On 2021-06-20 11:46, linyyuan@xxxxxxxxxxxxxx wrote:
On 2021-06-20 10:13, Alan Stern wrote:
On Sat, Jun 19, 2021 at 11:43:08PM +0800, Linyu Yuan wrote:
Currently most gadget drivers have a pointer to save
struct usb_gadget_driver from the upper layer;
it allows the upper layer to set and unset the pointer.
There is a race where the upper layer unsets the pointer first,
but the gadget driver uses the pointer later,
and it causes a system crash due to NULL pointer access.

This race has already been fixed in Greg's usb-next branch. See commit
7dc0c55e9f30 ("USB: UDC core: Add udc_async_callbacks gadget op") and
following commits 04145a03db9d ("USB: UDC: Implement udc_async_callbacks
in dummy-hcd") and b42e8090ba93 ("USB: UDC: Implement udc_async_callbacks
in net2280").

Thanks, this is better; the lower driver only needs to change several places.

You just need to write a corresponding patch implementing the
async_callbacks op for dwc3.

Yes, I will do.

Alan, I want to discuss your suggestion again in b42e8090ba93 ("USB: UDC:
Implement udc_async_callbacks in net2280")
+ if (dev->async_callbacks) { ----> if CPU1 saw
this is true
+ spin_unlock(&dev->lock); ---> CPU2 get
lock after this unlock,
it will set async_callbacks to false, then the following call will also crash, right?
+ tmp = dev->driver->setup(&dev->gadget,
&u.r);
+ spin_lock(&dev->lock);
+ }
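Review bot: dev->driver->setup() runs after spin_unlock(&dev->lock), so the dev->async_callbacks test made under the lock no longer covers the dereference of dev->driver, and nothing in these lines shows what keeps dev->driver valid across the unlocked window. Add a comment at the unlock naming the guarantee this path relies on (for instance, that whoever clears async_callbacks waits for a running handler to finish before dev->driver is unset). If no such guarantee exists, the check needs to be restructured so the driver pointer cannot be cleared while setup() is in progress.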
Alan Stern