Re: [PATCH v2] usb: gadget: Fix double free of device descriptor pointers

From: Wesley Cheng <wcheng@codeaurora.org>
To: Felipe Balbi <balbi@kernel.org>,
	gregkh@linuxfoundation.org, peter.chen@kernel.org
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	Hemant Kumar <hemantk@codeaurora.org>,
	stable@vger.kernel.org
Subject: Re: [PATCH v2] usb: gadget: Fix double free of device descriptor pointers
Date: Sat, 24 Apr 2021 01:37:29 -0700	[thread overview]
Message-ID: <029267dd-69fb-1f07-b6ff-3384d56c9f89@codeaurora.org> (raw)
In-Reply-To: <87sg3gksyy.fsf@kernel.org>

On 4/24/2021 1:05 AM, Felipe Balbi wrote:
> 
> Hi,
> 
> Wesley Cheng <wcheng@codeaurora.org> writes:
>>>>> From: Hemant Kumar <hemantk@codeaurora.org>
>>>>>
>>>>> Upon driver unbind usb_free_all_descriptors() function frees all
>>>>> speed descriptor pointers without setting them to NULL. In case
>>>>> gadget speed changes (i.e from super speed plus to super speed)
>>>>> after driver unbind only upto super speed descriptor pointers get
>>>>> populated. Super speed plus desc still holds the stale (already
>>>>> freed) pointer. Fix this issue by setting all descriptor pointers
>>>>> to NULL after freeing them in usb_free_all_descriptors().
>>>>
>>>> could you describe this a little better? How can one trigger this case?
>>>> Is the speed demotion happening after unbinding? It's not clear how to
>>>> cause this bug.
>>>>
>>> Hi Felipe,
>>>
>>> Internally, we have a mechanism to switch the DWC3 core maximum speed
>>> parameter dynamically for displayport use cases.  This issue happens
>>> whenever we have a maximum speed change occur on the USB gadget, which
>>> for DWC3 happens whenever we call gadget init.  When we switch in and
>>> out of host mode, gadget init is being executed, leading to the change
>>> in the USB gadget max speed parameter:
>>>
>>> dwc->gadget->max_speed		= dwc->maximum_speed;
>>>
>>> I know that configFS gadget has the max_speed sysfs file, which is a
>>> similar mechanism, but I haven't tried to see if we can reproduce the
>>> same issue with it.  Let me see if we can reproduce this with that
>>> configfs speed setting.
>>>
>>> Thanks
>>> Wesley Cheng
>>>
>>
>> Hi Felipe,
>>
>> So I tried with doing it through the configFS max_speed, but it doesn't
>> have the same effect, as the setting done in dwc3_gadget_init() will
>> still be assigning the composite/UDC device's maximum speed to SSP/SS.
>> This is what the usb_assign_descriptor() uses to determine whether or
>> not to copy the SSP and SS descriptors.
>>
>> So in summary, at least for a DWC3 based subsystem, the only way to
>> reproduce it is if there is a way to dynamically switch the DWC3 core
>> max speed parameter.
> 
> Could it be that you have a bug in your out-of-tree changes? Perhaps
> there's some assumption which your changes aren't guaranteeing.
> 
Hi Felipe,

Unless there is a limitation on how the USB gadget max speed can be
used, i.e. the USB gadget max speed MUST stay the same throughout a
device's boot period, then our out of tree changes may have the wrong
assumptions.  However, I don't see that stated anywhere, and I still
feel the current usb_assign_descriptors() and usb_free_all_descriptors()
aren't aligned with one another.  One API decides which descriptors to
copy based on a parameter, whereas the other just frees all of them
irrespective.

Thanks
Wesley Cheng

-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project