From: balbi@kernel.org (Felipe Balbi)
To: linux-arm-kernel@lists.infradead.org
Subject: usb: gadget: Kernel panic (NULL pointer dereference) when using fsl_udc2_core on i.MX31 PDK
Date: Mon, 23 Jan 2017 13:51:26 +0200
Message-ID: <87k29m6lkx.fsf@linux.intel.com>
In-Reply-To: <f984e50b-0e64-88ef-2f53-b8da2a62daf0@gmail.com>

Hi,

Magnus Lilja <lilja.magnus@gmail.com> writes:
> Hi
>
> I tried the fsl_udc_core gadget driver on the i.MX31 PDK board and got a
> kernel panic (NULL pointer dereference) when connecting the USB cable. I
> had the g_serial module loaded as well.
>
> The NULL pointer panic comes from gadget/udc/core.c
> usb_gadget_giveback_request() which calls req->complete() and in some
> cases req->complete is NULL.
>
> Commit 304f7e5e1d08 ("usb: gadget: Refactor request completion") changed
> fsl_udc2_core.c (and several other files) and in fsl_udc2_core.c a check
> that req->complete is non-NULL was removed:
>
> --- a/drivers/usb/gadget/udc/fsl_udc_core.c
> +++ b/drivers/usb/gadget/udc/fsl_udc_core.c
> @@ -197,10 +197,8 @@ __acquires(ep->udc->lock)
> ep->stopped = 1;
>
> spin_unlock(&ep->udc->lock);
> - /* complete() is from gadget layer,
> - * eg fsg->bulk_in_complete() */
> - if (req->req.complete)
> - req->req.complete(&ep->ep, &req->req);
> +
> + usb_gadget_giveback_request(&ep->ep, &req->req);
>
> spin_lock(&ep->udc->lock);
> ep->stopped = stopped;
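Review bot: At the `usb_gadget_giveback_request(&ep->ep, &req->req);` line the `if (req->req.complete)` guard is dropped, so this path now relies on every request that reaches it carrying a non-NULL completion callback. As the report above states, the helper calls req->complete(), and a request without one dereferences NULL here. If ->complete is meant to be mandatory, that requirement should be checked where the driver accepts requests and stated in a comment at this call, since the removed comment was the only note on where complete() comes from; otherwise the guard should stay.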
>
> If I re-introduce the check (either in fsl_udc_core.c or core.c) at
> least USB gadget operation using g_serial seems to work just fine.
>
> I don't know the logic in detail to understand whether this is a proper
> fix or if there is some other problem with the fsl_udc_core driver.
> Does anyone have input in this matter?
>
> I can produce a proper patch that fixes this problem by re-introducing
> the check (in either fsl_udc_core.c or core.c) if that is a proper
> solution and I can also assist in testing other fixes to the problem.

->complete() is supposed to be mandatory. Which gadget do you have that
doesn't set ->complete() to a valid function pointer?

--
balbi
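
The two points at which the contract discussed in this message can be enforced, rejecting a request with no completion callback when it is queued or guarding the call when the request is given back, shown as a user-space C model. This is an added example, not code from the thread or from the kernel; `model_ep`, `model_req`, `model_queue`, `model_flush` and `model_count_complete` are hypothetical names.

```c
/* User-space model of a gadget request queue; every name is hypothetical. */
#include <errno.h>
#include <stddef.h>
struct model_ep {
    struct model_req *head, *tail;  /* pending requests, FIFO */
    int completed, skipped;         /* callbacks run / retired without one */
};
struct model_req {
    void (*complete)(struct model_ep *ep, struct model_req *req);
    int status;
    struct model_req *next;
};

/* strict != 0 enforces "->complete is mandatory" when the request is queued. */
int model_queue(struct model_ep *ep, struct model_req *req, int strict)
{
    if (!ep || !req || (strict && !req->complete))
        return -EINVAL;             /* fails in the submitter's context */
    req->next = NULL;
    if (ep->tail)
        ep->tail->next = req;
    else
        ep->head = req;
    ep->tail = req;
    return 0;
}

/* Retire all pending requests; the NULL guard mirrors the removed check. */
int model_flush(struct model_ep *ep, int status)
{
    int retired = 0;
    for (struct model_req *req; (req = ep->head) != NULL; retired++) {
        ep->head = req->next;       /* unlink before running the callback */
        if (!ep->head)
            ep->tail = NULL;
        req->status = status;
        if (req->complete)
            req->complete(ep, req);
        else
            ep->skipped++;          /* unguarded, this is the NULL call */
    }
    return retired;
}

void model_count_complete(struct model_ep *ep, struct model_req *req)
{
    (void)req;                      /* sample completion handler */
    ep->completed++;
}
```

With `strict` set, the faulty submitter gets `-EINVAL` at queue time instead of the fault surfacing later in the completion path; the `skipped` counter shows how often the giveback guard alone would have hidden such a request.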