stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] usb: mtu3: fix panic in mtu3_gadget_disconnect()
@ 2020-07-31  6:36 Macpaul Lin
  2020-07-31  8:57 ` [PATCH v2] " Macpaul Lin
  0 siblings, 1 reply; 8+ messages in thread
From: Macpaul Lin @ 2020-07-31  6:36 UTC (permalink / raw)
  To: Chunfeng Yun, Eddie Hung, Greg Kroah-Hartman, Matthias Brugger,
	linux-usb, linux-arm-kernel, linux-mediatek, linux-kernel
  Cc: Mediatek WSD Upstream, Macpaul Lin, Macpaul Lin, stable

This patch fixes a possible issue when mtu3_gadget_stop()
already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect().

Backtrace:
[<ffffff9008161974>] notifier_call_chain+0xa4/0x128
[<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138
[<ffffff9008162ec0>] notify_die+0xb0/0x120
[<ffffff900809e340>] die+0x1f8/0x5d0
[<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280
[<ffffff90080d04dc>] do_bad_area+0x44/0x140
[<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90
[<ffffff9008080a78>] do_mem_abort+0xb8/0x258
[<ffffff90080849d0>] el1_da+0x24/0x3c
[<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128
[<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18
[<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0
[<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138
[<ffffff90082acc44>] handle_irq_event+0xac/0x148
[<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568
[<ffffff90082a8708>] generic_handle_irq+0x48/0x68
[<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740
[<ffffff90080819f4>] gic_handle_irq+0x14c/0x250
[<ffffff9008084cec>] el1_irq+0xec/0x194
[<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0
[<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238
[<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0
[<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270
[<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148
[<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0
[<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0
[<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460
[<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68
[<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878
[<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8
[<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898
[<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108
[<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580
[<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0
[<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920
[<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820
[<ffffff900863c754>] SyS_ioctl+0x8c/0xa0

Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Cc: stable@vger.kernel.org
---
 drivers/usb/mtu3/mtu3_gadget.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index 68ea4395f871..f20fb83b3239 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -843,7 +843,12 @@ void mtu3_gadget_disconnect(struct mtu3 *mtu)
 	dev_dbg(mtu->dev, "gadget DISCONNECT\n");
 	if (mtu->gadget_driver && mtu->gadget_driver->disconnect) {
 		spin_unlock(&mtu->lock);
-		mtu->gadget_driver->disconnect(&mtu->g);
+		/*
+		 * avoid kernel panic because mtu3_gadget_stop() assigned NULL
+		 * to mtu->gadget_driver.
+		 */
+		if (mtu->gadget_driver && mtu->gadget_driver->disconnect)
+			mtu->gadget_driver->disconnect(&mtu->g);
 		spin_lock(&mtu->lock);
 	}
 
-- 
2.18.0

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [PATCH v2] usb: mtu3: fix panic in mtu3_gadget_disconnect()
  2020-07-31  6:36 [PATCH] usb: mtu3: fix panic in mtu3_gadget_disconnect() Macpaul Lin
@ 2020-07-31  8:57 ` Macpaul Lin
  2020-07-31 14:22   ` Alan Stern
  2020-08-27  9:22   ` [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() Macpaul Lin
  0 siblings, 2 replies; 8+ messages in thread
From: Macpaul Lin @ 2020-07-31  8:57 UTC (permalink / raw)
  To: Chunfeng Yun, Eddie Hung, Greg Kroah-Hartman, Matthias Brugger,
	linux-usb, linux-arm-kernel, linux-mediatek, linux-kernel
  Cc: Mediatek WSD Upstream, Macpaul Lin, Macpaul Lin, stable

This patch fixes a possible issue when mtu3_gadget_stop()
already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect().

[<ffffff9008161974>] notifier_call_chain+0xa4/0x128
[<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138
[<ffffff9008162ec0>] notify_die+0xb0/0x120
[<ffffff900809e340>] die+0x1f8/0x5d0
[<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280
[<ffffff90080d04dc>] do_bad_area+0x44/0x140
[<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90
[<ffffff9008080a78>] do_mem_abort+0xb8/0x258
[<ffffff90080849d0>] el1_da+0x24/0x3c
[<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128
[<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18
[<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0
[<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138
[<ffffff90082acc44>] handle_irq_event+0xac/0x148
[<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568
[<ffffff90082a8708>] generic_handle_irq+0x48/0x68
[<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740
[<ffffff90080819f4>] gic_handle_irq+0x14c/0x250
[<ffffff9008084cec>] el1_irq+0xec/0x194
[<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0
[<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238
[<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0
[<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270
[<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148
[<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0
[<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0
[<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460
[<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68
[<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878
[<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8
[<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898
[<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108
[<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580
[<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0
[<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920
[<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820
[<ffffff900863c754>] SyS_ioctl+0x8c/0xa0

Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Cc: stable@vger.kernel.org
---
Changes for v2:
  - Check mtu_gadget_driver out of spin_lock might still not work.
    We use a temporary pointer to keep the callback function.

 drivers/usb/mtu3/mtu3_gadget.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index 68ea4395f871..40cb6626f496 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -840,10 +840,17 @@ void mtu3_gadget_suspend(struct mtu3 *mtu)
 /* called when VBUS drops below session threshold, and in other cases */
 void mtu3_gadget_disconnect(struct mtu3 *mtu)
 {
+	struct usb_gadget_driver *driver;
+
 	dev_dbg(mtu->dev, "gadget DISCONNECT\n");
 	if (mtu->gadget_driver && mtu->gadget_driver->disconnect) {
+		driver = mtu->gadget_driver;
 		spin_unlock(&mtu->lock);
-		mtu->gadget_driver->disconnect(&mtu->g);
+		/*
+		 * avoid kernel panic because mtu3_gadget_stop() assigned NULL
+		 * to mtu->gadget_driver.
+		 */
+		driver->disconnect(&mtu->g);
 		spin_lock(&mtu->lock);
 	}
 
-- 
2.18.0

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] usb: mtu3: fix panic in mtu3_gadget_disconnect()
  2020-07-31  8:57 ` [PATCH v2] " Macpaul Lin
@ 2020-07-31 14:22   ` Alan Stern
  2020-08-27  9:22   ` [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() Macpaul Lin
  1 sibling, 0 replies; 8+ messages in thread
From: Alan Stern @ 2020-07-31 14:22 UTC (permalink / raw)
  To: Macpaul Lin
  Cc: Chunfeng Yun, Eddie Hung, Greg Kroah-Hartman, Matthias Brugger,
	linux-usb, linux-arm-kernel, linux-mediatek, linux-kernel,
	Mediatek WSD Upstream, Macpaul Lin, stable

On Fri, Jul 31, 2020 at 04:57:58PM +0800, Macpaul Lin wrote:
> This patch fixes a possible issue when mtu3_gadget_stop()
> already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect().

> 
> Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
> Cc: stable@vger.kernel.org
> ---
> Changes for v2:
>   - Check mtu_gadget_driver out of spin_lock might still not work.
>     We use a temporary pointer to keep the callback function.
> 
>  drivers/usb/mtu3/mtu3_gadget.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
> index 68ea4395f871..40cb6626f496 100644
> --- a/drivers/usb/mtu3/mtu3_gadget.c
> +++ b/drivers/usb/mtu3/mtu3_gadget.c
> @@ -840,10 +840,17 @@ void mtu3_gadget_suspend(struct mtu3 *mtu)
>  /* called when VBUS drops below session threshold, and in other cases */
>  void mtu3_gadget_disconnect(struct mtu3 *mtu)
>  {
> +	struct usb_gadget_driver *driver;
> +
>  	dev_dbg(mtu->dev, "gadget DISCONNECT\n");
>  	if (mtu->gadget_driver && mtu->gadget_driver->disconnect) {
> +		driver = mtu->gadget_driver;
>  		spin_unlock(&mtu->lock);
> -		mtu->gadget_driver->disconnect(&mtu->g);
> +		/*
> +		 * avoid kernel panic because mtu3_gadget_stop() assigned NULL
> +		 * to mtu->gadget_driver.
> +		 */
> +		driver->disconnect(&mtu->g);
>  		spin_lock(&mtu->lock);
>  	}

This is not the right approach; it might race with the gadget driver 
unregistering itself.

Instead, mtu3_gadget_stop() should call synchronize_irq() after 
releasing the IRQ line.  When synchronize_irq() returns, you'll know any 
IRQ handlers have finished running, so you won't receive any more 
disconnect notifications.  Then it will be safe to acquire the spinlock 
and set mtu->gadget_driver to NULL.

Alan Stern

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop()
  2020-07-31  8:57 ` [PATCH v2] " Macpaul Lin
  2020-07-31 14:22   ` Alan Stern
@ 2020-08-27  9:22   ` Macpaul Lin
  2020-08-27 13:03     ` Felipe Balbi
  2020-08-27 14:42     ` [PATCH v4] " Macpaul Lin
  1 sibling, 2 replies; 8+ messages in thread
From: Macpaul Lin @ 2020-08-27  9:22 UTC (permalink / raw)
  To: Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger, linux-usb,
	linux-arm-kernel, linux-mediatek
  Cc: Ainge Hsu, Eddie Hung, Mediatek WSD Upstream, Macpaul Lin,
	Macpaul Lin, linux-kernel, stable

This patch fixes a possible issue when mtu3_gadget_stop()
already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect().

[<ffffff9008161974>] notifier_call_chain+0xa4/0x128
[<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138
[<ffffff9008162ec0>] notify_die+0xb0/0x120
[<ffffff900809e340>] die+0x1f8/0x5d0
[<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280
[<ffffff90080d04dc>] do_bad_area+0x44/0x140
[<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90
[<ffffff9008080a78>] do_mem_abort+0xb8/0x258
[<ffffff90080849d0>] el1_da+0x24/0x3c
[<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128
[<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18
[<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0
[<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138
[<ffffff90082acc44>] handle_irq_event+0xac/0x148
[<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568
[<ffffff90082a8708>] generic_handle_irq+0x48/0x68
[<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740
[<ffffff90080819f4>] gic_handle_irq+0x14c/0x250
[<ffffff9008084cec>] el1_irq+0xec/0x194
[<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0
[<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238
[<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0
[<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270
[<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148
[<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0
[<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0
[<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460
[<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68
[<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878
[<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8
[<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898
[<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108
[<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580
[<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0
[<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920
[<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820
[<ffffff900863c754>] SyS_ioctl+0x8c/0xa0

Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Cc: stable@vger.kernel.org
---
Changes for v3:
  - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering
    callback function in mtu3_gadget_disconnect().
    Thanks for Alan's suggestion.

Changes for v2:
  - Check mtu_gadget_driver out of spin_lock might still not work.
    We use a temporary pointer to remember the callback function.

 drivers/usb/mtu3/mtu3_gadget.c |    1 +
 1 file changed, 1 insertions(+)

diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index 1de5c9a..1ab3d3a 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g)
 
 	spin_unlock_irqrestore(&mtu->lock, flags);
 
+	synchronize_irq(mtu->irq);
 	return 0;
 }
 
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop()
  2020-08-27  9:22   ` [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() Macpaul Lin
@ 2020-08-27 13:03     ` Felipe Balbi
  2020-08-27 14:42     ` [PATCH v4] " Macpaul Lin
  1 sibling, 0 replies; 8+ messages in thread
From: Felipe Balbi @ 2020-08-27 13:03 UTC (permalink / raw)
  To: Macpaul Lin, Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger,
	linux-usb, linux-arm-kernel, linux-mediatek
  Cc: Ainge Hsu, Eddie Hung, Mediatek WSD Upstream, Macpaul Lin,
	Macpaul Lin, linux-kernel, stable

[-- Attachment #1: Type: text/plain, Size: 2326 bytes --]

Macpaul Lin <macpaul.lin@mediatek.com> writes:

> This patch fixes a possible issue when mtu3_gadget_stop()
> already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect().
>
> [<ffffff9008161974>] notifier_call_chain+0xa4/0x128
> [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138
> [<ffffff9008162ec0>] notify_die+0xb0/0x120
> [<ffffff900809e340>] die+0x1f8/0x5d0
> [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280
> [<ffffff90080d04dc>] do_bad_area+0x44/0x140
> [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90
> [<ffffff9008080a78>] do_mem_abort+0xb8/0x258
> [<ffffff90080849d0>] el1_da+0x24/0x3c
> [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128
> [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18
> [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0
> [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138
> [<ffffff90082acc44>] handle_irq_event+0xac/0x148
> [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568
> [<ffffff90082a8708>] generic_handle_irq+0x48/0x68
> [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740
> [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250
> [<ffffff9008084cec>] el1_irq+0xec/0x194
> [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0
> [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238
> [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0
> [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270
> [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148
> [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0
> [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0
> [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460
> [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68
> [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878
> [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8
> [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898
> [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108
> [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580
> [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0
> [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920
> [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820
> [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0
>
> Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
> Cc: stable@vger.kernel.org

missing a Fixes: line here

-- 
balbi

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 857 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop()
  2020-08-27  9:22   ` [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() Macpaul Lin
  2020-08-27 13:03     ` Felipe Balbi
@ 2020-08-27 14:42     ` Macpaul Lin
  2020-08-31  1:50       ` Chunfeng Yun
  2020-11-06  5:54       ` [RESEND PATCH " Macpaul Lin
  1 sibling, 2 replies; 8+ messages in thread
From: Macpaul Lin @ 2020-08-27 14:42 UTC (permalink / raw)
  To: Alan Stern, Felipe Balbi, Chunfeng Yun, Greg Kroah-Hartman,
	Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek
  Cc: Ainge Hsu, Eddie Hung, Mediatek WSD Upstream, Macpaul Lin,
	Macpaul Lin, linux-kernel, stable

This patch fixes a possible issue when mtu3_gadget_stop()
already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect().

[<ffffff9008161974>] notifier_call_chain+0xa4/0x128
[<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138
[<ffffff9008162ec0>] notify_die+0xb0/0x120
[<ffffff900809e340>] die+0x1f8/0x5d0
[<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280
[<ffffff90080d04dc>] do_bad_area+0x44/0x140
[<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90
[<ffffff9008080a78>] do_mem_abort+0xb8/0x258
[<ffffff90080849d0>] el1_da+0x24/0x3c
[<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128
[<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18
[<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0
[<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138
[<ffffff90082acc44>] handle_irq_event+0xac/0x148
[<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568
[<ffffff90082a8708>] generic_handle_irq+0x48/0x68
[<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740
[<ffffff90080819f4>] gic_handle_irq+0x14c/0x250
[<ffffff9008084cec>] el1_irq+0xec/0x194
[<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0
[<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238
[<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0
[<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270
[<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148
[<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0
[<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0
[<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460
[<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68
[<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878
[<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8
[<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898
[<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108
[<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580
[<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0
[<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920
[<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820
[<ffffff900863c754>] SyS_ioctl+0x8c/0xa0

Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver")
Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Cc: stable@vger.kernel.org
---
Changes for v4:
  - Add a "Fixes:" line.  Thanks Felipe.
Changes for v3:
  - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering
    callback function in mtu3_gadget_disconnect().
    Thanks for Alan's suggestion.
Changes for v2:
  - Check mtu_gadget_driver out of spin_lock might still not work.
    We use a temporary pointer to remember the callback function.

 drivers/usb/mtu3/mtu3_gadget.c |    1 +
 1 file changed, 1 insertions(+)

diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index 1de5c9a..1ab3d3a 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g)
 
 	spin_unlock_irqrestore(&mtu->lock, flags);
 
+	synchronize_irq(mtu->irq);
 	return 0;
 }
 
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop()
  2020-08-27 14:42     ` [PATCH v4] " Macpaul Lin
@ 2020-08-31  1:50       ` Chunfeng Yun
  2020-11-06  5:54       ` [RESEND PATCH " Macpaul Lin
  1 sibling, 0 replies; 8+ messages in thread
From: Chunfeng Yun @ 2020-08-31  1:50 UTC (permalink / raw)
  To: Macpaul Lin
  Cc: Alan Stern, Felipe Balbi, Greg Kroah-Hartman, Matthias Brugger,
	linux-usb, linux-arm-kernel, linux-mediatek, Ainge Hsu,
	Eddie Hung, Mediatek WSD Upstream, Macpaul Lin, linux-kernel,
	stable

On Thu, 2020-08-27 at 22:42 +0800, Macpaul Lin wrote:
> This patch fixes a possible issue when mtu3_gadget_stop()
> already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect().
> 
> [<ffffff9008161974>] notifier_call_chain+0xa4/0x128
> [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138
> [<ffffff9008162ec0>] notify_die+0xb0/0x120
> [<ffffff900809e340>] die+0x1f8/0x5d0
> [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280
> [<ffffff90080d04dc>] do_bad_area+0x44/0x140
> [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90
> [<ffffff9008080a78>] do_mem_abort+0xb8/0x258
> [<ffffff90080849d0>] el1_da+0x24/0x3c
> [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128
> [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18
> [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0
> [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138
> [<ffffff90082acc44>] handle_irq_event+0xac/0x148
> [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568
> [<ffffff90082a8708>] generic_handle_irq+0x48/0x68
> [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740
> [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250
> [<ffffff9008084cec>] el1_irq+0xec/0x194
> [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0
> [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238
> [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0
> [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270
> [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148
> [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0
> [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0
> [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460
> [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68
> [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878
> [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8
> [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898
> [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108
> [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580
> [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0
> [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920
> [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820
> [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0
> 
> Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver")
> Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
> Cc: stable@vger.kernel.org
> ---
> Changes for v4:
>   - Add a "Fixes:" line.  Thanks Felipe.
> Changes for v3:
>   - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering
>     callback function in mtu3_gadget_disconnect().
>     Thanks for Alan's suggestion.
> Changes for v2:
>   - Check mtu_gadget_driver out of spin_lock might still not work.
>     We use a temporary pointer to remember the callback function.
> 
>  drivers/usb/mtu3/mtu3_gadget.c |    1 +
>  1 file changed, 1 insertions(+)
> 
> diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
> index 1de5c9a..1ab3d3a 100644
> --- a/drivers/usb/mtu3/mtu3_gadget.c
> +++ b/drivers/usb/mtu3/mtu3_gadget.c
> @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g)
>  
>  	spin_unlock_irqrestore(&mtu->lock, flags);
>  
> +	synchronize_irq(mtu->irq);
>  	return 0;
>  }
>  
Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com>

Thanks a lot




^ permalink raw reply	[flat|nested] 8+ messages in thread

* [RESEND PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop()
  2020-08-27 14:42     ` [PATCH v4] " Macpaul Lin
  2020-08-31  1:50       ` Chunfeng Yun
@ 2020-11-06  5:54       ` Macpaul Lin
  1 sibling, 0 replies; 8+ messages in thread
From: Macpaul Lin @ 2020-11-06  5:54 UTC (permalink / raw)
  To: Alan Stern, Felipe Balbi, Greg Kroah-Hartman, Matthias Brugger,
	Chunfeng Yun
  Cc: Ainge Hsu, Eddie Hung, Mediatek WSD Upstream, Macpaul Lin,
	Macpaul Lin, linux-kernel, linux-arm-kernel, linux-usb,
	linux-mediatek, stable

This patch fixes a possible issue when mtu3_gadget_stop()
already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect().

[<ffffff9008161974>] notifier_call_chain+0xa4/0x128
[<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138
[<ffffff9008162ec0>] notify_die+0xb0/0x120
[<ffffff900809e340>] die+0x1f8/0x5d0
[<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280
[<ffffff90080d04dc>] do_bad_area+0x44/0x140
[<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90
[<ffffff9008080a78>] do_mem_abort+0xb8/0x258
[<ffffff90080849d0>] el1_da+0x24/0x3c
[<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128
[<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18
[<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0
[<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138
[<ffffff90082acc44>] handle_irq_event+0xac/0x148
[<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568
[<ffffff90082a8708>] generic_handle_irq+0x48/0x68
[<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740
[<ffffff90080819f4>] gic_handle_irq+0x14c/0x250
[<ffffff9008084cec>] el1_irq+0xec/0x194
[<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0
[<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238
[<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0
[<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270
[<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148
[<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0
[<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0
[<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460
[<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68
[<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878
[<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8
[<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898
[<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108
[<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580
[<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0
[<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920
[<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820
[<ffffff900863c754>] SyS_ioctl+0x8c/0xa0

Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver")
Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Cc: stable@vger.kernel.org
---
RESEND for v4:
  - Resend this patch by plain-text instead of MTK IT's default (base64)
    outgoing SMTP settings.
  - Add Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Changes for v4:
  - Add a "Fixes:" line.  Thanks Felipe.
Changes for v3:
  - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering
    callback function in mtu3_gadget_disconnect().
    Thanks for Alan's suggestion.
Changes for v2:
  - Check mtu_gadget_driver out of spin_lock might still not work.
    We use a temporary pointer to remember the callback function.

 drivers/usb/mtu3/mtu3_gadget.c |    1 +
 1 file changed, 1 insertions(+)

diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index 1de5c9a..1ab3d3a 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g)
 
 	spin_unlock_irqrestore(&mtu->lock, flags);
 
+	synchronize_irq(mtu->irq);
 	return 0;
 }
 
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2020-11-06  5:54 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-31  6:36 [PATCH] usb: mtu3: fix panic in mtu3_gadget_disconnect() Macpaul Lin
2020-07-31  8:57 ` [PATCH v2] " Macpaul Lin
2020-07-31 14:22   ` Alan Stern
2020-08-27  9:22   ` [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() Macpaul Lin
2020-08-27 13:03     ` Felipe Balbi
2020-08-27 14:42     ` [PATCH v4] " Macpaul Lin
2020-08-31  1:50       ` Chunfeng Yun
2020-11-06  5:54       ` [RESEND PATCH " Macpaul Lin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).