[v3,05/12] usb: otg-fsm: Fix hrtimer list corruption

Message ID	20210704225433.32029-6-digetx@gmail.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-usb-owner@kernel.org> From: Dmitry Osipenko <digetx@gmail.com> To: Thierry Reding <treding@nvidia.com>, Jonathan Hunter <jonathanh@nvidia.com>, Mark Brown <broonie@kernel.org>, Rob Herring <robh+dt@kernel.org>, Sebastian Reichel <sre@kernel.org>, Peter Chen <peter.chen@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Felipe Balbi <balbi@kernel.org>, David Heidelberg <david@ixit.cz> Cc: devicetree@vger.kernel.org, linux-pm@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, linux-tegra@vger.kernel.org Subject: [PATCH v3 05/12] usb: otg-fsm: Fix hrtimer list corruption Date: Mon, 5 Jul 2021 01:54:26 +0300 Message-Id: <20210704225433.32029-6-digetx@gmail.com> In-Reply-To: <20210704225433.32029-1-digetx@gmail.com> References: <20210704225433.32029-1-digetx@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Add OTG mode support to Tegra USB PHY, SMB347 and Nexus 7 \| expand [v3,00/12] Add OTG mode support to Tegra USB PHY, SMB347 and Nexus 7 [v3,01/12] dt-bindings: phy: tegra20-usb-phy: Convert to schema [v3,02/12] dt-bindings: phy: tegra20-usb-phy: Document properties needed for OTG mode [v3,03/12] soc/tegra: pmc: Expose USB regmap to all SoCs [v3,04/12] usb: phy: tegra: Support OTG mode programming [v3,05/12] usb: otg-fsm: Fix hrtimer list corruption [v3,06/12] dt-bindings: power: supply: smb347-charger: Document USB VBUS regulator [v3,07/12] power: supply: smb347-charger: Make smb347_set_writable() IRQ-safe [v3,08/12] power: supply: smb347-charger: Remove caching of charger state [v3,09/12] power: supply: smb347-charger: Implement USB VBUS regulator [v3,10/12] arm64: tegra132: Add new properties to USB PHY device-tree node [v3,11/12] ARM: tegra: Add new properties to USB PHY device-tree nodes [v3,12/12] ARM: tegra: nexus7: Enable USB OTG mode

Message ID

20210704225433.32029-6-digetx@gmail.com (mailing list archive)

State

Superseded

Headers

From: Dmitry Osipenko <digetx@gmail.com>
To: Thierry Reding <treding@nvidia.com>,
        Jonathan Hunter <jonathanh@nvidia.com>,
        Mark Brown <broonie@kernel.org>,
        Rob Herring <robh+dt@kernel.org>,
        Sebastian Reichel <sre@kernel.org>,
        Peter Chen <peter.chen@kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Felipe Balbi <balbi@kernel.org>,
        David Heidelberg <david@ixit.cz>
Cc: devicetree@vger.kernel.org, linux-pm@vger.kernel.org,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-tegra@vger.kernel.org
Subject: [PATCH v3 05/12] usb: otg-fsm: Fix hrtimer list corruption
Date: Mon,  5 Jul 2021 01:54:26 +0300
Message-Id: <20210704225433.32029-6-digetx@gmail.com>
In-Reply-To: <20210704225433.32029-1-digetx@gmail.com>
References: <20210704225433.32029-1-digetx@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Add OTG mode support to Tegra USB PHY, SMB347 and Nexus 7 | expand

Commit Message

Dmitry Osipenko July 4, 2021, 10:54 p.m. UTC

The HNP work can be re-scheduled while it's still in-fly. This results in
re-initialization of the busy work, resetting the hrtimer's list node of
the work and crashing kernel with null dereference within kernel/timer
once work's timer is expired. It's very easy to trigger this problem by
re-plugging USB cable quickly. Initialize HNP work only once to fix this
trouble.

Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
---
 drivers/usb/common/usb-otg-fsm.c | 6 +++++-
 include/linux/usb/otg-fsm.h      | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

Comments

Peter Chen July 6, 2021, 12:57 a.m. UTC | #1

On 21-07-05 01:54:26, Dmitry Osipenko wrote:
> The HNP work can be re-scheduled while it's still in-fly. This results in
> re-initialization of the busy work, resetting the hrtimer's list node of
> the work and crashing kernel with null dereference within kernel/timer
> once work's timer is expired. It's very easy to trigger this problem by
> re-plugging USB cable quickly. Initialize HNP work only once to fix this
> trouble.
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Dmitry Osipenko <digetx@gmail.com>

Acked-by: Peter Chen <peter.chen@kernel.org>

It is better to append kernel dump if you have v4 patchset.

Peter

> ---
>  drivers/usb/common/usb-otg-fsm.c | 6 +++++-
>  include/linux/usb/otg-fsm.h      | 1 +
>  2 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/common/usb-otg-fsm.c b/drivers/usb/common/usb-otg-fsm.c
> index 3740cf95560e..0697fde51d00 100644
> --- a/drivers/usb/common/usb-otg-fsm.c
> +++ b/drivers/usb/common/usb-otg-fsm.c
> @@ -193,7 +193,11 @@ static void otg_start_hnp_polling(struct otg_fsm *fsm)
>  	if (!fsm->host_req_flag)
>  		return;
>  
> -	INIT_DELAYED_WORK(&fsm->hnp_polling_work, otg_hnp_polling_work);
> +	if (!fsm->hnp_work_inited) {
> +		INIT_DELAYED_WORK(&fsm->hnp_polling_work, otg_hnp_polling_work);
> +		fsm->hnp_work_inited = true;
> +	}
> +
>  	schedule_delayed_work(&fsm->hnp_polling_work,
>  					msecs_to_jiffies(T_HOST_REQ_POLL));
>  }
> diff --git a/include/linux/usb/otg-fsm.h b/include/linux/usb/otg-fsm.h
> index 3aee78dda16d..784659d4dc99 100644
> --- a/include/linux/usb/otg-fsm.h
> +++ b/include/linux/usb/otg-fsm.h
> @@ -196,6 +196,7 @@ struct otg_fsm {
>  	struct mutex lock;
>  	u8 *host_req_flag;
>  	struct delayed_work hnp_polling_work;
> +	bool hnp_work_inited;
>  	bool state_changed;
>  };
>  
> -- 
> 2.32.0
>

Dmitry Osipenko July 6, 2021, 1:15 a.m. UTC | #2

06.07.2021 03:57, Peter Chen пишет:
> On 21-07-05 01:54:26, Dmitry Osipenko wrote:
>> The HNP work can be re-scheduled while it's still in-fly. This results in
>> re-initialization of the busy work, resetting the hrtimer's list node of
>> the work and crashing kernel with null dereference within kernel/timer
>> once work's timer is expired. It's very easy to trigger this problem by
>> re-plugging USB cable quickly. Initialize HNP work only once to fix this
>> trouble.
>>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
> 
> Acked-by: Peter Chen <peter.chen@kernel.org>
> 
> It is better to append kernel dump if you have v4 patchset.

The stacktrace isn't very useful because it crashes within a hrtimer
code from a work thread, i.e. it doesn't point at usb at all. It
actually took me some effort to find where the bug was.

diff --git a/drivers/usb/common/usb-otg-fsm.c b/drivers/usb/common/usb-otg-fsm.c
index 3740cf95560e..0697fde51d00 100644
--- a/drivers/usb/common/usb-otg-fsm.c
+++ b/drivers/usb/common/usb-otg-fsm.c
@@ -193,7 +193,11 @@  static void otg_start_hnp_polling(struct otg_fsm *fsm)
 	if (!fsm->host_req_flag)
 		return;
 
-	INIT_DELAYED_WORK(&fsm->hnp_polling_work, otg_hnp_polling_work);
+	if (!fsm->hnp_work_inited) {
+		INIT_DELAYED_WORK(&fsm->hnp_polling_work, otg_hnp_polling_work);
+		fsm->hnp_work_inited = true;
+	}
+
 	schedule_delayed_work(&fsm->hnp_polling_work,
 					msecs_to_jiffies(T_HOST_REQ_POLL));
 }
diff --git a/include/linux/usb/otg-fsm.h b/include/linux/usb/otg-fsm.h
index 3aee78dda16d..784659d4dc99 100644
--- a/include/linux/usb/otg-fsm.h
+++ b/include/linux/usb/otg-fsm.h
@@ -196,6 +196,7 @@  struct otg_fsm {
 	struct mutex lock;
 	u8 *host_req_flag;
 	struct delayed_work hnp_polling_work;
+	bool hnp_work_inited;
 	bool state_changed;
 };

[v3,05/12] usb: otg-fsm: Fix hrtimer list corruption

Commit Message

Comments

Patch