Currently the USB gadget will be set as bus-powered based solely on whether its bMaxPower is greater than 100mA, but this may miss devices that may legitimately draw less than 100mA but still want to report as bus-powered. Similarly during suspend & resume, USB gadget is incorrectly marked as bus/self powered without checking the bmAttributes field. Fix these by configuring the USB gadget as self or bus powered based on bmAttributes, and explicitly set it as bus-powered if it draws more than 100mA.
Cc: stable@vger.kernel.org Fixes: 5e5caf4fa8d3 ("usb: gadget: composite: Inform controller driver of self-powered") Signed-off-by: Prashanth K prashanth.k@oss.qualcomm.com --- Changes in v2: - Didn't change anything from RFC. - Link to RFC: https://lore.kernel.org/all/20250204105908.2255686-1-prashanth.k@oss.qualcom...
drivers/usb/gadget/composite.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index bdda8c74602d..1fb28bbf6c45 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1050,10 +1050,11 @@ static int set_config(struct usb_composite_dev *cdev, else usb_gadget_set_remote_wakeup(gadget, 0); done: - if (power <= USB_SELF_POWER_VBUS_MAX_DRAW) - usb_gadget_set_selfpowered(gadget); - else + if (power > USB_SELF_POWER_VBUS_MAX_DRAW || + !(c->bmAttributes & USB_CONFIG_ATT_SELFPOWER)) usb_gadget_clear_selfpowered(gadget); + else + usb_gadget_set_selfpowered(gadget);
usb_gadget_vbus_draw(gadget, power); if (result >= 0 && cdev->delayed_status) @@ -2615,7 +2616,9 @@ void composite_suspend(struct usb_gadget *gadget)
cdev->suspended = 1;
- usb_gadget_set_selfpowered(gadget); + if (cdev->config->bmAttributes & USB_CONFIG_ATT_SELFPOWER) + usb_gadget_set_selfpowered(gadget); + usb_gadget_vbus_draw(gadget, 2); }
@@ -2649,8 +2652,11 @@ void composite_resume(struct usb_gadget *gadget) else maxpower = min(maxpower, 900U);
- if (maxpower > USB_SELF_POWER_VBUS_MAX_DRAW) + if (maxpower > USB_SELF_POWER_VBUS_MAX_DRAW || + !(cdev->config->bmAttributes & USB_CONFIG_ATT_SELFPOWER)) usb_gadget_clear_selfpowered(gadget); + else + usb_gadget_set_selfpowered(gadget);
usb_gadget_vbus_draw(gadget, maxpower); } else {
Hi Prashanth,
On 02/17/2025, Prashanth K wrote:
Currently the USB gadget will be set as bus-powered based solely on whether its bMaxPower is greater than 100mA, but this may miss devices that may legitimately draw less than 100mA but still want to report as bus-powered. Similarly during suspend & resume, USB gadget is incorrectly marked as bus/self powered without checking the bmAttributes field. Fix these by configuring the USB gadget as self or bus powered based on bmAttributes, and explicitly set it as bus-powered if it draws more than 100mA.
Cc: stable@vger.kernel.org Fixes: 5e5caf4fa8d3 ("usb: gadget: composite: Inform controller driver of self-powered") Signed-off-by: Prashanth K prashanth.k@oss.qualcomm.com
Changes in v2:
- Didn't change anything from RFC.
- Link to RFC: https://lore.kernel.org/all/20250204105908.2255686-1-prashanth.k@oss.qualcom...
drivers/usb/gadget/composite.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index bdda8c74602d..1fb28bbf6c45 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1050,10 +1050,11 @@ static int set_config(struct usb_composite_dev *cdev, else usb_gadget_set_remote_wakeup(gadget, 0); done:
- if (power <= USB_SELF_POWER_VBUS_MAX_DRAW)
usb_gadget_set_selfpowered(gadget);- else
- if (power > USB_SELF_POWER_VBUS_MAX_DRAW ||
!(c->bmAttributes & USB_CONFIG_ATT_SELFPOWER))- else
usb_gadget_set_selfpowered(gadget);usb_gadget_vbus_draw(gadget, power); if (result >= 0 && cdev->delayed_status) @@ -2615,7 +2616,9 @@ void composite_suspend(struct usb_gadget *gadget) cdev->suspended = 1;
- usb_gadget_set_selfpowered(gadget);
- if (cdev->config->bmAttributes & USB_CONFIG_ATT_SELFPOWER)
usb_gadget_set_selfpowered(gadget);
I'm hitting a null pointer derefence here on my Pixel 6 device on suspend. I haven't dug deep into it how we get here, but in my case `cdev->config` is NULL. This happens immediate after booting my device. I verified that just adding a NULL check fixes the issue and dwc3 gadget can successfully suspend.
Here is the crash stack:
Unable to handle kernel NULL pointer dereference at virtual address 000000000000002a <snip> Modules linked in: tcpci_maxim(E) at24(E) phy_exynos_ufs(E) phy_exynos5_usbdrd(E) dwc3_exynos(E) ufs_exynos(E) i2c_exynos5(E) s3c2410_wdt(E) arm_dsu_pmu(E) simplefb(E) CPU: 0 UID: 0 PID: 885 Comm: irq/118-dwc3 Tainted: G E 6.14.0-rc3-next-20250220-4k-g50a0c754714a-dirty #1 02ae1fc192b79fc15e3493a7f5cb2e58e2817b0a Tainted: [E]=UNSIGNED_MODULE Hardware name: Raven (DT) pstate: a04000c5 (NzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : composite_suspend+0x8c/0xe8 lr : configfs_composite_suspend+0x70/0x80 <snip> Call trace: composite_suspend+0x8c/0xe8 (P) configfs_composite_suspend+0x70/0x80 dwc3_suspend_gadget+0x48/0x64 dwc3_thread_interrupt+0x568/0xbe8 irq_thread_fn+0x30/0xb0 irq_thread+0x174/0x284 kthread+0x130/0x21c ret_from_fork+0x10/0x20
And that decoded at base commit 50a0c754714a (from linux-next):
composite_suspend (drivers/usb/gadget/composite.c:2619) (P) configfs_composite_suspend (drivers/usb/gadget/configfs.c:1939) dwc3_suspend_gadget (include/linux/spinlock.h:351 drivers/usb/dwc3/gadget.c:3962 drivers/usb/dwc3/gadget.c:3957) dwc3_thread_interrupt (drivers/usb/dwc3/gadget.c:4466 drivers/usb/dwc3/gadget.c:4494 drivers/usb/dwc3/gadget.c:4514 drivers/usb/dwc3/gadget.c:4535 drivers/usb/dwc3/gadget.c:4577) irq_thread_fn (kernel/irq/manage.c:1191) irq_thread (kernel/irq/manage.c:1318) kthread (kernel/kthread.c:464) ret_from_fork (arch/arm64/kernel/entry.S:863)
Thanks, Will
- usb_gadget_vbus_draw(gadget, 2);
} @@ -2649,8 +2652,11 @@ void composite_resume(struct usb_gadget *gadget) else maxpower = min(maxpower, 900U);
if (maxpower > USB_SELF_POWER_VBUS_MAX_DRAW)
if (maxpower > USB_SELF_POWER_VBUS_MAX_DRAW ||!(cdev->config->bmAttributes & USB_CONFIG_ATT_SELFPOWER)) usb_gadget_clear_selfpowered(gadget);elseusb_gadget_set_selfpowered(gadget);usb_gadget_vbus_draw(gadget, maxpower); } else { -- 2.25.1
On Thu, Feb 20, 2025 at 10:09:38AM -0800, William McVicker wrote:
Hi Prashanth,
On 02/17/2025, Prashanth K wrote:
Currently the USB gadget will be set as bus-powered based solely on whether its bMaxPower is greater than 100mA, but this may miss devices that may legitimately draw less than 100mA but still want to report as bus-powered. Similarly during suspend & resume, USB gadget is incorrectly marked as bus/self powered without checking the bmAttributes field. Fix these by configuring the USB gadget as self or bus powered based on bmAttributes, and explicitly set it as bus-powered if it draws more than 100mA.
Cc: stable@vger.kernel.org Fixes: 5e5caf4fa8d3 ("usb: gadget: composite: Inform controller driver of self-powered") Signed-off-by: Prashanth K prashanth.k@oss.qualcomm.com
Changes in v2:
- Didn't change anything from RFC.
- Link to RFC: https://lore.kernel.org/all/20250204105908.2255686-1-prashanth.k@oss.qualcom...
drivers/usb/gadget/composite.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index bdda8c74602d..1fb28bbf6c45 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1050,10 +1050,11 @@ static int set_config(struct usb_composite_dev *cdev, else usb_gadget_set_remote_wakeup(gadget, 0); done:
- if (power <= USB_SELF_POWER_VBUS_MAX_DRAW)
usb_gadget_set_selfpowered(gadget);- else
- if (power > USB_SELF_POWER_VBUS_MAX_DRAW ||
!(c->bmAttributes & USB_CONFIG_ATT_SELFPOWER))- else
usb_gadget_set_selfpowered(gadget);usb_gadget_vbus_draw(gadget, power); if (result >= 0 && cdev->delayed_status) @@ -2615,7 +2616,9 @@ void composite_suspend(struct usb_gadget *gadget) cdev->suspended = 1;
- usb_gadget_set_selfpowered(gadget);
- if (cdev->config->bmAttributes & USB_CONFIG_ATT_SELFPOWER)
usb_gadget_set_selfpowered(gadget);I'm hitting a null pointer derefence here on my Pixel 6 device on suspend. I haven't dug deep into it how we get here, but in my case `cdev->config` is NULL. This happens immediate after booting my device. I verified that just adding a NULL check fixes the issue and dwc3 gadget can successfully suspend.
This was just fixed in my tree today with this commit: https://lore.kernel.org/r/20250220120314.3614330-1-m.szyprowski@samsung.com
Hope this helps,
greg k-h
On 02/20/2025, Greg Kroah-Hartman wrote:
On Thu, Feb 20, 2025 at 10:09:38AM -0800, William McVicker wrote:
Hi Prashanth,
On 02/17/2025, Prashanth K wrote:
Currently the USB gadget will be set as bus-powered based solely on whether its bMaxPower is greater than 100mA, but this may miss devices that may legitimately draw less than 100mA but still want to report as bus-powered. Similarly during suspend & resume, USB gadget is incorrectly marked as bus/self powered without checking the bmAttributes field. Fix these by configuring the USB gadget as self or bus powered based on bmAttributes, and explicitly set it as bus-powered if it draws more than 100mA.
Cc: stable@vger.kernel.org Fixes: 5e5caf4fa8d3 ("usb: gadget: composite: Inform controller driver of self-powered") Signed-off-by: Prashanth K prashanth.k@oss.qualcomm.com
Changes in v2:
- Didn't change anything from RFC.
- Link to RFC: https://lore.kernel.org/all/20250204105908.2255686-1-prashanth.k@oss.qualcom...
drivers/usb/gadget/composite.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index bdda8c74602d..1fb28bbf6c45 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1050,10 +1050,11 @@ static int set_config(struct usb_composite_dev *cdev, else usb_gadget_set_remote_wakeup(gadget, 0); done:
- if (power <= USB_SELF_POWER_VBUS_MAX_DRAW)
usb_gadget_set_selfpowered(gadget);- else
- if (power > USB_SELF_POWER_VBUS_MAX_DRAW ||
!(c->bmAttributes & USB_CONFIG_ATT_SELFPOWER))- else
usb_gadget_set_selfpowered(gadget);usb_gadget_vbus_draw(gadget, power); if (result >= 0 && cdev->delayed_status) @@ -2615,7 +2616,9 @@ void composite_suspend(struct usb_gadget *gadget) cdev->suspended = 1;
- usb_gadget_set_selfpowered(gadget);
- if (cdev->config->bmAttributes & USB_CONFIG_ATT_SELFPOWER)
usb_gadget_set_selfpowered(gadget);I'm hitting a null pointer derefence here on my Pixel 6 device on suspend. I haven't dug deep into it how we get here, but in my case `cdev->config` is NULL. This happens immediate after booting my device. I verified that just adding a NULL check fixes the issue and dwc3 gadget can successfully suspend.
This was just fixed in my tree today with this commit: https://lore.kernel.org/r/20250220120314.3614330-1-m.szyprowski@samsung.com
Hope this helps,
greg k-h
Yup, works for me. Thanks!
--Will
Op 17-02-2025 om 13:03 schreef Prashanth K:
Currently the USB gadget will be set as bus-powered based solely on whether its bMaxPower is greater than 100mA, but this may miss devices that may legitimately draw less than 100mA but still want to report as bus-powered. Similarly during suspend & resume, USB gadget is incorrectly marked as bus/self powered without checking the bmAttributes field. Fix these by configuring the USB gadget as self or bus powered based on bmAttributes, and explicitly set it as bus-powered if it draws more than 100mA.
Cc: stable@vger.kernel.org Fixes: 5e5caf4fa8d3 ("usb: gadget: composite: Inform controller driver of self-powered") Signed-off-by: Prashanth K prashanth.k@oss.qualcomm.com
Changes in v2:
Didn't change anything from RFC.
Link to RFC: https://lore.kernel.org/all/20250204105908.2255686-1-prashanth.k@oss.qualcom...
drivers/usb/gadget/composite.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index bdda8c74602d..1fb28bbf6c45 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1050,10 +1050,11 @@ static int set_config(struct usb_composite_dev *cdev, else usb_gadget_set_remote_wakeup(gadget, 0); done:
- if (power <= USB_SELF_POWER_VBUS_MAX_DRAW)
usb_gadget_set_selfpowered(gadget);- else
- if (power > USB_SELF_POWER_VBUS_MAX_DRAW ||
!(c->bmAttributes & USB_CONFIG_ATT_SELFPOWER))
Please check this change again. From line 983-884 there is a `goto done`. in case `c` is NULL. So, there will be a potential NULL pointer dereference with your change.
usb_gadget_clear_selfpowered(gadget);
- else
usb_gadget_set_selfpowered(gadget);usb_gadget_vbus_draw(gadget, power); if (result >= 0 && cdev->delayed_status) [...]
linux-stable-mirror@lists.linaro.org
-
Greg Kroah-Hartman -
Kees Bakker -
Prashanth K -
William McVicker