From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-usb-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 78F0DC4338F
	for <linux-usb@archiver.kernel.org>; Wed, 25 Aug 2021 09:21:33 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 5461E61037
	for <linux-usb@archiver.kernel.org>; Wed, 25 Aug 2021 09:21:33 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239464AbhHYJWR (ORCPT <rfc822;linux-usb@archiver.kernel.org>);
        Wed, 25 Aug 2021 05:22:17 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53448 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232774AbhHYJWQ (ORCPT
        <rfc822;linux-usb@vger.kernel.org>); Wed, 25 Aug 2021 05:22:16 -0400
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DD01DC061757
        for <linux-usb@vger.kernel.org>; Wed, 25 Aug 2021 02:21:30 -0700 (PDT)
Received: by mail-wr1-x42a.google.com with SMTP id x12so35310350wrr.11
        for <linux-usb@vger.kernel.org>; Wed, 25 Aug 2021 02:21:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=baylibre-com.20150623.gappssmtp.com; s=20150623;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=Nr5ldMTnZyEoaDP2MOUKRrLKy0i/6wxf41UTk8wHlwU=;
        b=joKHoSBSh/xc5IsD6a7mRqzAoEeXrQ5PMN2mYlcQUUre8Xe8qCH8G1K+lW39vIQLws
         b7+7jKxYQTzjK01V7KE/pqqBqKj2Q8jW+9xFoajRHZl0PZ6q3O8msw0Az7dwdiMwYjbn
         pH9+fgQVpHDdLhgs3HhhcJHdB+uk5WgQHSwk8Rqm1AbGrItL6vq4QjR0D0fp8jVoHf7k
         xMTmHGXZcO8Q+cA8a3LWOKm4M78/eVyHfvo/d6t0bCO8pNeyx+dAE6vyWqtoSB3g+2mV
         M/Z/3dle+pqPVd6ULRROGlxVxqqAc68lONvVpS6Aw2WpT6ktfa53mXYFe2hmPmQD91X8
         uERg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=Nr5ldMTnZyEoaDP2MOUKRrLKy0i/6wxf41UTk8wHlwU=;
        b=Nm8GL4bINP17WGAGndfQ1SQyqE4GtcLVPRPdLUz1uRhUCsdokj0BVrj4OHY1lcemIY
         l3Vr3xmxJEK1IuD8uewacsUZg6bH2odKkH8yT8yiuHC6R+oj7gKing4+R4yAEBBtN/P2
         ivRImVfFuVMXlQZzynB3Rf9JJgWKpDdAwlCU20j349lWefSeonsWQoLG5SmP7yw15qX1
         4itQtz22ADuZjSsdXeCbmjTuCOVV2TAXWkr8sn1U0QjUO0gcO2bMjq6fjWUhpB/mQkTo
         6Vvqu4KaSjF5Ql/YhMJ6v53IRjoSSDMKWoW8Ls2bjHd/isfcNNRxk6jbbOUCFZLFmonv
         kS9Q==
X-Gm-Message-State: AOAM533uR7psNc05WBlMT1lPdjlA/grwv3pyBCJhHAiYRltExz8AhylF
        kS0FzaBwBjsA+KbYPDINBk/aOw==
X-Google-Smtp-Source: ABdhPJxO/I02GTgVKK7gQ23noQNpufzJHSm1c8cbXqZTodnZMin+6sXCrqBpGNF86k+aadpFt343DA==
X-Received: by 2002:a05:6000:1569:: with SMTP id 9mr15638215wrz.242.1629883289465;
        Wed, 25 Aug 2021 02:21:29 -0700 (PDT)
Received: from jackdaw.baylibre.local (laubervilliers-658-1-213-31.w90-63.abo.wanadoo.fr. [90.63.244.31])
        by smtp.googlemail.com with ESMTPSA id 18sm5416918wmv.27.2021.08.25.02.21.28
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 25 Aug 2021 02:21:29 -0700 (PDT)
From:   Jerome Brunet <jbrunet@baylibre.com>
To:     Ferry Toth <fntoth@gmail.com>, Ferry Toth <ftoth@exalondelft.nl>,
        Ruslan Bilovol <ruslan.bilovol@gmail.com>,
        Felipe Balbi <balbi@kernel.org>,
        Pavel Hofman <pavel.hofman@ivitera.com>
Cc:     Jerome Brunet <jbrunet@baylibre.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jack Pham <jackp@codeaurora.org>, linux-kernel@vger.kernel.org,
        linux-usb@vger.kernel.org
Subject: [PATCH] usb: gadget: f_uac2: fixup feedback endpoint stop
Date:   Wed, 25 Aug 2021 11:21:07 +0200
Message-Id: <20210825092107.124419-1-jbrunet@baylibre.com>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210824201433.11385-1-ftoth@exalondelft.nl>
References: <20210824201433.11385-1-ftoth@exalondelft.nl>
MIME-Version: 1.0
X-Patchwork-Bot: notify
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-usb.vger.kernel.org>
X-Mailing-List: linux-usb@vger.kernel.org

When the uac2 function is stopped, there seems to be an issue with some
platforms (Intel Merrifield at least)

BUG: kernel NULL pointer dereference, address: 0000000000000008
...
RIP: 0010:dwc3_gadget_del_and_unmap_request+0x19/0xe0
...
Call Trace:
 dwc3_remove_requests.constprop.0+0x12f/0x170
 __dwc3_gadget_ep_disable+0x7a/0x160
 dwc3_gadget_ep_disable+0x3d/0xd0
 usb_ep_disable+0x1c/0x70
 u_audio_stop_capture+0x79/0x120 [u_audio]
 afunc_set_alt+0x73/0x80 [usb_f_uac2]
 composite_setup+0x224/0x1b90 [libcomposite]

The issue happens only when the gadget is using the sync type "async", not
"adaptive". This indicates that problem is likely coming from the feedback
endpoint, which is only used with async synchronization mode.

Update the feedback endpoint free function to release the endpoint the same
way it is done for the data endpoint.

Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
---

 Hi Ferry,

 Would you mind trying this before reverting the whole thing ?
 The HW I have did not show the issue so far so I can't really check
 if it helps. Hopefully, it does ...

 drivers/usb/gadget/function/u_audio.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c
index 018dd0978995..63d9340f008e 100644
--- a/drivers/usb/gadget/function/u_audio.c
+++ b/drivers/usb/gadget/function/u_audio.c
@@ -230,7 +230,13 @@ static void u_audio_iso_fback_complete(struct usb_ep *ep,
 	int status = req->status;
 
 	/* i/f shutting down */
-	if (!prm->fb_ep_enabled || req->status == -ESHUTDOWN)
+	if (!prm->fb_ep_enabled) {
+		kfree(req->buf);
+		usb_ep_free_request(ep, req);
+		return;
+	}
+
+	if (req->status == -ESHUTDOWN)
 		return;
 
 	/*
@@ -421,9 +427,10 @@ static inline void free_ep_fback(struct uac_rtd_params *prm, struct usb_ep *ep)
 	prm->fb_ep_enabled = false;
 
 	if (prm->req_fback) {
-		usb_ep_dequeue(ep, prm->req_fback);
-		kfree(prm->req_fback->buf);
-		usb_ep_free_request(ep, prm->req_fback);
+		if (usb_ep_dequeue(ep, prm->req_fback)) {
+			kfree(prm->req_fback->buf);
+			usb_ep_free_request(ep, prm->req_fback);
+		}
 		prm->req_fback = NULL;
 	}
 
-- 
2.33.0