Message ID | 20240725010419.314430-2-crwulff@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 973a57891608a98e894db2887f278777f564de18 |
Headers | show |
Series | [v2] usb: gadget: core: Check for unset descriptor | expand |
On Wed, Jul 24, 2024 at 09:04:20PM -0400, crwulff@gmail.com wrote: > From: Chris Wulff <crwulff@gmail.com> > > Make sure the descriptor has been set before looking at maxpacket. > This fixes a null pointer panic in this case. > > This may happen if the gadget doesn't properly set up the endpoint > for the current speed, or the gadget descriptors are malformed and > the descriptor for the speed/endpoint are not found. > > No current gadget driver is known to have this problem, but this > may cause a hard-to-find bug during development of new gadgets. > > Fixes: 54f83b8c8ea9 ("USB: gadget: Reject endpoints with 0 maxpacket value") > Cc: stable@vger.kernel.org > Signed-off-by: Chris Wulff <crwulff@gmail.com> > --- > v2: Added WARN_ONCE message & clarification on causes > v1: https://lore.kernel.org/all/20240721192048.3530097-2-crwulff@gmail.com/ > --- > drivers/usb/gadget/udc/core.c | 10 ++++------ > 1 file changed, 4 insertions(+), 6 deletions(-) > > diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c > index 2dfae7a17b3f..81f9140f3681 100644 > --- a/drivers/usb/gadget/udc/core.c > +++ b/drivers/usb/gadget/udc/core.c > @@ -118,12 +118,10 @@ int usb_ep_enable(struct usb_ep *ep) > goto out; > > /* UDC drivers can't handle endpoints with maxpacket size 0 */ > - if (usb_endpoint_maxp(ep->desc) == 0) { > - /* > - * We should log an error message here, but we can't call > - * dev_err() because there's no way to find the gadget > - * given only ep. > - */ > + if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) { > + WARN_ONCE(1, "%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name, > + (!ep->desc) ? "NULL descriptor" : "maxpacket 0"); So you just rebooted a machine that hit this, that's not good at all. Please log the error and recover, don't crash a system (remember, panic-on-warn is enabled in billions of Linux systems.) thanks, greg k-h
On Thu, Jul 25, 2024 at 06:56:19AM +0200, Greg Kroah-Hartman wrote: > On Wed, Jul 24, 2024 at 09:04:20PM -0400, crwulff@gmail.com wrote: > > From: Chris Wulff <crwulff@gmail.com> > > > > Make sure the descriptor has been set before looking at maxpacket. > > This fixes a null pointer panic in this case. > > > > This may happen if the gadget doesn't properly set up the endpoint > > for the current speed, or the gadget descriptors are malformed and > > the descriptor for the speed/endpoint are not found. > > > > No current gadget driver is known to have this problem, but this > > may cause a hard-to-find bug during development of new gadgets. > > > > Fixes: 54f83b8c8ea9 ("USB: gadget: Reject endpoints with 0 maxpacket value") > > Cc: stable@vger.kernel.org > > Signed-off-by: Chris Wulff <crwulff@gmail.com> > > --- > > v2: Added WARN_ONCE message & clarification on causes > > v1: https://lore.kernel.org/all/20240721192048.3530097-2-crwulff@gmail.com/ > > --- > > drivers/usb/gadget/udc/core.c | 10 ++++------ > > 1 file changed, 4 insertions(+), 6 deletions(-) > > > > diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c > > index 2dfae7a17b3f..81f9140f3681 100644 > > --- a/drivers/usb/gadget/udc/core.c > > +++ b/drivers/usb/gadget/udc/core.c > > @@ -118,12 +118,10 @@ int usb_ep_enable(struct usb_ep *ep) > > goto out; > > > > /* UDC drivers can't handle endpoints with maxpacket size 0 */ > > - if (usb_endpoint_maxp(ep->desc) == 0) { > > - /* > > - * We should log an error message here, but we can't call > > - * dev_err() because there's no way to find the gadget > > - * given only ep. > > - */ > > + if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) { > > + WARN_ONCE(1, "%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name, > > + (!ep->desc) ? "NULL descriptor" : "maxpacket 0"); > > So you just rebooted a machine that hit this, that's not good at all. > Please log the error and recover, don't crash a system (remember, > panic-on-warn is enabled in billions of Linux systems.) That should not be a problem. This WARN_ONCE is expected never to be triggered except by a buggy gadget driver. It's a debugging tool; the developer will get an indication in the kernel log of where the problem is instead of just a panic. However, if you feel strongly about this, Chris probably won't mind changing it to pr_err() plus dump_stack() instead of WARN_ONCE(). Alan Stern
On Thu, Jul 25, 2024 at 02:23:25PM -0400, Alan Stern wrote: > On Thu, Jul 25, 2024 at 06:56:19AM +0200, Greg Kroah-Hartman wrote: > > On Wed, Jul 24, 2024 at 09:04:20PM -0400, crwulff@gmail.com wrote: > > > From: Chris Wulff <crwulff@gmail.com> > > > > > > Make sure the descriptor has been set before looking at maxpacket. > > > This fixes a null pointer panic in this case. > > > > > > This may happen if the gadget doesn't properly set up the endpoint > > > for the current speed, or the gadget descriptors are malformed and > > > the descriptor for the speed/endpoint are not found. > > > > > > No current gadget driver is known to have this problem, but this > > > may cause a hard-to-find bug during development of new gadgets. > > > > > > Fixes: 54f83b8c8ea9 ("USB: gadget: Reject endpoints with 0 maxpacket value") > > > Cc: stable@vger.kernel.org > > > Signed-off-by: Chris Wulff <crwulff@gmail.com> > > > --- > > > v2: Added WARN_ONCE message & clarification on causes > > > v1: https://lore.kernel.org/all/20240721192048.3530097-2-crwulff@gmail.com/ > > > --- > > > drivers/usb/gadget/udc/core.c | 10 ++++------ > > > 1 file changed, 4 insertions(+), 6 deletions(-) > > > > > > diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c > > > index 2dfae7a17b3f..81f9140f3681 100644 > > > --- a/drivers/usb/gadget/udc/core.c > > > +++ b/drivers/usb/gadget/udc/core.c > > > @@ -118,12 +118,10 @@ int usb_ep_enable(struct usb_ep *ep) > > > goto out; > > > > > > /* UDC drivers can't handle endpoints with maxpacket size 0 */ > > > - if (usb_endpoint_maxp(ep->desc) == 0) { > > > - /* > > > - * We should log an error message here, but we can't call > > > - * dev_err() because there's no way to find the gadget > > > - * given only ep. > > > - */ > > > + if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) { > > > + WARN_ONCE(1, "%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name, > > > + (!ep->desc) ? "NULL descriptor" : "maxpacket 0"); > > > > So you just rebooted a machine that hit this, that's not good at all. > > Please log the error and recover, don't crash a system (remember, > > panic-on-warn is enabled in billions of Linux systems.) > > That should not be a problem. This WARN_ONCE is expected never to be > triggered except by a buggy gadget driver. It's a debugging tool; the > developer will get an indication in the kernel log of where the problem > is instead of just a panic. Ok, if this can never be hit by a user action, then it's ok to leave as-is, it wasn't obvious to me that this is the case, sorry. I'll queue this up after -rc1 is out. thanks, greg k-h
diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index 2dfae7a17b3f..81f9140f3681 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -118,12 +118,10 @@ int usb_ep_enable(struct usb_ep *ep) goto out; /* UDC drivers can't handle endpoints with maxpacket size 0 */ - if (usb_endpoint_maxp(ep->desc) == 0) { - /* - * We should log an error message here, but we can't call - * dev_err() because there's no way to find the gadget - * given only ep. - */ + if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) { + WARN_ONCE(1, "%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name, + (!ep->desc) ? "NULL descriptor" : "maxpacket 0"); + ret = -EINVAL; goto out; }