Re: [PATCH] usb: gadget: f_fs: Fix kernel panic for SuperSpeed

From: Jim Lin
Date: Mon Apr 25 2016 - 07:33:15 EST

Next message: Arnd Bergmann: "Re: [PATCH 3/5] ARM: dts: introduce MPS2 AN385/AN386"
Previous message: Yakir Yang: "[PATCH v1 0/8] Add RK3399 eDP support and fix some bugs to analogix_dp driver."
Next in thread: Felipe Balbi: "Re: [PATCH] usb: gadget: f_fs: Fix kernel panic for SuperSpeed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2016å04æ22æ 19:52, Felipe Balbi wrote:

* PGP Signed by an unknown key

Hi Jim,

Jim Lin <jilin@xxxxxxxxxx> writes:

Android N adds os_desc_compat in v2_descriptor by init_functionfs()
(system/core/adb/usb_linux_client.cpp) to support automatic install
of MTP driver on Windows for USB device mode.

Current __ffs_data_do_os_desc() of f_fs.c will check reserved1 field
and return -EINVAL.
This results in a second adb_write of usb_linux_client.cpp
(system/core/adb/) which doesn't have ss_descriptors filled.
Then later kernel_panic (composite.c) occurs when ss_descriptors
as a pointer with NULL is being accessed.

where exactly in composite.c are we dereferencing a NULL pointer ?

In set_config

for (; *descriptors; ++descriptors) {

Here is the link which shows reserved (at offset 1, e.g., Function Section 2) as 1.
https://msdn.microsoft.com/en-us/library/windows/hardware/gg463179.aspx

Is this happening on set_config() ? If that's the case, why is
gadget->speed set to USB_SPEED_SUPER to start with ? Your controller
should already have negotiated highspeed which means
function_descriptors() should have returned highspeed descriptors, not a
NULL superspeed.

Care to explain why you haven't negotiated Highspeed ? The only thing I
can think of is that you're using a Superspeed-capable peripheral
controller (dwc3?) with maximum-speed set to Superspeed, with a
Superspeed-capable cable connected to an XHCI PC, but loading a
high-speed gadget driver (which you got from Android, written with f_fs)
and this gadget doesn't tell composite that its maximum speed is
Highspeed, instead of super-speed.

We can add a check, sure, to avoid a kernel oops; however, you should
really fix up the gadget implementation and/or set dwc3's maximum-speed
property accordingly.

Can you check if this patch makes your scenario work while still being
fully functional ?

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index de9ffd60fcfa..3d3cdc5ed20d 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -66,20 +66,36 @@ function_descriptors(struct usb_function *f,
{
struct usb_descriptor_header **descriptors;
+ /*
+ * NOTE: we try to help gadget drivers which might not be setting
+ * max_speed appropriately.
+ */
+
switch (speed) {
case USB_SPEED_SUPER_PLUS:
descriptors = f->ssp_descriptors;
- break;
+ if (descriptors)
+ break;
+ /* FALLTHROUGH */
case USB_SPEED_SUPER:
descriptors = f->ss_descriptors;
- break;
+ if (descriptors)
+ break;
+ /* FALLTHROUGH */
case USB_SPEED_HIGH:
descriptors = f->hs_descriptors;
- break;
+ if (descriptors)
+ break;
+ /* FALLTHROUGH */
default:
descriptors = f->fs_descriptors;
}
+ /*
+ * if we can't find any descriptors at all, then this gadget deserves to
+ * Oops with a NULL pointer dereference
+ */
+
return descriptors;
}

After trying your change, no kernel panic, but SuperSpeed device (device mode) is not enumerated by ubuntu 14.04 USB 3.0 host controller as MTP device with USB3.0 cable.

--nvpublic

Next message: Arnd Bergmann: "Re: [PATCH 3/5] ARM: dts: introduce MPS2 AN385/AN386"
Previous message: Yakir Yang: "[PATCH v1 0/8] Add RK3399 eDP support and fix some bugs to analogix_dp driver."
Next in thread: Felipe Balbi: "Re: [PATCH] usb: gadget: f_fs: Fix kernel panic for SuperSpeed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]