From: noman pouigt
Date: Wed, 9 Aug 2017 01:40:06 -0700
Subject: f_hid.c conversion to the new function interface and crash due to race
To: bjorn@mork.no, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, jikos@kernel.org, linux-usb@vger.kernel.org, Pavel Machek, balbi@ti.com, eu@felipetonello.com, k.opasiak@samsung.com
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

I am currently using the 3.18 Linux kernel and getting the spinlock crash below in the f_hid.c driver (https://goo.gl/3mdAr1). The crash is happening due to a race condition between hidg_unbind and the f_hidg_poll function. This is still a problem with the latest kernel, though, as cdev_del(&hidg->cdev) is racing with the f_hidg_poll function.
[ 2300.676626] BUG: spinlock bad magic on CPU#0, firmware_update/2403
[ 2300.682787] Unable to handle kernel paging request at virtual address 6b6b6f03
[ 2300.689975] pgd = e8dec000
[ 2300.692663] [6b6b6f03] *pgd=00000000
[ 2300.696240] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 2300.701521] Modules linked in:
[ 2300.704583] CPU: 0 PID: 2403 Comm: firmware_update Tainted: G W 3.18.31 #1
[ 2300.712466] task: e9d94140 ti: e97b6000 task.ti: e97b6000
[ 2300.717869] PC is at spin_bug+0x64/0xb0
[ 2300.721667] LR is at spin_bug+0x58/0xb0
[ 2300.725495] pc : [] lr : [] psr: 200f0093
[ 2300.725495] sp : e97b7ae0 ip : c130d400 fp : 00000000
[ 2300.736938] r10: 00000008 r9 : 00000000 r8 : 00000100
[ 2300.742151] r7 : e97b7bb4 r6 : c0e5e797 r5 : ea145e64 r4 : 6b6b6b6b
[ 2300.748661] r3 : 6b6b6feb r2 : 6b6b6b6b r1 : e97b6000 r0 : 00000036
[ 2300.755181] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
[ 2300.762380] Control: 10c5387d Table: a8dec06a DAC: 00000015
[ 2300.768104] Process firmware_update (pid: 2403, stack limit = 0xe97b6238)
[ 2300.774876] Stack: (0xe97b7ae0 to 0xe97b8000)
[ 2300.779245] 7ae0: 00000963 c0e5e797 ea145e64 ea145e64 e97b7bd8 c0064010 800f0013 ea145e64
[ 2300.787400] 7b00: e97b7bd8 e97b7bb4 00000100 00000000 00000008 c0aacc14 00000006 00000000
[ 2300.795558] 7b20: ea145e64 c005d414 00000000 e97b7bd8 00000000 c0136c7c 00000000 00000002
[ 2300.803718] 7b40: 00000002 00000002 e97b7e38 c0137360 c0012000 00000000 00000000 00000000
[ 2300.811876] 7b60: 00000050 00000000 00000000 e97b7e60 e97b7e64 e97b7e68 000000f0 00000000
[ 2300.820038] 7b80: 00000000 e97b7e54 e97b7e58 e97b7e5c 00000000 00000000 00000020 000000f0
[ 2300.828199] 7ba0: ea391880 ea391880 00006472 001b2b28 001adf64 00000000 000000db 00000000
[ 2300.836357] 7bc0: e9d94140 00000000 00000000 00000006 e9de0000 000000db 00000000 e97b7bb4
[ 2300.844520] 7be0: c013695c ea145e74 ea145e74 ea145e64 e9de0000 000000db 00000000 e97b7bb4
[ 2300.852680] 7c00: c013695c ea145ebc ea145ebc ea145eac e9de1340 000000db 00000000 e97b7bb4
[ 2300.860837] 7c20: c013695c ea12a324 e97b7c84 ea12a314 e9de1a40 000000db 00000000 e97b7bb4
[ 2300.868999] 7c40: c013695c ea146134 ea146134 ea146124 e9de1a40 000000db 00000000 e97b7bb4
[ 2300.877159] 7c60: c013695c ea14617c ea14617c ea14616c ea391880 000000db 00000000 e97b7bb4
[ 2300.885318] 7c80: c013695c e97b7c24 ea12a324 ea12a314 00000000 e97b7cd8 e97b7fa8 c000e960
[ 2300.893473] 7ca0: 00000000 c1094a28 e97b8000 00000000 00000000 00000003 00000000 e97b7d00
[ 2300.901640] 7cc0: c0012000 e97b7cf0 e97b6000 ed824100 e97b7d8c c0134020 e97b7d1c c0011ff4
[ 2300.909799] 7ce0: e97b7d20 ffffffff e8d1a180 c0012164 e97b7d20 c000e960 c0e90a13 c0e639c6
[ 2300.917958] 7d00: 00000010 e8d1b1d8 c0134020 e8d1a180 e97b6000 ea2de540 ea4cec48 c0281200
[ 2300.926114] 7d20: ea4cec48 ec36c03c ef5ecc40 c00d9fac ea2de540 00000000 00000000 00000000
[ 2300.934277] 7d40: ea4cec44 c00da300 00000000 ea2de540 000000c9 000000c9 c0e61f37 000001e6
[ 2300.942436] 7d60: 00000000 ea2de540 000000c9 c00dc4f8 e97b7d8c 00000000 e9c0b4a0 e97b7db0
[ 2300.950598] 7d80: 000000c9 00000000 edd6d1c8 000be476 be47659f e8c4e1e4 47279000 ef5ecc40
[ 2300.958754] 7da0: 00000000 c011181c 00000012 c001b0c4 00000103 be47659f ede89f30 ef5ecc40
[ 2300.966915] 7dc0: ede89f40 e8c4e000 e8c4e000 c0aacc68 ede89f40 c0102428 00000000 00000000
[ 2300.975074] 7de0: ef5ecc40 c013a978 e9aee6dc e9aef784 e9aef784 ea367f00 ea4c9618 e97b7fb0
[ 2300.983232] 7e00: e9c0b4a0 47279000 e8c4e000 00000000 e9c1a080 00000004 e97b7e50 00000000
[ 2300.991392] 7e20: 00000000 001b2a6c e97b6038 00000008 00000000 c013759c e97b7e50 e97b7e54
[ 2300.999553] 7e40: e97b7e58 e97b7e5c e97b7e60 e97b7e64 000000f0 00000000 00000000 00000050
[ 2301.007713] 7e60: 00000000 00000000 80000007 e9c1a080 e9c1a0c4 c0aaeec8 00000000 c0134020
[ 2301.015872] 7e80: e8d1a180 e8d1a180 fffffffe c13465a8 00000000 00000000 e97b6000 00000000
[ 2301.024032] 7ea0: 00000000 c0134020 ed85af10 e9aee668 f02ce0fe 0000000b e8d1a196 c011c914
[ 2301.032190] 7ec0: 00000000 ea4c95c8 e988ef38 00000001 00000002 0000008a 00000000 00000000
[ 2301.040351] 7ee0: ea391880 47279380 00000007 c11b6ac4 47279380 e97b7fb0 00000005 001adf64
[ 2301.048513] 7f00: 00000000 c000874c 00000001 001adf64 ffffff9c 001b2c94 e97b7f50 c0134048
[ 2301.056671] 7f20: 00000000 001b2c94 00000001 c012a788 ffffff9c 001b2c94 bebfeab0 001adf64
[ 2301.064830] 7f40: 001b2a68 000000c3 c000eae4 c012ad5c 00000000 00000000 00000000 001b2a6c
[ 2301.072988] 7f60: 00000008 e97b6000 00000000 c013772c 00000000 00000000 00000000 c01606d0
[ 2301.081152] 7f80: ffffbffd ffffffff 00000000 001b2a6c 00000000 0000008e c000eae4 e97b6000
[ 2301.089307] 7fa0: 00000000 c000e960 00000000 001b2a6c 00000008 001b2a6c 00000000 00000000
[ 2301.097466] 7fc0: 00000000 001b2a6c 00000000 0000008e 001b2a78 00000005 001adf64 00000000
[ 2301.105628] 7fe0: 00000000 bebfeb98 000104ec 472793a4 600d0010 00000008 00000000 00000000
[ 2301.113814] [] (spin_bug) from [] (do_raw_spin_lock+0x20/0x17c)
[ 2301.121448] [] (do_raw_spin_lock) from [] (_raw_spin_lock_irqsave+0x20/0x28)
[ 2301.130206] [] (_raw_spin_lock_irqsave) from [] (remove_wait_queue+0x10/0x2c)
[ 2301.139060] [] (remove_wait_queue) from [] (poll_freewait+0x2c/0x84)
[ 2301.147128] [] (poll_freewait) from [] (do_select+0x50c/0x524)
[ 2301.154678] [] (do_select) from [] (core_sys_select+0x224/0x2e0)
[ 2301.162403] [] (core_sys_select) from [] (SyS_select+0xd4/0x104)
[ 2301.170138] [] (SyS_select) from [] (ret_fast_syscall+0x0/0x38)
[ 2301.177761] Code: eb28fab0 e3540000 12843d12 e5952004 (15941398)
[ 2301.183827] ---[ end trace 6b784faa179a13ec ]---
[ 2301.188516] note: firmware_update[2403] exited with preempt_count 1
[ 2301.210857] f_hidg_poll

So, I ported the latest f_hid.c file from upstream to my kernel along with the dependent changes. This f_hid driver is instantiated from the gadget driver for Android.
drivers/usb/gadget/android.c

static struct android_usb_function hid_function = {
	.name		= "hid",
	.init		= hid_function_init,
	.cleanup	= hid_function_cleanup,
	.bind_config	= hid_function_bind_config,
	.attributes	= hid_function_attributes,
};

I got the above patch from here: https://goo.gl/Ygkjrw

Can anyone let me know how I can instantiate the function hid driver to get /dev/hid{0-2} nodes after it got converted to the new function interface? Currently ep0 of the ffs driver in Android is instantiating the hid function driver, but I don't know how that can happen in the latest upstream code.

Thanks,
varisla
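The configfs sequence the question is asking about (how a HID function is instantiated once f_hid uses the new function interface, with no android.c table in the way), as an added example that is not part of the original mail or of the kernel tree. It assumes configfs is mounted at /sys/kernel/config, the kernel is built with f_hid configfs support, and the vendor/product IDs and the standard boot-keyboard report descriptor are placeholders to replace with your own; the gadget, function and configuration names (g1, hid.usb0, c.1) are likewise arbitrary. The attributes protocol, subclass, report_length and report_desc are the ones f_hid exposes under functions/hid.<name>, and upstream f_hid creates the node as /dev/hidg<N>, so expect /dev/hidg0 rather than /dev/hid0.

```shell
#!/bin/sh
# Added example, not code from the mail or from the kernel tree: bring up
# f_hid through configfs, the upstream replacement for android.c's
# android_usb_function table. Assumptions: configfs at /sys/kernel/config,
# CONFIG_USB_CONFIGFS_F_HID enabled, placeholder VID/PID, and a plain USB
# boot-keyboard descriptor (8-byte input report).

# Standard HID boot-keyboard report descriptor (63 bytes). Octal escapes are
# used so it works with a POSIX printf, not only bash's builtin.
hidg_report_desc_keyboard() {
    printf '\005\001\011\006\241\001\005\007\031\340\051\347\025\000\045\001'
    printf '\165\001\225\010\201\002\225\001\165\010\201\003\225\005\165\001'
    printf '\005\010\031\001\051\005\221\002\225\001\165\003\221\003\225\006'
    printf '\165\010\025\000\045\145\005\007\031\000\051\145\201\000\300'
}

# Create the gadget, the hid.usb0 function and one configuration, then link
# the function into the configuration. $1 overrides the configfs root so the
# same layout can be exercised against a scratch directory.
hidg_setup() {
    cfs=${1:-/sys/kernel/config}
    g=$cfs/usb_gadget/g1
    f=$g/functions/hid.usb0
    c=$g/configs/c.1

    mkdir -p "$g"
    echo 0x1d6b > "$g/idVendor"        # placeholder VID (assumption)
    echo 0x0104 > "$g/idProduct"       # placeholder PID (assumption)
    mkdir -p "$g/strings/0x409"
    echo "hidg example" > "$g/strings/0x409/product"

    mkdir -p "$f"
    echo 1 > "$f/protocol"             # HID boot protocol: 1 = keyboard
    echo 1 > "$f/subclass"             # 1 = boot interface subclass
    echo 8 > "$f/report_length"        # 8-byte boot keyboard input report
    hidg_report_desc_keyboard > "$f/report_desc"

    mkdir -p "$c/strings/0x409"
    echo "hid" > "$c/strings/0x409/configuration"
    [ -e "$c/hid.usb0" ] || ln -s "$f" "$c/hid.usb0"
}

# Binding to a UDC is what binds the function and makes /dev/hidg0 appear.
# $1: UDC name as listed in /sys/class/udc; $2: configfs root.
hidg_bind_udc() {
    echo "$1" > "${2:-/sys/kernel/config}/usb_gadget/g1/UDC"
}

# Reverse order: unbind the UDC first (that is what unbinds the function and
# removes the char device), ideally with nothing still holding /dev/hidg0
# open, then dismantle the tree with rmdir as configfs requires.
hidg_teardown() {
    cfs=${1:-/sys/kernel/config}
    g=$cfs/usb_gadget/g1
    echo "" > "$g/UDC"
    rm -f "$g/configs/c.1/hid.usb0"
    rmdir "$g/configs/c.1/strings/0x409" "$g/configs/c.1"
    rmdir "$g/functions/hid.usb0" "$g/strings/0x409" "$g"
}

# Stand-alone use on the target (as root):  sh hidg.sh up | down
case "${1:-}" in
    up)   hidg_setup && hidg_bind_udc "$(ls /sys/class/udc | head -n 1)" ;;
    down) hidg_teardown ;;
esac
```

Sourcing the file and calling hidg_setup with a scratch directory as its argument shows the exact tree that will be created under /sys/kernel/config/usb_gadget/g1 before touching a real UDC.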