[v2] usb: gadget: Fix double free of device descriptor pointers

From: Hemant Kumar <hemantk@codeaurora.org>

Upon driver unbind usb_free_all_descriptors() function frees all
speed descriptor pointers without setting them to NULL. In case
gadget speed changes (i.e from super speed plus to super speed)
after driver unbind only upto super speed descriptor pointers get
populated. Super speed plus desc still holds the stale (already
freed) pointer. Fix this issue by setting all descriptor pointers
to NULL after freeing them in usb_free_all_descriptors().

Fixes: f5c61225cf29 ("usb: gadget: Update function for SuperSpeedPlus")
cc: stable@vger.kernel.org
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
---
Changes in v2:
 - Add Reviewed-by and Fixes tags
 - CC'ed stable tree

 drivers/usb/gadget/config.c | 4 ++++
 1 file changed, 4 insertions(+)

On 4/22/2021 4:01 AM, Felipe Balbi wrote:
> 

> Hi,

> 

> Wesley Cheng <wcheng@codeaurora.org> writes:

> 

>> From: Hemant Kumar <hemantk@codeaurora.org>

>>

>> Upon driver unbind usb_free_all_descriptors() function frees all

>> speed descriptor pointers without setting them to NULL. In case

>> gadget speed changes (i.e from super speed plus to super speed)

>> after driver unbind only upto super speed descriptor pointers get

>> populated. Super speed plus desc still holds the stale (already

>> freed) pointer. Fix this issue by setting all descriptor pointers

>> to NULL after freeing them in usb_free_all_descriptors().

> 

> could you describe this a little better? How can one trigger this case?

> Is the speed demotion happening after unbinding? It's not clear how to

> cause this bug.

> 

Hi Felipe,

Internally, we have a mechanism to switch the DWC3 core maximum speed
parameter dynamically for displayport use cases.  This issue happens
whenever we have a maximum speed change occur on the USB gadget, which
for DWC3 happens whenever we call gadget init.  When we switch in and
out of host mode, gadget init is being executed, leading to the change
in the USB gadget max speed parameter:

dwc->gadget->max_speed		= dwc->maximum_speed;

I know that configFS gadget has the max_speed sysfs file, which is a
similar mechanism, but I haven't tried to see if we can reproduce the
same issue with it.  Let me see if we can reproduce this with that
configfs speed setting.

Thanks
Wesley Cheng

-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

On 4/23/2021 12:10 PM, Wesley Cheng wrote:
> 

> 

> On 4/22/2021 4:01 AM, Felipe Balbi wrote:

>>

>> Hi,

>>

>> Wesley Cheng <wcheng@codeaurora.org> writes:

>>

>>> From: Hemant Kumar <hemantk@codeaurora.org>

>>>

>>> Upon driver unbind usb_free_all_descriptors() function frees all

>>> speed descriptor pointers without setting them to NULL. In case

>>> gadget speed changes (i.e from super speed plus to super speed)

>>> after driver unbind only upto super speed descriptor pointers get

>>> populated. Super speed plus desc still holds the stale (already

>>> freed) pointer. Fix this issue by setting all descriptor pointers

>>> to NULL after freeing them in usb_free_all_descriptors().

>>

>> could you describe this a little better? How can one trigger this case?

>> Is the speed demotion happening after unbinding? It's not clear how to

>> cause this bug.

>>

> Hi Felipe,

> 

> Internally, we have a mechanism to switch the DWC3 core maximum speed

> parameter dynamically for displayport use cases.  This issue happens

> whenever we have a maximum speed change occur on the USB gadget, which

> for DWC3 happens whenever we call gadget init.  When we switch in and

> out of host mode, gadget init is being executed, leading to the change

> in the USB gadget max speed parameter:

> 

> dwc->gadget->max_speed		= dwc->maximum_speed;

> 

> I know that configFS gadget has the max_speed sysfs file, which is a

> similar mechanism, but I haven't tried to see if we can reproduce the

> same issue with it.  Let me see if we can reproduce this with that

> configfs speed setting.

> 

> Thanks

> Wesley Cheng

> 


Hi Felipe,

So I tried with doing it through the configFS max_speed, but it doesn't
have the same effect, as the setting done in dwc3_gadget_init() will
still be assigning the composite/UDC device's maximum speed to SSP/SS.
This is what the usb_assign_descriptor() uses to determine whether or
not to copy the SSP and SS descriptors.

So in summary, at least for a DWC3 based subsystem, the only way to
reproduce it is if there is a way to dynamically switch the DWC3 core
max speed parameter.

Thanks
Wesley Cheng

-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

Hi,

Wesley Cheng <wcheng@codeaurora.org> writes:
>>>> From: Hemant Kumar <hemantk@codeaurora.org>
>>>>
>>>> Upon driver unbind usb_free_all_descriptors() function frees all
>>>> speed descriptor pointers without setting them to NULL. In case
>>>> gadget speed changes (i.e from super speed plus to super speed)
>>>> after driver unbind only upto super speed descriptor pointers get
>>>> populated. Super speed plus desc still holds the stale (already
>>>> freed) pointer. Fix this issue by setting all descriptor pointers
>>>> to NULL after freeing them in usb_free_all_descriptors().
>>>
>>> could you describe this a little better? How can one trigger this case?
>>> Is the speed demotion happening after unbinding? It's not clear how to
>>> cause this bug.
>>>
>> Hi Felipe,
>> 
>> Internally, we have a mechanism to switch the DWC3 core maximum speed
>> parameter dynamically for displayport use cases.  This issue happens
>> whenever we have a maximum speed change occur on the USB gadget, which
>> for DWC3 happens whenever we call gadget init.  When we switch in and
>> out of host mode, gadget init is being executed, leading to the change
>> in the USB gadget max speed parameter:
>> 
>> dwc->gadget->max_speed		= dwc->maximum_speed;
>> 
>> I know that configFS gadget has the max_speed sysfs file, which is a
>> similar mechanism, but I haven't tried to see if we can reproduce the
>> same issue with it.  Let me see if we can reproduce this with that
>> configfs speed setting.
>> 
>> Thanks
>> Wesley Cheng
>> 
>
> Hi Felipe,
>
> So I tried with doing it through the configFS max_speed, but it doesn't
> have the same effect, as the setting done in dwc3_gadget_init() will
> still be assigning the composite/UDC device's maximum speed to SSP/SS.
> This is what the usb_assign_descriptor() uses to determine whether or
> not to copy the SSP and SS descriptors.
>
> So in summary, at least for a DWC3 based subsystem, the only way to
> reproduce it is if there is a way to dynamically switch the DWC3 core
> max speed parameter.

Could it be that you have a bug in your out-of-tree changes? Perhaps
there's some assumption which your changes aren't guaranteeing.

Hi,

Wesley Cheng <wcheng@codeaurora.org> writes:
> On 4/24/2021 1:05 AM, Felipe Balbi wrote:

>> 

>> Hi,

>> 

>> Wesley Cheng <wcheng@codeaurora.org> writes:

>>>>>> From: Hemant Kumar <hemantk@codeaurora.org>

>>>>>>

>>>>>> Upon driver unbind usb_free_all_descriptors() function frees all

>>>>>> speed descriptor pointers without setting them to NULL. In case

>>>>>> gadget speed changes (i.e from super speed plus to super speed)

>>>>>> after driver unbind only upto super speed descriptor pointers get

>>>>>> populated. Super speed plus desc still holds the stale (already

>>>>>> freed) pointer. Fix this issue by setting all descriptor pointers

>>>>>> to NULL after freeing them in usb_free_all_descriptors().

>>>>>

>>>>> could you describe this a little better? How can one trigger this case?

>>>>> Is the speed demotion happening after unbinding? It's not clear how to

>>>>> cause this bug.

>>>>>

>>>> Hi Felipe,

>>>>

>>>> Internally, we have a mechanism to switch the DWC3 core maximum speed

>>>> parameter dynamically for displayport use cases.  This issue happens

>>>> whenever we have a maximum speed change occur on the USB gadget, which

>>>> for DWC3 happens whenever we call gadget init.  When we switch in and

>>>> out of host mode, gadget init is being executed, leading to the change

>>>> in the USB gadget max speed parameter:

>>>>

>>>> dwc->gadget->max_speed		= dwc->maximum_speed;

>>>>

>>>> I know that configFS gadget has the max_speed sysfs file, which is a

>>>> similar mechanism, but I haven't tried to see if we can reproduce the

>>>> same issue with it.  Let me see if we can reproduce this with that

>>>> configfs speed setting.

>>>>

>>>> Thanks

>>>> Wesley Cheng

>>>>

>>>

>>> Hi Felipe,

>>>

>>> So I tried with doing it through the configFS max_speed, but it doesn't

>>> have the same effect, as the setting done in dwc3_gadget_init() will

>>> still be assigning the composite/UDC device's maximum speed to SSP/SS.

>>> This is what the usb_assign_descriptor() uses to determine whether or

>>> not to copy the SSP and SS descriptors.

>>>

>>> So in summary, at least for a DWC3 based subsystem, the only way to

>>> reproduce it is if there is a way to dynamically switch the DWC3 core

>>> max speed parameter.

>> 

>> Could it be that you have a bug in your out-of-tree changes? Perhaps

>> there's some assumption which your changes aren't guaranteeing.

>> 

> Hi Felipe,

>

> Unless there is a limitation on how the USB gadget max speed can be

> used, i.e. the USB gadget max speed MUST stay the same throughout a

> device's boot period, then our out of tree changes may have the wrong


no, not throughout boot, but it can't change while the device is
enumerated.

> assumptions.  However, I don't see that stated anywhere, and I still

> feel the current usb_assign_descriptors() and usb_free_all_descriptors()

> aren't aligned with one another.  One API decides which descriptors to

> copy based on a parameter, whereas the other just frees all of them

> irrespective.


that's a valid point.

-- 
balbi