* [PATCH] fix panic at pwq_activate_delayed_work.
@ 2018-08-01 10:14 ` He, Bo
  0 siblings, 0 replies; 2+ messages in thread
From: He, Bo @ 2018-08-01 10:14 UTC (permalink / raw)
  To: linux-usb, linux-kernel
  Cc: balbi, gregkh, jackp, plr.vincent, Zhang, Yanmin, Zhang, Jun, Bai, Jie A

The kernel panic is a regression from the patch:
usb: gadget: ffs: Fix BUG when userland exits with submitted AIO transfers

the kernel panic is followed the list corrupt warning:
WARNING: CPU: 0 PID: 1430 at ../../../../../../kernel/4.14/lib/list_debug.c:28 __list_add_valid+0x53/0x80
Workqueue: adb ffs_aio_cancel_worker
task: ffff880076ebe080 task.stack: ffffc90001864000
RIP: 0010:__list_add_valid+0x53/0x80
Call Trace:
insert_work+0x51/0xc0
__queue_work+0x10e/0x430
queue_work_on+0x71/0x80
ffs_epfile_async_io_complete+0x4b/0x50
usb_gadget_giveback_request+0x29/0x90
dwc3_gadget_giveback+0x3a/0x50 [dwc3]
dwc3_gadget_ep_dequeue+0x92/0x300 [dwc3]
usb_ep_dequeue+0x23/0x90
ffs_aio_cancel_worker+0x16/0x20
process_one_work+0x186/0x3e0
worker_thread+0x3d/0x3b0
kthread+0x132/0x150
ret_from_fork+0x3a/0x50

The root cause is a race between ffs_epfile_async_io_complete()
and ffs_aio_cancel() when they queue work on ffs->io_completion_wq.

ffs_epfile_async_io_complete() is safe to hold the eps_lock
with the below backtrace:
ffs_epfile_async_io_complete+0x25/0x70
usb_gadget_giveback_request+0x29/0x90
dwc3_gadget_giveback+0x3a/0x50 [dwc3]
__dwc3_gadget_ep_disable+0x5c/0x270 [dwc3]
dwc3_gadget_ep_disable+0x42/0xf0 [dwc3]
usb_ep_disable+0x24/0xa0
ffs_func_eps_disable.isra.15+0x5f/0xb0

The patch adds eps_lock to protect the io_completion_wq in ffs_aio_cancel.

Signed-off-by: he, bo <bo.he@intel.com>
Signed-off-by: Bai, Jie A <jie.a.bai@intel.com>

---
 drivers/usb/gadget/function/f_fs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 3ada83d..45ade26 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1091,6 +1091,8 @@ static int ffs_aio_cancel(struct kiocb *kiocb)
 
 	ENTER();
 
+	spin_lock_irq(&ffs->eps_lock);
+
 	if (likely(io_data && io_data->ep && io_data->req)) {
 		INIT_WORK(&io_data->cancellation_work, ffs_aio_cancel_worker);
 		queue_work(ffs->io_completion_wq, &io_data->cancellation_work);
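Review bot: queue_work() already serialises concurrent callers on one workqueue, so taking ffs->eps_lock around `queue_work(ffs->io_completion_wq, &io_data->cancellation_work)` only helps if the object being corrupted is io_data->cancellation_work itself, which INIT_WORK() re-initialises on every call. The first trace in the commit message reaches ffs_epfile_async_io_complete() from ffs_aio_cancel_worker via usb_ep_dequeue(), and nothing in this patch shows that path holding eps_lock. Please state in the changelog which two callers touch the same work item and confirm that both of them run under the lock.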
@@ -1099,6 +1101,8 @@ static int ffs_aio_cancel(struct kiocb *kiocb)
 		value = -EINVAL;
 	}
 
+	spin_unlock_irq(&ffs->eps_lock);
+
 	return value;
 }
 
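Review bot: spin_unlock_irq(&ffs->eps_lock) ahead of `return value;` re-enables interrupts unconditionally, which is wrong if ffs_aio_cancel() is ever entered with interrupts already disabled, for example from a caller that holds its own irq-disabling spinlock around the kiocb cancel callback. Use spin_lock_irqsave()/spin_unlock_irqrestore() with a local flags variable, unless the changelog can show that every caller runs with interrupts enabled.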
-- 
2.7.4



