From: Felipe Balbi
To: Yu Chen, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: wangbinghui@hisilicon.com
Subject: Re: [PATCH] usb:dwc3:fix access poisoned list_head in dwc3_gadget_giveback
In-Reply-To: <20171223092505.23620-1-chenyu56@huawei.com>
References: <20171223092505.23620-1-chenyu56@huawei.com>
Date: Mon, 08 Jan 2018 13:46:11 +0200
Message-ID: <87fu7glgjg.fsf@linux.intel.com>

Hi,

Yu Chen writes:
> From: Yu Chen
>
> Unable to handle kernel paging request at virtual address dead000000000108
> pgd = fffffff7a3179000
> [dead000000000108] *pgd=00000000230e0003, *pud=00000000230e0003,
> *pmd=0000000000000000
> Internal error: Oops: 96000044 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 2 PID: 1 Comm: init Tainted: G W 4.4.23+ #1

try mainline

> TGID: 1 Comm: init
> Hardware name: kirin970 (DT)
> task: fffffff99f190000 ti: fffffff99f1740e0 task.ti: fffffff99f1740e0
> PC is at dwc3_gadget_giveback+0xa8/0x228
> LR is at dwc3_remove_requests+0x44/0x88
>
> The crash occurred when usb work as rndis device and
> __dwc3_gadget_kick_transfer return error in __dwc3_gadget_ep_queue.
> The request submitted in __dwc3_gadget_ep_queue is moved to started_list
> but not kicked. It is still on started_list although
> __dwc3_gadget_kick_transfer failed. When dwc3_gadget_ep_queue return

why did kick_transfer fail? Where are the tracepoints showing the
failure?

> error to u_ether driver, the request will be resubmit to dwc3 driver.
> At last, the same request is both on started_list and pending_list,
> it will be list_del twice in dwc3_remove_requests and cause crash.
>
> Signed-off-by: Yu Chen
> ---
> drivers/usb/dwc3/gadget.c | 28 +++++++++++++++++++++++++++-
> 1 file changed, 27 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c > index 639dd1b163a0..a913e64ca4e0 100644 > --- a/drivers/usb/dwc3/gadget.c > +++ b/drivers/usb/dwc3/gadget.c
> @@ -1278,9 +1278,28 @@ static void dwc3_gadget_start_isoc(struct dwc3 *dw= c, > __dwc3_gadget_start_isoc(dwc, dep, cur_uf); > } >=20=20 > +static int dwc3_gadget_is_req_pengding_or_started(struct dwc3_ep *dep, > + struct dwc3_request *req) > +{ > + struct dwc3_request *iterate_req; > + > + list_for_each_entry(iterate_req, &dep->pending_list, list) { > + if (iterate_req =3D=3D req) > + return 1; > + } > + > + list_for_each_entry(iterate_req, &dep->started_list, list) { > + if (iterate_req =3D=3D req) > + return 1; > + } > + > + return 0; > +} > + > static int __dwc3_gadget_ep_queue(struct dwc3_ep *dep, struct dwc3_reque= st *req) > { > struct dwc3 *dwc =3D dep->dwc; > + int ret; >=20=20 > if (!dep->endpoint.desc) { > dev_err(dwc->dev, "%s: can't queue to disabled endpoint\n", 
> @@ -1334,7 +1353,14 @@ static int __dwc3_gadget_ep_queue(struct dwc3_ep *= dep, struct dwc3_request *req) > } >=20=20 > out: > - return __dwc3_gadget_kick_transfer(dep); > + ret =3D __dwc3_gadget_kick_transfer(dep); > + if (ret && dwc3_gadget_is_req_pengding_or_started(dep, req)) {

first we need to figure out why kick_transfer failed. It shouldn't fail,
so why did it? Then I need you to try with a more recent kernel v4.4 is
rather old and a lot has changed WRT transfer handling:

$ git rev-list --count --no-merges v4.4..linus/master -- drivers/usb/dwc3/gadget.c
184

-- 
balbi
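Review bot: the helper added in the first hunk is named dwc3_gadget_is_req_pengding_or_started, which misspells "pending"; rename it together with its call site at out: before this goes further. It is a yes/no predicate, so bool with true/false reads better than int with 1/0, and a one-line comment stating what the caller must hold while it walks dep->pending_list and dep->started_list would document the locking expectation.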
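Review bot: in the second hunk the check after out: runs only once __dwc3_gadget_kick_transfer() has already returned an error, so it walks both endpoint lists to repair state that the failed kick left behind. It would be cleaner to unwind at the point where the request is moved to started_list, so that a failed kick never leaves it linked, and the commit message should say which error was returned and under what condition. The quoted hunk stops at the opening brace of the if, so the recovery body cannot be reviewed from this message.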
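The double list_del described in the quoted commit message, replayed in a userspace model. This is an added example, not code from the patch or from the dwc3 driver; the list helpers, the poison constants and replay_double_queue() are constructed here and assume an LP64 target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the kernel's struct list_head (LP64 assumed). */
struct list_head { struct list_head *next, *prev; };

/* Assumed poison values; POISON1 + offsetof(prev) matches the oops address. */
#define POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define POISON2 ((struct list_head *)(uintptr_t)0xdead000000000200ULL)

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *e, struct list_head *h)
{
    e->prev = h->prev; e->next = h;
    h->prev->next = e; h->prev = e;
}

/* Address an unchecked list_del() would write to first: &next->prev. */
static uintptr_t del_write_addr(const struct list_head *e)
{
    return (uintptr_t)e->next + offsetof(struct list_head, prev);
}

/* Checked delete in the spirit of CONFIG_DEBUG_LIST: refuse poisoned entries. */
static int list_del_checked(struct list_head *e)
{
    if (e->next == POISON1 || e->prev == POISON2)
        return -1;
    e->next->prev = e->prev; e->prev->next = e->next;
    e->next = POISON1; e->prev = POISON2;
    return 0;
}

/* Replays the sequence; returns the would-be fault address, or 0 if none. */
static uintptr_t replay_double_queue(void)
{
    struct list_head pending, started, req;
    list_init(&pending); list_init(&started);
    list_add_tail(&req, &pending);     /* first queue onto pending_list */
    list_del_checked(&req);            /* moved to started_list ...     */
    list_add_tail(&req, &started);     /* ... ahead of the kick         */
    list_add_tail(&req, &pending);     /* kick failed, caller resubmits */
    while (started.next != &started)   /* teardown drains started_list  */
        if (list_del_checked(started.next))
            return del_write_addr(started.next);
    return 0;
}

int main(void) { printf("%#lx\n", (unsigned long)replay_double_queue()); return 0; }
```

The first delete during teardown unlinks the request from pending_list, because that is where its own pointers lead, so started_list still references it and the second delete meets the poisoned entry.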