On Mon, Jan 27, 2025 at 5:44 PM Thinh Nguyen <Thinh.Nguyen@xxxxxxxxxxxx> wrote:
>
> On Wed, Jan 22, 2025, Roy Luo wrote:
> > `dwc3_gadget_soft_disconnect` function, called as part of
>
> The dwc3_gadget_soft_disconnect() isn't directly part of
> device_del(&gadget->dev). It should be part of disconnect.
>
> Can you provide the full sequence of events so I can have more context?
> The handling of the flushing of gadget->work should not be part of the
> dwc3.

Yes, it's a part of disconnect, and disconnect is a part of gadget
unbind. Let me try my best to explain. Here's the call stack for
usb_del_gadget:

-> usb_del_gadget
-> flush_work(&gadget->work)
-> device_del
-> bus_remove_device
-> device_release_driver
-> gadget_unbind_driver
-> usb_gadget_disconnect_locked
-> dwc3_gadget_pullup
-> dwc3_gadget_soft_disconnect
-> usb_gadget_set_state
-> schedule_work(&gadget->work)

Then when usb_put_gadget is called, gadget could be freed before
gadget->work is executed.

-> usb_put_gadget
-> put_device
-> kobject_put
-> device_release
-> dwc_gadget_release
-> kfree(gadget)

>
> Since the patch above is now in the mainline, may need to add a stable
> tag.

Ack, will cc stable in the next revision.

Regards,
Roy Luo