From: Dmitry Osipenko <digetx@gmail.com>
To: Thierry Reding <treding@nvidia.com>,
Jonathan Hunter <jonathanh@nvidia.com>,
Mark Brown <broonie@kernel.org>, Rob Herring <robh+dt@kernel.org>,
Sebastian Reichel <sre@kernel.org>,
Peter Chen <peter.chen@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Felipe Balbi <balbi@kernel.org>, David Heidelberg <david@ixit.cz>
Cc: devicetree@vger.kernel.org, linux-pm@vger.kernel.org,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-tegra@vger.kernel.org
Subject: [PATCH v5 05/12] usb: otg-fsm: Fix hrtimer list corruption
Date: Sat, 17 Jul 2021 21:21:27 +0300 [thread overview]
Message-ID: <20210717182134.30262-6-digetx@gmail.com> (raw)
In-Reply-To: <20210717182134.30262-1-digetx@gmail.com>
The HNP work can be re-scheduled while it's still in-fly. This results in
re-initialization of the busy work, resetting the hrtimer's list node of
the work and crashing kernel with null dereference within kernel/timer
once work's timer is expired. It's very easy to trigger this problem by
re-plugging USB cable quickly. Initialize HNP work only once to fix this
trouble.
Unable to handle kernel NULL pointer dereference at virtual address 00000126)
...
PC is at __run_timers.part.0+0x150/0x228
LR is at __next_timer_interrupt+0x51/0x9c
...
(__run_timers.part.0) from [<c0187a2b>] (run_timer_softirq+0x2f/0x50)
(run_timer_softirq) from [<c01013ad>] (__do_softirq+0xd5/0x2f0)
(__do_softirq) from [<c012589b>] (irq_exit+0xab/0xb8)
(irq_exit) from [<c0170341>] (handle_domain_irq+0x45/0x60)
(handle_domain_irq) from [<c04c4a43>] (gic_handle_irq+0x6b/0x7c)
(gic_handle_irq) from [<c0100b65>] (__irq_svc+0x65/0xac)
Cc: stable@vger.kernel.org
Acked-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
---
drivers/usb/common/usb-otg-fsm.c | 6 +++++-
include/linux/usb/otg-fsm.h | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/common/usb-otg-fsm.c b/drivers/usb/common/usb-otg-fsm.c
index 3740cf95560e..0697fde51d00 100644
--- a/drivers/usb/common/usb-otg-fsm.c
+++ b/drivers/usb/common/usb-otg-fsm.c
@@ -193,7 +193,11 @@ static void otg_start_hnp_polling(struct otg_fsm *fsm)
if (!fsm->host_req_flag)
return;
- INIT_DELAYED_WORK(&fsm->hnp_polling_work, otg_hnp_polling_work);
+ if (!fsm->hnp_work_inited) {
+ INIT_DELAYED_WORK(&fsm->hnp_polling_work, otg_hnp_polling_work);
+ fsm->hnp_work_inited = true;
+ }
+
schedule_delayed_work(&fsm->hnp_polling_work,
msecs_to_jiffies(T_HOST_REQ_POLL));
}
diff --git a/include/linux/usb/otg-fsm.h b/include/linux/usb/otg-fsm.h
index 3aee78dda16d..784659d4dc99 100644
--- a/include/linux/usb/otg-fsm.h
+++ b/include/linux/usb/otg-fsm.h
@@ -196,6 +196,7 @@ struct otg_fsm {
struct mutex lock;
u8 *host_req_flag;
struct delayed_work hnp_polling_work;
+ bool hnp_work_inited;
bool state_changed;
};
--
2.32.0
next prev parent reply other threads:[~2021-07-17 18:23 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-17 18:21 [PATCH v5 00/12] Add OTG mode support to Tegra USB PHY, SMB347 and Nexus 7 Dmitry Osipenko
2021-07-17 18:21 ` [PATCH v5 01/12] dt-bindings: phy: tegra20-usb-phy: Convert to schema Dmitry Osipenko
2021-07-17 18:21 ` [PATCH v5 02/12] dt-bindings: phy: tegra20-usb-phy: Document properties needed for OTG mode Dmitry Osipenko
2021-07-23 23:05 ` Rob Herring
2021-07-17 18:21 ` [PATCH v5 03/12] soc/tegra: pmc: Expose USB regmap to all SoCs Dmitry Osipenko
2021-07-17 18:21 ` [PATCH v5 04/12] usb: phy: tegra: Support OTG mode programming Dmitry Osipenko
2021-07-17 18:21 ` Dmitry Osipenko [this message]
2021-07-17 18:21 ` [PATCH v5 06/12] dt-bindings: power: supply: smb347-charger: Document USB VBUS regulator Dmitry Osipenko
2021-07-17 18:21 ` [PATCH v5 07/12] power: supply: smb347-charger: Make smb347_set_writable() IRQ-safe Dmitry Osipenko
2021-07-17 18:21 ` [PATCH v5 08/12] power: supply: smb347-charger: Utilize generic regmap caching Dmitry Osipenko
2021-07-17 18:21 ` [PATCH v5 09/12] power: supply: smb347-charger: Implement USB VBUS regulator Dmitry Osipenko
2021-07-17 18:21 ` [PATCH v5 10/12] ARM: tegra: Add new properties to USB PHY device-tree nodes Dmitry Osipenko
2021-07-17 18:21 ` [PATCH v5 11/12] ARM: tegra: nexus7: Enable USB OTG mode Dmitry Osipenko
2021-07-17 18:21 ` [PATCH v5 12/12] arm64: tegra132: Add new properties to USB PHY device-tree node Dmitry Osipenko
2021-07-30 17:37 ` [PATCH v5 00/12] Add OTG mode support to Tegra USB PHY, SMB347 and Nexus 7 Dmitry Osipenko
2021-07-30 18:30 ` Dmitry Osipenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210717182134.30262-6-digetx@gmail.com \
--to=digetx@gmail.com \
--cc=balbi@kernel.org \
--cc=broonie@kernel.org \
--cc=david@ixit.cz \
--cc=devicetree@vger.kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=jonathanh@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-tegra@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=peter.chen@kernel.org \
--cc=robh+dt@kernel.org \
--cc=sre@kernel.org \
--cc=treding@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.