* [PATCH v2] usb: dwc2: Fix NULL qh in dwc2_queue_transaction
@ 2019-10-23 21:06 Douglas Anderson
2019-10-24 9:48 ` Minas Harutyunyan
0 siblings, 1 reply; 3+ messages in thread
From: Douglas Anderson @ 2019-10-23 21:06 UTC (permalink / raw)
To: Minas Harutyunyan, Greg Kroah-Hartman, Felipe Balbi
Cc: linux-rockchip, stefan.wahren, mka, Alexandru M Stan,
Douglas Anderson, linux-usb, linux-kernel
From: Alexandru M Stan <amstan@chromium.org>

When a usb device disconnects in a certain way, dwc2_queue_transaction
still gets called after dwc2_hcd_cleanup_channels.

dwc2_hcd_cleanup_channels does "channel->qh = NULL;" but
dwc2_queue_transaction still wants to dereference qh.
This adds a check for a null qh.

Signed-off-by: Alexandru M Stan <amstan@chromium.org>
[dianders: rebased to mainline]
Signed-off-by: Douglas Anderson <dianders@chromium.org>
---
While testing a newer version of the Linux kernel on rk3288-veyron
devices we saw a bunch of crashes reported in dwc2_queue_transaction()
where chan->qh was NULL [1]. I don't know how to reproduce those
crashes myself, but I noticed that in our 3.14 kernel we had a patch
that probably fixed it. That patch was sent upstream ages ago [2] but
never landed. Here I've rebased the patch. While I haven't
reproduced the crash myself, it seems fairly likely that this will fix
the problem.

[1] https://crbug.com/1017388
[2] https://lore.kernel.org/r/1442952651-4341-2-git-send-email-amstan@chromium.org

Changes in v2:
- Rebased to mainline

drivers/usb/dwc2/hcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
index 81afe553aa66..b90f858af960 100644
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -2824,7 +2824,7 @@ static int dwc2_queue_transaction(struct dwc2_hsotg *hsotg,
list_move_tail(&chan->split_order_list_entry,
&hsotg->split_order);
- if (hsotg->params.host_dma) {
+ if (hsotg->params.host_dma && chan->qh) {
if (hsotg->params.dma_desc_enable) {
if (!chan->xfer_started ||
chan->ep_type == USB_ENDPOINT_XFER_ISOC) {
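
Review bot: Folding the NULL test into the mode test on the changed line, "if (hsotg->params.host_dma && chan->qh) {", means a channel whose qh was cleared is handled as if host_dma were off, so whatever follows this block (including any else arm, which is outside the visible context) still runs for that channel and has to be NULL-safe too. The list_move_tail() call in the context lines above also sits before the check, so it is not covered by it. Consider testing chan->qh on its own ahead of this code and returning early, which makes the bail-out explicit instead of depending on every later path tolerating a NULL qh.
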
--
2.23.0.866.gb869b98d4c-goog
* Re: [PATCH v2] usb: dwc2: Fix NULL qh in dwc2_queue_transaction
2019-10-23 21:06 [PATCH v2] usb: dwc2: Fix NULL qh in dwc2_queue_transaction Douglas Anderson
@ 2019-10-24 9:48 ` Minas Harutyunyan
0 siblings, 0 replies; 3+ messages in thread
From: Minas Harutyunyan @ 2019-10-24 9:48 UTC (permalink / raw)
To: Douglas Anderson, Greg Kroah-Hartman, Felipe Balbi
Cc: linux-rockchip, stefan.wahren, mka, Alexandru M Stan, linux-usb,
linux-kernel
On 10/24/2019 1:06 AM, Douglas Anderson wrote:
> From: Alexandru M Stan <amstan@chromium.org>
>
> When a usb device disconnects in a certain way, dwc2_queue_transaction
> still gets called after dwc2_hcd_cleanup_channels.
>
> dwc2_hcd_cleanup_channels does "channel->qh = NULL;" but
> dwc2_queue_transaction still wants to dereference qh.
> This adds a check for a null qh.
>
> Signed-off-by: Alexandru M Stan <amstan@chromium.org>
> [dianders: rebased to mainline]
> Signed-off-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Minas Harutyunyan <hminas@synopsys.com>
> ---
> While testing a newer version of the Linux kernel on rk3288-veyron
> devices we saw a bunch of crashes reported in dwc2_queue_transaction()
> where chan->qh was NULL [1]. I don't know how to reproduce those
> crashes myself, but I noticed that in our 3.14 kernel we had a patch
> that probably fixed it. That patch was sent upstream ages ago [2] but
> never landed. Here I've rebased the patch. While I haven't
> reproduced the crash myself, it seems fairly likely that this will fix
> the problem.
>
> [1] https://crbug.com/1017388
> [2] https://lore.kernel.org/r/1442952651-4341-2-git-send-email-amstan@chromium.org
>
> Changes in v2:
> - Rebased to mainline
>
> drivers/usb/dwc2/hcd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
> index 81afe553aa66..b90f858af960 100644
> --- a/drivers/usb/dwc2/hcd.c
> +++ b/drivers/usb/dwc2/hcd.c
> @@ -2824,7 +2824,7 @@ static int dwc2_queue_transaction(struct dwc2_hsotg *hsotg,
> list_move_tail(&chan->split_order_list_entry,
> &hsotg->split_order);
>
> - if (hsotg->params.host_dma) {
> + if (hsotg->params.host_dma && chan->qh) {
> if (hsotg->params.dma_desc_enable) {
> if (!chan->xfer_started ||
> chan->ep_type == USB_ENDPOINT_XFER_ISOC) {
>
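
Review bot: The new chan->qh test in "if (hsotg->params.host_dma && chan->qh) {" has no comment, so the reason qh can be NULL here (dwc2_hcd_cleanup_channels clearing it on disconnect before dwc2_queue_transaction runs) is recorded only in the commit message. A short comment above the condition naming that cleanup path would keep a later refactor from dropping the check as redundant. Since the cover text says the crash was not reproduced, the comment is also the place to note that the ordering is inferred from crash reports rather than from a confirmed call sequence.
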