Re: [PATCH v2] usb: gadget: Fix double free of device descriptor pointers

[Felipe Balbi <balbi@kernel.org>]

[-- Attachment #1: Type: text/plain, Size: 2241 bytes --]


Hi,

Wesley Cheng <wcheng@codeaurora.org> writes:
>>>> From: Hemant Kumar <hemantk@codeaurora.org>
>>>>
>>>> Upon driver unbind usb_free_all_descriptors() function frees all
>>>> speed descriptor pointers without setting them to NULL. In case
>>>> gadget speed changes (i.e from super speed plus to super speed)
>>>> after driver unbind only upto super speed descriptor pointers get
>>>> populated. Super speed plus desc still holds the stale (already
>>>> freed) pointer. Fix this issue by setting all descriptor pointers
>>>> to NULL after freeing them in usb_free_all_descriptors().
>>>
>>> could you describe this a little better? How can one trigger this case?
>>> Is the speed demotion happening after unbinding? It's not clear how to
>>> cause this bug.
>>>
>> Hi Felipe,
>> 
>> Internally, we have a mechanism to switch the DWC3 core maximum speed
>> parameter dynamically for displayport use cases.  This issue happens
>> whenever we have a maximum speed change occur on the USB gadget, which
>> for DWC3 happens whenever we call gadget init.  When we switch in and
>> out of host mode, gadget init is being executed, leading to the change
>> in the USB gadget max speed parameter:
>> 
>> dwc->gadget->max_speed		= dwc->maximum_speed;
>> 
>> I know that configFS gadget has the max_speed sysfs file, which is a
>> similar mechanism, but I haven't tried to see if we can reproduce the
>> same issue with it.  Let me see if we can reproduce this with that
>> configfs speed setting.
>> 
>> Thanks
>> Wesley Cheng
>> 
>
> Hi Felipe,
>
> So I tried with doing it through the configFS max_speed, but it doesn't
> have the same effect, as the setting done in dwc3_gadget_init() will
> still be assigning the composite/UDC device's maximum speed to SSP/SS.
> This is what the usb_assign_descriptor() uses to determine whether or
> not to copy the SSP and SS descriptors.
>
> So in summary, at least for a DWC3 based subsystem, the only way to
> reproduce it is if there is a way to dynamically switch the DWC3 core
> max speed parameter.

Could it be that you have a bug in your out-of-tree changes? Perhaps
there's some assumption which your changes aren't guaranteeing.

-- 
balbi

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 857 bytes --]