From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753260AbdKFKEV (ORCPT <rfc822;w@1wt.eu>);
        Mon, 6 Nov 2017 05:04:21 -0500
Received: from szxga05-in.huawei.com ([45.249.212.191]:10014 "EHLO
        szxga05-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752810AbdKFKES (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 6 Nov 2017 05:04:18 -0500
Subject: Re: [PATCH v2] usb:xhci fix panic in
 xhci_free_virt_devices_depth_first
To: Greg KH <gregkh@linuxfoundation.org>
References: <20171106082023.116787-1-chenyu56@huawei.com>
 <20171106083152.GB7087@kroah.com>
CC: <wangbinghui@hisilicon.com>, <mathias.nyman@intel.com>,
        <linux-usb@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
        <fanning4@hisilicon.com>, <lirui39@hisilicon.com>,
        <yangdi10@hisilicon.com>, <groeck@google.com>,
        <john.stultz@linaro.org>
From: Chen Yu <chenyu56@huawei.com>
Message-ID: <4a9bb4fa-6e49-7d48-2127-2721bc806255@huawei.com>
Date: Mon, 6 Nov 2017 18:03:08 +0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <20171106083152.GB7087@kroah.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.142.63.192]
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0),
        refid=str=0001.0A020205.5A00339F.00FB,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0,
        ip=0.0.0.0,
        so=2014-11-16 11:51:01,
        dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: d8f8b609eb133ec87fe8b7403a49ae0e
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On 2017/11/6 16:31, Greg KH wrote:
> On Mon, Nov 06, 2017 at 04:20:23PM +0800, Yu Chen wrote:
>> From: Yu Chen <chenyu56@huawei.com>
>>
>> Check vdev->real_port 0 to avoid panic
>> [    9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108
>> [    9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570
>> [    9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8
>> [    9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0
>> [    9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8
>> [    9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70
>> [    9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108
>> [    9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40
>> [    9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120
>> [    9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210
>> [    9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0
>> [    9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488
>> [    9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8
>> [    9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490
>> [    9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0
>> [    9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100
>> [    9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50
>>
>> The problem can occur if xhci_plat_remove() is called shortly after
>> xhci_plat_probe(). While xhci_free_virt_devices_depth_first been
>> called before the device has been setup and get real_port initialized.
>> The problem occurred on Hikey960 and was reproduced by Guenter Roeck
>> on Kevin with chromeos-4.4.
>>
>> Cc: Guenter Roeck <groeck@google.com>
>> Signed-off-by: Fan Ning <fanning4@hisilicon.com>
>> Signed-off-by: Li Rui <lirui39@hisilicon.com>
>> Signed-off-by: yangdi <yangdi10@hisilicon.com>
>> Signed-off-by: Yu Chen <chenyu56@huawei.com>
>>
>> ---
>>  drivers/usb/host/xhci-mem.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
>> index 2a82c927ded2..0361b4a58f59 100644
>> --- a/drivers/usb/host/xhci-mem.c
>> +++ b/drivers/usb/host/xhci-mem.c
>> @@ -947,6 +947,9 @@ void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_id)
>>  	if (!vdev)
>>  		return;
>>  
>> +	if (WARN_ON(!vdev->real_port))
> 
> Ok, now you are sending a lot of mess to the kernel log, so what can a
> user do about it?
> 
> How can this ever happen?  Is it a hardware error, or a kernel driver
> logic error?
> 
> thanks,
> 
> greg k-h
> 
> .
> 

The problem is a driver logic error, it can reproduced if xhci_plat_remove() is
called shortly after xhci_plat_probe() while xhci_alloc_virt_device has been called
but real_port has not been initialized in xhci_setup_addressable_virt_dev.
A simple process is as below:
	xhci_plat_probe()
               |
	usb_add_hcd()					xhci_plat_remove()
	       |						|
	find some device				usb_remove_hcd()
	       |						|
	hub_port_connect() -> usb_alloc_dev()		usb_disconnect()
	       |						|
	before hub_enable_device()			xhci_stop()
								|
							xhci_mem_cleanup()
								|
							xhci_free_virt_devices_depth_first()
								|
							real_port is 0 access xhci->rh_bw[vdev->real_port-1]

The problem came from https://bugs.96boards.org/show_bug.cgi?id=535
Also look at crbug.com/700041