> > On Thu, Jul 16, 2015 at 04:04:28PM +0800, Peter Chen wrote: > > At some unexpected cases, the host may send the non-core control > > request before the configruation has been established, so the > > cdev->config is still NULL, then below NULL pointer dereference issue > > problem will occur. Although the udc driver can handle non-core > > control request beforhand, we still need composite core can handle some > exceptions and without system crash. > > > > I meet this issue when I connect one board which supports USB OTG 2.0 > > (SRP & HNP), this board uses an internal bsp code, and another > > B-device uses the latest upstream mode which supports USB OTG not very > > well, so when the host sends the SET_FEATURE for > > USB_DEVICE_A_HNP_SUPPORT request (non-core control req00.03 v0004 > > i0000 l0), the udc driver does not handle it, and the composite driver > > takes it as a unknown request, it tries to get functions within configuration > before checking configuration's valid. > > > > root@imx6sxsabresd:~# modprobe g_mass_storage file=/dev/mmcblk0p1 > removable=1 > > [ 41.994328] Number of LUNs=8 > > [ 41.997260] Mass Storage Function, version: 2009/09/11 > > [ 42.004301] LUN: removable file: (no medium) > > [ 42.012441] Number of LUNs=1 > > [ 42.016179] LUN: removable file: /dev/mmcblk0p1 > > [ 42.020855] Number of LUNs=1 > > [ 42.028315] g_mass_storage gadget: Mass Storage Gadget, version: > 2009/09/11 > > [ 42.035395] g_mass_storage gadget: userspace failed to provide > iSerialNumber > > [ 42.042559] g_mass_storage gadget: g_mass_storage ready > > root@imx6sxsabresd:~# > > root@imx6sxsabresd:~# [ 43.735411] Unable to handle kernel NULL pointer > dereference at virtual address 00000028 > > [ 43.743523] pgd = 80004000 > > [ 43.746237] [00000028] *pgd=00000000 > > [ 43.749840] Internal error: Oops: 17 [#1] SMP ARM > > [ 43.754551] Modules linked in: g_mass_storage usb_f_mass_storage > libcomposite configfs evbug > > [ 43.763096] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.2.0-rc1-00007- > ga577f1b-dirty #358 > > [ 43.771278] Hardware name: Freescale i.MX6 SoloX (Device Tree) > > [ 43.777118] task: 80c9a9f8 ti: 80c94000 task.ti: 80c94000 > > [ 43.782558] PC is at composite_setup+0xe4/0x18d4 [libcomposite] > > [ 43.788484] LR is at 0x1 > > [ 43.791025] pc : [<7f0120e4>] lr : [<00000001>] psr: 600b0193 > > [ 43.791025] sp : 80c95d30 ip : 00000000 fp : 80c95d94 > > [ 43.802507] r10: 80c95dc8 r9 : 00000004 r8 : 00000000 > > [ 43.807738] r7 : 00000000 r6 : bd0c82d0 r5 : bd3fdb00 r4 : bd3fd080 > > [ 43.814269] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : 00000003 > > [ 43.820803] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment > kernel > > [ 43.828205] Control: 10c5387d Table: bbc0c04a DAC: 00000015 > > [ 43.833958] Process swapper/0 (pid: 0, stack limit = 0x80c94210) > > [ 43.839970] Stack: (0x80c95d30 to 0x80c96000) > > [ 43.844336] 5d20: 808bc300 8007bf24 00000001 00000000 > > [ 43.852523] 5d40: 8056b280 80c95d50 00000000 600b0193 80c95d94 bd0c8014 > bd0c8010 00000000 > > [ 43.860710] 5d60: 00082001 808bc5c8 600b0193 bd0c8014 bd0c8010 00080001 > 00082001 bd0c8568 > > [ 43.868896] 5d80: bd0c9010 c0876140 80c95dfc 80c95d98 8056c0ec 7f01200c > bd0c8568 bd0c8014 > > [ 43.877083] 5da0: 00000001 00000000 bd0c9010 00000000 800787b8 bd0c8010 > 00000000 80075e2c > > [ 43.885270] 5dc0: 00000001 00000080 00040300 00000000 80c95dfc bd0c8010 > 0b242f20 bd0c9010 > > [ 43.893456] 5de0: 00000000 00000000 80d42428 80d4243c 80c95e1c 80c95e00 > 805684e4 8056b8ec > > [ 43.901643] 5e00: 8056847c bd064bc0 be1cf264 00000116 80c95e5c 80c95e20 > 800849ec 80568488 > > [ 43.909829] 5e20: be1cf264 bd064bc0 be1cf200 00000000 600b0193 be1cf200 > be1cf264 bd064bc0 > > [ 43.918015] 5e40: 00000000 00000001 be01e000 808c0640 80c95e7c 80c95e60 > 80084bec 800849a4 > > [ 43.926202] 5e60: 00000000 be1cf200 be1cf264 80ca3798 80c95e9c 80c95e80 > 800881a0 80084ba8 > > [ 43.934389] 5e80: 800880c4 00000116 00000116 80c972d4 80c95eb4 80c95ea0 > 80083f4c 800880d0 > > [ 43.942576] 5ea0: 00000125 80c90654 80c95edc 80c95eb8 800842a4 80083f20 > 80c95f00 c080e10c > > [ 43.950762] 5ec0: 80c974bc c080e100 80c969c4 80c60278 80c95efc 80c95ee0 > 800095a8 8008423c > > [ 43.958949] 5ee0: 800115d4 200b0013 ffffffff 80c95f34 80c95f54 80c95f00 > 80015be4 80009584 > > [ 43.967135] 5f00: 00000001 00000001 00000000 80025fc0 80c94000 80c96a10 > 00000001 80d429c8 > > [ 43.975322] 5f20: 80c969c4 80c60278 808c0640 80c95f54 80c95f18 80c95f48 > 80075a14 800115d4 > > [ 43.983509] 5f40: 200b0013 ffffffff 80c95f64 80c95f58 8007010c 800115b0 > 80c95f84 80c95f68 > > [ 43.991696] 5f60: 80070264 800700e8 80c95f84 80c8e3e4 808b7854 80c96900 > 80c95fac 80c95f88 > > [ 43.999883] 5f80: 808ac968 80070128 00000000 00000000 808ac834 ffffffff > 80d5c050 80d5c000 > > [ 44.008070] 5fa0: 80c95ff4 80c95fb0 80be5cd0 808ac840 ffffffff ffffffff > 00000000 80be56ec > > [ 44.016255] 5fc0: 00000000 80c60278 00000000 80d5c294 80c969ac 80c60274 > 80c9c420 8000406a > > [ 44.024441] 5fe0: 412fc09a 00000000 00000000 80c95ff8 8000807c 80be596c > 00000000 00000000 > > [ 44.032621] Backtrace: > > [ 44.035122] [<7f012000>] (composite_setup [libcomposite]) from > [<8056c0ec>] (udc_irq+0x80c/0xe68) > > [ 44.044000] r10:c0876140 r9:bd0c9010 r8:bd0c8568 r7:00082001 r6:00080001 > r5:bd0c8010 > > [ 44.051916] r4:bd0c8014 > > [ 44.054483] [<8056b8e0>] (udc_irq) from [<805684e4>] (ci_irq+0x68/0x160) > > [ 44.061189] r10:80d4243c r9:80d42428 r8:00000000 r7:00000000 r6:bd0c9010 > r5:0b242f20 > > [ 44.069106] r4:bd0c8010 > > [ 44.071672] [<8056847c>] (ci_irq) from [<800849ec>] > (handle_irq_event_percpu+0x54/0x204) > > [ 44.079765] r6:00000116 r5:be1cf264 r4:bd064bc0 r3:8056847c > > [ 44.085500] [<80084998>] (handle_irq_event_percpu) from [<80084bec>] > (handle_irq_event+0x50/0x74) > > [ 44.094376] r10:808c0640 r9:be01e000 r8:00000001 r7:00000000 r6:bd064bc0 > r5:be1cf264 > > [ 44.102291] r4:be1cf200 > > [ 44.104854] [<80084b9c>] (handle_irq_event) from [<800881a0>] > (handle_fasteoi_irq+0xdc/0x1c4) > > [ 44.113383] r6:80ca3798 r5:be1cf264 r4:be1cf200 r3:00000000 > > [ 44.119117] [<800880c4>] (handle_fasteoi_irq) from [<80083f4c>] > (generic_handle_irq+0x38/0x4c) > > [ 44.127732] r6:80c972d4 r5:00000116 r4:00000116 r3:800880c4 > > [ 44.133465] [<80083f14>] (generic_handle_irq) from [<800842a4>] > (__handle_domain_irq+0x74/0xf0) > > [ 44.142167] r4:80c90654 r3:00000125 > > [ 44.145788] [<80084230>] (__handle_domain_irq) from [<800095a8>] > (gic_handle_irq+0x30/0x70) > > [ 44.154142] r9:80c60278 r8:80c969c4 r7:c080e100 r6:80c974bc r5:c080e10c > r4:80c95f00 > > [ 44.161977] [<80009578>] (gic_handle_irq) from [<80015be4>] > (__irq_svc+0x44/0x5c) > > [ 44.169465] Exception stack(0x80c95f00 to 0x80c95f48) > > [ 44.174527] 5f00: 00000001 00000001 00000000 80025fc0 80c94000 80c96a10 > 00000001 80d429c8 > > [ 44.182714] 5f20: 80c969c4 80c60278 808c0640 80c95f54 80c95f18 80c95f48 > 80075a14 800115d4 > > [ 44.190895] 5f40: 200b0013 ffffffff > > [ 44.194388] r7:80c95f34 r6:ffffffff r5:200b0013 r4:800115d4 > > [ 44.200137] [<800115a4>] (arch_cpu_idle) from [<8007010c>] > (default_idle_call+0x30/0x40) > > [ 44.208243] [<800700dc>] (default_idle_call) from [<80070264>] > (cpu_startup_entry+0x148/0x270) > > [ 44.216869] [<8007011c>] (cpu_startup_entry) from [<808ac968>] > (rest_init+0x134/0x170) > > [ 44.224790] r7:80c96900 > > [ 44.227354] [<808ac834>] (rest_init) from [<80be5cd0>] > (start_kernel+0x370/0x3e8) > > [ 44.234842] r5:80d5c000 r4:80d5c050 > > [ 44.238458] [<80be5960>] (start_kernel) from [<8000807c>] (0x8000807c) > > [ 44.244995] Code: e3130001 1a000039 e594200c e1a03002 (e5b35028) > > [ 44.251100] ---[ end trace 48ab8610ac76d0a2 ]--- > > [ 44.255725] Kernel panic - not syncing: Fatal exception in interrupt > > [ 44.262092] ---[ end Kernel panic - not syncing: Fatal exception in interrupt > > > > Cc: <stable@xxxxxxxxxxxxxxx> #v3.14+ > > Cc: Jun Li <jun.li@xxxxxxxxxxxxx> > > Cc: Roger Quadros <rogerq@xxxxxx> > > Signed-off-by: Peter Chen <peter.chen@xxxxxxxxxxxxx> > > --- > > drivers/usb/gadget/composite.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/drivers/usb/gadget/composite.c > > b/drivers/usb/gadget/composite.c index 4e3447b..dc836b3 100644 > > --- a/drivers/usb/gadget/composite.c > > +++ b/drivers/usb/gadget/composite.c > > @@ -1758,6 +1758,8 @@ unknown: > > * take such requests too, if that's ever needed: to work > > * in config 0, etc. > > */ > > + if (!cdev->config) > > + break; > > list_for_each_entry(f, &cdev->config->functions, list) > > if (f->req_match && f->req_match(f, ctrl)) > > goto try_fun_setup; > > -- > > 1.9.1 > > > > For this case, could be better if fix it like A_ALT_HNP_SUPPORT > in chipidea/udc.c? Like I mentioned at commit log, changing udc driver can fix this specific case, but composite core should handle any unexpected requests well, without any crashes. Peter -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
