From: Jing Leng <jleng@ambarella.com>
UVC driver doesn't set ssp_descriptors in struct usb_function.
If UVC uses a superspeedplus UDC (e.g. cdnsp), when
config_ep_by_speed_and_alt is called, the g->speed is
USB_SPEED_SUPER_PLUS, and f->ssp_descriptors is NULL,
so the kernel will access a NULL pointer of speed_desc.
Call trace:
config_ep_by_speed_and_alt+0x3c/0x2a0 [libcomposite]
uvc_function_set_alt+0xd4/0x2e8 [usb_f_uvc]
set_config.constprop.0+0x154/0x3a0 [libcomposite]
composite_setup+0x314/0xb44 [libcomposite]
configfs_composite_setup+0x84/0xb0 [libcomposite]
cdnsp_ep0_std_request+0x25c/0x470 [cdns3]
cdnsp_setup_analyze+0x94/0x25c [cdns3]
cdnsp_handle_event+0xe8/0x23c [cdns3]
cdnsp_thread_irq_handler+0x58/0xe8 [cdns3]
irq_thread_fn+0x2c/0xa0
irq_thread+0x164/0x280
kthread+0x128/0x134
ret_from_fork+0x10/0x40
Signed-off-by: Jing Leng <jleng@ambarella.com>
---
drivers/usb/gadget/function/f_uvc.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
index 71bb5e477dba..8fc9b035481e 100644
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -478,6 +478,7 @@ uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
void *mem;
switch (speed) {
+ case USB_SPEED_SUPER_PLUS:
case USB_SPEED_SUPER:
uvc_control_desc = uvc->desc.ss_control;
uvc_streaming_cls = uvc->desc.ss_streaming;
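Review bot: the new `case USB_SPEED_SUPER_PLUS:` label at the top of the switch makes SuperSpeedPlus silently reuse uvc->desc.ss_control and uvc->desc.ss_streaming, and nothing in the code says that this is intentional. A one-line comment above the label stating that SuperSpeedPlus shares the SuperSpeed descriptor set would keep a later reader from treating the stacked label as an oversight, and the commit message could say the same.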
@@ -521,7 +522,7 @@ uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
+ uvc_control_ep.bLength + uvc_control_cs_ep.bLength
+ uvc_streaming_intf_alt0.bLength;
- if (speed == USB_SPEED_SUPER) {
+ if (speed == USB_SPEED_SUPER || speed == USB_SPEED_SUPER_PLUS) {
bytes += uvc_ss_control_comp.bLength;
n_desc = 6;
} else {
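Review bot: the test `speed == USB_SPEED_SUPER || speed == USB_SPEED_SUPER_PLUS` in this size calculation has to stay identical to the one guarding `UVC_COPY_DESCRIPTOR(mem, dst, &uvc_ss_control_comp)` later in the same function, because this branch adds uvc_ss_control_comp.bLength to bytes and sets n_desc, which appear to size the buffer that the copy fills through mem. If the two conditions ever drift apart, the copy writes a descriptor the size calculation did not account for. Consider evaluating the condition once into a local bool and using it in both places.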
@@ -565,7 +566,7 @@ uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
uvc_control_header->baInterfaceNr[0] = uvc->streaming_intf;
UVC_COPY_DESCRIPTOR(mem, dst, &uvc_control_ep);
- if (speed == USB_SPEED_SUPER)
+ if (speed == USB_SPEED_SUPER || speed == USB_SPEED_SUPER_PLUS)
UVC_COPY_DESCRIPTOR(mem, dst, &uvc_ss_control_comp);
UVC_COPY_DESCRIPTOR(mem, dst, &uvc_control_cs_ep);
@@ -727,6 +728,15 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
}
}
+ if (gadget_is_superspeed_plus(c->cdev->gadget)) {
+ f->ssp_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER_PLUS);
+ if (IS_ERR(f->ssp_descriptors)) {
+ ret = PTR_ERR(f->ssp_descriptors);
+ f->ssp_descriptors = NULL;
+ goto error;
+ }
+ }
+
/* Preallocate control endpoint request. */
uvc->control_req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL);
uvc->control_buf = kmalloc(UVC_MAX_REQUEST_SIZE, GFP_KERNEL);
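Review bot: the new block in uvc_function_bind() allocates f->ssp_descriptors, but the patch touches no cleanup code (the diffstat's 12 insertions and 2 deletions are all in the lines shown), and the usb_ep_alloc_request() and kmalloc() calls right after it can still fail. Please confirm that the error label and the unbind path release f->ssp_descriptors as well, otherwise a failure after this point leaks the copy. Minor: the surrounding code uses the local cdev (`cdev->gadget->ep0`), so `gadget_is_superspeed_plus(cdev->gadget)` would read more consistently than `c->cdev->gadget`.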
--
2.17.1
On Tue, Feb 15, 2022 at 10:16:47AM +0800, 3090101217@zju.edu.cn wrote:
> From: Jing Leng <jleng@ambarella.com>
>
> UVC driver doesn't set ssp_descriptors in struct usb_function,
> If UVC uses superspeedplus UDC (e.g. cdnsp), when
> config_ep_by_speed_and_alt is called, the g->speed is
> USB_SPEED_SUPER_PLUS, and f->ssp_descriptors is NULL,
> So kernel will access NULL pointer of speed_desc.
>
> Call trace:
> config_ep_by_speed_and_alt+0x3c/0x2a0 [libcomposite]
> uvc_function_set_alt+0xd4/0x2e8 [usb_f_uvc]
> set_config.constprop.0+0x154/0x3a0 [libcomposite]
> composite_setup+0x314/0xb44 [libcomposite]
> configfs_composite_setup+0x84/0xb0 [libcomposite]
> cdnsp_ep0_std_request+0x25c/0x470 [cdns3]
> cdnsp_setup_analyze+0x94/0x25c [cdns3]
> cdnsp_handle_event+0xe8/0x23c [cdns3]
> cdnsp_thread_irq_handler+0x58/0xe8 [cdns3]
> irq_thread_fn+0x2c/0xa0
> irq_thread+0x164/0x280
> kthread+0x128/0x134
> ret_from_fork+0x10/0x40

What does "call trace" here mean? Is this an error? Something else?

>
> Signed-off-by: Jing Leng <jleng@ambarella.com>
> ---
> drivers/usb/gadget/function/f_uvc.c | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)

You did not read the information that my bot told you to read, for how
to properly version your patches :(

Please go back and do so when you resend all of them.

Also this is not a patch series? Why not?

thanks,

greg k-h
Hi Greg KH,

Sorry for the trouble; I am a new contributor to the kernel.
Although I have read the document on how to submit patches,
I'm still missing some details.

> What does "call trace" here mean? Is this an error? Something else?

It is "call trace" when the kernel accessed NULL pointer and handed.

> You did not read the information that my bot told you to read, for how
> to properly version your patches :(
>
> Please go back and do so when you resend all of them.
>
> Also this is not a patch series? Why not?

I read what the bot told me, but I still missed it.
The new patch only adds a more detailed patch description.
So it is not a patch series.

thanks,

Jing Leng