From: balbi@kernel.org (Felipe Balbi)
To: linux-arm-kernel@lists.infradead.org
Subject: usb: gadget: Kernel panic (NULL pointer dereference) when using fsl_udc2_core on i.MX31 PDK
Date: Tue, 24 Jan 2017 20:34:56 +0200 [thread overview]
Message-ID: <877f5k9ui7.fsf@linux.intel.com> (raw)
In-Reply-To: <CAM=E1R7U4GP52z_wE0yMpkEYBB7KpiWSWXG28xQMM61wtzJygw@mail.gmail.com>
Hi,
Magnus Lilja <lilja.magnus@gmail.com> writes:
>> Magnus Lilja <lilja.magnus@gmail.com> writes:
>>>> Magnus Lilja <lilja.magnus@gmail.com> writes:
>>>>>>> I tried the fsl_udc_core gadget driver on the i.MX31 PDK board and got a
>>>>>>> kernel panic (NULL pointer dereference) when connecting the USB cable. I
>>>>>>> had the g_serial module loaded as well.
>>>>>>>
>>>>>>> The NULL pointer panic comes from gadget/udc/core.c
>>>>>>> usb_gadget_giveback_request() which calls req->complete() and in some
>>>>>>> cases req->complete is NULL.
>>>>>>>
>>>>>>> Commit 304f7e5e1d08 ("usb: gadget: Refactor request completion") changed
>>>>>>> fsl_udc2_core.c (and several other files) and in fsl_udc2_core.c a check
>>>>>>> that req->complete is non-NULL was removed:
>>>>>>>
>>>>>>> --- a/drivers/usb/gadget/udc/fsl_udc_core.c
>>>>>>> +++ b/drivers/usb/gadget/udc/fsl_udc_core.c
>>>>>>> @@ -197,10 +197,8 @@ __acquires(ep->udc->lock)
>>>>>>> ep->stopped = 1;
>>>>>>>
>>>>>>> spin_unlock(&ep->udc->lock);
>>>>>>> - /* complete() is from gadget layer,
>>>>>>> - * eg fsg->bulk_in_complete() */
>>>>>>> - if (req->req.complete)
>>>>>>> - req->req.complete(&ep->ep, &req->req);
>>>>>>> +
>>>>>>> + usb_gadget_giveback_request(&ep->ep, &req->req);
>>>>>>>
>>>>>>> spin_lock(&ep->udc->lock);
>>>>>>> ep->stopped = stopped;
>>>>>>>
>>>>>>> If I re-introduce the check (either in fsl_udc_core.c or core.c) at
>>>>>>> least USB gadget operation using g_serial seems to work just fine.
>>>>>>>
>>>>>>> I don't know the logic in detail to understand whether this is a proper
>>>>>>> fix or if there is some other more problem with the fls_udc_core driver.
>>>>>>> Does anyone have input in this matter?
>>>>>>>
>>>>>>> I can produce a proper patch that fixes this problem by re-introducing
>>>>>>> the check (in either fsl_udc_core.c or core.c) if that is a proper
>>>>>>> solution and I can also assist in testing other fixes to the problem.
>>>>>>
>>>>>> ->complete() is supposed to be mandatory. Which gadget do you have that
>>>>>> ->doesn't set ->complete() to a valid function pointer?
>>>>>
>>>>> I'm modprobing g_serial so the following modules are loaded (using my patch):
>>>>>
>>>>> ~ # lsmod
>>>>> usb_f_acm
>>>>> u_serial
>>>>> g_serial
>>>>> libcomposite
>>>>> configfs
>>>>> fsl_usb2_udc
>>>>
>>>> okay, can you figure out which request is coming without ->complete()
>>>> set? To which endpoint is this request being queued? It would be nice to
>>>> know these details. Maybe this is an old bug which ought to be fixed.
>>>
>>> Sure, I can try figure that out. Any input to make the debug of the
>>> faster is appreciated if you have any.
>>
>> well, the easiest way is to add something like:
>>
>> if (!req->complete)
>> dump_stack();
>>
>> to fsl udc driver. Then you would know who queued the request without
>> ->complete. A slightly better approach would be to:
>>
>> if (WARN(!req->complete,
>> "%s: queueing request without ->complete\n", ep->name))
>> return;
>>
>> Or something like that.
>
> Well, I think I found it.
>
> fsl_udc_core.c:ep0_prime_status() sets req->req.complete = NULL before
> it queues a transfer and my printk()'s indicate that this is indeed
> the offending function.
>
> fsl_udc_core.c:ch9getstatus() also sets complete to NULL but in my
> tests right now I haven't seen that one.
>
> So it's an internal problem in the fsl_udc_core.c file.
seems like it. It's rather odd that fsl_udc doesn't wanna know about
completion of Status stage. Oh well, I guess in this case it doesn't
matter if you add a complete function or reinstate the previous check
for valid complete.
If you decide to reinstate the check, please add a comment above the
check explaining that fsl_udc itself queues requests with NULL
->complete().
I must say, however, that I would suggest adding a complete callback
since that will help us BUG with NULL pointer deref on bad gadget
drivers ;-)
--
balbi
next prev parent reply other threads:[~2017-01-24 18:34 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-17 21:21 usb: gadget: Kernel panic (NULL pointer dereference) when using fsl_udc2_core on i.MX31 PDK Magnus Lilja
2017-01-23 11:51 ` Felipe Balbi
2017-01-23 17:34 ` Magnus Lilja
2017-01-24 8:52 ` Felipe Balbi
2017-01-24 9:41 ` Magnus Lilja
2017-01-24 10:54 ` Felipe Balbi
2017-01-24 18:24 ` Magnus Lilja
2017-01-24 18:34 ` Felipe Balbi [this message]
2017-01-24 18:40 ` Magnus Lilja
2017-01-25 10:51 ` Felipe Balbi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877f5k9ui7.fsf@linux.intel.com \
--to=balbi@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.