From: tom.leiming@gmail.com
To: greg@kroah.com
Cc: linux-usb@vger.kernel.org, linux-omap@vger.kernel.org,
linux-kernel@vger.kernel.org, Ming Lei <tom.leiming@gmail.com>,
David Brownell <dbrownell@users.sourceforge.net>,
Felipe Balbi <me@felipebalbi.com>, Anand Gadiyar <gadiyar@ti.com>,
Mike Frysinger <vapier@gentoo.org>,
Sergei Shtylyov <sshtylyov@ru.mvista.com>,
stable <stable@kernel.org>
Subject: [RESEND/PATCH 1/6] USB: musb-gadget: fix kernel panic if using out ep with FIFO_TXRX style(v1)
Date: Tue, 7 Sep 2010 23:23:29 +0800
Message-ID: <1283873014-32511-2-git-send-email-tom.leiming@gmail.com>
In-Reply-To: <1283873014-32511-1-git-send-email-tom.leiming@gmail.com>
From: Ming Lei <tom.leiming@gmail.com>
For shared fifo hw endpoint (with FIFO_TXRX style), only ep_in
field of musb_hw_ep is initialized in musb_g_init_endpoints, and
ep_out is not initialized, but musb_g_rx and rxstate may access
ep_out field of musb_hw_ep by the method below:

	musb_ep = &musb->endpoints[epnum].ep_out

which can cause the kernel panic[1] below. This patch fixes the issue
by getting 'musb_ep' from '&musb->endpoints[epnum].ep_in' for shared fifo
endpoint.
[1], kernel panic
[root@OMAP3EVM /]# musb_interrupt 1583: ** IRQ peripheral usb0008 tx0000 rx4000
musb_stage0_irq 460: <== Power=f0, DevCtl=99, int_usb=0x8
musb_g_rx 772: <== (null), rxcsr 4007 ffffffe8
musb_g_rx 786: iso overrun on ffffffe8
Unable to handle kernel NULL pointer dereference at virtual address 00000008
pgd = c0004000
[00000008] *pgd=00000000
Internal error: Oops: 17 [#1] PREEMPT
last sysfs file: /sys/devices/platform/musb_hdrc/usb1/usb_device/usbdev1.1/dev
Modules linked in: g_zero
CPU: 0 Tainted: G W (2.6.35-rc6-gkh-wl+ #92)
PC is at musb_g_rx+0xfc/0x2ec
LR is at vprintk+0x3f4/0x458
pc : [<c02c07a4>] lr : [<c006ccb0>] psr: 20000193
sp : c760bd78 ip : c03c9d70 fp : c760bdbc
r10: 00000000 r9 : fa0ab1e0 r8 : 0000000e
r7 : c7e80158 r6 : ffffffe8 r5 : 00000001 r4 : 00004003
r3 : 00010003 r2 : c760bcd8 r1 : c03cd030 r0 : 0000002e
Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
Control: 10c5387d Table: 8778c019 DAC: 00000017
Process kmemleak (pid: 421, stack limit = 0xc760a2e8)
Stack: (0xc760bd78 to 0xc760c000)
Backtrace:
[<c02c06a8>] (musb_g_rx+0x0/0x2ec) from [<c02bcd68>] (musb_interrupt+0xbc8/0xcc0)
[<c02bc1a0>] (musb_interrupt+0x0/0xcc0) from [<c02bcecc>] (generic_interrupt+0x6c/0x84)
[<c02bce60>] (generic_interrupt+0x0/0x84) from [<c00ad698>] (handle_IRQ_event+0xa8/0x1ec)
r7:c760a000 r6:0000005c r5:c7d2e300 r4:c7d2e300
[<c00ad5f0>] (handle_IRQ_event+0x0/0x1ec) from [<c00af984>] (handle_level_irq+0xc0/0x13c)
[<c00af8c4>] (handle_level_irq+0x0/0x13c) from [<c0039080>] (asm_do_IRQ+0x80/0xa0)
r7:00000002 r6:00000000 r5:00000000 r4:0000005c
[<c0039000>] (asm_do_IRQ+0x0/0xa0) from [<c0039b6c>] (__irq_svc+0x4c/0xb4)
Exception stack(0xc760be90 to 0xc760bed8)
be80: 00000001 00000000 c7d1e240 00000000
bea0: 00000000 c068bae8 00000000 60000013 00000001 00000000 00000000 c760beec
bec0: c0064ecc c760bed8 c00ff7d0 c003a0a8 60000013 ffffffff
r5:fa200000 r4:ffffffff
[<c0064eb8>] (sub_preempt_count+0x0/0x100) from [<c00ff7d0>] (find_and_get_object+0xd0/0x110)
r5:c068bae8 r4:00000000
[<c00ff700>] (find_and_get_object+0x0/0x110) from [<c00ffdd8>] (scan_block+0x60/0x104)
r8:00000001 r7:c0e23795 r6:c0d76a70 r5:60000013 r4:00000000
[<c00ffd78>] (scan_block+0x0/0x104) from [<c010014c>] (kmemleak_scan+0x140/0x484)
[<c010000c>] (kmemleak_scan+0x0/0x484) from [<c01009a8>] (kmemleak_scan_thread+0x70/0xcc)
r8:00000000 r7:c0100938 r6:00000000 r5:c7c33f04 r4:00012c00
[<c0100938>] (kmemleak_scan_thread+0x0/0xcc) from [<c0088000>] (kthread+0x90/0x98)
r5:c7c33f04 r4:c760bfa8
[<c0087f70>] (kthread+0x0/0x98) from [<c006f5e8>] (do_exit+0x0/0x684)
r7:00000013 r6:c006f5e8 r5:c0087f70 r4:c7c33f04
Code: e3002312 e58d6000 e2833e16 eb0422d5 (e5963020)
---[ end trace f3d5e96f75c297b7 ]---
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Reviewed-by: Sergei Shtylyov <sshtylyov@mvista.com>
Cc: David Brownell <dbrownell@users.sourceforge.net>
Cc: Felipe Balbi <me@felipebalbi.com>
Cc: Anand Gadiyar <gadiyar@ti.com>
Cc: Mike Frysinger <vapier@gentoo.org>
Cc: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Cc: stable <stable@kernel.org>
---
drivers/usb/musb/musb_gadget.c | 20 +++++++++++++++++---
1 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
index 6fca870..de0ca90 100644
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -568,11 +568,19 @@ static void rxstate(struct musb *musb, struct musb_request *req)
{
const u8 epnum = req->epnum;
struct usb_request *request = &req->request;
- struct musb_ep *musb_ep = &musb->endpoints[epnum].ep_out;
+ struct musb_ep *musb_ep;
void __iomem *epio = musb->endpoints[epnum].regs;
unsigned fifo_count = 0;
- u16 len = musb_ep->packet_sz;
+ u16 len;
u16 csr = musb_readw(epio, MUSB_RXCSR);
+ struct musb_hw_ep *hw_ep = &musb->endpoints[epnum];
+
+ if (hw_ep->is_shared_fifo)
+ musb_ep = &hw_ep->ep_in;
+ else
+ musb_ep = &hw_ep->ep_out;
+
+ len = musb_ep->packet_sz;
/* We shouldn't get here while DMA is active, but we do... */
if (dma_channel_status(musb_ep->dma) == MUSB_DMA_STATUS_BUSY) {
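Review bot: The branch on hw_ep->is_shared_fifo in rxstate() has no comment saying why an RX path takes its state from ep_in; that reason (ep_out is never initialized for FIFO_TXRX endpoints) lives only in the commit message, so a one-line comment above the "if (hw_ep->is_shared_fifo)" would keep the next reader from "fixing" it back. Also, hw_ep is declared last while epio is still computed from musb->endpoints[epnum].regs a few lines earlier; declaring hw_ep first and using hw_ep->regs would index the endpoint array once and make it obvious that both values come from the same hardware endpoint.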
@@ -740,9 +748,15 @@ void musb_g_rx(struct musb *musb, u8 epnum)
u16 csr;
struct usb_request *request;
void __iomem *mbase = musb->mregs;
- struct musb_ep *musb_ep = &musb->endpoints[epnum].ep_out;
+ struct musb_ep *musb_ep;
void __iomem *epio = musb->endpoints[epnum].regs;
struct dma_channel *dma;
+ struct musb_hw_ep *hw_ep = &musb->endpoints[epnum];
+
+ if (hw_ep->is_shared_fifo)
+ musb_ep = &hw_ep->ep_in;
+ else
+ musb_ep = &hw_ep->ep_out;
musb_ep_select(mbase, epnum);
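Review bot: The four-line if/else added to musb_g_rx() is a verbatim copy of the one added to rxstate() in the previous hunk; a small static helper that takes the struct musb_hw_ep pointer and returns &hw_ep->ep_in or &hw_ep->ep_out would keep the two call sites in sync and give any other user of ep_out a single place to get the right pointer. Separately, neither copy checks that the shared endpoint is currently set up for OUT before its ep_in state is used to service an RX interrupt; if that is guaranteed elsewhere, a short comment saying so would help, otherwise it deserves a check here.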
--
1.6.2.5