Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S966594AbcDLV3t (ORCPT ); Tue, 12 Apr 2016 17:29:49 -0400
Received: from youngberry.canonical.com ([91.189.89.112]:50795 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966452AbcDLUxs (ORCPT ); Tue, 12 Apr 2016 16:53:48 -0400
From: Kamal Mostafa
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, kernel-team@lists.ubuntu.com
Cc: Yoshihiro Shimoda, Felipe Balbi, Kamal Mostafa
Subject: [PATCH 4.2.y-ckt 37/70] usb: renesas_usbhs: fix to avoid using a disabled ep in usbhsg_queue_done()
Date: Tue, 12 Apr 2016 13:52:22 -0700
Message-Id: <1460494375-30070-38-git-send-email-kamal@canonical.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1460494375-30070-1-git-send-email-kamal@canonical.com>
References: <1460494375-30070-1-git-send-email-kamal@canonical.com>
X-Extended-Stable: 4.2
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1840
Lines: 51

4.2.8-ckt8 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Yoshihiro Shimoda

commit 4fccb0767fdbdb781a9c5b5c15ee7b219443c89d upstream.

This patch fixes an issue that usbhsg_queue_done() may cause kernel
panic when dma callback is running and usb_ep_disable() is called
by interrupt handler. (Especially, we can reproduce this issue using
g_audio with usb-dmac driver.)

For example of a flow:
 usbhsf_dma_complete (on tasklet)
  --> usbhsf_pkt_handler (on tasklet)
   --> usbhsg_queue_done (on tasklet)
    *** interrupt happened and usb_ep_disable() is called ***
    --> usbhsg_queue_pop (on tasklet)
     Then, oops happened.

Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda
Signed-off-by: Felipe Balbi
Signed-off-by: Kamal Mostafa --- drivers/usb/renesas_usbhs/mod_gadget.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c index dc2aa32..0465296 100644 --- a/drivers/usb/renesas_usbhs/mod_gadget.c +++ b/drivers/usb/renesas_usbhs/mod_gadget.c @@ -154,10 +154,14 @@ static void usbhsg_queue_done(struct usbhs_priv *priv, struct usbhs_pkt *pkt) struct usbhs_pipe *pipe = pkt->pipe; struct usbhsg_uep *uep = usbhsg_pipe_to_uep(pipe); struct usbhsg_request *ureq = usbhsg_pkt_to_ureq(pkt); + unsigned long flags; ureq->req.actual = pkt->actual; - usbhsg_queue_pop(uep, ureq, 0); + usbhs_lock(priv, flags); + if (uep) + __usbhsg_queue_pop(uep, ureq, 0); + usbhs_unlock(priv, flags); } static void usbhsg_queue_push(struct usbhsg_uep *uep, -- 2.7.4
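Review bot: In usbhsg_queue_done(), uep is still loaded by usbhsg_pipe_to_uep(pipe) in the declarations, and ureq->req.actual is still written, before usbhs_lock(priv, flags) is taken, so the new "if (uep)" test inside the lock checks a value sampled outside it. If the usb_ep_disable() path named in the commit message can run between that load and the lock, the check sees a stale pointer. Consider moving the usbhsg_pipe_to_uep() lookup inside the locked region, or add a comment saying what keeps the pre-lock value valid. Two smaller points: when uep is NULL the request is neither popped nor completed here, and a one-line comment on who finishes it in that case would help the next reader; and the hunk calls __usbhsg_queue_pop(), which this patch does not add (the diffstat shows only these 5 insertions), so it is worth confirming that the 4.2.y tree already carries that helper and that it expects to be called with the lock held.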