Hi Balbi,

Sorry for the late response, due to some other issues.

1> Yes, I agree this is a gadget driver bug. The current gadget framework does not have any check on this usb_request->complete pointer, per my understanding. I think we should add some check in dwc3 OR in a gadget API like usb_ep_queue() in include/linux/usb/gadget.h. I saw that in 4.5-rc6 there is some sanity check code in usb_ep_queue. I can move the check from dwc3 to gadget.h.

2> My current kernel is not a vanilla kernel from Linus; I am using an old/modified kernel based on 3.1x. But as this bug points to usb_request->complete being NULL, I think the latest kernel also has the risk of this happening. My platform is an x86 platform. And I am not able to reproduce this issue either. From my analysis of the call trace, I suspect there is an RNDIS gadget function running with data transfer, and a disconnect happens when the kernel panics. As I have not been able to reproduce this issue until now, I am using my supposed way to reproduce this issue:

Connect device with RNDIS enabled.
Run RNDIS transfer using iperf with one Host machine as server and client.
Disconnect device when iperf is running.

To be clear, this is my supposed way; I am not able to reproduce this issue either.

3> So what is your opinion about how to fix this issue?

Thanks!

-----Original Message-----
From: Felipe Balbi [mailto:balbi@xxxxxxxxxx]
Sent: Friday, February 26, 2016 3:58 PM
To: Tang, Jianqiang <jianqiang.tang@xxxxxxxxx>; Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: linux-usb@xxxxxxxxxxxxxxx; Tang, Jianqiang <jianqiang.tang@xxxxxxxxx>
Subject: Re: [PATCH v1] usb: dwc3: gadget: sanity check for usb request complete function in ep_enqueue and giveback function.

hi,

Tang Jianqiang <jianqiang.tang@xxxxxxxxx> writes:
> From: Jianqiang Tang <jianqiang.tang@xxxxxxxxx>
>
> Do sanity check for usb request complete function as we hit random
> null pointer kernel panic in giveback function.
>
> From the call trace, show the complete function should be null.
> So we add the sanity check before every usb request queue to dwc3 also
> before dwc3 giveback the usb request.
>
> Logs:
> BUG: unable to handle kernel NULL pointer dereference at (null)
> IP: [< (null)>] (null)
> Call Trace:
> ? dwc3_gadget_giveback+0xa5/0x130
> ? vsnprintf+0x166/0x3d0
> dwc3_remove_requests+0x57/0x70
> __dwc3_gadget_ep_disable+0x18/0x80
> dwc3_gadget_ep_disable+0x79/0x1a0
> linkwatch_fire_event+0x4c/0x90
> gether_disconnect+0x45/0x1b0
> ? wake_up_klogd+0x49/0x70
> console_unlock+0x295/0x4c0
> rndis_disable+0x3d/0x90
> preempt_count_add+0x55/0xa0
> reset_config+0x3b/0x90
> _raw_spin_lock_irqsave+0x25/0x30
> composite_disconnect+0x2f/0x50
> dwc3_gadget_disconnect_interrupt+0x62/0x90
>
> Signed-off-by: Jianqiang Tang <jianqiang.tang@xxxxxxxxx>

well, this is a gadget driver bug, not a dwc3 bug. This gadget driver deserves to oops so we fix it.

Care to provide information on how to reproduce this ? Which kernel did you use ? Which platform ? Are you using a vanilla kernel from Linus ?

cheers

--
balbi
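The enqueue-time check discussed in this thread, modelled in userspace C as an added example (not code from the patch, dwc3 or the gadget framework). The names `model_request`, `model_ep`, `model_ep_queue`, `model_ep_flush` and `count_complete` are hypothetical, and the status codes are choices made for this model.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical userspace model of a gadget endpoint queue; not kernel code. */
struct model_request {
    void (*complete)(struct model_request *req); /* completion callback */
    int status;
    struct model_request *next;
};

struct model_ep { struct model_request *head, *tail; };

/* Enqueue-time sanity check: refuse a request that could never be given
 * back safely, so the caller sees the error at the point of the mistake. */
int model_ep_queue(struct model_ep *ep, struct model_request *req)
{
    if (!ep || !req || !req->complete)
        return -EINVAL;
    req->status = -EINPROGRESS;
    req->next = NULL;
    if (ep->tail)
        ep->tail->next = req;
    else
        ep->head = req;
    ep->tail = req;
    return 0;
}

/* Disconnect path: give back every pending request with -ESHUTDOWN.
 * Because model_ep_queue() rejected NULL callbacks, the indirect call
 * below never goes through a NULL pointer. Returns the number given back. */
int model_ep_flush(struct model_ep *ep)
{
    int n = 0;
    while (ep->head) {
        struct model_request *req = ep->head;
        ep->head = req->next;
        req->status = -ESHUTDOWN;
        req->complete(req);
        n++;
    }
    ep->tail = NULL;
    return n;
}

static int completions; /* counts callback invocations in this model */
void count_complete(struct model_request *req) { (void)req; completions++; }
```

Rejecting the request when it is queued reports the error in the function driver's own call path, instead of as a NULL dereference later during disconnect handling.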