On 4/22/2021 4:01 AM, Felipe Balbi wrote:
Hi,
Wesley Cheng wcheng@codeaurora.org writes:
From: Hemant Kumar hemantk@codeaurora.org
Upon driver unbind usb_free_all_descriptors() function frees all speed descriptor pointers without setting them to NULL. In case gadget speed changes (i.e from super speed plus to super speed) after driver unbind only upto super speed descriptor pointers get populated. Super speed plus desc still holds the stale (already freed) pointer. Fix this issue by setting all descriptor pointers to NULL after freeing them in usb_free_all_descriptors().
could you describe this a little better? How can one trigger this case? Is the speed demotion happening after unbinding? It's not clear how to cause this bug.
Hi Felipe,
Internally, we have a mechanism to switch the DWC3 core maximum speed parameter dynamically for displayport use cases. This issue happens whenever we have a maximum speed change occur on the USB gadget, which for DWC3 happens whenever we call gadget init. When we switch in and out of host mode, gadget init is being executed, leading to the change in the USB gadget max speed parameter:
dwc->gadget->max_speed = dwc->maximum_speed;
I know that configFS gadget has the max_speed sysfs file, which is a similar mechanism, but I haven't tried to see if we can reproduce the same issue with it. Let me see if we can reproduce this with that configfs speed setting.
Thanks Wesley Cheng