From: Felipe Balbi
To: "He, Bo", linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
Cc: gregkh@linuxfoundation.org, peter.chen@nxp.com, k.opasiak@samsung.com, stefan@agner.ch, felixhaedicke@web.de, colin.king@canonical.com, rogerq@ti.com, f.fainelli@gmail.com, "He, Bo", "Zhang, Yanmin"
Subject: Re: [PATCH] usb: gadget: udc: fix the kernel NULL pointer in composite_setup
Date: Tue, 18 Jul 2017 13:44:15 +0300
Message-ID: <87pocy81og.fsf@linux.intel.com>

Hi,

"He, Bo" writes:
> the patch is to fix the below kernel panic:
> BUG: unable to handle kernel NULL pointer dereference at 000000000000002a
> IP: [] composite_setup+0x3d/0x1830
> PGD 27525b067 PUD 27525a067 PMD 0
> Oops: 0002 [#1] PREEMPT SMP
> Call Trace:
> [] ? dwc3_trace+0x52/0x60
> [] ? get_parent_ip+0xd/0x50
> [] android_setup+0xbc/0x140
> [] ? irq_finalize_oneshot+0xe0/0xe0
> [] dwc3_ep0_delegate_req+0x37/0x50
> [] dwc3_ep0_interrupt+0xaf9/0xc10
> [] ? get_parent_ip+0xd/0x50
> [] ? irq_finalize_oneshot+0xe0/0xe0
> [] dwc3_thread_interrupt+0x931/0xbf0
> [] ? irq_finalize_oneshot+0xe0/0xe0
> [] irq_thread_fn+0x1e/0x40
> [] irq_thread+0x134/0x1b0
> [] ? wake_threads_waitq+0x30/0x30
> [] kthread+0xed/0x110
> [] ret_from_fork+0x3f/0x70
> RIP [] composite_setup+0x3d/0x1830
>
> the root cause is that the dwc interrupt comes after usb_gadget_remove_driver.
> the fix is to stop udc to have dwc3 disable the interrupt, then release
> the resource in udc->driver->unbind.
> usb_gadget_udc_stop-->
> udc->gadget->ops->udc_stop(udc->gadget)-->
> dwc3_gadget_stop
>
> Signed-off-by: he, bo
> ---
> drivers/usb/gadget/udc/core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
> index e6f04ee..67e9aa5 100644
> --- a/drivers/usb/gadget/udc/core.c > +++ b/drivers/usb/gadget/udc/core.c > @@ -1258,8 +1258,8 @@ static void usb_gadget_remove_driver(struct usb_udc *udc) > > usb_gadget_disconnect(udc->gadget); > udc->driver->disconnect(udc->gadget); > - udc->driver->unbind(udc->gadget); > usb_gadget_udc_stop(udc); > + udc->driver->unbind(udc->gadget);

unbind must be called before udc_stop. This seems to be a bug *only* in
dwc3. I can't see how this would happen, actually. On dwc3_gadget_stop()
we mask dwc3's interrupts, so the handler shouldn't be executed anymore.

Can you tell me how to reproduce this? I could try this out tomorrow.

Which kernel are you using? I wonder if this is something caused by the
Android patches.

-- 
balbi
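Review bot: Swapping `udc->driver->unbind(udc->gadget)` and `usb_gadget_udc_stop(udc)` in usb_gadget_remove_driver() changes the teardown order in the generic UDC core for every controller driver, while the commit message only describes a dwc3 symptom and does not explain why the existing order lets dwc3_ep0_interrupt() reach composite_setup() after the gadget driver has been unbound. If dwc3_gadget_stop() masks the controller's interrupts, a handler still running afterwards points at a dwc3-side race that this reordering would only hide, so the justification belongs there rather than in core.c. The commit message should also state the kernel version and give reproduction steps, and say whether out-of-tree patches are applied, since the trace shows android_setup() rather than an in-tree composite function calling composite_setup().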