Re: [PATCH] usb: gadget: avoid using gadget after freed

From: Felipe Balbi <balbi@kernel.org>
To: Lianwei Wang <lianwei.wang@gmail.com>
Cc: linux-usb@vger.kernel.org, gregkh@linuxfoundation.org
Subject: Re: [PATCH] usb: gadget: avoid using gadget after freed
Date: Tue, 18 Jun 2019 10:21:49 +0300	[thread overview]
Message-ID: <87d0jbgxyq.fsf@linux.intel.com> (raw)
In-Reply-To: <CAJFUiJh4zQDvnS7BhUam14LtUrb5ad=hiukQgiYbOiUZs4zVcg@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3173 bytes --]

Hi,

Lianwei Wang <lianwei.wang@gmail.com> writes:
> On Mon, Jun 17, 2019 at 5:40 AM Felipe Balbi <balbi@kernel.org> wrote:
>>
>> Lianwei Wang <lianwei.wang@gmail.com> writes:
>>
>> > The udc and gadget device will be deleted when udc device is
>> > disconnected and the related function will be unbind with it.
>> >
>> > But if the configfs is not deleted, then the function object
>> > will be kept and the bound status is kept true.
>> >
>> > Then after udc device is connected again and a new udc and
>> > gadget objects will be created and passed to bind interface.
>> > But because the bound is still true, the new gadget is not
>> > updated to netdev and a previous freed gadget will be used
>> > in netdev after bind.
>> >
>> > To fix this using after freed issue, always set the gadget
>> > object to netdev in bind interface.
>> >
>> > Signed-off-by: Lianwei Wang <lianwei.wang@gmail.com>
>>
>> I can't actually understand what's the problem here. The gadget is not
>> deleted when we disconnect the cable.
>>
>> --
>> balbi
>
> The issue was observed with a dual-role capable USB controller (e.g. Intel
> XHCI controller), which has the ability to switch role between host and device
> mode. The gadget is deleted when we switch role to device mode from host
> mode. See below log:
> # echo p > /sys/devices/pci0000:00/0000:00:15.1/intel-cht-otg.0/mux_state #(4.4)

oh, so you're using a modified tree :-) Then we can't really help.

> [   41.170891] intel-cht-otg intel-cht-otg.0: p: set PERIPHERAL mode
> [   41.171895] dwc3 dwc3.0.auto: DWC3 OTG Notify USB_EVENT_VBUS
> [   41.187420] dwc3 dwc3.0.auto: dwc3_resume_common
> [   41.191192] usb 1-1: USB disconnect, device number 3
> [   41.191284] usb 1-1.1: USB disconnect, device number 4
> [   41.218958] usb 1-1.5: USB disconnect, device number 5
> [   41.238117] android_work: sent uevent USB_STATE=CONFIGURED
> [   41.240572] android_work: sent uevent USB_STATE=DISCONNECTED

What is this android_work. That doesn't exist upstream.

> [   41.263285] platform dabr_udc.0: unregister gadget driver 'configfs-gadget'
> [   41.263413] configfs-gadget gadget: unbind function 'Function FS
> Gadget'/ffff8801db049e38
> [   41.263969] configfs-gadget gadget: unbind function
> 'cdc_network'/ffff8801d8897400
> [   41.325943] dabridge 1-1.5:1.0: Port 3 VBUS OFF
> [   41.720957] dabr_udc deleted
> [   41.721097] dabridge 1-5 deleted
>
> The UDC and gadget will be deleted after switch role to device mode.
> And they will be
> created as new object when switching back to host mode. At this time
> the bind in function
> driver (e.g. f_ncm) will not set the new gadget.
>
> For kernel 4.19+, the role switch command will be:
>   echo "device" > /sys/class/usb_role/intel_xhci_usb_sw-role-switch/role
>
> The latest Intel role switch kernel driver can be found here:
>   https://elixir.bootlin.com/linux/v5.2-rc5/source/drivers/usb/roles/intel-xhci-usb-role-switch.c

Right, please test against v5.2-rc5 and show me the problem on that
kernel. I can't apply patches for problems that may not even exist in
upstream, sorry.

-- 
balbi

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]