From: Felipe Balbi <balbi@ti.com>
To: <changbin.du@intel.com>, <johnyoun@synopsys.com>
Cc: <gregkh@linuxfoundation.org>, <linux-usb@vger.kernel.org>,
<linux-kernel@vger.kernel.org>,
"Du, Changbin" <changbin.du@intel.com>
Subject: Re: [PATCH 2/2] usb: dwc2: forbid queuing request to a disabled ep
Date: Thu, 10 Dec 2015 11:27:41 -0600
Message-ID: <87wpsmi582.fsf@saruman.tx.rr.com>
In-Reply-To: <1448860888-9841-3-git-send-email-changbin.du@intel.com>
Hi,
changbin.du@intel.com writes:
> From: "Du, Changbin" <changbin.du@intel.com>
>
> Queuing a request to a disabled ep doesn't make sense, and induces the
> caller to make mistakes.
>
> Here is an example for the android mtp gadget function driver. A mem
> corruption can happen in the scenario below.
> 1) On disconnect, the mtp driver disables its EPs,
> 2) During send_file_work and receive_file_work, mtp queues a request
> to the ep. (The mtp driver needs to improve its synchronization logic!)
> 3) mtp_function_unbind is invoked and all mtp requests are freed.
> 4) When dwc2 processes the request queued in step 2, it will cause a kernel
> NULL pointer dereference exception.
>
> Signed-off-by: Du, Changbin <changbin.du@intel.com>
> ---
> drivers/usb/dwc2/gadget.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
> index 586bbcd..4d637ab 100644
> --- a/drivers/usb/dwc2/gadget.c
> +++ b/drivers/usb/dwc2/gadget.c
> @@ -786,6 +786,12 @@ static int dwc2_hsotg_ep_queue(struct usb_ep *ep, struct usb_request *req,
> ep->name, req, req->length, req->buf, req->no_interrupt,
> req->zero, req->short_not_ok);
>
> + if (!hs_ep->enabled) {
> + dev_warn(hs->dev, "%s: cannot queue to disabled ep\n",
> + __func__);

similar comment to previous patch:

    if (dev_WARN_ONCE(hs->dev, !hs_ep->enabled,
            "cannot queue to disabled ep %s\n", hs_ep->name))

> + return -ESHUTDOWN;
> + }
> +
> /* Prevent new request submission when controller is suspended */
> if (hs->lx_state == DWC2_L2) {
> dev_dbg(hs->dev, "%s: don't submit request while suspended\n",
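
Review bot: the test of hs_ep->enabled added in dwc2_hsotg_ep_queue() is made with no lock visible in this hunk, so an endpoint disable that lands between this check and the point where the request is actually queued is not caught; the commit message describes exactly that kind of race between disconnect and the mtp work functions. Consider doing the check under the same lock that serializes enable/disable with queuing, or state in the commit message what guarantees the flag cannot change in between. Separately, the dev_warn() text carries only __func__, so the log does not say which endpoint was hit; adding ep->name (already passed to the debug message just above) would make the warning actionable, and since a misbehaving caller can reach this path repeatedly, a once-only or rate-limited warning avoids flooding the log.
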
> --
> 2.5.0
>
--
balbi