From: Felipe Balbi
To: Yu Chen, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: wangbinghui@hisilicon.com
Subject: Re: [PATCH] usb:dwc3:fix access poisoned list_head in dwc3_gadget_giveback
In-Reply-To: <20171223092505.23620-1-chenyu56@huawei.com>
References: <20171223092505.23620-1-chenyu56@huawei.com>
Date: Mon, 08 Jan 2018 13:46:11 +0200
Message-ID: <87fu7glgjg.fsf@linux.intel.com>

Hi,

Yu Chen writes:
> From: Yu Chen
>
> Unable to handle kernel paging request at virtual address dead000000000108
> pgd = fffffff7a3179000
> [dead000000000108] *pgd=00000000230e0003, *pud=00000000230e0003,
> *pmd=0000000000000000
> Internal error: Oops: 96000044 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 2 PID: 1 Comm: init Tainted: G W 4.4.23+ #1 try mainline
> TGID: 1 Comm: init
> Hardware name: kirin970 (DT)
> task: fffffff99f190000 ti: fffffff99f1740e0 task.ti: fffffff99f1740e0
> PC is at dwc3_gadget_giveback+0xa8/0x228
> LR is at dwc3_remove_requests+0x44/0x88
>
> The crash occurred when usb works as rndis device and
> __dwc3_gadget_kick_transfer returns error in __dwc3_gadget_ep_queue.
> The request submitted in __dwc3_gadget_ep_queue is moved to started_list
> but not kicked. It is still on started_list although
> __dwc3_gadget_kick_transfer failed. When dwc3_gadget_ep_queue returns

why did kick_transfer fail? Where are the tracepoints showing the failure?

> error to u_ether driver, the request will be resubmitted to dwc3 driver.
> At last, the same request is both on started_list and pending_list,
> it will be list_del twice in dwc3_remove_requests and cause crash.
>
> Signed-off-by: Yu Chen
> --- > drivers/usb/dwc3/gadget.c | 28 +++++++++++++++++++++++++++- > 1 file changed, 27 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c > index 639dd1b163a0..a913e64ca4e0 100644 > --- a/drivers/usb/dwc3/gadget.c > +++ b/drivers/usb/dwc3/gadget.c 
> @@ -1278,9 +1278,28 @@ static void dwc3_gadget_start_isoc(struct dwc3 *dw= c, > __dwc3_gadget_start_isoc(dwc, dep, cur_uf); > } >=20=20 > +static int dwc3_gadget_is_req_pengding_or_started(struct dwc3_ep *dep, > + struct dwc3_request *req) > +{ > + struct dwc3_request *iterate_req; > + > + list_for_each_entry(iterate_req, &dep->pending_list, list) { > + if (iterate_req =3D=3D req) > + return 1; > + } > + > + list_for_each_entry(iterate_req, &dep->started_list, list) { > + if (iterate_req =3D=3D req) > + return 1; > + } > + > + return 0; > +} > + > static int __dwc3_gadget_ep_queue(struct dwc3_ep *dep, struct dwc3_reque= st *req) > { > struct dwc3 *dwc =3D dep->dwc; > + int ret; >=20=20 > if (!dep->endpoint.desc) { > dev_err(dwc->dev, "%s: can't queue to disabled endpoint\n", 
> @@ -1334,7 +1353,14 @@ static int __dwc3_gadget_ep_queue(struct dwc3_ep *= dep, struct dwc3_request *req) > } >=20=20 > out: > - return __dwc3_gadget_kick_transfer(dep); > + ret =3D __dwc3_gadget_kick_transfer(dep); > + if (ret && dwc3_gadget_is_req_pengding_or_started(dep, req)) {

first we need to figure out why kick_transfer failed. It shouldn't fail,
so why did it? Then I need you to try with a more recent kernel, v4.4 is
rather old and a lot has changed WRT transfer handling:

$ git rev-list --count --no-merges v4.4..linus/master -- drivers/usb/dwc3/gadget.c
184

-- 
balbi
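Review bot: in the first hunk (@@ -1278,9 +1278,28 @@) the helper name dwc3_gadget_is_req_pengding_or_started misspells "pending", and it returns int 1/0 for what is a yes/no predicate; rename it to dwc3_gadget_is_req_pending_or_started and return bool. The helper also carries no comment on what the caller must hold while dep->pending_list and dep->started_list are walked; a one-line comment stating the locking expectation would let the two list_for_each_entry loops be reviewed on their own.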
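Review bot: in the second hunk (@@ -1334,7 +1353,14 @@) the new test "if (ret && dwc3_gadget_is_req_pengding_or_started(dep, req))" after "out:" has no comment explaining why a request can still be on a list once __dwc3_gadget_kick_transfer(dep) has returned an error, and the quoted text stops at the opening brace, so the cleanup itself cannot be checked from what is shown. Add a comment above the "if" stating which list the request may be left on and that it is off both lists whenever an error is returned, since the commit message says the caller submits the same request again after an error.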
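The double list_del described in the commit message, as an added example that is not part of the original mail or of the dwc3 driver: a userspace model of one request left on started_list, queued again onto pending_list, and then drained, showing why the fault address is dead000000000108. The poison constants are assumed from include/linux/poison.h with arm64's CONFIG_ILLEGAL_POINTER_VALUE, the helpers list_del_checked and simulate_requeue_then_drain are hypothetical names, and an LP64 target is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants: include/linux/poison.h of that kernel era combined with
 * arm64's CONFIG_ILLEGAL_POINTER_VALUE (0xdead000000000000). LP64 assumed. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000200ULL)

struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
}

/* list_del() with a CONFIG_DEBUG_LIST-style guard: refuse an already deleted
 * entry and report where the unchecked "next->prev = prev" store would land. */
static int list_del_checked(struct list_head *e, uint64_t *fault)
{
	if (e->next == LIST_POISON1) {
		*fault = (uint64_t)(uintptr_t)e->next + offsetof(struct list_head, prev);
		return -1;
	}
	e->next->prev = e->prev; e->prev->next = e->next;
	e->next = LIST_POISON1; e->prev = LIST_POISON2;
	return 0;
}

/* Simplified model: req stays on started_list after a failed kick, is queued
 * again onto pending_list, then started_list is drained entry by entry. */
static uint64_t simulate_requeue_then_drain(void)
{
	struct list_head started, pending, req;
	uint64_t fault = 0;
	list_init(&started); list_init(&pending);
	list_add_tail(&req, &started);   /* moved to started_list, kick fails */
	list_add_tail(&req, &pending);   /* same request submitted again */
	while (started.next != &started) /* started head still points at req */
		if (list_del_checked(started.next, &fault))
			break;
	return fault;
}

int main(void)
{
	return printf("%#llx\n", (unsigned long long)simulate_requeue_then_drain()) < 0;
}
```

The first deletion unlinks the request through its pending_list pointers and poisons it, but the started_list head still references it, so the drain loop reaches the same entry a second time.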