* [PATCH] usb: mtu3: fix panic in mtu3_gadget_disconnect() @ 2020-07-31 6:36 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-07-31 6:36 UTC (permalink / raw) To: Chunfeng Yun, Eddie Hung, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek, linux-kernel Cc: stable, Macpaul Lin, Macpaul Lin, Mediatek WSD Upstream This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). Backtrace: [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- drivers/usb/mtu3/mtu3_gadget.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 68ea4395f871..f20fb83b3239 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -843,7 +843,12 @@ void mtu3_gadget_disconnect(struct mtu3 *mtu) dev_dbg(mtu->dev, "gadget DISCONNECT\n"); if (mtu->gadget_driver && mtu->gadget_driver->disconnect) { spin_unlock(&mtu->lock); - mtu->gadget_driver->disconnect(&mtu->g); + /* + * avoid kernel panic because mtu3_gadget_stop() assigned NULL + * to mtu->gadget_driver. + */ + if (mtu->gadget_driver && mtu->gadget_driver->disconnect) + mtu->gadget_driver->disconnect(&mtu->g); spin_lock(&mtu->lock); } -- 2.18.0 _______________________________________________ Linux-mediatek mailing list Linux-mediatek@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-mediatek ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [PATCH] usb: mtu3: fix panic in mtu3_gadget_disconnect() @ 2020-07-31 6:36 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-07-31 6:36 UTC (permalink / raw) To: Chunfeng Yun, Eddie Hung, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek, linux-kernel Cc: stable, Macpaul Lin, Macpaul Lin, Mediatek WSD Upstream This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). Backtrace: [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- drivers/usb/mtu3/mtu3_gadget.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 68ea4395f871..f20fb83b3239 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -843,7 +843,12 @@ void mtu3_gadget_disconnect(struct mtu3 *mtu) dev_dbg(mtu->dev, "gadget DISCONNECT\n"); if (mtu->gadget_driver && mtu->gadget_driver->disconnect) { spin_unlock(&mtu->lock); - mtu->gadget_driver->disconnect(&mtu->g); + /* + * avoid kernel panic because mtu3_gadget_stop() assigned NULL + * to mtu->gadget_driver. + */ + if (mtu->gadget_driver && mtu->gadget_driver->disconnect) + mtu->gadget_driver->disconnect(&mtu->g); spin_lock(&mtu->lock); } -- 2.18.0 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [PATCH] usb: mtu3: fix panic in mtu3_gadget_disconnect() @ 2020-07-31 6:36 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-07-31 6:36 UTC (permalink / raw) To: Chunfeng Yun, Eddie Hung, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek, linux-kernel Cc: Mediatek WSD Upstream, Macpaul Lin, Macpaul Lin, stable This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). Backtrace: [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- drivers/usb/mtu3/mtu3_gadget.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 68ea4395f871..f20fb83b3239 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -843,7 +843,12 @@ void mtu3_gadget_disconnect(struct mtu3 *mtu) dev_dbg(mtu->dev, "gadget DISCONNECT\n"); if (mtu->gadget_driver && mtu->gadget_driver->disconnect) { spin_unlock(&mtu->lock); - mtu->gadget_driver->disconnect(&mtu->g); + /* + * avoid kernel panic because mtu3_gadget_stop() assigned NULL + * to mtu->gadget_driver. + */ + if (mtu->gadget_driver && mtu->gadget_driver->disconnect) + mtu->gadget_driver->disconnect(&mtu->g); spin_lock(&mtu->lock); } -- 2.18.0 ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [PATCH v2] usb: mtu3: fix panic in mtu3_gadget_disconnect() 2020-07-31 6:36 ` Macpaul Lin (?) @ 2020-07-31 8:57 ` Macpaul Lin -1 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-07-31 8:57 UTC (permalink / raw) To: Chunfeng Yun, Eddie Hung, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek, linux-kernel Cc: stable, Macpaul Lin, Macpaul Lin, Mediatek WSD Upstream This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to keep the callback function. drivers/usb/mtu3/mtu3_gadget.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 68ea4395f871..40cb6626f496 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -840,10 +840,17 @@ void mtu3_gadget_suspend(struct mtu3 *mtu) /* called when VBUS drops below session threshold, and in other cases */ void mtu3_gadget_disconnect(struct mtu3 *mtu) { + struct usb_gadget_driver *driver; + dev_dbg(mtu->dev, "gadget DISCONNECT\n"); if (mtu->gadget_driver && mtu->gadget_driver->disconnect) { + driver = mtu->gadget_driver; spin_unlock(&mtu->lock); - mtu->gadget_driver->disconnect(&mtu->g); + /* + * avoid kernel panic because mtu3_gadget_stop() assigned NULL + * to mtu->gadget_driver. + */ + driver->disconnect(&mtu->g); spin_lock(&mtu->lock); } -- 2.18.0 _______________________________________________ Linux-mediatek mailing list Linux-mediatek@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-mediatek ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [PATCH v2] usb: mtu3: fix panic in mtu3_gadget_disconnect() @ 2020-07-31 8:57 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-07-31 8:57 UTC (permalink / raw) To: Chunfeng Yun, Eddie Hung, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek, linux-kernel Cc: stable, Macpaul Lin, Macpaul Lin, Mediatek WSD Upstream This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to keep the callback function. drivers/usb/mtu3/mtu3_gadget.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 68ea4395f871..40cb6626f496 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -840,10 +840,17 @@ void mtu3_gadget_suspend(struct mtu3 *mtu) /* called when VBUS drops below session threshold, and in other cases */ void mtu3_gadget_disconnect(struct mtu3 *mtu) { + struct usb_gadget_driver *driver; + dev_dbg(mtu->dev, "gadget DISCONNECT\n"); if (mtu->gadget_driver && mtu->gadget_driver->disconnect) { + driver = mtu->gadget_driver; spin_unlock(&mtu->lock); - mtu->gadget_driver->disconnect(&mtu->g); + /* + * avoid kernel panic because mtu3_gadget_stop() assigned NULL + * to mtu->gadget_driver. + */ + driver->disconnect(&mtu->g); spin_lock(&mtu->lock); } -- 2.18.0 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [PATCH v2] usb: mtu3: fix panic in mtu3_gadget_disconnect() @ 2020-07-31 8:57 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-07-31 8:57 UTC (permalink / raw) To: Chunfeng Yun, Eddie Hung, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek, linux-kernel Cc: Mediatek WSD Upstream, Macpaul Lin, Macpaul Lin, stable This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to keep the callback function. drivers/usb/mtu3/mtu3_gadget.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 68ea4395f871..40cb6626f496 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -840,10 +840,17 @@ void mtu3_gadget_suspend(struct mtu3 *mtu) /* called when VBUS drops below session threshold, and in other cases */ void mtu3_gadget_disconnect(struct mtu3 *mtu) { + struct usb_gadget_driver *driver; + dev_dbg(mtu->dev, "gadget DISCONNECT\n"); if (mtu->gadget_driver && mtu->gadget_driver->disconnect) { + driver = mtu->gadget_driver; spin_unlock(&mtu->lock); - mtu->gadget_driver->disconnect(&mtu->g); + /* + * avoid kernel panic because mtu3_gadget_stop() assigned NULL + * to mtu->gadget_driver. + */ + driver->disconnect(&mtu->g); spin_lock(&mtu->lock); } -- 2.18.0 ^ permalink raw reply related [flat|nested] 24+ messages in thread
* Re: [PATCH v2] usb: mtu3: fix panic in mtu3_gadget_disconnect() 2020-07-31 8:57 ` Macpaul Lin (?) @ 2020-07-31 14:22 ` Alan Stern -1 siblings, 0 replies; 24+ messages in thread From: Alan Stern @ 2020-07-31 14:22 UTC (permalink / raw) To: Macpaul Lin Cc: linux-usb, Mediatek WSD Upstream, Greg Kroah-Hartman, Eddie Hung, linux-kernel, stable, Matthias Brugger, linux-mediatek, Chunfeng Yun, Macpaul Lin, linux-arm-kernel On Fri, Jul 31, 2020 at 04:57:58PM +0800, Macpaul Lin wrote: > This patch fixes a possible issue when mtu3_gadget_stop() > already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). > > Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> > Cc: stable@vger.kernel.org > --- > Changes for v2: > - Check mtu_gadget_driver out of spin_lock might still not work. > We use a temporary pointer to keep the callback function. > > drivers/usb/mtu3/mtu3_gadget.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c > index 68ea4395f871..40cb6626f496 100644 > --- a/drivers/usb/mtu3/mtu3_gadget.c > +++ b/drivers/usb/mtu3/mtu3_gadget.c > @@ -840,10 +840,17 @@ void mtu3_gadget_suspend(struct mtu3 *mtu) > /* called when VBUS drops below session threshold, and in other cases */ > void mtu3_gadget_disconnect(struct mtu3 *mtu) > { > + struct usb_gadget_driver *driver; > + > dev_dbg(mtu->dev, "gadget DISCONNECT\n"); > if (mtu->gadget_driver && mtu->gadget_driver->disconnect) { > + driver = mtu->gadget_driver; > spin_unlock(&mtu->lock); > - mtu->gadget_driver->disconnect(&mtu->g); > + /* > + * avoid kernel panic because mtu3_gadget_stop() assigned NULL > + * to mtu->gadget_driver. > + */ > + driver->disconnect(&mtu->g); > spin_lock(&mtu->lock); > } This is not the right approach; it might race with the gadget driver unregistering itself. Instead, mtu3_gadget_stop() should call synchronize_irq() after releasing the IRQ line. When synchronize_irq() returns, you'll know any IRQ handlers have finished running, so you won't receive any more disconnect notifications. Then it will be safe to acquire the spinlock and set mtu->gadget_driver to NULL. Alan Stern _______________________________________________ Linux-mediatek mailing list Linux-mediatek@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-mediatek ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] usb: mtu3: fix panic in mtu3_gadget_disconnect() @ 2020-07-31 14:22 ` Alan Stern 0 siblings, 0 replies; 24+ messages in thread From: Alan Stern @ 2020-07-31 14:22 UTC (permalink / raw) To: Macpaul Lin Cc: linux-usb, Mediatek WSD Upstream, Greg Kroah-Hartman, Eddie Hung, linux-kernel, stable, Matthias Brugger, linux-mediatek, Chunfeng Yun, Macpaul Lin, linux-arm-kernel On Fri, Jul 31, 2020 at 04:57:58PM +0800, Macpaul Lin wrote: > This patch fixes a possible issue when mtu3_gadget_stop() > already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). > > Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> > Cc: stable@vger.kernel.org > --- > Changes for v2: > - Check mtu_gadget_driver out of spin_lock might still not work. > We use a temporary pointer to keep the callback function. > > drivers/usb/mtu3/mtu3_gadget.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c > index 68ea4395f871..40cb6626f496 100644 > --- a/drivers/usb/mtu3/mtu3_gadget.c > +++ b/drivers/usb/mtu3/mtu3_gadget.c > @@ -840,10 +840,17 @@ void mtu3_gadget_suspend(struct mtu3 *mtu) > /* called when VBUS drops below session threshold, and in other cases */ > void mtu3_gadget_disconnect(struct mtu3 *mtu) > { > + struct usb_gadget_driver *driver; > + > dev_dbg(mtu->dev, "gadget DISCONNECT\n"); > if (mtu->gadget_driver && mtu->gadget_driver->disconnect) { > + driver = mtu->gadget_driver; > spin_unlock(&mtu->lock); > - mtu->gadget_driver->disconnect(&mtu->g); > + /* > + * avoid kernel panic because mtu3_gadget_stop() assigned NULL > + * to mtu->gadget_driver. > + */ > + driver->disconnect(&mtu->g); > spin_lock(&mtu->lock); > } This is not the right approach; it might race with the gadget driver unregistering itself. Instead, mtu3_gadget_stop() should call synchronize_irq() after releasing the IRQ line. When synchronize_irq() returns, you'll know any IRQ handlers have finished running, so you won't receive any more disconnect notifications. Then it will be safe to acquire the spinlock and set mtu->gadget_driver to NULL. Alan Stern _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] usb: mtu3: fix panic in mtu3_gadget_disconnect() @ 2020-07-31 14:22 ` Alan Stern 0 siblings, 0 replies; 24+ messages in thread From: Alan Stern @ 2020-07-31 14:22 UTC (permalink / raw) To: Macpaul Lin Cc: Chunfeng Yun, Eddie Hung, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek, linux-kernel, Mediatek WSD Upstream, Macpaul Lin, stable On Fri, Jul 31, 2020 at 04:57:58PM +0800, Macpaul Lin wrote: > This patch fixes a possible issue when mtu3_gadget_stop() > already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). > > Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> > Cc: stable@vger.kernel.org > --- > Changes for v2: > - Check mtu_gadget_driver out of spin_lock might still not work. > We use a temporary pointer to keep the callback function. > > drivers/usb/mtu3/mtu3_gadget.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c > index 68ea4395f871..40cb6626f496 100644 > --- a/drivers/usb/mtu3/mtu3_gadget.c > +++ b/drivers/usb/mtu3/mtu3_gadget.c > @@ -840,10 +840,17 @@ void mtu3_gadget_suspend(struct mtu3 *mtu) > /* called when VBUS drops below session threshold, and in other cases */ > void mtu3_gadget_disconnect(struct mtu3 *mtu) > { > + struct usb_gadget_driver *driver; > + > dev_dbg(mtu->dev, "gadget DISCONNECT\n"); > if (mtu->gadget_driver && mtu->gadget_driver->disconnect) { > + driver = mtu->gadget_driver; > spin_unlock(&mtu->lock); > - mtu->gadget_driver->disconnect(&mtu->g); > + /* > + * avoid kernel panic because mtu3_gadget_stop() assigned NULL > + * to mtu->gadget_driver. > + */ > + driver->disconnect(&mtu->g); > spin_lock(&mtu->lock); > } This is not the right approach; it might race with the gadget driver unregistering itself. Instead, mtu3_gadget_stop() should call synchronize_irq() after releasing the IRQ line. When synchronize_irq() returns, you'll know any IRQ handlers have finished running, so you won't receive any more disconnect notifications. Then it will be safe to acquire the spinlock and set mtu->gadget_driver to NULL. Alan Stern ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() 2020-07-31 8:57 ` Macpaul Lin (?) @ 2020-08-27 9:22 ` Macpaul Lin -1 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-08-27 9:22 UTC (permalink / raw) To: Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek Cc: Mediatek WSD Upstream, Eddie Hung, linux-kernel, stable, Ainge Hsu, Macpaul Lin, Macpaul Lin This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- Changes for v3: - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering callback function in mtu3_gadget_disconnect(). Thanks for Alan's suggestion. Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to remember the callback function. drivers/usb/mtu3/mtu3_gadget.c | 1 + 1 file changed, 1 insertions(+) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 1de5c9a..1ab3d3a 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) spin_unlock_irqrestore(&mtu->lock, flags); + synchronize_irq(mtu->irq); return 0; } -- 1.7.9.5 _______________________________________________ Linux-mediatek mailing list Linux-mediatek@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-mediatek ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() @ 2020-08-27 9:22 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-08-27 9:22 UTC (permalink / raw) To: Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek Cc: Mediatek WSD Upstream, Eddie Hung, linux-kernel, stable, Ainge Hsu, Macpaul Lin, Macpaul Lin This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- Changes for v3: - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering callback function in mtu3_gadget_disconnect(). Thanks for Alan's suggestion. Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to remember the callback function. drivers/usb/mtu3/mtu3_gadget.c | 1 + 1 file changed, 1 insertions(+) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 1de5c9a..1ab3d3a 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) spin_unlock_irqrestore(&mtu->lock, flags); + synchronize_irq(mtu->irq); return 0; } -- 1.7.9.5 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() @ 2020-08-27 9:22 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-08-27 9:22 UTC (permalink / raw) To: Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek Cc: Ainge Hsu, Eddie Hung, Mediatek WSD Upstream, Macpaul Lin, Macpaul Lin, linux-kernel, stable This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- Changes for v3: - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering callback function in mtu3_gadget_disconnect(). Thanks for Alan's suggestion. Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to remember the callback function. drivers/usb/mtu3/mtu3_gadget.c | 1 + 1 file changed, 1 insertions(+) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 1de5c9a..1ab3d3a 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) spin_unlock_irqrestore(&mtu->lock, flags); + synchronize_irq(mtu->irq); return 0; } -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 24+ messages in thread
* Re: [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() 2020-08-27 9:22 ` Macpaul Lin (?) @ 2020-08-27 13:03 ` Felipe Balbi -1 siblings, 0 replies; 24+ messages in thread From: Felipe Balbi @ 2020-08-27 13:03 UTC (permalink / raw) To: Macpaul Lin, Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek Cc: Mediatek WSD Upstream, Eddie Hung, linux-kernel, stable, Ainge Hsu, Macpaul Lin, Macpaul Lin [-- Attachment #1.1: Type: text/plain, Size: 2326 bytes --] Macpaul Lin <macpaul.lin@mediatek.com> writes: > This patch fixes a possible issue when mtu3_gadget_stop() > already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). > > [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 > [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 > [<ffffff9008162ec0>] notify_die+0xb0/0x120 > [<ffffff900809e340>] die+0x1f8/0x5d0 > [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 > [<ffffff90080d04dc>] do_bad_area+0x44/0x140 > [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 > [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 > [<ffffff90080849d0>] el1_da+0x24/0x3c > [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 > [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 > [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 > [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 > [<ffffff90082acc44>] handle_irq_event+0xac/0x148 > [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 > [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 > [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 > [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 > [<ffffff9008084cec>] el1_irq+0xec/0x194 > [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 > [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 > [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 > [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 > [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 > [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 > [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 > [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 > [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 > [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 > [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 > [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 > [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 > [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 > [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 > [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 > [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 > [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 > > Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> > Cc: stable@vger.kernel.org missing a Fixes: line here -- balbi [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 857 bytes --] [-- Attachment #2: Type: text/plain, Size: 170 bytes --] _______________________________________________ Linux-mediatek mailing list Linux-mediatek@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-mediatek ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() @ 2020-08-27 13:03 ` Felipe Balbi 0 siblings, 0 replies; 24+ messages in thread From: Felipe Balbi @ 2020-08-27 13:03 UTC (permalink / raw) To: Macpaul Lin, Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek Cc: Mediatek WSD Upstream, Eddie Hung, linux-kernel, stable, Ainge Hsu, Macpaul Lin, Macpaul Lin [-- Attachment #1.1: Type: text/plain, Size: 2326 bytes --] Macpaul Lin <macpaul.lin@mediatek.com> writes: > This patch fixes a possible issue when mtu3_gadget_stop() > already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). > > [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 > [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 > [<ffffff9008162ec0>] notify_die+0xb0/0x120 > [<ffffff900809e340>] die+0x1f8/0x5d0 > [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 > [<ffffff90080d04dc>] do_bad_area+0x44/0x140 > [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 > [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 > [<ffffff90080849d0>] el1_da+0x24/0x3c > [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 > [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 > [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 > [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 > [<ffffff90082acc44>] handle_irq_event+0xac/0x148 > [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 > [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 > [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 > [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 > [<ffffff9008084cec>] el1_irq+0xec/0x194 > [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 > [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 > [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 > [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 > [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 > [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 > [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 > [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 > [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 > [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 > [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 > [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 > [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 > [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 > [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 > [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 > [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 > [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 > > Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> > Cc: stable@vger.kernel.org missing a Fixes: line here -- balbi [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 857 bytes --] [-- Attachment #2: Type: text/plain, Size: 176 bytes --] _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() @ 2020-08-27 13:03 ` Felipe Balbi 0 siblings, 0 replies; 24+ messages in thread From: Felipe Balbi @ 2020-08-27 13:03 UTC (permalink / raw) To: Macpaul Lin, Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek Cc: Ainge Hsu, Eddie Hung, Mediatek WSD Upstream, Macpaul Lin, Macpaul Lin, linux-kernel, stable [-- Attachment #1: Type: text/plain, Size: 2326 bytes --] Macpaul Lin <macpaul.lin@mediatek.com> writes: > This patch fixes a possible issue when mtu3_gadget_stop() > already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). > > [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 > [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 > [<ffffff9008162ec0>] notify_die+0xb0/0x120 > [<ffffff900809e340>] die+0x1f8/0x5d0 > [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 > [<ffffff90080d04dc>] do_bad_area+0x44/0x140 > [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 > [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 > [<ffffff90080849d0>] el1_da+0x24/0x3c > [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 > [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 > [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 > [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 > [<ffffff90082acc44>] handle_irq_event+0xac/0x148 > [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 > [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 > [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 > [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 > [<ffffff9008084cec>] el1_irq+0xec/0x194 > [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 > [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 > [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 > [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 > [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 > [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 > [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 > [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 > [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 > [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 > [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 > [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 > [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 > [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 > [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 > [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 > [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 > [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 > > Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> > Cc: stable@vger.kernel.org missing a Fixes: line here -- balbi [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 857 bytes --] ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop() 2020-08-27 9:22 ` Macpaul Lin (?) @ 2020-08-27 14:42 ` Macpaul Lin -1 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-08-27 14:42 UTC (permalink / raw) To: Alan Stern, Felipe Balbi, Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek Cc: Mediatek WSD Upstream, Eddie Hung, linux-kernel, stable, Ainge Hsu, Macpaul Lin, Macpaul Lin This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver") Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- Changes for v4: - Add a "Fixes:" line. Thanks Felipe. Changes for v3: - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering callback function in mtu3_gadget_disconnect(). Thanks for Alan's suggestion. Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to remember the callback function. drivers/usb/mtu3/mtu3_gadget.c | 1 + 1 file changed, 1 insertions(+) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 1de5c9a..1ab3d3a 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) spin_unlock_irqrestore(&mtu->lock, flags); + synchronize_irq(mtu->irq); return 0; } -- 1.7.9.5 _______________________________________________ Linux-mediatek mailing list Linux-mediatek@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-mediatek ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop() @ 2020-08-27 14:42 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-08-27 14:42 UTC (permalink / raw) To: Alan Stern, Felipe Balbi, Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek Cc: Mediatek WSD Upstream, Eddie Hung, linux-kernel, stable, Ainge Hsu, Macpaul Lin, Macpaul Lin This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver") Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- Changes for v4: - Add a "Fixes:" line. Thanks Felipe. Changes for v3: - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering callback function in mtu3_gadget_disconnect(). Thanks for Alan's suggestion. Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to remember the callback function. drivers/usb/mtu3/mtu3_gadget.c | 1 + 1 file changed, 1 insertions(+) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 1de5c9a..1ab3d3a 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) spin_unlock_irqrestore(&mtu->lock, flags); + synchronize_irq(mtu->irq); return 0; } -- 1.7.9.5 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop() @ 2020-08-27 14:42 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-08-27 14:42 UTC (permalink / raw) To: Alan Stern, Felipe Balbi, Chunfeng Yun, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek Cc: Ainge Hsu, Eddie Hung, Mediatek WSD Upstream, Macpaul Lin, Macpaul Lin, linux-kernel, stable This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver") Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Cc: stable@vger.kernel.org --- Changes for v4: - Add a "Fixes:" line. Thanks Felipe. Changes for v3: - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering callback function in mtu3_gadget_disconnect(). Thanks for Alan's suggestion. Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to remember the callback function. drivers/usb/mtu3/mtu3_gadget.c | 1 + 1 file changed, 1 insertions(+) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 1de5c9a..1ab3d3a 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) spin_unlock_irqrestore(&mtu->lock, flags); + synchronize_irq(mtu->irq); return 0; } -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 24+ messages in thread
* Re: [PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop() 2020-08-27 14:42 ` Macpaul Lin (?) @ 2020-08-31 1:50 ` Chunfeng Yun -1 siblings, 0 replies; 24+ messages in thread From: Chunfeng Yun @ 2020-08-31 1:50 UTC (permalink / raw) To: Macpaul Lin Cc: Felipe Balbi, Eddie Hung, Mediatek WSD Upstream, Greg Kroah-Hartman, linux-usb, linux-kernel, stable, Alan Stern, Ainge Hsu, Matthias Brugger, linux-mediatek, Macpaul Lin, linux-arm-kernel On Thu, 2020-08-27 at 22:42 +0800, Macpaul Lin wrote: > This patch fixes a possible issue when mtu3_gadget_stop() > already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). > > [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 > [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 > [<ffffff9008162ec0>] notify_die+0xb0/0x120 > [<ffffff900809e340>] die+0x1f8/0x5d0 > [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 > [<ffffff90080d04dc>] do_bad_area+0x44/0x140 > [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 > [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 > [<ffffff90080849d0>] el1_da+0x24/0x3c > [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 > [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 > [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 > [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 > [<ffffff90082acc44>] handle_irq_event+0xac/0x148 > [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 > [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 > [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 > [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 > [<ffffff9008084cec>] el1_irq+0xec/0x194 > [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 > [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 > [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 > [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 > [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 > [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 > [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 > [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 > [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 > [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 > [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 > [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 > [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 > [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 > [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 > [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 > [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 > [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 > > Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver") > Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> > Cc: stable@vger.kernel.org > --- > Changes for v4: > - Add a "Fixes:" line. Thanks Felipe. > Changes for v3: > - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering > callback function in mtu3_gadget_disconnect(). > Thanks for Alan's suggestion. > Changes for v2: > - Check mtu_gadget_driver out of spin_lock might still not work. > We use a temporary pointer to remember the callback function. > > drivers/usb/mtu3/mtu3_gadget.c | 1 + > 1 file changed, 1 insertions(+) > > diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c > index 1de5c9a..1ab3d3a 100644 > --- a/drivers/usb/mtu3/mtu3_gadget.c > +++ b/drivers/usb/mtu3/mtu3_gadget.c > @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) > > spin_unlock_irqrestore(&mtu->lock, flags); > > + synchronize_irq(mtu->irq); > return 0; > } > Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Thanks a lot _______________________________________________ Linux-mediatek mailing list Linux-mediatek@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-mediatek ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop() @ 2020-08-31 1:50 ` Chunfeng Yun 0 siblings, 0 replies; 24+ messages in thread From: Chunfeng Yun @ 2020-08-31 1:50 UTC (permalink / raw) To: Macpaul Lin Cc: Felipe Balbi, Eddie Hung, Mediatek WSD Upstream, Greg Kroah-Hartman, linux-usb, linux-kernel, stable, Alan Stern, Ainge Hsu, Matthias Brugger, linux-mediatek, Macpaul Lin, linux-arm-kernel On Thu, 2020-08-27 at 22:42 +0800, Macpaul Lin wrote: > This patch fixes a possible issue when mtu3_gadget_stop() > already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). > > [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 > [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 > [<ffffff9008162ec0>] notify_die+0xb0/0x120 > [<ffffff900809e340>] die+0x1f8/0x5d0 > [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 > [<ffffff90080d04dc>] do_bad_area+0x44/0x140 > [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 > [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 > [<ffffff90080849d0>] el1_da+0x24/0x3c > [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 > [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 > [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 > [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 > [<ffffff90082acc44>] handle_irq_event+0xac/0x148 > [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 > [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 > [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 > [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 > [<ffffff9008084cec>] el1_irq+0xec/0x194 > [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 > [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 > [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 > [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 > [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 > [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 > [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 > [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 > [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 > [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 > [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 > [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 > [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 > [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 > [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 > [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 > [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 > [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 > > Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver") > Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> > Cc: stable@vger.kernel.org > --- > Changes for v4: > - Add a "Fixes:" line. Thanks Felipe. > Changes for v3: > - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering > callback function in mtu3_gadget_disconnect(). > Thanks for Alan's suggestion. > Changes for v2: > - Check mtu_gadget_driver out of spin_lock might still not work. > We use a temporary pointer to remember the callback function. > > drivers/usb/mtu3/mtu3_gadget.c | 1 + > 1 file changed, 1 insertions(+) > > diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c > index 1de5c9a..1ab3d3a 100644 > --- a/drivers/usb/mtu3/mtu3_gadget.c > +++ b/drivers/usb/mtu3/mtu3_gadget.c > @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) > > spin_unlock_irqrestore(&mtu->lock, flags); > > + synchronize_irq(mtu->irq); > return 0; > } > Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Thanks a lot _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop() @ 2020-08-31 1:50 ` Chunfeng Yun 0 siblings, 0 replies; 24+ messages in thread From: Chunfeng Yun @ 2020-08-31 1:50 UTC (permalink / raw) To: Macpaul Lin Cc: Alan Stern, Felipe Balbi, Greg Kroah-Hartman, Matthias Brugger, linux-usb, linux-arm-kernel, linux-mediatek, Ainge Hsu, Eddie Hung, Mediatek WSD Upstream, Macpaul Lin, linux-kernel, stable On Thu, 2020-08-27 at 22:42 +0800, Macpaul Lin wrote: > This patch fixes a possible issue when mtu3_gadget_stop() > already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). > > [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 > [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 > [<ffffff9008162ec0>] notify_die+0xb0/0x120 > [<ffffff900809e340>] die+0x1f8/0x5d0 > [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 > [<ffffff90080d04dc>] do_bad_area+0x44/0x140 > [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 > [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 > [<ffffff90080849d0>] el1_da+0x24/0x3c > [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 > [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 > [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 > [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 > [<ffffff90082acc44>] handle_irq_event+0xac/0x148 > [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 > [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 > [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 > [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 > [<ffffff9008084cec>] el1_irq+0xec/0x194 > [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 > [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 > [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 > [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 > [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 > [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 > [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 > [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 > [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 > [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 > [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 > [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 > [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 > [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 > [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 > [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 > [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 > [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 > > Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver") > Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> > Cc: stable@vger.kernel.org > --- > Changes for v4: > - Add a "Fixes:" line. Thanks Felipe. > Changes for v3: > - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering > callback function in mtu3_gadget_disconnect(). > Thanks for Alan's suggestion. > Changes for v2: > - Check mtu_gadget_driver out of spin_lock might still not work. > We use a temporary pointer to remember the callback function. > > drivers/usb/mtu3/mtu3_gadget.c | 1 + > 1 file changed, 1 insertions(+) > > diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c > index 1de5c9a..1ab3d3a 100644 > --- a/drivers/usb/mtu3/mtu3_gadget.c > +++ b/drivers/usb/mtu3/mtu3_gadget.c > @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) > > spin_unlock_irqrestore(&mtu->lock, flags); > > + synchronize_irq(mtu->irq); > return 0; > } > Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Thanks a lot ^ permalink raw reply [flat|nested] 24+ messages in thread
* [RESEND PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop() 2020-08-27 14:42 ` Macpaul Lin (?) @ 2020-11-06 5:54 ` Macpaul Lin -1 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-11-06 5:54 UTC (permalink / raw) To: Alan Stern, Felipe Balbi, Greg Kroah-Hartman, Matthias Brugger, Chunfeng Yun Cc: linux-usb, Mediatek WSD Upstream, Eddie Hung, linux-kernel, stable, linux-mediatek, Macpaul Lin, Macpaul Lin, linux-arm-kernel, Ainge Hsu This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver") Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Cc: stable@vger.kernel.org --- RESEND for v4: - Resend this patch by plain-text instead of MTK IT's default (base64) outgoing SMTP settings. - Add Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Changes for v4: - Add a "Fixes:" line. Thanks Felipe. Changes for v3: - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering callback function in mtu3_gadget_disconnect(). Thanks for Alan's suggestion. Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to remember the callback function. drivers/usb/mtu3/mtu3_gadget.c | 1 + 1 file changed, 1 insertions(+) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 1de5c9a..1ab3d3a 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) spin_unlock_irqrestore(&mtu->lock, flags); + synchronize_irq(mtu->irq); return 0; } -- 1.7.9.5 _______________________________________________ Linux-mediatek mailing list Linux-mediatek@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-mediatek ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [RESEND PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop() @ 2020-11-06 5:54 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-11-06 5:54 UTC (permalink / raw) To: Alan Stern, Felipe Balbi, Greg Kroah-Hartman, Matthias Brugger, Chunfeng Yun Cc: linux-usb, Mediatek WSD Upstream, Eddie Hung, linux-kernel, stable, linux-mediatek, Macpaul Lin, Macpaul Lin, linux-arm-kernel, Ainge Hsu This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver") Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Cc: stable@vger.kernel.org --- RESEND for v4: - Resend this patch by plain-text instead of MTK IT's default (base64) outgoing SMTP settings. - Add Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Changes for v4: - Add a "Fixes:" line. Thanks Felipe. Changes for v3: - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering callback function in mtu3_gadget_disconnect(). Thanks for Alan's suggestion. Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to remember the callback function. drivers/usb/mtu3/mtu3_gadget.c | 1 + 1 file changed, 1 insertions(+) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 1de5c9a..1ab3d3a 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) spin_unlock_irqrestore(&mtu->lock, flags); + synchronize_irq(mtu->irq); return 0; } -- 1.7.9.5 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [RESEND PATCH v4] usb: mtu3: fix panic in mtu3_gadget_stop() @ 2020-11-06 5:54 ` Macpaul Lin 0 siblings, 0 replies; 24+ messages in thread From: Macpaul Lin @ 2020-11-06 5:54 UTC (permalink / raw) To: Alan Stern, Felipe Balbi, Greg Kroah-Hartman, Matthias Brugger, Chunfeng Yun Cc: Ainge Hsu, Eddie Hung, Mediatek WSD Upstream, Macpaul Lin, Macpaul Lin, linux-kernel, linux-arm-kernel, linux-usb, linux-mediatek, stable This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver") Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Cc: stable@vger.kernel.org --- RESEND for v4: - Resend this patch by plain-text instead of MTK IT's default (base64) outgoing SMTP settings. - Add Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Changes for v4: - Add a "Fixes:" line. Thanks Felipe. Changes for v3: - Call synchronize_irq() in mtu3_gadget_stop() instead of remembering callback function in mtu3_gadget_disconnect(). Thanks for Alan's suggestion. Changes for v2: - Check mtu_gadget_driver out of spin_lock might still not work. We use a temporary pointer to remember the callback function. drivers/usb/mtu3/mtu3_gadget.c | 1 + 1 file changed, 1 insertions(+) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 1de5c9a..1ab3d3a 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -564,6 +564,7 @@ static int mtu3_gadget_stop(struct usb_gadget *g) spin_unlock_irqrestore(&mtu->lock, flags); + synchronize_irq(mtu->irq); return 0; } -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 24+ messages in thread
end of thread, other threads:[~2020-11-06 5:56 UTC | newest] Thread overview: 24+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-07-31 6:36 [PATCH] usb: mtu3: fix panic in mtu3_gadget_disconnect() Macpaul Lin 2020-07-31 6:36 ` Macpaul Lin 2020-07-31 6:36 ` Macpaul Lin 2020-07-31 8:57 ` [PATCH v2] " Macpaul Lin 2020-07-31 8:57 ` Macpaul Lin 2020-07-31 8:57 ` Macpaul Lin 2020-07-31 14:22 ` Alan Stern 2020-07-31 14:22 ` Alan Stern 2020-07-31 14:22 ` Alan Stern 2020-08-27 9:22 ` [PATCH v3] usb: mtu3: fix panic in mtu3_gadget_stop() Macpaul Lin 2020-08-27 9:22 ` Macpaul Lin 2020-08-27 9:22 ` Macpaul Lin 2020-08-27 13:03 ` Felipe Balbi 2020-08-27 13:03 ` Felipe Balbi 2020-08-27 13:03 ` Felipe Balbi 2020-08-27 14:42 ` [PATCH v4] " Macpaul Lin 2020-08-27 14:42 ` Macpaul Lin 2020-08-27 14:42 ` Macpaul Lin 2020-08-31 1:50 ` Chunfeng Yun 2020-08-31 1:50 ` Chunfeng Yun 2020-08-31 1:50 ` Chunfeng Yun 2020-11-06 5:54 ` [RESEND PATCH " Macpaul Lin 2020-11-06 5:54 ` Macpaul Lin 2020-11-06 5:54 ` Macpaul Lin
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.