From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Ming Lei <tom.leiming@gmail.com>,
David Brownell <dbrownell@users.sourceforge.net>,
Anand Gadiyar <gadiyar@ti.com>,
Mike Frysinger <vapier@gentoo.org>,
Sergei Shtylyov <sshtylyov@ru.mvista.com>,
Felipe Balbi <balbi@ti.com>
Subject: [08/66] usb: musb: gadget: fix kernel panic if using out ep with FIFO_TXRX style
Date: Fri, 22 Oct 2010 11:34:35 -0700 [thread overview]
Message-ID: <20101022183556.959789610@clark.site> (raw)
In-Reply-To: <20101022183711.GA23214@kroah.com>
2.6.32-stable review patch. If anyone has any objections, please let us know.
------------------
From: Ming Lei <tom.leiming@gmail.com>
commit bd2e74d657fc7d514881cc2117e323790b257914 upstream.
For shared fifo hw endpoint(with FIFO_TXRX style), only ep_in
field of musb_hw_ep is intialized in musb_g_init_endpoints, and
ep_out is not initialized, but musb_g_rx and rxstate may access
ep_out field of musb_hw_ep by the method below:
musb_ep = &musb->endpoints[epnum].ep_out
which can cause the kernel panic[1] below, this patch fixes the issue
by getting 'musb_ep' from '&musb->endpoints[epnum].ep_in' for shared fifo
endpoint.
[1], kernel panic
[root@OMAP3EVM /]# musb_interrupt 1583: ** IRQ peripheral usb0008 tx0000 rx4000
musb_stage0_irq 460: <== Power=f0, DevCtl=99, int_usb=0x8
musb_g_rx 772: <== (null), rxcsr 4007 ffffffe8
musb_g_rx 786: iso overrun on ffffffe8
Unable to handle kernel NULL pointer dereference at virtual address 00000008
pgd = c0004000
[00000008] *pgd=00000000
Internal error: Oops: 17 [#1] PREEMPT
last sysfs file: /sys/devices/platform/musb_hdrc/usb1/usb_device/usbdev1.1/dev
Modules linked in: g_zero
CPU: 0 Tainted: G W (2.6.35-rc6-gkh-wl+ #92)
PC is at musb_g_rx+0xfc/0x2ec
LR is at vprintk+0x3f4/0x458
pc : [<c02c07a4>] lr : [<c006ccb0>] psr: 20000193
sp : c760bd78 ip : c03c9d70 fp : c760bdbc
r10: 00000000 r9 : fa0ab1e0 r8 : 0000000e
r7 : c7e80158 r6 : ffffffe8 r5 : 00000001 r4 : 00004003
r3 : 00010003 r2 : c760bcd8 r1 : c03cd030 r0 : 0000002e
Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
Control: 10c5387d Table: 8778c019 DAC: 00000017
Process kmemleak (pid: 421, stack limit = 0xc760a2e8)
Stack: (0xc760bd78 to 0xc760c000)
bd60: ffffffe8 c04b1b58
bd80: ffffffe8 c7c01ac0 00000000 c7e80d24 c0084238 00000001 00000001 c7e80158
bda0: 0000000e 00000008 00000099 000000f0 c760be04 c760bdc0 c02bcd68 c02c06b4
bdc0: 00000099 00000008 00004000 c760bdd8 c03cc4f8 00000000 00000002 c7e80158
bde0: c7d2e300 60000193 c760a000 0000005c 00000000 00000000 c760be24 c760be08
be00: c02bcecc c02bc1ac c7d2e300 c7d2e300 0000005c c760a000 c760be54 c760be28
be20: c00ad698 c02bce6c 00000000 c7d2e300 c067c258 0000005c c067c294 00000001
be40: c760a000 00000000 c760be74 c760be58 c00af984 c00ad5fc 0000005c 00000000
be60: 00000000 00000002 c760be8c c760be78 c0039080 c00af8d0 ffffffff fa200000
be80: c760beec c760be90 c0039b6c c003900c 00000001 00000000 c7d1e240 00000000
bea0: 00000000 c068bae8 00000000 60000013 00000001 00000000 00000000 c760beec
bec0: c0064ecc c760bed8 c00ff7d0 c003a0a8 60000013 ffffffff 00000000 c068bae8
bee0: c760bf24 c760bef0 c00ff7d0 c0064ec4 00000001 00000000 c00ff700 00000000
bf00: c0087f00 00000000 60000013 c0d76a70 c0e23795 00000001 c760bf4c c760bf28
bf20: c00ffdd8 c00ff70c c068bb08 c068bae8 60000013 c0100938 c068bb30 00000000
bf40: c760bf84 c760bf50 c010014c c00ffd84 00000001 00000000 c010000c 00012c00
bf60: c7c33f04 00012c00 c7c33f04 00000000 c0100938 00000000 c760bf9c c760bf88
bf80: c01009a8 c0100018 c760bfa8 c7c33f04 c760bff4 c760bfa0 c0088000 c0100944
bfa0: c760bf98 00000000 00000000 00000001 dead4ead ffffffff ffffffff c08ba2bc
bfc0: 00000000 c049e7fa 00000000 c0087f70 c760bfd0 c760bfd0 c7c33f04 c0087f70
bfe0: c006f5e8 00000013 00000000 c760bff8 c006f5e8 c0087f7c 7f0004ff df2000ff
Backtrace:
[<c02c06a8>] (musb_g_rx+0x0/0x2ec) from [<c02bcd68>] (musb_interrupt+0xbc8/0xcc0)
[<c02bc1a0>] (musb_interrupt+0x0/0xcc0) from [<c02bcecc>] (generic_interrupt+0x6c/0x84)
[<c02bce60>] (generic_interrupt+0x0/0x84) from [<c00ad698>] (handle_IRQ_event+0xa8/0x1ec)
r7:c760a000 r6:0000005c r5:c7d2e300 r4:c7d2e300
[<c00ad5f0>] (handle_IRQ_event+0x0/0x1ec) from [<c00af984>] (handle_level_irq+0xc0/0x13c)
[<c00af8c4>] (handle_level_irq+0x0/0x13c) from [<c0039080>] (asm_do_IRQ+0x80/0xa0)
r7:00000002 r6:00000000 r5:00000000 r4:0000005c
[<c0039000>] (asm_do_IRQ+0x0/0xa0) from [<c0039b6c>] (__irq_svc+0x4c/0xb4)
Exception stack(0xc760be90 to 0xc760bed8)
be80: 00000001 00000000 c7d1e240 00000000
bea0: 00000000 c068bae8 00000000 60000013 00000001 00000000 00000000 c760beec
bec0: c0064ecc c760bed8 c00ff7d0 c003a0a8 60000013 ffffffff
r5:fa200000 r4:ffffffff
[<c0064eb8>] (sub_preempt_count+0x0/0x100) from [<c00ff7d0>] (find_and_get_object+0xd0/0x110)
r5:c068bae8 r4:00000000
[<c00ff700>] (find_and_get_object+0x0/0x110) from [<c00ffdd8>] (scan_block+0x60/0x104)
r8:00000001 r7:c0e23795 r6:c0d76a70 r5:60000013 r4:00000000
[<c00ffd78>] (scan_block+0x0/0x104) from [<c010014c>] (kmemleak_scan+0x140/0x484)
[<c010000c>] (kmemleak_scan+0x0/0x484) from [<c01009a8>] (kmemleak_scan_thread+0x70/0xcc)
r8:00000000 r7:c0100938 r6:00000000 r5:c7c33f04 r4:00012c00
[<c0100938>] (kmemleak_scan_thread+0x0/0xcc) from [<c0088000>] (kthread+0x90/0x98)
r5:c7c33f04 r4:c760bfa8
[<c0087f70>] (kthread+0x0/0x98) from [<c006f5e8>] (do_exit+0x0/0x684)
r7:00000013 r6:c006f5e8 r5:c0087f70 r4:c7c33f04
Code: e3002312 e58d6000 e2833e16 eb0422d5 (e5963020)
---[ end trace f3d5e96f75c297b7 ]---
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Reviewed-by: Sergei Shtylyov <sshtylyov@mvista.com>
Cc: David Brownell <dbrownell@users.sourceforge.net>
Cc: Anand Gadiyar <gadiyar@ti.com>
Cc: Mike Frysinger <vapier@gentoo.org>
Cc: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/musb/musb_gadget.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -577,11 +577,19 @@ static void rxstate(struct musb *musb, s
{
const u8 epnum = req->epnum;
struct usb_request *request = &req->request;
- struct musb_ep *musb_ep = &musb->endpoints[epnum].ep_out;
+ struct musb_ep *musb_ep;
void __iomem *epio = musb->endpoints[epnum].regs;
unsigned fifo_count = 0;
- u16 len = musb_ep->packet_sz;
+ u16 len;
u16 csr = musb_readw(epio, MUSB_RXCSR);
+ struct musb_hw_ep *hw_ep = &musb->endpoints[epnum];
+
+ if (hw_ep->is_shared_fifo)
+ musb_ep = &hw_ep->ep_in;
+ else
+ musb_ep = &hw_ep->ep_out;
+
+ len = musb_ep->packet_sz;
/* We shouldn't get here while DMA is active, but we do... */
if (dma_channel_status(musb_ep->dma) == MUSB_DMA_STATUS_BUSY) {
@@ -749,9 +757,15 @@ void musb_g_rx(struct musb *musb, u8 epn
u16 csr;
struct usb_request *request;
void __iomem *mbase = musb->mregs;
- struct musb_ep *musb_ep = &musb->endpoints[epnum].ep_out;
+ struct musb_ep *musb_ep;
void __iomem *epio = musb->endpoints[epnum].regs;
struct dma_channel *dma;
+ struct musb_hw_ep *hw_ep = &musb->endpoints[epnum];
+
+ if (hw_ep->is_shared_fifo)
+ musb_ep = &hw_ep->ep_in;
+ else
+ musb_ep = &hw_ep->ep_out;
musb_ep_select(mbase, epnum);
next prev parent reply other threads:[~2010-10-22 18:54 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-22 18:37 [00/66] 2.6.32.25-stable review Greg KH
2010-10-22 18:34 ` [01/66] x86, cpu: After uncapping CPUID, re-run CPU feature detection Greg KH
2010-10-22 18:34 ` [02/66] ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory Greg KH
2010-10-22 18:34 ` [03/66] ALSA: oxygen: fix analog capture on Claro halo cards Greg KH
2010-10-22 18:34 ` [04/66] ALSA: hda - Add Dell Latitude E6400 model quirk Greg KH
2010-10-22 18:34 ` [05/66] ALSA: prevent heap corruption in snd_ctl_new() Greg KH
2010-10-22 18:34 ` [06/66] ALSA: rawmidi: fix oops (use after free) when unloading a driver module Greg KH
2010-10-22 18:34 ` [07/66] USB: fix bug in initialization of interface minor numbers Greg KH
2010-10-22 18:34 ` Greg KH [this message]
2010-10-22 18:34 ` [09/66] usb: musb: gadget: restart request on clearing endpoint halt Greg KH
2010-10-22 18:34 ` [10/66] oprofile: Add Support for Intel CPU Family 6 / Model 29 Greg KH
2010-10-22 18:34 ` [11/66] RDMA/cxgb3: Turn off RX coalescing for iWARP connections Greg KH
2010-10-22 18:34 ` [12/66] mmc: sdhci-s3c: fix NULL ptr access in sdhci_s3c_remove Greg KH
2010-10-22 18:34 ` [13/66] x86/amd-iommu: Set iommu configuration flags in enable-loop Greg KH
2010-10-22 18:34 ` [14/66] x86/amd-iommu: Fix rounding-bug in __unmap_single Greg KH
2010-10-22 18:34 ` [15/66] x86/amd-iommu: Work around S3 BIOS bug Greg KH
2010-10-22 18:34 ` [16/66] tracing/x86: Dont use mcount in pvclock.c Greg KH
2010-10-22 18:34 ` [17/66] tracing/x86: Dont use mcount in kvmclock.c Greg KH
2010-10-22 18:34 ` [18/66] v4l1: fix 32-bit compat microcode loading translation Greg KH
2010-10-22 18:34 ` [19/66] V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0) Greg KH
2010-10-22 18:34 ` [20/66] V4L/DVB (13966): DVB-T regression fix for saa7134 cards Greg KH
2010-10-22 18:34 ` [21/66] Input: joydev - fix JSIOCSAXMAP ioctl Greg KH
2010-10-22 18:34 ` [22/66] x86, hpet: Fix bogus error check in hpet_assign_irq() Greg KH
2010-10-22 18:34 ` [23/66] x86, irq: Plug memory leak in sparse irq Greg KH
2010-10-22 18:34 ` [24/66] ubd: fix incorrect sector handling during request restart Greg KH
2010-10-22 18:34 ` [25/66] ring-buffer: Fix typo of time extends per page Greg KH
2010-10-22 18:34 ` [26/66] dmaengine: fix interrupt clearing for mv_xor Greg KH
2010-10-22 18:34 ` [27/66] hrtimer: Preserve timer state in remove_hrtimer() Greg KH
2010-10-22 18:34 ` [28/66] i2c-pca: Fix waitforcompletion() return value Greg KH
2010-10-22 18:34 ` [29/66] ocfs2: Dont walk off the end of fast symlinks Greg KH
2010-10-22 18:34 ` [30/66] wext: fix potential private ioctl memory content leak Greg KH
2010-10-22 18:34 ` [31/66] atl1: fix resume Greg KH
2010-10-22 18:34 ` [32/66] x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order Greg KH
2010-10-22 18:35 ` [33/66] De-pessimize rds_page_copy_user Greg KH
2010-10-22 18:35 ` [34/66] drm/radeon: fix PCI ID 5657 to be an RV410 Greg KH
2010-10-22 18:35 ` [35/66] xfrm4: strip ECN and IP Precedence bits in policy lookup Greg KH
2010-10-22 18:35 ` [36/66] tcp: Fix >4GB writes on 64-bit Greg KH
2010-10-22 18:35 ` [37/66] net: Fix the condition passed to sk_wait_event() Greg KH
2010-10-22 18:35 ` [38/66] Phonet: Correct header retrieval after pskb_may_pull Greg KH
2010-10-22 18:35 ` [39/66] net: Fix IPv6 PMTU disc. w/ asymmetric routes Greg KH
2010-10-22 18:35 ` [40/66] ip: fix truesize mismatch in ip fragmentation Greg KH
2010-10-22 18:35 ` [41/66] net: clear heap allocations for privileged ethtool actions Greg KH
2010-10-22 18:35 ` [42/66] tcp: Fix race in tcp_poll Greg KH
2010-10-22 18:35 ` [43/66] netxen: dont set skb->truesize Greg KH
2010-10-22 18:35 ` [44/66] rose: Fix signedness issues wrt. digi count Greg KH
2010-10-22 18:35 ` [45/66] net: blackhole route should always be recalculated Greg KH
2010-10-22 18:35 ` [46/66] skge: add quirk to limit DMA Greg KH
2010-10-22 18:35 ` [47/66] r8169: allocate with GFP_KERNEL flag when able to sleep Greg KH
2010-10-22 18:35 ` [48/66] [SCSI] bsg: fix incorrect device_status value Greg KH
2010-10-22 18:35 ` [49/66] r6040: fix r6040_multicast_list Greg KH
2010-10-22 18:35 ` [50/66] r6040: Fix multicast list iteration when hash filter is used Greg KH
2010-10-22 18:35 ` [51/66] powerpc: Initialise paca->kstack before early_setup_secondary Greg KH
2010-10-22 18:35 ` [52/66] powerpc: Dont use kernel stack with translation off Greg KH
2010-10-22 18:35 ` [53/66] b44: fix carrier detection on bind Greg KH
2010-10-22 18:35 ` [54/66] ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume Greg KH
2010-10-22 18:35 ` [55/66] intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang Greg KH
2010-10-22 18:35 ` [56/66] ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355 Greg KH
2010-10-22 18:35 ` [57/66] ACPI: delete ZEPTO idle=nomwait DMI quirk Greg KH
2010-10-22 18:35 ` [58/66] ACPI: Disable Windows Vista compatibility for Toshiba P305D Greg KH
2010-10-22 18:35 ` [59/66] x86: detect scattered cpuid features earlier Greg KH
2010-10-22 18:35 ` [60/66] fix 2.6.32.23 suspend regression caused by commit 6f6198a Greg KH
2010-10-22 18:35 ` [61/66] setup_arg_pages: diagnose excessive argument size Greg KH
2010-10-22 18:35 ` [62/66] execve: improve interactivity with large arguments Greg KH
2010-10-22 18:35 ` [63/66] execve: make responsive to SIGKILL " Greg KH
2010-10-22 18:35 ` [64/66] Phonet: disable network namespace support Greg KH
2010-10-22 21:22 ` Ben Hutchings
2010-10-25 7:43 ` Rémi Denis-Courmont
2010-10-22 18:35 ` [65/66] mm: Move vma_stack_continue into mm.h Greg KH
2010-10-22 18:35 ` [66/66] drivers/hwmon/coretemp.c: detect the thermal sensors by CPUID Greg KH
2010-10-23 9:27 ` Jean Delvare
2010-10-23 16:06 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101022183556.959789610@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=balbi@ti.com \
--cc=dbrownell@users.sourceforge.net \
--cc=gadiyar@ti.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sshtylyov@ru.mvista.com \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=tom.leiming@gmail.com \
--cc=torvalds@linux-foundation.org \
--cc=vapier@gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).