On Sun, Sep 3, 2017 at 2:12 PM, Michal Nazarewicz <mina86@xxxxxxxxxx> wrote:
> On Thu, Aug 31 2017, Kees Cook wrote:
>> With timer initialization made earlier at the start, there is no reason
>> to make del_timer_sync() calls conditionally, there by removing the
>> assignments and tests of the .data field.
>>
>> Cc: Felipe Balbi <balbi@xxxxxxxxxx>
>> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>> Cc: Raviteja Garimella <raviteja.garimella@xxxxxxxxxxxx>
>> Cc: Michal Nazarewicz <mina86@xxxxxxxxxx>
>> Cc: "Gustavo A. R. Silva" <garsilva@xxxxxxxxxxxxxx>
>> Cc: linux-usb@xxxxxxxxxxxxxxx
>> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>> ---
>> drivers/usb/gadget/udc/snps_udc_core.c | 16 +++++-----------
>> 1 file changed, 5 insertions(+), 11 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/udc/snps_udc_core.c b/drivers/usb/gadget/udc/snps_udc_core.c
>> index 5460e5ba1c3c..1607e901e16b 100644
>> --- a/drivers/usb/gadget/udc/snps_udc_core.c
>> +++ b/drivers/usb/gadget/udc/snps_udc_core.c
>> @@ -3067,14 +3067,12 @@ void udc_remove(struct udc *dev)
>> stop_timer++;
>> if (timer_pending(&udc_timer))
>> wait_for_completion(&on_exit);
>> - if (udc_timer.data)
>> - del_timer_sync(&udc_timer);
>> + del_timer_sync(&udc_timer);
>> /* remove pollstall timer */
>> stop_pollstall_timer++;
>> if (timer_pending(&udc_pollstall_timer))
>> wait_for_completion(&on_pollstall_exit);
>> - if (udc_pollstall_timer.data)
>> - del_timer_sync(&udc_pollstall_timer);
>> + del_timer_sync(&udc_pollstall_timer);
>> udc = NULL;
>> }
>> EXPORT_SYMBOL_GPL(udc_remove);
>> @@ -3164,9 +3162,9 @@ int udc_probe(struct udc *dev)
>> u32 reg;
>> int retval;
>>
>> - /* mark timer as not initialized */
>> - udc_timer.data = 0;
>> - udc_pollstall_timer.data = 0;
>> + /* timer init */
>> + setup_timer(&udc_timer, udc_timer_function, 0);
>> + setup_timer(&udc_pollstall_timer, udc_pollstall_timer_function, 0);
>>
>> /* device struct setup */
>> dev->gadget.ops = &udc_ops;
>> @@ -3206,10 +3204,6 @@ int udc_probe(struct udc *dev)
>> if (retval)
>> goto finished;
>>
>> - /* timer init */
>> - setup_timer(&udc_timer, udc_timer_function, 1);
>> - setup_timer(&udc_pollstall_timer, udc_pollstall_timer_function, 1);
>> -
>> /* set SD */
>> reg = readl(&dev->regs->ctl);
>> reg |= AMD_BIT(UDC_DEVCTL_SD);
>
>
> Stupid question, is the check in udc_remove even necessary?
>
> udc_probe is called from udc_plat_probe:
>
> if (udc_probe(udc)) {
> ret = -ENODEV;
> goto exit_dma;
> }
>
> If the call fails, udc_plat_probe cleans up after itself and noticeably
> *does not* call udc_remove. As far as I understand, if probe callback
> fails, remove callback is *not* called. Meanwhile, udc_remove is called
> from the remove callback which is udc_plat_remove. So, udc_remove can
> be called only if udc_probe succeeds.
>
> It seems to me that a better patch is:
>
> --- a/drivers/usb/gadget/udc/snps_udc_core.c
> +++ b/drivers/usb/gadget/udc/snps_udc_core.c
> @@ -3067,14 +3067,12 @@ void udc_remove(struct udc *dev)
> stop_timer++;
> if (timer_pending(&udc_timer))
> wait_for_completion(&on_exit);
> - if (udc_timer.data)
> - del_timer_sync(&udc_timer);
> + del_timer_sync(&udc_timer);
> /* remove pollstall timer */
> stop_pollstall_timer++;
> if (timer_pending(&udc_pollstall_timer))
> wait_for_completion(&on_pollstall_exit);
> - if (udc_pollstall_timer.data)
> - del_timer_sync(&udc_pollstall_timer);
> + del_timer_sync(&udc_pollstall_timer);
> udc = NULL;
> }
> EXPORT_SYMBOL_GPL(udc_remove);
> @@ -3164,9 +3162,9 @@ int udc_probe(struct udc *dev)
> u32 reg;
> int retval;
>
> - /* mark timer as not initialized */
> - udc_timer.data = 0;
> - udc_pollstall_timer.data = 0;
> -
> /* device struct setup */
> dev->gadget.ops = &udc_ops;
>
Okay, sounds good. I'll adjust the patch. Thanks!
-Kees
--
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
