From: balbi@kernel.org (Felipe Balbi)
To: linux-arm-kernel@lists.infradead.org
Subject: usb: gadget: Kernel panic (NULL pointer dereference) when using fsl_udc2_core on i.MX31 PDK
Date: Tue, 24 Jan 2017 20:34:56 +0200 [thread overview]
Message-ID: <877f5k9ui7.fsf@linux.intel.com> (raw)
In-Reply-To: <CAM=E1R7U4GP52z_wE0yMpkEYBB7KpiWSWXG28xQMM61wtzJygw@mail.gmail.com>
Hi,
Magnus Lilja <lilja.magnus@gmail.com> writes:
>> Magnus Lilja <lilja.magnus@gmail.com> writes:
>>>> Magnus Lilja <lilja.magnus@gmail.com> writes:
>>>>>>> I tried the fsl_udc_core gadget driver on the i.MX31 PDK board and got a
>>>>>>> kernel panic (NULL pointer dereference) when connecting the USB cable. I
>>>>>>> had the g_serial module loaded as well.
>>>>>>>
>>>>>>> The NULL pointer panic comes from gadget/udc/core.c
>>>>>>> usb_gadget_giveback_request() which calls req->complete() and in some
>>>>>>> cases req->complete is NULL.
>>>>>>>
>>>>>>> Commit 304f7e5e1d08 ("usb: gadget: Refactor request completion") changed
>>>>>>> fsl_udc2_core.c (and several other files) and in fsl_udc2_core.c a check
>>>>>>> that req->complete is non-NULL was removed:
>>>>>>>
>>>>>>> --- a/drivers/usb/gadget/udc/fsl_udc_core.c
>>>>>>> +++ b/drivers/usb/gadget/udc/fsl_udc_core.c
>>>>>>> @@ -197,10 +197,8 @@ __acquires(ep->udc->lock)
>>>>>>> ep->stopped = 1;
>>>>>>>
>>>>>>> spin_unlock(&ep->udc->lock);
>>>>>>> - /* complete() is from gadget layer,
>>>>>>> - * eg fsg->bulk_in_complete() */
>>>>>>> - if (req->req.complete)
>>>>>>> - req->req.complete(&ep->ep, &req->req);
>>>>>>> +
>>>>>>> + usb_gadget_giveback_request(&ep->ep, &req->req);
>>>>>>>
>>>>>>> spin_lock(&ep->udc->lock);
>>>>>>> ep->stopped = stopped;
>>>>>>>
>>>>>>> If I re-introduce the check (either in fsl_udc_core.c or core.c) at
>>>>>>> least USB gadget operation using g_serial seems to work just fine.
>>>>>>>
>>>>>>> I don't know the logic in detail to understand whether this is a proper
>>>>>>> fix or if there is some other more problem with the fls_udc_core driver.
>>>>>>> Does anyone have input in this matter?
>>>>>>>
>>>>>>> I can produce a proper patch that fixes this problem by re-introducing
>>>>>>> the check (in either fsl_udc_core.c or core.c) if that is a proper
>>>>>>> solution and I can also assist in testing other fixes to the problem.
>>>>>>
>>>>>> ->complete() is supposed to be mandatory. Which gadget do you have that
>>>>>> ->doesn't set ->complete() to a valid function pointer?
>>>>>
>>>>> I'm modprobing g_serial so the following modules are loaded (using my patch):
>>>>>
>>>>> ~ # lsmod
>>>>> usb_f_acm
>>>>> u_serial
>>>>> g_serial
>>>>> libcomposite
>>>>> configfs
>>>>> fsl_usb2_udc
>>>>
>>>> okay, can you figure out which request is coming without ->complete()
>>>> set? To which endpoint is this request being queued? It would be nice to
>>>> know these details. Maybe this is an old bug which ought to be fixed.
>>>
>>> Sure, I can try figure that out. Any input to make the debug of the
>>> faster is appreciated if you have any.
>>
>> well, the easiest way is to add something like:
>>
>> if (!req->complete)
>> dump_stack();
>>
>> to fsl udc driver. Then you would know who queued the request without
>> ->complete. A slightly better approach would be to:
>>
>> if (WARN(!req->complete,
>> "%s: queueing request without ->complete\n", ep->name))
>> return;
>>
>> Or something like that.
>
> Well, I think I found it.
>
> fsl_udc_core.c:ep0_prime_status() sets req->req.complete = NULL before
> it queues a transfer and my printk()'s indicate that this is indeed
> the offending function.
>
> fsl_udc_core.c:ch9getstatus() also sets complete to NULL but in my
> tests right now I haven't seen that one.
>
> So it's an internal problem in the fsl_udc_core.c file.
seems like it. It's rather odd that fsl_udc doesn't wanna know about
completion of Status stage. Oh well, I guess in this case it doesn't
matter if you add a complete function or reinstate the previous check
for valid complete.
If you decide to reinstate the check, please add a comment above the
check explaining that fsl_udc itself queues requests with NULL
->complete().
I must say, however, that I would suggest adding a complete callback
since that will help us BUG with NULL pointer deref on bad gadget
drivers ;-)
--
balbi
next prev parent reply other threads:[~2017-01-24 18:34 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-17 21:21 usb: gadget: Kernel panic (NULL pointer dereference) when using fsl_udc2_core on i.MX31 PDK Magnus Lilja
2017-01-23 11:51 ` Felipe Balbi
2017-01-23 17:34 ` Magnus Lilja
2017-01-24 8:52 ` Felipe Balbi
2017-01-24 9:41 ` Magnus Lilja
2017-01-24 10:54 ` Felipe Balbi
2017-01-24 18:24 ` Magnus Lilja
2017-01-24 18:34 ` Felipe Balbi [this message]
2017-01-24 18:40 ` Magnus Lilja
2017-01-25 10:51 ` Felipe Balbi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877f5k9ui7.fsf@linux.intel.com \
--to=balbi@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).