Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp216953pxj; Thu, 3 Jun 2021 05:07:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxa9ItWTKxxsVWQWNWcd8o3Y4U8kmUuYkdosdom1Hwn9WvoZPI8rQS51Kd1drH0+fmbGnUo X-Received: by 2002:a17:906:eb88:: with SMTP id mh8mr21082900ejb.540.1622722028343; Thu, 03 Jun 2021 05:07:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622722028; cv=none; d=google.com; s=arc-20160816; b=q+1sfq2/6xy2ic15avqyfvg7hfHXKUerRjrW44qSbTHonx4t0ySdUV4qn8SPBIh0Zj kIQEEsHoncbovCmMUFuY+LIVXeLScwmoqlZpFl2gVSVQBLJ8GaltJcO5pP1+Mpf04x2S 839dFUQ635aGBStNEGdvHYZjr4otLWCRmTDtC8vlnYe36fee3P8pL1pR9grKTCQDZg4t ocRCBJKwzHn02lBtFYQW6EukN6ipP8O3q6u9mxOCwYBNBkWS/IAPbkeFIy+eLmWciKtO pMhOYO06UmsX8v1X+s2T7j+/A3KLnIm9l+9XDqsb4OLJNoCsHk8GjW3FXl12FaeiAznK pUEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=rlHaplZJ/SHBE33JiVYH9ls1oXwNZV0XXAfLxsFtW+E=; b=lkexkgmld2n0rkQlmlCRHeFsOcmRhh5/49ek+kNkcTEfVhdT5GwDNvYRxxTHEvbVUU awuMnDccgq/h2vsbAvjUvF4qTCQWiSRYaJtx8zaUhdDmsS9Q0fIo1db5/IeY2OMT/pUr XFQvB4DpUdDNcSZbcMjgf/ZAm1Z8ahAt+huZl4+kVEo4vA1B2tWpUh+dqBKD9h0CP/rU upFfCtunZDdOGbMKNy0TkWpKPfwbLTTk7UXXFjW5EGjnn51ZfwlFhZETlc6St8WgLbus is3oy9deCPv2tKwXWnebPTTDiR0ZUOAyd9fhGkm4MSM5bqyE3vDvApaG/A3igGUKmqfO UuQg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k22si2142517ejc.469.2021.06.03.05.06.44; Thu, 03 Jun 2021 05:07:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229932AbhFCMGI (ORCPT + 99 others); Thu, 3 Jun 2021 08:06:08 -0400 Received: from foss.arm.com ([217.140.110.172]:39602 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229747AbhFCMGI (ORCPT ); Thu, 3 Jun 2021 08:06:08 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5B0451063; Thu, 3 Jun 2021 05:04:23 -0700 (PDT) Received: from [192.168.0.110] (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 644973F774; Thu, 3 Jun 2021 05:04:22 -0700 (PDT) Subject: Re: [BUG] usb: dwc3: Kernel NULL pointer dereference in dwc3_remove() To: Greg Kroah-Hartman Cc: Felipe Balbi , p.zabel@pengutronix.de, linux-usb@vger.kernel.org, Linux Kernel Mailing List , arm-mail-list , sanm@codeaurora.org References: <87r1hjcvf6.fsf@kernel.org> <70be179c-d36b-de6f-6efc-2888055b1312@arm.com> From: Alexandru Elisei Message-ID: <8272121c-ac8a-1565-a047-e3a16dcf13b0@arm.com> Date: Thu, 3 Jun 2021 13:05:08 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Greg, On 6/3/21 12:40 PM, Greg Kroah-Hartman wrote: > On Thu, Jun 03, 2021 at 11:41:45AM +0100, Alexandru Elisei wrote: >> Hello Felipe, >> >> Thank you for having a look! >> >> On 6/3/21 7:30 AM, Felipe Balbi wrote: >>> Hi, >>> >>> Alexandru Elisei writes: >>>> I've been seeing the following panic when shutting down my rockpro64: >>>> >>>> [�� 21.459064] xhci-hcd xhci-hcd.0.auto: USB bus 5 deregistered >>>> [�� 21.683077] Unable to handle kernel NULL pointer dereference at virtual address >>>> 00000000000000a0 >>>> [�� 21.683858] Mem abort info: >>>> [�� 21.684104]�� ESR = 0x96000004 >>>> [�� 21.684375]�� EC = 0x25: DABT (current EL), IL = 32 bits >>>> [�� 21.684841]�� SET = 0, FnV = 0 >>>> [�� 21.685111]�� EA = 0, S1PTW = 0 >>>> [�� 21.685389] Data abort info: >>>> [�� 21.685644]�� ISV = 0, ISS = 0x00000004 >>>> [�� 21.686024]�� CM = 0, WnR = 0 >>>> [�� 21.686288] user pgtable: 4k pages, 48-bit VAs, pgdp=000000000757a000 >>>> [�� 21.686853] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000 >>>> [�� 21.687452] Internal error: Oops: 96000004EEMPT SMP >>>> [�� 21.687941] Modules linked in: >>>> [�� 21.688214] CPU: 4 PID: 1 Comm: shutdown Not tainted >>>> 5.12.0-rc7-00262-g568262bf5492 #33 >>>> [�� 21.688915] Hardware name: Pine64 RockPro64 v2.0 (DT) >>>> [�� 21.689357] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--) >>>> [�� 21.689884] pc : down_read_interruptible+0xec/0x200 >>>> [�� 21.690321] lr : simple_recursive_removal+0x48/0x280 >>>> [�� 21.690761] sp : ffff800011f4b940 >>>> [�� 21.691053] x29: ffff800011f4b940 x28: ffff000000809b40 >>>> [�� 21.691522] x27: ffff000000809b98 x26: ffff8000114f5170 >>>> [�� 21.691990] x25: 00000000000000a0 x24: ffff800011e84030 >>>> [�� 21.692459] x23: 0000000000000080 x22: 0000000000000000 >>>> [�� 21.692927] x21: ffff800011ecaa5c x20: ffff800011ecaa60 >>>> [�� 21.693395] x19: ffff000000809b40 x18: ffffffffffffffff >>>> [�� 21.693863] x17: 0000000000000000 x16: 0000000000000000 >>>> [�� 21.694331] x15: ffff800091f4ba6d x14: 0000000000000004 >>>> [�� 21.694799] x13: 0000000000000000 x12: 0000000000000020 >>>> [�� 21.695267] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f >>>> [�� 21.695735] x9 : 6f6c746364716e62 x8 : 7f7f7f7f7f7f7f7f >>>> [�� 21.696203] x7 : fefefeff6364626d x6 : 0000000000001bd8 >>>> [�� 21.696671] x5 : 0000000000000000 x4 : 0000000000000000 >>>> [�� 21.697138] x3 : 00000000000000a0 x2 : 0000000000000001 >>>> [�� 21.697606] x1 : 0000000000000000 x0 : 00000000000000a0 >>>> [�� 21.698075] Call trace: >>>> [�� 21.698291]� down_read_interruptible+0xec/0x200 >>>> [�� 21.698690]� debugfs_remove+0x60/0x84 >>>> [�� 21.699016]� dwc3_debugfs_exit+0x1c/0x6c >>>> [�� 21.699363]� dwc3_remove+0x34/0x1a0 >>>> [�� 21.699672]� platform_remove+0x28/0x60 >>>> [�� 21.700005]� __device_release_driver+0x188/0x230 >>>> [�� 21.700414]� device_release_driver+0x2c/0x44 >>>> [�� 21.700791]� bus_remove_device+0x124/0x130 >>>> [�� 21.701154]� device_del+0x168/0x420 >>>> [�� 21.701462]� platform_device_del.part.0+0x1c/0x90 >>>> [�� 21.701877]� platform_device_unregister+0x28/0x44 >>>> [�� 21.702291]� of_platform_device_destroy+0xe8/0x100 >>>> [�� 21.702716]� device_for_each_child_reverse+0x64/0xb4 >>>> [�� 21.703153]� of_platform_depopulate+0x40/0x84 >>>> [�� 21.703538]� __dwc3_of_simple_teardown+0x20/0xd4 >>>> [�� 21.703945]� dwc3_of_simple_shutdown+0x14/0x20 >>>> [�� 21.704337]� platform_shutdown+0x28/0x40 >>>> [�� 21.704683]� device_shutdown+0x158/0x330 >>>> [�� 21.705029]� kernel_power_off+0x38/0x7c >>>> [�� 21.705372]� __do_sys_reboot+0x16c/0x2a0 >>>> [�� 21.705719]� __arm64_sys_reboot+0x28/0x34 >>>> [�� 21.706074]� el0_svc_common.constprop.0+0x60/0x120 >>>> [�� 21.706499]� do_el0_svc+0x28/0x94 >>>> [�� 21.706794]� el0_svc+0x2c/0x54 >>>> [�� 21.707067]� el0_sync_handler+0xa4/0x130 >>>> [�� 21.707414]� el0_sync+0x170/0x180 >>>> [�� 21.707711] Code: c8047c62 35ffff84 17fffe5f f9800071 (c85ffc60) >>>> [�� 21.708250] ---[ end trace 5ae08147542eb468 ]--- >>>> [�� 21.708667] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b >>>> [�� 21.709456] Kernel Offset: disabled >>>> [�� 21.709762] CPU features: 0x00240022,2100600c >>>> [�� 21.710146] Memory Limit: 2048 MB >>>> [�� 21.710443] ---[ end Kernel panic - not syncing: Attempted to kill init! >>>> exitcode=0x0000000b ]--- >>>> >>>> I've been able to bisect the panic and the offending commit is 568262bf5492 ("usb: >>>> dwc3: core: Add shutdown callback for dwc3"). I can provide more diagnostic >>>> information if needed and I can help test the fix. >>> if you simply revert that commit in HEAD, does the problem really go >>> away? >> Kernel built from commit 324c92e5e0ee, which is the kernel tip today, the panic is >> there. Reverting the offending commit, 568262bf5492, makes the panic disappear. > Want to send a revert so I can take it now? I can send a revert, but Felipe was asking Sandeep (the commit author) for a fix, so I'll leave it up to Felipe to decide how to proceed. Thanks, Alex