niansa-misc/linux
1
0
Fork 0
mirror of synced 2025-03-06 20:59:54 +01:00
Code Issues Projects Releases Packages Wiki Activity

usb: gadget: udc: core: Prevent soft_connect_store() race

Browse source 
usb_udc_connect_control(), soft_connect_store() and
usb_gadget_deactivate() can potentially race against each other to invoke
usb_gadget_connect()/usb_gadget_disconnect(). To prevent this, guard
udc->started, gadget->allow_connect, gadget->deactivate and
gadget->connect with connect_lock so that ->pullup() is only invoked when
the gadget is bound, started and not deactivated. The routines
usb_gadget_connect_locked(), usb_gadget_disconnect_locked(),
usb_udc_connect_control_locked(), usb_gadget_udc_start_locked(),
usb_gadget_udc_stop_locked() are called with this lock held.

An earlier version of this commit was reverted due to the crash reported in
https://lore.kernel.org/all/ZF4BvgsOyoKxdPFF@francesco-nb.int.toradex.com/.
commit 16737e78d190 ("usb: gadget: udc: core: Offload usb_udc_vbus_handler processing")
addresses the crash reported.

Cc: stable@vger.kernel.org
Fixes: 628ef0d273 ("usb: udc: add usb_udc_vbus_handler")
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Message-ID: <20230609010227.978661-2-badhri@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Badhri Jagan Sridharan 2023-06-09 01:02:27 +00:00 committed by Greg Kroah-Hartman
parent 50966da807
commit 286d9975a8
1 changed files with 106 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

155
drivers/usb/gadget/udc/core.c
View file

@ -40,6 +40,11 @@ static const struct bus_type gadget_bus_type;
* @allow_connect: Indicates whether UDC is allowed to be pulled up. * @allow_connect: Indicates whether UDC is allowed to be pulled up.
* Set/cleared by gadget_(un)bind_driver() after gadget driver is bound or * Set/cleared by gadget_(un)bind_driver() after gadget driver is bound or
* unbound. * unbound.
* @connect_lock: protects udc->started, gadget->connect,
* gadget->allow_connect and gadget->deactivate. The routines
* usb_gadget_connect_locked(), usb_gadget_disconnect_locked(),
* usb_udc_connect_control_locked(), usb_gadget_udc_start_locked() and
* usb_gadget_udc_stop_locked() are called with this lock held.
* *
* This represents the internal data structure which is used by the UDC-class * This represents the internal data structure which is used by the UDC-class
* to hold information about udc driver and gadget together. * to hold information about udc driver and gadget together.
@ -53,6 +58,7 @@ struct usb_udc {
bool started; bool started;
bool allow_connect; bool allow_connect;
struct work_struct vbus_work; struct work_struct vbus_work;
struct mutex connect_lock;
}; };
static struct class *udc_class; static struct class *udc_class;
@ -692,17 +698,8 @@ out:
} }
EXPORT_SYMBOL_GPL(usb_gadget_vbus_disconnect); EXPORT_SYMBOL_GPL(usb_gadget_vbus_disconnect);
/** static int usb_gadget_connect_locked(struct usb_gadget *gadget)
* usb_gadget_connect - software-controlled connect to USB host __must_hold(&gadget->udc->connect_lock)
* @gadget:the peripheral being connected
*
* Enables the D+ (or potentially D-) pullup. The host will start
* enumerating this gadget when the pullup is active and a VBUS session
* is active (the link is powered).
*
* Returns zero on success, else negative errno.
*/
int usb_gadget_connect(struct usb_gadget *gadget)
{ {
int ret = 0; int ret = 0;
@ -711,10 +708,12 @@ int usb_gadget_connect(struct usb_gadget *gadget)
goto out; goto out;
} }
if (gadget->deactivated || !gadget->udc->allow_connect) { if (gadget->deactivated || !gadget->udc->allow_connect || !gadget->udc->started) {
/* /*
* If gadget is deactivated we only save new state. * If the gadget isn't usable (because it is deactivated,
* Gadget will be connected automatically after activation. * unbound, or not yet started), we only save the new state.
* The gadget will be connected automatically when it is
* activated/bound/started.
*/ */
gadget->connected = true; gadget->connected = true;
goto out; goto out;
@ -729,22 +728,31 @@ out:
return ret; return ret;
} }
EXPORT_SYMBOL_GPL(usb_gadget_connect);
/** /**
* usb_gadget_disconnect - software-controlled disconnect from USB host * usb_gadget_connect - software-controlled connect to USB host
* @gadget:the peripheral being disconnected * @gadget:the peripheral being connected
* *
* Disables the D+ (or potentially D-) pullup, which the host may see * Enables the D+ (or potentially D-) pullup. The host will start
* as a disconnect (when a VBUS session is active). Not all systems * enumerating this gadget when the pullup is active and a VBUS session
* support software pullup controls. * is active (the link is powered).
*
* Following a successful disconnect, invoke the ->disconnect() callback
* for the current gadget driver so that UDC drivers don't need to.
* *
* Returns zero on success, else negative errno. * Returns zero on success, else negative errno.
*/ */
int usb_gadget_disconnect(struct usb_gadget *gadget) int usb_gadget_connect(struct usb_gadget *gadget)
{
int ret;
mutex_lock(&gadget->udc->connect_lock);
ret = usb_gadget_connect_locked(gadget);
mutex_unlock(&gadget->udc->connect_lock);
return ret;
}
EXPORT_SYMBOL_GPL(usb_gadget_connect);
static int usb_gadget_disconnect_locked(struct usb_gadget *gadget)
__must_hold(&gadget->udc->connect_lock)
{ {
int ret = 0; int ret = 0;
@ -756,7 +764,7 @@ int usb_gadget_disconnect(struct usb_gadget *gadget)
if (!gadget->connected) if (!gadget->connected)
goto out; goto out;
if (gadget->deactivated) { if (gadget->deactivated || !gadget->udc->started) {
/* /*
* If gadget is deactivated we only save new state. * If gadget is deactivated we only save new state.
* Gadget will stay disconnected after activation. * Gadget will stay disconnected after activation.
@ -779,6 +787,30 @@ out:
return ret; return ret;
} }
/**
* usb_gadget_disconnect - software-controlled disconnect from USB host
* @gadget:the peripheral being disconnected
*
* Disables the D+ (or potentially D-) pullup, which the host may see
* as a disconnect (when a VBUS session is active). Not all systems
* support software pullup controls.
*
* Following a successful disconnect, invoke the ->disconnect() callback
* for the current gadget driver so that UDC drivers don't need to.
*
* Returns zero on success, else negative errno.
*/
int usb_gadget_disconnect(struct usb_gadget *gadget)
{
int ret;
mutex_lock(&gadget->udc->connect_lock);
ret = usb_gadget_disconnect_locked(gadget);
mutex_unlock(&gadget->udc->connect_lock);
return ret;
}
EXPORT_SYMBOL_GPL(usb_gadget_disconnect); EXPORT_SYMBOL_GPL(usb_gadget_disconnect);
/** /**
@ -796,13 +828,14 @@ int usb_gadget_deactivate(struct usb_gadget *gadget)
{ {
int ret = 0; int ret = 0;
mutex_lock(&gadget->udc->connect_lock);
if (gadget->deactivated) if (gadget->deactivated)
goto out; goto unlock;
if (gadget->connected) { if (gadget->connected) {
ret = usb_gadget_disconnect(gadget); ret = usb_gadget_disconnect_locked(gadget);
if (ret) if (ret)
goto out; goto unlock;
/* /*
* If gadget was being connected before deactivation, we want * If gadget was being connected before deactivation, we want
@ -812,7 +845,8 @@ int usb_gadget_deactivate(struct usb_gadget *gadget)
} }
gadget->deactivated = true; gadget->deactivated = true;
out: unlock:
mutex_unlock(&gadget->udc->connect_lock);
trace_usb_gadget_deactivate(gadget, ret); trace_usb_gadget_deactivate(gadget, ret);
return ret; return ret;
@ -832,8 +866,9 @@ int usb_gadget_activate(struct usb_gadget *gadget)
{ {
int ret = 0; int ret = 0;
mutex_lock(&gadget->udc->connect_lock);
if (!gadget->deactivated) if (!gadget->deactivated)
goto out; goto unlock;
gadget->deactivated = false; gadget->deactivated = false;
@ -842,9 +877,11 @@ int usb_gadget_activate(struct usb_gadget *gadget)
* while it was being deactivated, we call usb_gadget_connect(). * while it was being deactivated, we call usb_gadget_connect().
*/ */
if (gadget->connected) if (gadget->connected)
ret = usb_gadget_connect(gadget); ret = usb_gadget_connect_locked(gadget);
mutex_unlock(&gadget->udc->connect_lock);
out: unlock:
mutex_unlock(&gadget->udc->connect_lock);
trace_usb_gadget_activate(gadget, ret); trace_usb_gadget_activate(gadget, ret);
return ret; return ret;
@ -1083,19 +1120,22 @@ EXPORT_SYMBOL_GPL(usb_gadget_set_state);
/* ------------------------------------------------------------------------- */ /* ------------------------------------------------------------------------- */
static void usb_udc_connect_control(struct usb_udc *udc) /* Acquire connect_lock before calling this function. */
static void usb_udc_connect_control_locked(struct usb_udc *udc) __must_hold(&udc->connect_lock)
{ {
if (udc->vbus) if (udc->vbus)
usb_gadget_connect(udc->gadget); usb_gadget_connect_locked(udc->gadget);
else else
usb_gadget_disconnect(udc->gadget); usb_gadget_disconnect_locked(udc->gadget);
} }
static void vbus_event_work(struct work_struct *work) static void vbus_event_work(struct work_struct *work)
{ {
struct usb_udc *udc = container_of(work, struct usb_udc, vbus_work); struct usb_udc *udc = container_of(work, struct usb_udc, vbus_work);
usb_udc_connect_control(udc); mutex_lock(&udc->connect_lock);
usb_udc_connect_control_locked(udc);
mutex_unlock(&udc->connect_lock);
} }
/** /**
@ -1144,7 +1184,7 @@ void usb_gadget_udc_reset(struct usb_gadget *gadget,
EXPORT_SYMBOL_GPL(usb_gadget_udc_reset); EXPORT_SYMBOL_GPL(usb_gadget_udc_reset);
/** /**
* usb_gadget_udc_start - tells usb device controller to start up * usb_gadget_udc_start_locked - tells usb device controller to start up
* @udc: The UDC to be started * @udc: The UDC to be started
* *
* This call is issued by the UDC Class driver when it's about * This call is issued by the UDC Class driver when it's about
@ -1155,8 +1195,11 @@ EXPORT_SYMBOL_GPL(usb_gadget_udc_reset);
* necessary to have it powered on. * necessary to have it powered on.
* *
* Returns zero on success, else negative errno. * Returns zero on success, else negative errno.
*
* Caller should acquire connect_lock before invoking this function.
*/ */
static inline int usb_gadget_udc_start(struct usb_udc *udc) static inline int usb_gadget_udc_start_locked(struct usb_udc *udc)
__must_hold(&udc->connect_lock)
{ {
int ret; int ret;
@ -1173,7 +1216,7 @@ static inline int usb_gadget_udc_start(struct usb_udc *udc)
} }
/** /**
* usb_gadget_udc_stop - tells usb device controller we don't need it anymore * usb_gadget_udc_stop_locked - tells usb device controller we don't need it anymore
* @udc: The UDC to be stopped * @udc: The UDC to be stopped
* *
* This call is issued by the UDC Class driver after calling * This call is issued by the UDC Class driver after calling
@ -1182,8 +1225,11 @@ static inline int usb_gadget_udc_start(struct usb_udc *udc)
* The details are implementation specific, but it can go as * The details are implementation specific, but it can go as
* far as powering off UDC completely and disable its data * far as powering off UDC completely and disable its data
* line pullups. * line pullups.
*
* Caller should acquire connect lock before invoking this function.
*/ */
static inline void usb_gadget_udc_stop(struct usb_udc *udc) static inline void usb_gadget_udc_stop_locked(struct usb_udc *udc)
__must_hold(&udc->connect_lock)
{ {
if (!udc->started) { if (!udc->started) {
dev_err(&udc->dev, "UDC had already stopped\n"); dev_err(&udc->dev, "UDC had already stopped\n");
@ -1342,6 +1388,7 @@ int usb_add_gadget(struct usb_gadget *gadget)
udc->gadget = gadget; udc->gadget = gadget;
gadget->udc = udc; gadget->udc = udc;
mutex_init(&udc->connect_lock);
udc->started = false; udc->started = false;
@ -1545,12 +1592,16 @@ static int gadget_bind_driver(struct device *dev)
if (ret) if (ret)
goto err_bind; goto err_bind;
ret = usb_gadget_udc_start(udc); mutex_lock(&udc->connect_lock);
if (ret) ret = usb_gadget_udc_start_locked(udc);
if (ret) {
mutex_unlock(&udc->connect_lock);
goto err_start; goto err_start;
}
usb_gadget_enable_async_callbacks(udc); usb_gadget_enable_async_callbacks(udc);
udc->allow_connect = true; udc->allow_connect = true;
usb_udc_connect_control(udc); usb_udc_connect_control_locked(udc);
mutex_unlock(&udc->connect_lock);
kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE); kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE);
return 0; return 0;
@ -1583,12 +1634,14 @@ static void gadget_unbind_driver(struct device *dev)
udc->allow_connect = false; udc->allow_connect = false;
cancel_work_sync(&udc->vbus_work); cancel_work_sync(&udc->vbus_work);
usb_gadget_disconnect(gadget); mutex_lock(&udc->connect_lock);
usb_gadget_disconnect_locked(gadget);
usb_gadget_disable_async_callbacks(udc); usb_gadget_disable_async_callbacks(udc);
if (gadget->irq) if (gadget->irq)
synchronize_irq(gadget->irq); synchronize_irq(gadget->irq);
udc->driver->unbind(gadget); udc->driver->unbind(gadget);
usb_gadget_udc_stop(udc); usb_gadget_udc_stop_locked(udc);
mutex_unlock(&udc->connect_lock);
mutex_lock(&udc_lock); mutex_lock(&udc_lock);
driver->is_bound = false; driver->is_bound = false;
@ -1674,11 +1727,15 @@ static ssize_t soft_connect_store(struct device *dev,
} }
if (sysfs_streq(buf, "connect")) { if (sysfs_streq(buf, "connect")) {
usb_gadget_udc_start(udc); mutex_lock(&udc->connect_lock);
usb_gadget_connect(udc->gadget); usb_gadget_udc_start_locked(udc);
usb_gadget_connect_locked(udc->gadget);
mutex_unlock(&udc->connect_lock);
} else if (sysfs_streq(buf, "disconnect")) { } else if (sysfs_streq(buf, "disconnect")) {
usb_gadget_disconnect(udc->gadget); mutex_lock(&udc->connect_lock);
usb_gadget_udc_stop(udc); usb_gadget_disconnect_locked(udc->gadget);
usb_gadget_udc_stop_locked(udc);
mutex_unlock(&udc->connect_lock);
} else { } else {
dev_err(dev, "unsupported command '%s'\n", buf); dev_err(dev, "unsupported command '%s'\n", buf);
ret = -EINVAL; ret = -EINVAL;