On Wed, Jul 29, 2020 at 10:14:48AM -0400, Alan Stern wrote:
> On Wed, Jul 29, 2020 at 01:47:20AM +0000, Peter Chen wrote:
> > On 20-07-28 15:32:46, Alan Stern wrote:
> > > Roger:
> > >
> > > Your commit fac323471df6 ("usb: udc: allow adding and removing the same
> > > gadget device") from a few years ago just caught my eye. (I don't
> > > recall whether I noticed it at the time.)
> > >
> > > In any case, we need to talk about it. What you're doing --
> > > unregistering and re-registering the struct device embedded in the
> > > gadget structure -- is strictly forbidden by the kernel's device model.
> > > It's even mentioned specifically in the kerneldoc for device_add().
> > >
> > > Now, I guess doing this would be okay _if_ you took care not to
> > > re-register the device until all references to the previous incarnation
> > > have been dropped. In particular, setting the structure's memory to 0
> > > should not be done immediately after calling device_unregister() --
> > > which is what the commit does -- but rather in the release routine.
> > >
> > > Do you know which UDC drivers actually do re-register their gadgets? In
> > > particular, do they have their own release routines or do they rely on
> > > the default usb_udc_nop_release() provided by the UDC core?
> >
> > The dwc3 and cdns3 gadget drivers do that; they use the default
> > usb_udc_nop_release() provided by the UDC core. The usb_add_gadget_udc is
> > called when the controller role switches to device mode (the host VBUS is
> > seen at the device side), and usb_del_gadget_udc is called when the cable
> > is disconnected from the host.
>
> What if the role switches back to host without the cable being
> disconnected?
>
> > > Moving the
> > > memset into that routine ought to be okay; leaving it where it is would
> > > be a time bomb waiting to go off. I'm surprised it hasn't caused
> > > problems already.
> >
> > I have not seen a problem when doing hot plug, maybe one second is enough
> > to free all resources for the gadget device?
>
> Maybe. I don't know what other parts of the kernel might take a
> reference to the gadget's embedded struct device, but it certainly is
> not safe to wipe the struct device memory until the last reference
> has been dropped. And it is not safe to re-register the gadget until
> the memory has been wiped.
>
> (It used to be that userspace could keep a reference to a device
> indefinitely, just by holding open one of its sysfs attribute files.
> That may not be true any more, but there may be other ways for
> userspace to accomplish the same thing.)

Yes, this is tricky, and as you point out, 'struct device' should never
be recycled. This should be fixed up properly or there could be real
problems as you show.

thanks,

greg k-h
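
The lifetime rule discussed in this thread, shown as an added example that is not part of the original message and is not kernel code: a small userspace model in which the wipe happens in the release callback and re-registration is refused while an older reference is still held. All names (`model_dev`, `model_gadget`, `run_scenario` and the helpers) are hypothetical stand-ins, and the refcount is a plain integer rather than the kernel's kref.

```c
/* Userspace model constructed for illustration; not kernel code. */
#include <stddef.h>
#include <string.h>

struct model_dev {                 /* stands in for struct device */
    int refs;                      /* stands in for the embedded refcount */
    void (*release)(struct model_dev *);
};
struct model_gadget {              /* stands in for struct usb_gadget */
    int speed;                     /* state a late reference holder may read */
    struct model_dev dev;
};

/* Runs only when the last reference is dropped, so wiping here is safe. */
static void gadget_release(struct model_dev *d)
{
    char *base = (char *)d - offsetof(struct model_gadget, dev);
    memset(base, 0, sizeof(struct model_gadget));
}
static void model_get(struct model_dev *d) { d->refs++; }
static void model_put(struct model_dev *d) { if (--d->refs == 0) d->release(d); }

/* Refuse to register while a previous incarnation is still referenced. */
static int model_register(struct model_gadget *g, int speed)
{
    if (g->dev.refs != 0)
        return -1;
    g->speed = speed;
    g->dev.release = gadget_release;
    g->dev.refs = 1;               /* reference owned by the registration */
    return 0;
}
static void model_unregister(struct model_gadget *g) { model_put(&g->dev); }

/* Bits: 1 intact while referenced, 2 re-register refused, 4 wiped, 8 reusable. */
int run_scenario(void)
{
    struct model_gadget g = {0};
    int r = 0;
    model_register(&g, 3);
    model_get(&g.dev);             /* a second holder outlives unregister */
    model_unregister(&g);
    r |= (g.speed == 3) ? 1 : 0;
    r |= (model_register(&g, 5) == -1) ? 2 : 0;
    model_put(&g.dev);             /* last reference: release wipes the struct */
    r |= (g.speed == 0 && g.dev.release == NULL) ? 4 : 0;
    r |= (model_register(&g, 5) == 0) ? 8 : 0;
    return r;
}
int main(void) { return run_scenario() == 15 ? 0 : 1; }
```
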