[PATCH v2] usb: xhci: Fix sleep in atomic context in xhci_free

Linux USB
 help / color / mirror / Atom feed

* [PATCH v2] usb: xhci: Fix sleep in atomic context in xhci_free_streams()
@ 2026-06-12  6:29 胡连勤
  2026-06-12 15:07 ` Mathias Nyman
  0 siblings, 1 reply; 2+ messages in thread
From: 胡连勤 @ 2026-06-12  6:29 UTC (permalink / raw)
  To: Mathias Nyman, Greg Kroah-Hartman, Michal Pecio
  Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	胡连勤

When a USB device with active stream endpoints is disconnected,
xhci_free_streams() is called from the hub_event workqueue to
free the stream resources.  It calls xhci_free_stream_info()
while holding xhci->lock with irqs disabled.

xhci_free_stream_info() invokes xhci_free_stream_ctx(), which
calls dma_free_coherent() for large stream context arrays.

dma_free_coherent() can sleep (e.g. via vunmap), triggering
a BUG when called from atomic context.

Call trace:
 dma_free_attrs+0x174/0x220
 xhci_free_stream_info+0xd0/0x11c
 xhci_free_streams+0x278/0x37c
 usb_free_streams+0x98/0xc0
 usb_unbind_interface+0x1b8/0x2f8
 device_release_driver_internal+0x1d4/0x2cc
 device_release_driver+0x18/0x28
 bus_remove_device+0x160/0x1a4
 device_del+0x1ec/0x350
 usb_disable_device+0x98/0x214
 usb_disconnect+0xf0/0x35c
 hub_event+0xab4/0x19ec
 process_one_work+0x278/0x63c

Fix this by saving the stream_info pointers and clearing the
ep references under the lock, then calling xhci_free_stream_info()
outside the lock where sleeping is allowed.

Fixes: 8df75f42f8e6 ("USB: xhci: Add memory allocation for USB3 bulk streams.")
Cc: stable@vger.kernel.org
Signed-off-by: Lianqin Hu <hulianqin@vivo.com>
---

Changes in v2:
 - Update submission description information
 - Link to v1: https://lore.kernel.org/all/TYUPR06MB6217153FC7FC9757871D501ED21B2@TYUPR06MB6217.apcprd06.prod.outlook.com/

 drivers/usb/host/xhci.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index a54f5b57f205..c9af508edcb9 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3788,6 +3788,7 @@ static int xhci_free_streams(struct usb_hcd *hcd, struct usb_device *udev,
 	struct xhci_virt_device *vdev;
 	struct xhci_command *command;
 	struct xhci_input_control_ctx *ctrl_ctx;
+	struct xhci_stream_info *stream_info[EP_CTX_PER_DEV];
 	unsigned int ep_index;
 	unsigned long flags;
 	u32 changed_ep_bitmask;
@@ -3848,10 +3849,14 @@ static int xhci_free_streams(struct usb_hcd *hcd, struct usb_device *udev,
 	if (ret < 0)
 		return ret;
 
+	/* dma_free_coherent() called by xhci_free_stream_info() may sleep,
+	 * so save stream_info pointers and clear references under lock,
+	 * then free the memory outside lock.
+	 */
 	spin_lock_irqsave(&xhci->lock, flags);
 	for (i = 0; i < num_eps; i++) {
 		ep_index = xhci_get_endpoint_index(&eps[i]->desc);
-		xhci_free_stream_info(xhci, vdev->eps[ep_index].stream_info);
+		stream_info[i] = vdev->eps[ep_index].stream_info;
 		vdev->eps[ep_index].stream_info = NULL;
 		/* FIXME Unset maxPstreams in endpoint context and
 		 * update deq ptr to point to normal string ring.
@@ -3861,6 +3866,9 @@ static int xhci_free_streams(struct usb_hcd *hcd, struct usb_device *udev,
 	}
 	spin_unlock_irqrestore(&xhci->lock, flags);
 
+	for (i = 0; i < num_eps; i++)
+		xhci_free_stream_info(xhci, stream_info[i]);
+
 	return 0;
 }
 
-- 
2.48.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] usb: xhci: Fix sleep in atomic context in xhci_free_streams()
  2026-06-12  6:29 [PATCH v2] usb: xhci: Fix sleep in atomic context in xhci_free_streams() 胡连勤
@ 2026-06-12 15:07 ` Mathias Nyman
  0 siblings, 0 replies; 2+ messages in thread
From: Mathias Nyman @ 2026-06-12 15:07 UTC (permalink / raw)
  To: 胡连勤, Greg Kroah-Hartman, Michal Pecio
  Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org

On 6/12/26 09:29, 胡连勤 wrote:
> When a USB device with active stream endpoints is disconnected,
> xhci_free_streams() is called from the hub_event workqueue to
> free the stream resources.  It calls xhci_free_stream_info()
> while holding xhci->lock with irqs disabled.
> 
> xhci_free_stream_info() invokes xhci_free_stream_ctx(), which
> calls dma_free_coherent() for large stream context arrays.
> 
> dma_free_coherent() can sleep (e.g. via vunmap), triggering
> a BUG when called from atomic context.
> 
> Call trace:
>   dma_free_attrs+0x174/0x220
>   xhci_free_stream_info+0xd0/0x11c
>   xhci_free_streams+0x278/0x37c
>   usb_free_streams+0x98/0xc0
>   usb_unbind_interface+0x1b8/0x2f8
>   device_release_driver_internal+0x1d4/0x2cc
>   device_release_driver+0x18/0x28
>   bus_remove_device+0x160/0x1a4
>   device_del+0x1ec/0x350
>   usb_disable_device+0x98/0x214
>   usb_disconnect+0xf0/0x35c
>   hub_event+0xab4/0x19ec
>   process_one_work+0x278/0x63c
> 
> Fix this by saving the stream_info pointers and clearing the
> ep references under the lock, then calling xhci_free_stream_info()
> outside the lock where sleeping is allowed.
> 
> Fixes: 8df75f42f8e6 ("USB: xhci: Add memory allocation for USB3 bulk streams.")
> Cc: stable@vger.kernel.org
> Signed-off-by: Lianqin Hu <hulianqin@vivo.com>


Applied, needed some manual work

Line endings (CR/CRLF) of this patch got mangled somewhere on the way (mail client?).

Checkpatch also complained about "From" and "Signed-off-by" mismatch.
胡连勤 != Lianqin Hu according to script, But this can probably be ignored

Thanks
Mathias


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-12 15:08 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-12  6:29 [PATCH v2] usb: xhci: Fix sleep in atomic context in xhci_free_streams() 胡连勤
2026-06-12 15:07 ` Mathias Nyman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox