linux-sg2042/drivers/usb/dwc2
Robert Baldyga 62f4f0651c usb: dwc2: gadget: kill requests with 'force' in s3c_hsotg_udc_stop()
This makes us sure that all requests are completed before we unbind
gadget. There are assumptions in gadget API that all requests have to
be completed and leak of complete can break some usb function drivers.

For example unbind of ECM function can cause NULL pointer dereference:

[   26.396595] configfs-gadget gadget: unbind function
'cdc_ethernet'/e79c4c00
[   26.414999] Unable to handle kernel NULL pointer dereference at
virtual address 00000000
(...)
[   26.452223] PC is at ecm_unbind+0x6c/0x9c
[   26.456209] LR is at ecm_unbind+0x68/0x9c
(...)
[   26.603696] [<c033fdb4>] (ecm_unbind) from [<c033661c>]
(purge_configs_funcs+0x94/0xd8)
[   26.611674] [<c033661c>] (purge_configs_funcs) from [<c0336674>]
(configfs_composite_unbind+0x14/0x34)
[   26.620961] [<c0336674>] (configfs_composite_unbind) from
[<c0337124>] (usb_gadget_remove_driver+0x68/0x9c)
[   26.630683] [<c0337124>] (usb_gadget_remove_driver) from [<c03376c8>]
(usb_gadget_unregister_driver+0x64/0x94)
[   26.640664] [<c03376c8>] (usb_gadget_unregister_driver) from
[<c0336be8>] (unregister_gadget+0x20/0x3c)
[   26.650038] [<c0336be8>] (unregister_gadget) from [<c0336c84>]
(gadget_dev_desc_UDC_store+0x80/0xb8)
[   26.659152] [<c0336c84>] (gadget_dev_desc_UDC_store) from
[<c0335120>] (gadget_info_attr_store+0x1c/0x28)
[   26.668703] [<c0335120>] (gadget_info_attr_store) from [<c012135c>]
(configfs_write_file+0xe8/0x148)
[   26.677818] [<c012135c>] (configfs_write_file) from [<c00c8dd4>]
(vfs_write+0xb0/0x1a0)
[   26.685801] [<c00c8dd4>] (vfs_write) from [<c00c91b8>]
(SyS_write+0x44/0x84)
[   26.692834] [<c00c91b8>] (SyS_write) from [<c000e560>]
(ret_fast_syscall+0x0/0x30)
[   26.700381] Code: e30409f8 e34c0069 eb07b88d e59430a8 (e5930000)
[   26.706485] ---[ end trace f62a082b323838a2 ]---

It's because in some cases request is still running on endpoint during
unbind and kill_all_requests() called from s3c_hsotg_udc_stop() function
doesn't cause call of complete() of request. Missing complete() call
causes ecm->notify_req equals NULL in ecm_unbind() function, and this
is reason of this bug.

Similar breaks can be observed in another usb function drivers.

This patch fixes this bug forcing usb request completion in when
s3c_hsotg_ep_disable() is called from s3c_hsotg_udc_stop().

Acked-by: Paul Zimmerman <paulz@synopsys.com>
Signed-off-by: Robert Baldyga <r.baldyga@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2014-12-22 10:28:55 -06:00
..
Kconfig usb: dwc2: Update Kconfig to support dual-role 2014-11-14 15:00:07 -06:00
Makefile usb: dwc2: Update Kconfig to support dual-role 2014-11-14 15:00:07 -06:00
core.c usb: dwc2: Update common interrupt handler to call gadget interrupt handler 2014-11-14 14:59:48 -06:00
core.h usb: dwc2: gadget: rework suspend/resume code to correctly restore gadget state 2014-11-21 09:07:42 -06:00
core_intr.c usb: dwc2: gadget: rework disconnect event handling 2014-11-21 09:07:34 -06:00
gadget.c usb: dwc2: gadget: kill requests with 'force' in s3c_hsotg_udc_stop() 2014-12-22 10:28:55 -06:00
hcd.c usb: dwc2: move usb_disabled() call to host driver only 2014-11-14 15:00:03 -06:00
hcd.h usb: dwc2: Move gadget probe function into platform code 2014-11-14 14:59:32 -06:00
hcd_ddma.c
hcd_intr.c usb: dwc2: handle DMA buffer unmapping sanely 2014-09-19 16:17:58 -07:00
hcd_queue.c usb: dwc2: handle DMA buffer unmapping sanely 2014-09-19 16:17:58 -07:00
hw.h usb: dwc2: add defines to support s3c-hsotg driver 2014-04-24 13:12:43 -07:00
pci.c usb: dwc2: Update common interrupt handler to call gadget interrupt handler 2014-11-14 14:59:48 -06:00
platform.c usb: dwc2: Fix build warning when CONFIG_PM_SLEEP=n 2014-11-25 08:47:04 -06:00