From patchwork Fri Oct 17 17:10:04 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Felipe Balbi <balbi@ti.com>
X-Patchwork-Id: 38913
Return-Path: <patchwork-forward+bncBC5M7T4HYEKRBGM3QWRAKGQEERU37UA@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-la0-f72.google.com (mail-la0-f72.google.com
 [209.85.215.72])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id DCF83202DB
 for <linaro@patches.linaro.org>; Fri, 17 Oct 2014 17:10:50 +0000 (UTC)
Received: by mail-la0-f72.google.com with SMTP id gq15sf710618lab.7
 for <linaro@patches.linaro.org>; Fri, 17 Oct 2014 10:10:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:delivered-to:from:to:cc:subject:date:message-id
 :in-reply-to:references:mime-version:sender:precedence:list-id
 :x-original-sender:x-original-authentication-results:mailing-list
 :list-post:list-help:list-archive:list-unsubscribe:content-type;
 bh=0keKaV6P+P0A8CNhV1kTNpQs7mk2VxOlvxbUWz0miPI=;
 b=dnUb1QcZA2CmathLau0NPq/r8Ur+1Fac2xAnC/7vpQj9PEUGmTYWz6Psv9A1pkGdOT
 FgPSeCxwZkeV0lM6R0QlqQr0sgiE2DS0R6srGDXwb1/uC2OKQZphTNY7TON/GhEp29JB
 qnMFDMkteTmzQ5LN1phNiqnsdSq2YAI0Y5HhrRQLZQ+QhaMHxF1jz3w0svxVuoMsFWN9
 in+oN9j/jQN5QzrfTGu4DIY8Vr1CxrKXK9modwVrSeY/hwM0iJ+f1LY1hV89GMHz/Z4b
 5D/qi+3mCTyDQhNhNOAIlFEQAYbxpB/NcrGfsZ0alagz/GyQ2k/q369a09/7KsunC9km
 GmgA==
X-Gm-Message-State: ALoCoQmlEswjVITbF6gukTiUK/z+ZixwmB+0qndm1roKf+EfvC634z9n8aNhuDEsHZlSWjY2W0Pb
X-Received: by 10.112.97.35 with SMTP id dx3mr14624lbb.20.1413565849724;
 Fri, 17 Oct 2014 10:10:49 -0700 (PDT)
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.152.234.167 with SMTP id uf7ls279604lac.100.gmail;
 Fri, 17 Oct 2014 10:10:49 -0700 (PDT)
X-Received: by 10.112.128.162 with SMTP id np2mr10327779lbb.78.1413565849448; 
 Fri, 17 Oct 2014 10:10:49 -0700 (PDT)
Received: from mail-la0-f41.google.com (mail-la0-f41.google.com.
 [209.85.215.41]) by mx.google.com with ESMTPS id
 ao5si2975060lbc.58.2014.10.17.10.10.49
 for <patchwork-forward@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Fri, 17 Oct 2014 10:10:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.215.41 as permitted sender) client-ip=209.85.215.41; 
Received: by mail-la0-f41.google.com with SMTP id pn19so1067227lab.28
 for <patchwork-forward@linaro.org>;
 Fri, 17 Oct 2014 10:10:49 -0700 (PDT)
X-Received: by 10.152.5.38 with SMTP id p6mr5580424lap.44.1413565849255;
 Fri, 17 Oct 2014 10:10:49 -0700 (PDT)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.112.84.229 with SMTP id c5csp266762lbz;
 Fri, 17 Oct 2014 10:10:48 -0700 (PDT)
X-Received: by 10.70.92.3 with SMTP id ci3mr9649781pdb.41.1413565847748;
 Fri, 17 Oct 2014 10:10:47 -0700 (PDT)
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 gl5si1534967pbc.229.2014.10.17.10.10.47 for <multiple recipients>;
 Fri, 17 Oct 2014 10:10:47 -0700 (PDT)
Received-SPF: none (google.com: linux-usb-owner@vger.kernel.org does not
 designate permitted sender hosts) client-ip=209.132.180.67; 
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1753598AbaJQRKp (ORCPT <rfc822;amit.pundir@linaro.org>
 + 3 others); Fri, 17 Oct 2014 13:10:45 -0400
Received: from devils.ext.ti.com ([198.47.26.153]:36013 "EHLO
 devils.ext.ti.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1753589AbaJQRKo (ORCPT
 <rfc822; linux-usb@vger.kernel.org>); Fri, 17 Oct 2014 13:10:44 -0400
Received: from dflxv15.itg.ti.com ([128.247.5.124])
 by devils.ext.ti.com (8.13.7/8.13.7) with ESMTP id s9HHAhM4024923;
 Fri, 17 Oct 2014 12:10:43 -0500
Received: from DLEE71.ent.ti.com (dlee71.ent.ti.com [157.170.170.114])
 by dflxv15.itg.ti.com (8.14.3/8.13.8) with ESMTP id s9HHAhab023271;
 Fri, 17 Oct 2014 12:10:43 -0500
Received: from dflp32.itg.ti.com (10.64.6.15) by DLEE71.ent.ti.com
 (157.170.170.114) with Microsoft SMTP Server id 14.3.174.1;
 Fri, 17 Oct 2014 12:10:43 -0500
Received: from localhost (ileax41-snat.itg.ti.com [10.172.224.153])	by
 dflp32.itg.ti.com (8.14.3/8.13.8) with ESMTP id s9HHAgnJ022979;
 Fri, 17 Oct 2014 12:10:43 -0500
From: Felipe Balbi <balbi@ti.com>
To: Linux USB Mailing List <linux-usb@vger.kernel.org>
CC: Felipe Balbi <balbi@ti.com>, <stable@vger.kernel.org>
Subject: [PATCH 28/28] usb: gadget: udc: core: fix kernel oops with
 soft-connect
Date: Fri, 17 Oct 2014 12:10:04 -0500
Message-ID: <1413565804-13061-29-git-send-email-balbi@ti.com>
X-Mailer: git-send-email 2.1.0.GIT
In-Reply-To: <1413565804-13061-1-git-send-email-balbi@ti.com>
References: <1413565804-13061-1-git-send-email-balbi@ti.com>
MIME-Version: 1.0
Sender: linux-usb-owner@vger.kernel.org
Precedence: list
List-ID: <patchwork-forward.linaro.org>
X-Mailing-List: linux-usb@vger.kernel.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: balbi@ti.com
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.215.41 as permitted sender)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>

Currently, there's no guarantee that udc->driver
will be valid when using soft_connect sysfs
interface. In fact, we can very easily trigger
a NULL pointer dereference by trying to disconnect
when a gadget driver isn't loaded.

Fix this bug:

~# echo disconnect > soft_connect
[   33.685743] Unable to handle kernel NULL pointer dereference at virtual address 00000014
[   33.694221] pgd = ed0cc000
[   33.697174] [00000014] *pgd=ae351831, *pte=00000000, *ppte=00000000
[   33.703766] Internal error: Oops: 17 [#1] SMP ARM
[   33.708697] Modules linked in: xhci_plat_hcd xhci_hcd snd_soc_davinci_mcasp snd_soc_tlv320aic3x snd_soc_edma snd_soc_omap snd_soc_evm snd_soc_core dwc3 snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd lis3lv02d_i2c matrix_keypad lis3lv02d dwc3_omap input_polldev soundcore
[   33.734372] CPU: 0 PID: 1457 Comm: bash Not tainted 3.17.0-09740-ga93416e-dirty #345
[   33.742457] task: ee71ce00 ti: ee68a000 task.ti: ee68a000
[   33.748116] PC is at usb_udc_softconn_store+0xa4/0xec
[   33.753416] LR is at mark_held_locks+0x78/0x90
[   33.758057] pc : [<c04df128>]    lr : [<c00896a4>]    psr: 20000013
[   33.758057] sp : ee68bec8  ip : c0c00008  fp : ee68bee4
[   33.770050] r10: ee6b394c  r9 : ee68bf80  r8 : ee6062c0
[   33.775508] r7 : 00000000  r6 : ee6062c0  r5 : 0000000b  r4 : ee739408
[   33.782346] r3 : 00000000  r2 : 00000000  r1 : ee71d390  r0 : ee664170
[   33.789168] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   33.796636] Control: 10c5387d  Table: ad0cc059  DAC: 00000015
[   33.802638] Process bash (pid: 1457, stack limit = 0xee68a248)
[   33.808740] Stack: (0xee68bec8 to 0xee68c000)
[   33.813299] bec0:                   0000000b c0411284 ee6062c0 00000000 ee68bef4 ee68bee8
[   33.821862] bee0: c04112ac c04df090 ee68bf14 ee68bef8 c01c2868 c0411290 0000000b ee6b3940
[   33.830419] bf00: 00000000 00000000 ee68bf4c ee68bf18 c01c1a24 c01c2818 00000000 00000000
[   33.838990] bf20: ee61b940 ee2f47c0 0000000b 000ce408 ee68bf80 c000f304 ee68a000 00000000
[   33.847544] bf40: ee68bf7c ee68bf50 c0152dd8 c01c1960 ee68bf7c c0170af8 ee68bf7c ee2f47c0
[   33.856099] bf60: ee2f47c0 000ce408 0000000b c000f304 ee68bfa4 ee68bf80 c0153330 c0152d34
[   33.864653] bf80: 00000000 00000000 0000000b 000ce408 b6e7fb50 00000004 00000000 ee68bfa8
[   33.873204] bfa0: c000f080 c01532e8 0000000b 000ce408 00000001 000ce408 0000000b 00000000
[   33.881763] bfc0: 0000000b 000ce408 b6e7fb50 00000004 0000000b 00000000 000c5758 00000000
[   33.890319] bfe0: 00000000 bec2c924 b6de422d b6e1d226 40000030 00000001 75716d2f 00657565
[   33.898890] [<c04df128>] (usb_udc_softconn_store) from [<c04112ac>] (dev_attr_store+0x28/0x34)
[   33.907920] [<c04112ac>] (dev_attr_store) from [<c01c2868>] (sysfs_kf_write+0x5c/0x60)
[   33.916200] [<c01c2868>] (sysfs_kf_write) from [<c01c1a24>] (kernfs_fop_write+0xd0/0x194)
[   33.924773] [<c01c1a24>] (kernfs_fop_write) from [<c0152dd8>] (vfs_write+0xb0/0x1bc)
[   33.932874] [<c0152dd8>] (vfs_write) from [<c0153330>] (SyS_write+0x54/0xb0)
[   33.940247] [<c0153330>] (SyS_write) from [<c000f080>] (ret_fast_syscall+0x0/0x48)
[   33.948160] Code: e1a01007 e12fff33 e5140004 e5143008 (e5933014)
[   33.954625] ---[ end trace f849bead94eab7ea ]---

Fixes: 2ccea03 (usb: gadget: introduce UDC Class)
Cc: <stable@vger.kernel.org> # v3.1+
Signed-off-by: Felipe Balbi <balbi@ti.com>
---
 drivers/usb/gadget/udc/udc-core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/gadget/udc/udc-core.c b/drivers/usb/gadget/udc/udc-core.c
index f107bb6..f205465 100644
--- a/drivers/usb/gadget/udc/udc-core.c
+++ b/drivers/usb/gadget/udc/udc-core.c
@@ -507,6 +507,11 @@ static ssize_t usb_udc_softconn_store(struct device *dev,
 {
 	struct usb_udc		*udc = container_of(dev, struct usb_udc, dev);
 
+	if (!udc->driver) {
+		dev_err(dev, "soft-connect without a gadget driver\n");
+		return -EOPNOTSUPP;
+	}
+
 	if (sysfs_streq(buf, "connect")) {
 		usb_gadget_udc_start(udc->gadget, udc->driver);
 		usb_gadget_connect(udc->gadget);