From: Felipe Balbi <balbi@kernel.org>
To: Jim Lin <jilin@nvidia.com>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	Jim Lin <jilin@nvidia.com>
Subject: Re: [PATCH] usb: gadget: f_fs: Fix kernel panic for SuperSpeed
Date: Fri, 22 Apr 2016 14:52:52 +0300
Message-ID: <87bn51uagb.fsf@intel.com>
In-Reply-To: <1461321780-3226-1-git-send-email-jilin@nvidia.com>

Hi Jim,

Jim Lin <jilin@nvidia.com> writes:
> Android N adds os_desc_compat in v2_descriptor by init_functionfs()
> (system/core/adb/usb_linux_client.cpp) to support automatic install
> of MTP driver on Windows for USB device mode.
>
> Current __ffs_data_do_os_desc() of f_fs.c will check reserved1 field
> and return -EINVAL.
> This results in a second adb_write of usb_linux_client.cpp
> (system/core/adb/) which doesn't have ss_descriptors filled.
> Then later kernel_panic (composite.c) occurs when ss_descriptors
> as a pointer with NULL is being accessed.

Where exactly in composite.c are we dereferencing a NULL pointer?

Is this happening on set_config()? If that's the case, why is
gadget->speed set to USB_SPEED_SUPER to start with ? Your controller
should already have negotiated highspeed which means
function_descriptors() should have returned highspeed descriptors, not a
NULL superspeed.

Care to explain why you haven't negotiated Highspeed? The only thing I
can think of is that you're using a Superspeed-capable peripheral
controller (dwc3?) with maximum-speed set to Superspeed, with a
Superspeed-capable cable connected to an XHCI PC, but loading a
high-speed gadget driver (which you got from Android, written with f_fs)
and this gadget doesn't tell composite that its maximum speed is
Highspeed, instead of super-speed.

We can add a check, sure, to avoid a kernel oops; however, you should
really fix up the gadget implementation and/or set dwc3's maximum-speed
property accordingly.

Can you check if this patch makes your scenario work while still being
fully functional?

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index de9ffd60fcfa..3d3cdc5ed20d 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -66,20 +66,36 @@ function_descriptors(struct usb_function *f,
 {
 	struct usb_descriptor_header **descriptors;
 
+	/*
+	 * NOTE: we try to help gadget drivers which might not be setting
+	 * max_speed appropriately.
+	 */
+
 	switch (speed) {
 	case USB_SPEED_SUPER_PLUS:
 		descriptors = f->ssp_descriptors;
-		break;
+		if (descriptors)
+			break;
+		/* FALLTHROUGH */
 	case USB_SPEED_SUPER:
 		descriptors = f->ss_descriptors;
-		break;
+		if (descriptors)
+			break;
+		/* FALLTHROUGH */
 	case USB_SPEED_HIGH:
 		descriptors = f->hs_descriptors;
-		break;
+		if (descriptors)
+			break;
+		/* FALLTHROUGH */
 	default:
 		descriptors = f->fs_descriptors;
 	}
 
+	/*
+	 * if we can't find any descriptors at all, then this gadget deserves to
+	 * Oops with a NULL pointer dereference
+	 */
+
 	return descriptors;
 }
 
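Review bot: The default arm still assigns descriptors = f->fs_descriptors with no NULL check, so function_descriptors() can return NULL when a function has populated none of the four descriptor sets, and the closing comment accepts the resulting Oops. The quoted report has adb writing the descriptors through f_fs, so a NULL here is better treated as an error the caller rejects than as a crash; consider documenting that the return value may be NULL and having the callers check it. The fallback also silently hands lower-speed descriptors to a higher-speed connection (hs_descriptors when speed is USB_SPEED_SUPER), so a one-time warning at that point would keep the wrong max_speed visible instead of masking it. Minor style: each of the two new comment blocks is followed by an added blank line, which detaches it from the switch and the return it describes.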
-- 
balbi