From: Felipe Balbi
CC: "Du, Changbin"
Subject: Re: [PATCH v3] usb: gadget: forbid queuing request to a disabled ep
In-Reply-To: <1450346431-8064-1-git-send-email-changbin.du@intel.com>
Date: Thu, 17 Dec 2015 09:26:29 -0600
Message-ID: <87bn9pdrkq.fsf@saruman.tx.rr.com>

Hi,

changbin.du@intel.com writes:
> From: "Du, Changbin"
>
> Queuing a request to a disabled ep doesn't make sense, and induces the
> caller to make mistakes.
>
> Here is an example for the android mtp gadget function driver. A mem
> corruption can happen in the scenario below.
> 1) On disconnect, the mtp driver disables its EPs,
> 2) During send_file_work and receive_file_work, mtp queues a request
> to ep. (The mtp driver needs to improve its synchronization logic!)
> 3) mtp_function_unbind is invoked and all mtp requests are freed.
> 4) When udc processes the request queued in step 2, it will cause a kernel
> NULL pointer dereference exception.
>
> Signed-off-by: Du, Changbin
> ---
> change from v2: ignore ep0 as it is always enabled during usb session.
> change from v1: add WARN_ON_ONCE message.
> ---
> include/linux/usb/gadget.h | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h
> index 3d583a1..0c5d9ea 100644
> --- a/include/linux/usb/gadget.h
> +++ b/include/linux/usb/gadget.h
> @@ -402,6 +402,9 @@ static inline void usb_ep_free_request(struct usb_ep = *ep,
> static inline int usb_ep_queue(struct usb_ep *ep,
> struct usb_request *req, gfp_t gfp_flags)
> {
> + if (WARN_ON_ONCE(!ep->enabled && !ep->address))

this will only trigger for a disabled ep0. Are you testing any of your
patches at all?

-- 
balbi
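Review bot: the test on the added line in usb_ep_queue() is inverted relative to the v3 changelog. "!ep->address" is true only when the address is 0, so "!ep->enabled && !ep->address" warns only for a disabled ep0 and still lets a request be queued to every other disabled endpoint, which is the case the commit message describes as leading to memory corruption after mtp_function_unbind frees the requests. To ignore ep0 and reject disabled non-control endpoints, the second operand needs to be true for a non-zero address, for example "WARN_ON_ONCE(!ep->enabled && ep->address)". The body of the if is not visible in the quoted hunk, so the value it returns to the caller cannot be checked from this message.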