Re: [PATCH v2] usb: gadget: Fix double free of device descriptor pointers

From: Wesley Cheng
Date: Fri Apr 23 2021 - 15:11:09 EST
On 4/22/2021 4:01 AM, Felipe Balbi wrote:
>
> Hi,
>
> Wesley Cheng <wcheng@xxxxxxxxxxxxxx> writes:
>
>> From: Hemant Kumar <hemantk@xxxxxxxxxxxxxx>
>>
>> Upon driver unbind usb_free_all_descriptors() function frees all
>> speed descriptor pointers without setting them to NULL. In case
>> gadget speed changes (i.e. from super speed plus to super speed)
>> after driver unbind only up to super speed descriptor pointers get
>> populated. Super speed plus desc still holds the stale (already
>> freed) pointer. Fix this issue by setting all descriptor pointers
>> to NULL after freeing them in usb_free_all_descriptors().
>
> could you describe this a little better? How can one trigger this case?
> Is the speed demotion happening after unbinding? It's not clear how to
> cause this bug.
>
Hi Felipe,

Internally, we have a mechanism to switch the DWC3 core maximum speed
parameter dynamically for displayport use cases. This issue happens
whenever we have a maximum speed change occur on the USB gadget, which
for DWC3 happens whenever we call gadget init. When we switch in and
out of host mode, gadget init is being executed, leading to the change
in the USB gadget max speed parameter:

dwc->gadget->max_speed = dwc->maximum_speed;

I know that configFS gadget has the max_speed sysfs file, which is a
similar mechanism, but I haven't tried to see if we can reproduce the
same issue with it. Let me see if we can reproduce this with that
configfs speed setting.

Thanks
Wesley Cheng

--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project
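The stale-pointer sequence the commit message describes (bind at super speed plus, unbind, rebind at a lower max speed) can be modelled outside the kernel. The following is an added example, not code from the patch or from the gadget subsystem: it models the per-speed descriptor pointers of a function as a small array of heap buffers, provides the pre-fix free routine (frees without clearing) beside the fixed one (frees and sets NULL), and counts pointers for speeds above the new max speed that were never repopulated, which is exactly the slot that would later be freed a second time. The names `function_model`, `bind_descriptors`, `free_all_descriptors_stale` and `count_stale_pointers` are assumptions for the model and do not exist in the kernel.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Speeds in the order the gadget core populates them (simplified model). */
enum speed { SPEED_FULL = 0, SPEED_HIGH, SPEED_SUPER, SPEED_SUPER_PLUS, SPEED_COUNT };

/* Stand-in for the per-speed descriptor pointers of a usb_function.
 * Each speed's descriptor set is modelled as one heap buffer; the real
 * kernel keeps arrays of struct usb_descriptor_header * per speed. */
struct function_model {
    void *desc[SPEED_COUNT];
};

/* On (re)bind, descriptors are only built up to the gadget's current
 * max speed; slots above it are left untouched. */
static void bind_descriptors(struct function_model *f, enum speed max_speed)
{
    for (int s = 0; s <= (int)max_speed; s++)
        f->desc[s] = malloc(16);
}

/* Pre-fix behaviour: free every speed's descriptors, keep the pointers. */
static void free_all_descriptors_stale(struct function_model *f)
{
    for (int s = 0; s < SPEED_COUNT; s++)
        free(f->desc[s]);
}

/* Fixed behaviour (what the patch does): clear each pointer after freeing,
 * so a later bind at a lower speed cannot leave a dangling pointer behind. */
static void free_all_descriptors_fixed(struct function_model *f)
{
    for (int s = 0; s < SPEED_COUNT; s++) {
        free(f->desc[s]);
        f->desc[s] = NULL;
    }
}

/* Count non-NULL pointers for speeds above the current max speed. Those
 * slots were not repopulated by bind_descriptors(), so a non-NULL value can
 * only be a stale (already freed) pointer. The value is compared, never
 * dereferenced. */
static int count_stale_pointers(const struct function_model *f, enum speed max_speed)
{
    int stale = 0;
    for (int s = (int)max_speed + 1; s < SPEED_COUNT; s++)
        if (f->desc[s] != NULL)
            stale++;
    return stale;
}

/* Scenario from the commit message: bind at SSP, unbind, rebind at SS.
 * Returns how many stale pointers the chosen unbind path leaves behind. */
static int run_scenario(int use_fix)
{
    struct function_model f;
    memset(&f, 0, sizeof(f));

    bind_descriptors(&f, SPEED_SUPER_PLUS);
    if (use_fix)
        free_all_descriptors_fixed(&f);
    else
        free_all_descriptors_stale(&f);

    bind_descriptors(&f, SPEED_SUPER);
    int stale = count_stale_pointers(&f, SPEED_SUPER);

    /* Cleanup: drop the SSP slot explicitly so the stale path does not
     * free it a second time here (the fixed path already has it NULL). */
    f.desc[SPEED_SUPER_PLUS] = NULL;
    free_all_descriptors_fixed(&f);
    return stale;
}

int main(void)
{
    printf("stale pointers without fix: %d\n", run_scenario(0));
    printf("stale pointers with fix:    %d\n", run_scenario(1));
    return 0;
}
```

Without the fix the super speed plus slot survives the unbind with a freed address in it, which is the pointer a later usb_free_all_descriptors() would pass to free again; with the pointers cleared, the rebind at the lower speed leaves nothing stale.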