diff mbox series

[v2] usb: gadget: f_uvc: fix superspeedplus transfer

Message ID 20220215021647.4316-1-3090101217@zju.edu.cn
State Superseded
Headers show
Series [v2] usb: gadget: f_uvc: fix superspeedplus transfer | expand

Commit Message

Jing Leng Feb. 15, 2022, 2:16 a.m. UTC
From: Jing Leng <jleng@ambarella.com>

UVC driver doesn't set ssp_descriptors in struct usb_function,
If UVC uses superspeedplus UDC (e.g. cdnsp), when
config_ep_by_speed_and_alt is called, the g->speed is
USB_SPEED_SUPER_PLUS, and f->ssp_descriptors is NULL,
So kernel will access NULL pointer of speed_desc.

Call trace:
 config_ep_by_speed_and_alt+0x3c/0x2a0 [libcomposite]
 uvc_function_set_alt+0xd4/0x2e8 [usb_f_uvc]
 set_config.constprop.0+0x154/0x3a0 [libcomposite]
 composite_setup+0x314/0xb44 [libcomposite]
 configfs_composite_setup+0x84/0xb0 [libcomposite]
 cdnsp_ep0_std_request+0x25c/0x470 [cdns3]
 cdnsp_setup_analyze+0x94/0x25c [cdns3]
 cdnsp_handle_event+0xe8/0x23c [cdns3]
 cdnsp_thread_irq_handler+0x58/0xe8 [cdns3]
 irq_thread_fn+0x2c/0xa0
 irq_thread+0x164/0x280
 kthread+0x128/0x134
 ret_from_fork+0x10/0x40

Signed-off-by: Jing Leng <jleng@ambarella.com>
---
 drivers/usb/gadget/function/f_uvc.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

Comments

Greg Kroah-Hartman Feb. 15, 2022, 2:07 p.m. UTC | #1
On Tue, Feb 15, 2022 at 10:16:47AM +0800, 3090101217@zju.edu.cn wrote:
> From: Jing Leng <jleng@ambarella.com>
> 
> UVC driver doesn't set ssp_descriptors in struct usb_function,
> If UVC uses superspeedplus UDC (e.g. cdnsp), when
> config_ep_by_speed_and_alt is called, the g->speed is
> USB_SPEED_SUPER_PLUS, and f->ssp_descriptors is NULL,
> So kernel will access NULL pointer of speed_desc.
> 
> Call trace:
>  config_ep_by_speed_and_alt+0x3c/0x2a0 [libcomposite]
>  uvc_function_set_alt+0xd4/0x2e8 [usb_f_uvc]
>  set_config.constprop.0+0x154/0x3a0 [libcomposite]
>  composite_setup+0x314/0xb44 [libcomposite]
>  configfs_composite_setup+0x84/0xb0 [libcomposite]
>  cdnsp_ep0_std_request+0x25c/0x470 [cdns3]
>  cdnsp_setup_analyze+0x94/0x25c [cdns3]
>  cdnsp_handle_event+0xe8/0x23c [cdns3]
>  cdnsp_thread_irq_handler+0x58/0xe8 [cdns3]
>  irq_thread_fn+0x2c/0xa0
>  irq_thread+0x164/0x280
>  kthread+0x128/0x134
>  ret_from_fork+0x10/0x40

What does "call trace" here mean?  Is this an error?  Something else?

> 
> Signed-off-by: Jing Leng <jleng@ambarella.com>
> ---
>  drivers/usb/gadget/function/f_uvc.c | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)

You did not read the information that my bot told you to read, for how
to properly version your patches :(

Please go back and do so when you resend all of them.

Also this is not a patch series?  Why not?

thanks,

greg k-h
Jing Leng Feb. 16, 2022, 2:34 a.m. UTC | #2
Hi Greg KH,

Sorry for the trouble, as a new contributor to kernel.
Although I have readed the document that how to submit patches,
I'm still missing some details.

> What does "call trace" here mean?  Is this an error?  Something else?
It is "call trace" when the kernel accessed NULL pointer and handed.

> You did not read the information that my bot told you to read, for how
> to properly version your patches :(
> 
> Please go back and do so when you resend all of them.
> 
> Also this is not a patch series?  Why not?

I readed the bot told, but I still missed it.
The new patch only adds more detailed patch description.
So it is not a patch series.

thanks,

Jing Leng
Greg Kroah-Hartman Feb. 16, 2022, 10:39 a.m. UTC | #3
On Wed, Feb 16, 2022 at 10:34:00AM +0800, 冷静 wrote:
> Hi Greg KH,
> 
> Sorry for the trouble, as a new contributor to kernel.

That's fine, maybe get some more experience first before trying to add
new features?  Try doing some coding style cleanups in drivers/staging/
or reviewing other people's code submissions first.  That way you can
learn how things work easier.

> Although I have readed the document that how to submit patches,
> I'm still missing some details.
> 
> > What does "call trace" here mean?  Is this an error?  Something else?
> It is "call trace" when the kernel accessed NULL pointer and handed.

I do not understand this, sorry.

> > You did not read the information that my bot told you to read, for how
> > to properly version your patches :(
> > 
> > Please go back and do so when you resend all of them.
> > 
> > Also this is not a patch series?  Why not?
> 
> I readed the bot told, but I still missed it.
> The new patch only adds more detailed patch description.
> So it is not a patch series.

I asked you to make it a patch series.

thanks,

greg k-h
Jing Leng Feb. 17, 2022, 2:57 a.m. UTC | #4
Hi Greg KH,

Sorry for the confusion.

I tested the feature on linux-5.10, it will cause Oops.
The Oops is as follows:
 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
 Mem abort info:
   ESR = 0x96000005
   EC = 0x25: DABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
 Data abort info:
   ISV = 0, ISS = 0x00000005
   CM = 0, WnR = 0
 user pgtable: 4k pages, 39-bit VAs, pgdp=00000001b12cf000
 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
 Internal error: Oops: 96000005 [#1] PREEMPT SMP
 Modules linked in: ...
 CPU: 0 PID: 619 Comm: irq/95-20200080 Tainted: G           O      5.10.61 #2
 Hardware name: Ambarella CV5 TIMN Board (DT)
 pstate: 20c00085 (nzCv daIf +PAN +UAO -TCO BTYPE=--)
 pc : config_ep_by_speed_and_alt+0x3c/0x2a0 [libcomposite]
 lr : config_ep_by_speed+0x14/0x20 [libcomposite]
 sp : ffffffc011dbbac0
 x29: ffffffc011dbbac0 x28: 0000000000000001
 x27: ffffff81b3eb1920 x26: 0000000000000000
 x25: ffffff81b68085e8 x24: ffffff81b3ee4c00
 x23: ffffff81b3d71c40 x22: 0000000000000000
 x21: 0000000000000000 x20: ffffff81b68085e8
 x19: ffffff81b6808000 x18: ffffffc091dbb737
 x17: 0000000000000017 x16: 000000000000000a
 x15: 0000000000000006 x14: ffffffc011dbb73f
 x13: 0000000000000001 x12: ffffffc0109c97e8
 x11: 0000000000000652 x10: 00000000000e5a65
 x9 : ffffffc0109c97e8 x8 : 00000000fffff7ff
 x7 : 00000000000017fd x6 : 0000000000000001
 x5 : ffffff81fb5976a8 x4 : 0000000000000006
 x3 : 0000000000000000 x2 : ffffff81b6838718
 x1 : 0000000000000000 x0 : ffffff81b6838008
 Call trace:
  config_ep_by_speed_and_alt+0x3c/0x2a0 [libcomposite]
  uvc_function_set_alt+0xd4/0x2e8 [usb_f_uvc]
  set_config.constprop.0+0x154/0x3a0 [libcomposite]
  composite_setup+0x314/0xb44 [libcomposite]
  configfs_composite_setup+0x84/0xb0 [libcomposite]
  cdnsp_ep0_std_request+0x25c/0x470 [cdns3]
  cdnsp_setup_analyze+0x94/0x25c [cdns3]
  cdnsp_handle_event+0xe8/0x23c [cdns3]
  cdnsp_thread_irq_handler+0x58/0xe8 [cdns3]
  irq_thread_fn+0x2c/0xa0
  irq_thread+0x164/0x280
  kthread+0x128/0x134
  ret_from_fork+0x10/0x40
 Code: 71000c9f 54000b60 f9400821 52800006 (f9400024)
 ---[ end trace 7d3065b8181de7a6 ]---
 note: irq/95-20200080[619] exited with preempt_count 2
 genirq: exiting task "irq/95-20200080" (619) is an active IRQ thread (irq 95)

But the Oops is fixed in the latest kernel by the following commit:
 commit 16d42759207fc3d1bff7cfd330a08a225e470ba0
 Author: Qihang Hu <huqihang@oppo.com>
 Date:   Wed Nov 10 18:11:29 2021 +0800

     usb: gadget: composite: Show warning if function driver's descriptors are incomplete.

There are some problems with my previous understanding,
so the patch is a feature but not a bug, I will modify the
title and description of the patch and resend it. 

Thanks
Jing Leng
diff mbox series

Patch

diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
index 71bb5e477dba..8fc9b035481e 100644
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -478,6 +478,7 @@  uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
 	void *mem;
 
 	switch (speed) {
+	case USB_SPEED_SUPER_PLUS:
 	case USB_SPEED_SUPER:
 		uvc_control_desc = uvc->desc.ss_control;
 		uvc_streaming_cls = uvc->desc.ss_streaming;
@@ -521,7 +522,7 @@  uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
 	      + uvc_control_ep.bLength + uvc_control_cs_ep.bLength
 	      + uvc_streaming_intf_alt0.bLength;
 
-	if (speed == USB_SPEED_SUPER) {
+	if (speed == USB_SPEED_SUPER || speed == USB_SPEED_SUPER_PLUS) {
 		bytes += uvc_ss_control_comp.bLength;
 		n_desc = 6;
 	} else {
@@ -565,7 +566,7 @@  uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
 	uvc_control_header->baInterfaceNr[0] = uvc->streaming_intf;
 
 	UVC_COPY_DESCRIPTOR(mem, dst, &uvc_control_ep);
-	if (speed == USB_SPEED_SUPER)
+	if (speed == USB_SPEED_SUPER || speed == USB_SPEED_SUPER_PLUS)
 		UVC_COPY_DESCRIPTOR(mem, dst, &uvc_ss_control_comp);
 
 	UVC_COPY_DESCRIPTOR(mem, dst, &uvc_control_cs_ep);
@@ -727,6 +728,15 @@  uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
 		}
 	}
 
+	if (gadget_is_superspeed_plus(c->cdev->gadget)) {
+		f->ssp_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER_PLUS);
+		if (IS_ERR(f->ssp_descriptors)) {
+			ret = PTR_ERR(f->ssp_descriptors);
+			f->ssp_descriptors = NULL;
+			goto error;
+		}
+	}
+
 	/* Preallocate control endpoint request. */
 	uvc->control_req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL);
 	uvc->control_buf = kmalloc(UVC_MAX_REQUEST_SIZE, GFP_KERNEL);