From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753140AbdKFLcf (ORCPT <rfc822;w@1wt.eu>);
        Mon, 6 Nov 2017 06:32:35 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:40248 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752887AbdKFLcc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 6 Nov 2017 06:32:32 -0500
Date: Mon, 6 Nov 2017 12:32:44 +0100
From: Greg KH <gregkh@linuxfoundation.org>
To: Chen Yu <chenyu56@huawei.com>
Cc: wangbinghui@hisilicon.com, mathias.nyman@intel.com,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        fanning4@hisilicon.com, lirui39@hisilicon.com, yangdi10@hisilicon.com,
        groeck@google.com, john.stultz@linaro.org
Subject: Re: [PATCH v2] usb:xhci fix panic in
 xhci_free_virt_devices_depth_first
Message-ID: <20171106113244.GB20217@kroah.com>
References: <20171106082023.116787-1-chenyu56@huawei.com>
 <20171106083152.GB7087@kroah.com>
 <4a9bb4fa-6e49-7d48-2127-2721bc806255@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4a9bb4fa-6e49-7d48-2127-2721bc806255@huawei.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Nov 06, 2017 at 06:03:08PM +0800, Chen Yu wrote:
> Hi,
> 
> On 2017/11/6 16:31, Greg KH wrote:
> > On Mon, Nov 06, 2017 at 04:20:23PM +0800, Yu Chen wrote:
> >> From: Yu Chen <chenyu56@huawei.com>
> >>
> >> Check vdev->real_port 0 to avoid panic
> >> [    9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108
> >> [    9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570
> >> [    9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8
> >> [    9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0
> >> [    9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8
> >> [    9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70
> >> [    9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108
> >> [    9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40
> >> [    9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120
> >> [    9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210
> >> [    9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0
> >> [    9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488
> >> [    9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8
> >> [    9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490
> >> [    9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0
> >> [    9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100
> >> [    9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50
> >>
> >> The problem can occur if xhci_plat_remove() is called shortly after
> >> xhci_plat_probe(). While xhci_free_virt_devices_depth_first been
> >> called before the device has been setup and get real_port initialized.
> >> The problem occurred on Hikey960 and was reproduced by Guenter Roeck
> >> on Kevin with chromeos-4.4.
> >>
> >> Cc: Guenter Roeck <groeck@google.com>
> >> Signed-off-by: Fan Ning <fanning4@hisilicon.com>
> >> Signed-off-by: Li Rui <lirui39@hisilicon.com>
> >> Signed-off-by: yangdi <yangdi10@hisilicon.com>
> >> Signed-off-by: Yu Chen <chenyu56@huawei.com>
> >>
> >> ---
> >>  drivers/usb/host/xhci-mem.c | 4 ++++
> >>  1 file changed, 4 insertions(+)
> >>
> >> diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
> >> index 2a82c927ded2..0361b4a58f59 100644
> >> --- a/drivers/usb/host/xhci-mem.c
> >> +++ b/drivers/usb/host/xhci-mem.c
> >> @@ -947,6 +947,9 @@ void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_id)
> >>  	if (!vdev)
> >>  		return;
> >>  
> >> +	if (WARN_ON(!vdev->real_port))
> > 
> > Ok, now you are sending a lot of mess to the kernel log, so what can a
> > user do about it?
> > 
> > How can this ever happen?  Is it a hardware error, or a kernel driver
> > logic error?
> > 
> > thanks,
> > 
> > greg k-h
> > 
> > .
> > 
> 
> The problem is a driver logic error, it can reproduced if xhci_plat_remove() is
> called shortly after xhci_plat_probe() while xhci_alloc_virt_device has been called
> but real_port has not been initialized in xhci_setup_addressable_virt_dev.

Who is calling xhci_plat_remove() like this?

> A simple process is as below:
> 	xhci_plat_probe()
>                |
> 	usb_add_hcd()					xhci_plat_remove()
> 	       |						|
> 	find some device				usb_remove_hcd()
> 	       |						|
> 	hub_port_connect() -> usb_alloc_dev()		usb_disconnect()
> 	       |						|
> 	before hub_enable_device()			xhci_stop()
> 								|
> 							xhci_mem_cleanup()
> 								|
> 							xhci_free_virt_devices_depth_first()
> 								|
> 							real_port is 0 access xhci->rh_bw[vdev->real_port-1]
> 
> The problem came from https://bugs.96boards.org/show_bug.cgi?id=535
> Also look at crbug.com/700041

Then the bug needs to be fixed, throwing a huge kernel trace message
into the kernel log is not "fixing" the problem at all, right?

thanks,

greg k-h