From: Michal Nazarewicz
To: Chen Yu, Felipe Balbi, gregkh@linuxfoundation.org
Cc: wangbinghui@hisilicon.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, John Stultz, Amit Pundir, Guodong Xu
Subject: Re: BUG: scheduling while atomic in f_fs when gadget remove driver
In-Reply-To: <261ada71-8a5d-6e89-7fac-6b6ba88218d7@huawei.com>
Organization: http://mina86.com/
References: <205cfce1-d54c-262d-f939-ad9f37b0c52c@huawei.com> <878tud4q6x.fsf@linux.intel.com> <261ada71-8a5d-6e89-7fac-6b6ba88218d7@huawei.com>
Date: Wed, 28 Sep 2016 18:31:55 +0200

On Wed, Sep 28 2016, Chen Yu wrote:
> I will try to fix it, but I'm engaged in other tasks and can not spend
> much time on it.
>
> Do you have any suggestions about how to fix it?

epfile->ep is protected by ffs->eps_lock which brings us to realisation
that there is another bug in the code and we need to do this:

------- >8 ------------------------------------------------------------- >>From 0ce6cc5e2440800243eff06c6952cba0f976da2f Mon Sep 17 00:00:00 2001 From: Michal Nazarewicz Date: Wed, 28 Sep 2016 18:10:42 +0200 Subject: [PATCH] usb: gadget: f_fs: edit epfile->ep under lock epfile->ep is protected by ffs->eps_lock (not epfile->mutex) so clear it while holding the spin lock. Signed-off-by: Michal Nazarewicz Fixes: 9353afbbfa7b ("buffer data from ‘oversized’ OUT requests") --- drivers/usb/gadget/function/f_fs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 0aeed85..759f5d4 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c 
@@ -1725,17 +1725,17 @@ static void ffs_func_eps_disable(struct ffs_function *func) unsigned long flags; do { - if (epfile) - mutex_lock(&epfile->mutex); spin_lock_irqsave(&func->ffs->eps_lock, flags); /* pending requests get nuked */ if (likely(ep->ep)) usb_ep_disable(ep->ep); ++ep; + if (epfile) + epfile->ep = NULL; spin_unlock_irqrestore(&func->ffs->eps_lock, flags); if (epfile) { - epfile->ep = NULL; + mutex_lock(&epfile->mutex); kfree(epfile->read_buffer); epfile->read_buffer = NULL; mutex_unlock(&epfile->mutex); ------- >8 ------------------------------------------------------------- With that done, the only thing which needs a mutex is epfile->read_buffer. The read_buffer pointer shouldn’t be that big of an issue (it could be protected by the same eps_lock). The real problem is freeing the memory. We cannot do it while __ffs_epfile_read_buffered is reading data from it. We cannot blindly schedule it to happen later either since in the meanwhile __ffs_epfile_read_buffered could have freed it. -- Best regards ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ «If at first you don’t succeed, give up skydiving»
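Review bot: the mutex_lock(&epfile->mutex) that this hunk moves into the `if (epfile) {` block after spin_unlock_irqrestore() is still a sleeping lock inside ffs_func_eps_disable(), so a caller that reaches this function in atomic context will still hit the "scheduling while atomic" report named in the thread subject. The commit message only says that epfile->ep is now cleared under ffs->eps_lock; it should also state that the mutex around kfree(epfile->read_buffer) remains and that the sleeping-in-atomic problem is left for a follow-up, so nobody backporting this via the Fixes: tag assumes the BUG is resolved. A short comment above `epfile->ep = NULL;` saying that the field is guarded by eps_lock, not epfile->mutex, would also keep the two locks' responsibilities clear for the next reader.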