| Message ID | 20210812171652.23803-1-semen.protsenko@linaro.org |
|---|---|
| Headers | show |
| Series | usb: dwc3: Fix DRD role switch | expand |
On Thu, Aug 12, 2021 at 08:16:45PM +0300, Sam Protsenko wrote: > This patch series pulls the patch ae7e86108b12 ("usb: dwc3: Stop active > transfers before halting the controller") and some fixes/dependencies > for that patch. It's needed to fix the actual panic I observed when > doing role switch with USB2.0 Dual Role Device controller. Next > procedure can be used to reproduce the panic: > > 1. Boot in peripheral role > 2. Configure RNDIS gadget, perform ping, stop ping > 3. Switch to host role > 4. Kernel panic occurs > > Kernel panic happens because gadget->udc->driver->disconnect() (which > is configfs_composite_disconnect()) is not called from > usb_gadget_disconnect() function, due to timeout condition in > dwc3_gadget_run_stop(), which leads to not called rndis_disable(). And > although previously created endpoints are not valid anymore, > eth_start_xmit() gets called and tries to use those, which leads to > invalid memory access. This patch fixes timeout condition, so next > call chain doesn't fail anymore, and RNDIS uninitialized properly on > gadget to host role switch: > > <<<<<<<<<<<<<<<<<<<< cut here >>>>>>>>>>>>>>>>>>> > usb_role_switch_set_role() > v > dwc3_usb_role_switch_set() > v > dwc3_set_mode() > v > __dwc3_set_mode() > v > dwc3_gadget_exit() > v > usb_del_gadget_udc() > v > usb_gadget_remove_driver() > v > usb_gadget_disconnect() > v > // THIS IS NOT CALLED because gadget->ops->pullup() = > // dwc3_gadget_pullup() returns -ETIMEDOUT (-110) > gadget->udc->driver->disconnect() > // = configfs_composite_disconnect() > v > composite_disconnect() > v > reset_config() > v > foreach (f : function) : f->disable > v > rndis_disable() > v > gether_disconnect() > v > usb_ep_disable(), > dev->port_usb = NULL > <<<<<<<<<<<<<<<<<<<< cut here >>>>>>>>>>>>>>>>>>> > > Most of these patches are already applied in stable-5.10. > > Wesley Cheng (7): > usb: dwc3: Stop active transfers before halting the controller > usb: dwc3: gadget: Allow runtime suspend if UDC unbinded > usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup > usb: dwc3: gadget: Prevent EP queuing while stopping transfers > usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable > usb: dwc3: gadget: Disable gadget IRQ during pullup disable > usb: dwc3: gadget: Avoid runtime resume if disabling pullup > > drivers/usb/dwc3/ep0.c | 2 +- > drivers/usb/dwc3/gadget.c | 118 +++++++++++++++++++++++++++++++------- > 2 files changed, 99 insertions(+), 21 deletions(-) > > -- > 2.30.2 Now queued up. In the future, please put your own signed-off-by on these patches, as you were forwarding them on to us. thanks, greg k-h
This patch series pulls the patch ae7e86108b12 ("usb: dwc3: Stop active transfers before halting the controller") and some fixes/dependencies for that patch. It's needed to fix the actual panic I observed when doing role switch with USB2.0 Dual Role Device controller. Next procedure can be used to reproduce the panic: 1. Boot in peripheral role 2. Configure RNDIS gadget, perform ping, stop ping 3. Switch to host role 4. Kernel panic occurs Kernel panic happens because gadget->udc->driver->disconnect() (which is configfs_composite_disconnect()) is not called from usb_gadget_disconnect() function, due to timeout condition in dwc3_gadget_run_stop(), which leads to not called rndis_disable(). And although previously created endpoints are not valid anymore, eth_start_xmit() gets called and tries to use those, which leads to invalid memory access. This patch fixes timeout condition, so next call chain doesn't fail anymore, and RNDIS uninitialized properly on gadget to host role switch: <<<<<<<<<<<<<<<<<<<< cut here >>>>>>>>>>>>>>>>>>> usb_role_switch_set_role() v dwc3_usb_role_switch_set() v dwc3_set_mode() v __dwc3_set_mode() v dwc3_gadget_exit() v usb_del_gadget_udc() v usb_gadget_remove_driver() v usb_gadget_disconnect() v // THIS IS NOT CALLED because gadget->ops->pullup() = // dwc3_gadget_pullup() returns -ETIMEDOUT (-110) gadget->udc->driver->disconnect() // = configfs_composite_disconnect() v composite_disconnect() v reset_config() v foreach (f : function) : f->disable v rndis_disable() v gether_disconnect() v usb_ep_disable(), dev->port_usb = NULL <<<<<<<<<<<<<<<<<<<< cut here >>>>>>>>>>>>>>>>>>> Most of these patches are already applied in stable-5.10. Wesley Cheng (7): usb: dwc3: Stop active transfers before halting the controller usb: dwc3: gadget: Allow runtime suspend if UDC unbinded usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup usb: dwc3: gadget: Prevent EP queuing while stopping transfers usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable usb: dwc3: gadget: Disable gadget IRQ during pullup disable usb: dwc3: gadget: Avoid runtime resume if disabling pullup drivers/usb/dwc3/ep0.c | 2 +- drivers/usb/dwc3/gadget.c | 118 +++++++++++++++++++++++++++++++------- 2 files changed, 99 insertions(+), 21 deletions(-) -- 2.30.2