[PATCH 4.9 062/111] USB: net2280: Fix erroneous synchronization change

From: Greg Kroah-Hartman
Date: Mon Sep 24 2018 - 08:04:28 EST

4.9-stable review patch. If anyone has any objections, please let me know.


From: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>

commit dec3c23c9aa1815f07d98ae0375b4cbc10971e13 upstream.

Commit f16443a034c7 ("USB: gadgetfs, dummy-hcd, net2280: fix locking
for callbacks") was based on a serious misunderstanding. It
introduced regressions into both the dummy-hcd and net2280 drivers.

The problem in dummy-hcd was fixed by commit 7dbd8f4cabd9 ("USB:
dummy-hcd: Fix erroneous synchronization change"), but the problem in
net2280 remains. Namely: the ->disconnect(), ->suspend(), ->resume(),
and ->reset() callbacks must be invoked without the private lock held;
otherwise a deadlock will occur when the callback routine tries to
interact with the UDC driver.

This patch largely is a reversion of the relevant parts of
f16443a034c7. It also drops the private lock around the calls to
->suspend() and ->resume() (something the earlier patch forgot to do).
This is safe from races with device interrupts because it occurs
within the interrupt handler.

Finally, the patch changes where the ->disconnect() callback is
invoked when net2280_pullup() turns the pullup off. Rather than
making the callback from within stop_activity() at a time when dropping
the private lock could be unsafe, the callback is moved to a point
after the lock has already been dropped.

Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Fixes: f16443a034c7 ("USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks")
Reported-by: D. Ziesche <dziesche@xxxxxxx>
Tested-by: D. Ziesche <dziesche@xxxxxxx>
CC: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Felipe Balbi <felipe.balbi@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

drivers/usb/gadget/udc/net2280.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/udc/net2280.c
+++ b/drivers/usb/gadget/udc/net2280.c
@@ -1549,11 +1549,14 @@ static int net2280_pullup(struct usb_gad
writel(tmp | BIT(USB_DETECT_ENABLE), &dev->usb->usbctl);
} else {
writel(tmp & ~BIT(USB_DETECT_ENABLE), &dev->usb->usbctl);
- stop_activity(dev, dev->driver);
+ stop_activity(dev, NULL);

spin_unlock_irqrestore(&dev->lock, flags);

+ if (!is_on && dev->driver)
+ dev->driver->disconnect(&dev->gadget);
return 0;

@@ -2470,8 +2473,11 @@ static void stop_activity(struct net2280

/* report disconnect; the driver is already quiesced */
- if (driver)
+ if (driver) {
+ spin_unlock(&dev->lock);
+ spin_lock(&dev->lock);
+ }

@@ -3345,6 +3351,8 @@ next_endpoints:

static void handle_stat1_irqs(struct net2280 *dev, u32 stat)
struct net2280_ep *ep;
u32 tmp, num, mask, scratch;
@@ -3385,12 +3393,14 @@ static void handle_stat1_irqs(struct net
if (disconnect || reset) {
stop_activity(dev, dev->driver);
+ spin_unlock(&dev->lock);
if (reset)
(&dev->gadget, dev->driver);
+ spin_lock(&dev->lock);
@@ -3409,6 +3419,7 @@ static void handle_stat1_irqs(struct net
if (stat & tmp) {
writel(tmp, &dev->regs->irqstat1);
+ spin_unlock(&dev->lock);
if (dev->driver->suspend)
@@ -3419,6 +3430,7 @@ static void handle_stat1_irqs(struct net
/* at high speed, note erratum 0133 */
+ spin_lock(&dev->lock);
stat &= ~tmp;