From: Michael Zimmermann
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Michael Zimmermann
Subject: [PATCH] usb: gadget: f_hid: move list and spinlock inits from bind to alloc
Date: Tue, 31 Mar 2026 20:48:44 +0200
Message-ID: <20260331184844.2388761-1-sigmaepsilon92@gmail.com>
X-Mailer: git-send-email 2.53.0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

There was an issue when you did the following:
- set up and bind an hid gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind the UDC
- use the fd in EPOLL_CTL_DEL

When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported
within remove_wait_queue (via ep_remove_wait_queue). After some
debugging I found out that the queues, which f_hid registers via
poll_wait, were the problem. These were initialized using
init_waitqueue_head inside hidg_bind. So effectively, the bind function
re-initialized the queues while there were still items in them.

The solution is to move the initialization from hidg_bind to hidg_alloc
to extend their lifetimes to the lifetime of the function instance.

Additionally, I found many other possibly problematic init calls in the
bind function, which I moved as well.

Signed-off-by: Michael Zimmermann --- drivers/usb/gadget/function/f_hid.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/funct= ion/f_hid.c index 8812ebf33d14b..e5ccaec7750cd 100644 --- a/drivers/usb/gadget/function/f_hid.c +++ b/drivers/usb/gadget/function/f_hid.c @@ -1262,17 +1262,8 @@ static int hidg_bind(struct usb_configuration *c, st= ruct usb_function *f) if (status) goto fail; =20 - spin_lock_init(&hidg->write_spinlock); hidg->write_pending =3D 1; hidg->req =3D NULL; - spin_lock_init(&hidg->read_spinlock); - spin_lock_init(&hidg->get_report_spinlock); - init_waitqueue_head(&hidg->write_queue); - init_waitqueue_head(&hidg->read_queue); - init_waitqueue_head(&hidg->get_queue); - init_waitqueue_head(&hidg->get_id_queue); - INIT_LIST_HEAD(&hidg->completed_out_req); - INIT_LIST_HEAD(&hidg->report_list); =20 INIT_WORK(&hidg->work, get_report_workqueue_handler); hidg->workqueue =3D alloc_workqueue("report_work", @@ -1608,6 +1599,16 @@ static struct usb_function *hidg_alloc(struct usb_fu= nction_instance *fi) =20 mutex_lock(&opts->lock); =20 + spin_lock_init(&hidg->write_spinlock); + spin_lock_init(&hidg->read_spinlock); + spin_lock_init(&hidg->get_report_spinlock); + init_waitqueue_head(&hidg->write_queue); + init_waitqueue_head(&hidg->read_queue); + init_waitqueue_head(&hidg->get_queue); + init_waitqueue_head(&hidg->get_id_queue); + INIT_LIST_HEAD(&hidg->completed_out_req); + INIT_LIST_HEAD(&hidg->report_list); + device_initialize(&hidg->dev); hidg->dev.release =3D hidg_release; hidg->dev.class =3D &hidg_class; --=20 2.53.0
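
Review bot: In the hidg_bind hunk, dropping INIT_LIST_HEAD(&hidg->completed_out_req) and INIT_LIST_HEAD(&hidg->report_list) means neither list is reset on bind any more, so any entry still linked at unbind time now carries over into the next bind. The old code re-initialised the heads on every bind and so hid such leftovers; please confirm, ideally in the commit message, that the unbind/disable path leaves both lists empty, or drain them there. The same hunk leaves INIT_WORK(&hidg->work, get_report_workqueue_handler) in bind, and it would help to say why re-initialising the work item on each bind is safe when re-initialising the wait queues was not.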
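
Review bot: In the hidg_alloc hunk the nine init calls are inserted after mutex_lock(&opts->lock), yet they only touch fields of hidg and nothing in the visible lines suggests they need opts->lock. Consider placing them before the mutex_lock() call, directly after hidg is allocated, so the critical section stays limited to what actually reads opts. Separately, the mail is Cc'd to stable@vger.kernel.org but the message carries no Fixes: tag (and no Cc: stable trailer) next to the Signed-off-by; adding one would tell the stable maintainers how far back this should go.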
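
The failure described in the commit message, as an added user-space model (not part of the patch and not kernel code): it mimics a wait-queue list head that is re-initialised while an epoll waiter is still linked, and the neighbour check that CONFIG_DEBUG_LIST applies on unlink. All names in it (list_add_tail_model, list_del_checked, epoll_del_after_rebind) are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space stand-in for the kernel's struct list_head (constructed model). */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail_model(struct list_head *e, struct list_head *h)
{
    e->prev = h->prev;
    e->next = h;
    h->prev->next = e;
    h->prev = e;
}

/* Unlink with the kind of sanity check CONFIG_DEBUG_LIST adds: both
 * neighbours must still point back at the entry. Returns false on corruption. */
static bool list_del_checked(struct list_head *e)
{
    if (e->prev->next != e || e->next->prev != e)
        return false;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    return true;
}

/* init_in_bind = true models the old code (head re-initialised on every bind);
 * false models the patched code (head initialised once, in alloc). */
static bool epoll_del_after_rebind(bool init_in_bind)
{
    struct list_head read_queue, epoll_waiter;

    init_list_head(&read_queue);                      /* alloc / first bind */
    list_add_tail_model(&epoll_waiter, &read_queue);  /* EPOLL_CTL_ADD -> poll_wait */
    if (init_in_bind)
        init_list_head(&read_queue);                  /* unbind, then bind again */
    return list_del_checked(&epoll_waiter);           /* EPOLL_CTL_DEL */
}

int main(void)
{
    printf("init in bind:  unlink ok = %d\n", epoll_del_after_rebind(true));
    printf("init in alloc: unlink ok = %d\n", epoll_del_after_rebind(false));
    return 0;
}
```

With the head re-initialised in bind, the waiter still points at the head but the head no longer points back, which is the inconsistency the list debugging check reports.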