From: "Bruno Prémont" <bonbons@linux-vserver.org>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Jiri Kosina <jkosina@suse.cz>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-fbdev@vger.kernel.org
Subject: Re: [PATCH 0/7] HID: picoLCD updates
Date: Sun, 19 Aug 2012 16:23:00 +0000
Message-ID: <20120819182300.63665a0b@neptune.home>
In-Reply-To: <Pine.LNX.4.44L0.1208182001320.25537-100000@netrider.rowland.org>

On Sat, 18 August 2012 Alan Stern wrote:
> On Sat, 18 Aug 2012, Bruno Prémont wrote:
>
> > One thing I just thought about, how does usbhid handle the calls to
> > usbhid_submit_report() when hid_hw_stop()/hid_hw_close() have already
> > been called?
>
> Looks like they aren't synchronized at all. That's a bug.
> usbhid_submit_report() should check the HID_DISCONNECTED flag.
>
> > I will attempt to see if it makes a difference to shortcut my
> > usbhid_submit_report() calls from the point on I have called hid_hw_close()...
>
> I don't know about hid_hw_close(). Certainly no more reports should be
> submitted following usbhid_stop().
Ok, I did just that, prevent new calls to usbhid_submit_report(), after
calling hid_hw_close(), fixed one bug in my code that triggers the NULL
pointer dereference (calling hid_set_drvdata(hdev, NULL) too early).

Now I'm still seeing the bad paging request in _mmx_memcpy(), though rather
sporadically.

The last ones I saw were during remove() around the time of calling hid_hw_close()
and hid_hw_stop(). Adding a printk() between the two (at least while picoLCD
is hosting fbcon) makes it very improbable for the bad page to happen.

It looks like the low-level driver did free memory in hid_hw_close() for some
in-flight URB and thus things break in the following USB interrupt.

From mapping trace information to source it seems:
usbhid/hid-core.c:

static int hid_submit_out(struct hid_device *hid)
{
	struct hid_report *report;
	char *raw_report;
	struct usbhid_device *usbhid = hid->driver_data;
	int r;

	report = usbhid->out[usbhid->outtail].report;
	raw_report = usbhid->out[usbhid->outtail].raw_report;

	usbhid->urbout->transfer_buffer_length = ((report->size - 1) >> 3) +
						 1 + (report->id > 0);
	usbhid->urbout->dev = hid_to_usb_dev(hid);
	if (raw_report) {
		memcpy(usbhid->outbuf, raw_report,
				usbhid->urbout->transfer_buffer_length);
		^^^^^^^^^^^^^^^_ this is exploding
		kfree(raw_report);
		usbhid->out[usbhid->outtail].raw_report = NULL;
	}

	dbg_hid("submitting out urb\n");

	r = usb_submit_urb(usbhid->urbout, GFP_ATOMIC);
	if (r < 0) {
		hid_err(hid, "usb_submit_urb(out) failed: %d\n", r);
		return r;
	}
	usbhid->last_out = jiffies;
	return 0;
}

Bruno
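
A user-space model of the check suggested in the quoted reply above, as an added example that is not code from usbhid or from either poster: submissions are refused once a disconnected flag is set, and the flag is set under the same lock that frees the queued buffers, so no late submitter can leave a pointer to freed memory in the queue. The struct, the function names, MODEL_DISCONNECTED (standing in for HID_DISCONNECTED) and the queue size are assumptions for illustration.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

#define QLEN 4                  /* ring size, power of two (model value) */
#define MODEL_DISCONNECTED 1u   /* stands in for HID_DISCONNECTED */

struct model_dev {
	pthread_mutex_t lock;   /* plays the role of the device lock */
	unsigned flags, head, tail;
	char *raw[QLEN];        /* queued copies, like out[].raw_report */
};

/* Queue a private copy of a report; refuse once the device is stopped. */
int model_submit(struct model_dev *d, const void *buf, size_t n)
{
	int ret = 0;
	char *copy = malloc(n);
	if (!copy)
		return -ENOMEM;
	memcpy(copy, buf, n);
	pthread_mutex_lock(&d->lock);
	if (d->flags & MODEL_DISCONNECTED)
		ret = -ENODEV;          /* checked under the lock, not before it */
	else if (((d->head + 1) & (QLEN - 1)) == d->tail)
		ret = -ENOSPC;          /* ring full */
	else {
		d->raw[d->head] = copy;
		d->head = (d->head + 1) & (QLEN - 1);
	}
	pthread_mutex_unlock(&d->lock);
	if (ret)
		free(copy);             /* never queued, so release it here */
	return ret;
}

/* Stop: set the flag and drain under the same lock; returns entries freed. */
int model_stop(struct model_dev *d)
{
	int freed = 0;
	pthread_mutex_lock(&d->lock);
	d->flags |= MODEL_DISCONNECTED;
	for (; d->tail != d->head; d->tail = (d->tail + 1) & (QLEN - 1), freed++) {
		free(d->raw[d->tail]);
		d->raw[d->tail] = NULL; /* no stale pointer left for a later memcpy */
	}
	pthread_mutex_unlock(&d->lock);
	return freed;
}
```
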