2CKjTSEYsx7DmyJQgMuXcj4z6cQa2FYJ RKqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=XE2uJRgDNx1OqsKYkWTFHuk32gD01FUaPfvkpmgVI78=; b=WByUvHgowhzzLHa8qshkYygjpMVD2V+SK1rKFAXYla4OXSD/d049GCsmPBiqvlc5qv 2g+B/4tMoJu0O4rdVVZqXUvLghM1dJ56iZ9IEGptSET0DfFQdSLuQcBBSkeGXrDlGRzB HdJPP4L9knsB6MsX36LPzXDX8ftJuyUx3mpUcW8lfPDf/6e7i5oDbC7hvwewdh1hIJdA 0QWpZsouSrUVqbwEzCjC0laIt5khmf1lcdz0pPFJoZpBwYkm3djbWOF9h9jVItmUjQwh 8icgKgllu7hXdMic3TxAo3fcWBheErdIbvQsao37AHX/caTkG+4Wj3PbhhALGY+ylJWG x80A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcdkim header.b=ggDz6njM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id w6si12487041edv.513.2022.02.23.03.42.29; Wed, 23 Feb 2022 03:42:52 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcdkim header.b=ggDz6njM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229835AbiBWFAs (ORCPT + 99 others); Wed, 23 Feb 2022 00:00:48 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35910 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229456AbiBWFAq (ORCPT ); Wed, 23 Feb 2022 00:00:46 -0500 Received: from alexa-out-sd-02.qualcomm.com (alexa-out-sd-02.qualcomm.com [199.106.114.39]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4DDB060CC3; Tue, 22 Feb 2022 21:00:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; i=@quicinc.com; q=dns/txt; s=qcdkim; t=1645592419; x=1677128419; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=XE2uJRgDNx1OqsKYkWTFHuk32gD01FUaPfvkpmgVI78=; b=ggDz6njMq/Fiid8b+k1K8Wd8trrkLHt/aiVxU1imIrk3cx/y+VSTIygV 2ng7E1WyxAIU8Yd2VZD8ed6bgzHFVzuDdhSuGOv99vbEs8Hq1pY/YVUxW FaB+VLs6uspL8sAWCr4erX4hYV2xUok4Z5PKt+82J0gYI8KoPg/4c7lSJ A=; Received: from unknown (HELO ironmsg01-sd.qualcomm.com) ([10.53.140.141]) by alexa-out-sd-02.qualcomm.com with ESMTP; 22 Feb 2022 21:00:19 -0800 X-QCInternal: smtphost Received: from nasanex01c.na.qualcomm.com ([10.47.97.222]) by ironmsg01-sd.qualcomm.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Feb 2022 21:00:18 -0800 Received: from nalasex01a.na.qualcomm.com (10.47.209.196) by nasanex01c.na.qualcomm.com (10.47.97.222) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.15; Tue, 22 Feb 2022 21:00:17 -0800 Received: from hu-pkondeti-hyd.qualcomm.com (10.80.80.8) by nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.15; Tue, 22 Feb 2022 21:00:14 -0800 Date: Wed, 23 Feb 2022 10:30:10 +0530 From: Pavan Kondeti To: Daehwan Jung CC: Felipe Balbi , Greg Kroah-Hartman , Muchun Song , "Andrew Morton" , Christian Brauner , Stephen Rothwell , , open list Subject: Re: usb: gadget: rndis: add spinlock for rndis response list Message-ID: <20220223050010.GA20891@hu-pkondeti-hyd.qualcomm.com> References: <1645507768-77687-1-git-send-email-dh10.jung@samsung.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <1645507768-77687-1-git-send-email-dh10.jung@samsung.com> User-Agent: Mutt/1.5.24 (2015-08-30) X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nalasex01a.na.qualcomm.com (10.47.209.196) X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 22, 2022 at 02:29:28PM +0900, Daehwan Jung wrote: > There's no lock for rndis response list. It could cause list corruption > if there're two different list_add at the same time like below. > It's better to add in rndis_add_response / rndis_free_response > / rndis_get_next_response to prevent any race condition on response list. > > [ 361.894299] [1: irq/191-dwc3:16979] list_add corruption. > next->prev should be prev (ffffff80651764d0), > but was ffffff883dc36f80. (next=ffffff80651764d0). > > [ 361.904380] [1: irq/191-dwc3:16979] Call trace: > [ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90 > [ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0 > [ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84 > [ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4 > [ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60 > [ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0 > [ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc > [ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc > [ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec > [ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c > This is just one context. what about the other contexts? Interested to see the different contexts under which this list is being manipulated. From the f_rndis perspective, this list is touched from setup and disconnect callbacks. so are those two contexts not serialized from the UDC? not saying we don't need lock, but would be good to record that information in the change log. > Fixes: f6281af9d62e ("usb: gadget: rndis: use list_for_each_entry_safe") > Signed-off-by: Daehwan Jung > --- > drivers/usb/gadget/function/rndis.c | 8 ++++++++ > drivers/usb/gadget/function/rndis.h | 1 + > 2 files changed, 9 insertions(+) > > diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c > index 431d5a7..79fd994 100644 > --- a/drivers/usb/gadget/function/rndis.c > +++ b/drivers/usb/gadget/function/rndis.c > @@ -919,6 +919,7 @@ struct rndis_params *rndis_register(void (*resp_avail)(void *v), void *v) > params->resp_avail = resp_avail; > params->v = v; > INIT_LIST_HEAD(¶ms->resp_queue); > + spin_lock_init(¶ms->resp_lock); > pr_debug("%s: configNr = %d\n", __func__, i); > > return params; > @@ -1012,12 +1013,14 @@ void rndis_free_response(struct rndis_params *params, u8 *buf) > { > rndis_resp_t *r, *n; > > + spin_lock(¶ms->resp_lock); > list_for_each_entry_safe(r, n, ¶ms->resp_queue, list) { > if (r->buf == buf) { > list_del(&r->list); > kfree(r); > } > } > + spin_unlock(¶ms->resp_lock); > } > EXPORT_SYMBOL_GPL(rndis_free_response); Are you sure that this lock is not acquired from any interrupt context from other contexts? Also would it be true for all UDC? some UDC may call setup from hadirq context and disconnect in process context etc or vice versa. we don't want to acquire lock without disabling interrupts in that case. Thanks, Pavan