| Field | Value |
|---|---|
| Message ID | 20230914015656.20856-1-xingxing.luo@unisoc.com (mailing list archive) |
| State | Superseded |
| Series | usb: musb: Get the musb_qh pointer after musb_giveback |
Hello!

On 9/14/23 4:56 AM, Xingxing Luo wrote:

> When multiple threads are performing USB transmission, musb->lock will be
> unlocked when musb_giveback is executed. At this time, qh may be released
> in the dequeue process in other threads, resulting in a wild pointer, so
> qh needs to be fetched again here and checked for NULL, and qh needs to be
> set to NULL on dequeue.
>
> Fixes: dbac5d07d13e ("usb: musb: host: don't start next rx urb if current one failed")
> Signed-off-by: Xingxing Luo <xingxing.luo@unisoc.com>
> ---
>  drivers/usb/musb/musb_host.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
> index a02c29216955..9df27db5847a 100644
> --- a/drivers/usb/musb/musb_host.c
> +++ b/drivers/usb/musb/musb_host.c
> @@ -321,10 +321,16 @@ static void musb_advance_schedule(struct musb *musb, struct urb *urb,
>  musb_giveback(musb, urb, status);
>  qh->is_ready = ready;
>
> + /*
> + * musb->lock had been unlocked in musb_giveback, so somtimes qh

   Sometimes?

> + * may freed, need get it again
> + */
> + qh = musb_ep_get_qh(hw_ep, is_in);
> +
>  /* reclaim resources (and bandwidth) ASAP; deschedule it, and
>  * invalidate qh as soon as list_empty(&hep->urb_list)
>  */
> - if (list_empty(&qh->hep->urb_list)) {
> + if (qh != NULL && list_empty(&qh->hep->urb_list)) {

   Just qh, perhaps?

[...]

MBR, Sergey
On 9/14/23 1:06 PM, Sergey Shtylyov wrote:

[...]

>> When multiple threads are performing USB transmission, musb->lock will be
>> unlocked when musb_giveback is executed. At this time, qh may be released
>> in the dequeue process in other threads, resulting in a wild pointer, so
>> qh needs to be fetched again here and checked for NULL, and qh needs to be
>> set to NULL on dequeue.
>>
>> Fixes: dbac5d07d13e ("usb: musb: host: don't start next rx urb if current one failed")
>> Signed-off-by: Xingxing Luo <xingxing.luo@unisoc.com>
>> ---
>>  drivers/usb/musb/musb_host.c | 9 ++++++++-
>>  1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
>> index a02c29216955..9df27db5847a 100644
>> --- a/drivers/usb/musb/musb_host.c
>> +++ b/drivers/usb/musb/musb_host.c
>> @@ -321,10 +321,16 @@ static void musb_advance_schedule(struct musb *musb, struct urb *urb,
>>  musb_giveback(musb, urb, status);
>>  qh->is_ready = ready;
>>
>> + /*
>> + * musb->lock had been unlocked in musb_giveback, so somtimes qh
>
> Sometimes?
>
>> + * may freed, need get it again

   + * may be freed, need to get it again

Overlooked it in the 1st review, sorry...

[...]

MBR, Sergey
Add more.

On Mon, Sep 18, 2023 at 1:22 PM xingxing luo <xingxing0070.luo@gmail.com> wrote:
>
> On Fri, Sep 15, 2023 at 4:48 PM Sergey Shtylyov <s.shtylyov@omp.ru> wrote:
> >
> > On 9/15/23 5:59 AM, xingxing luo wrote:
> > [...]
> >
> > >>> When multiple threads are performing USB transmission, musb->lock will be
> > >>> unlocked when musb_giveback is executed. At this time, qh may be released
> > >>> in the dequeue process in other threads, resulting in a wild pointer, so
> > >>> qh needs to be fetched again here and checked for NULL, and qh needs to be
> > >>> set to NULL on dequeue.
> > >>>
> > >>> Fixes: dbac5d07d13e ("usb: musb: host: don't start next rx urb if current one failed")
> > >>> Signed-off-by: Xingxing Luo <xingxing.luo@unisoc.com>
> > >>> ---
> > >>>  drivers/usb/musb/musb_host.c | 9 ++++++++-
> > >>>  1 file changed, 8 insertions(+), 1 deletion(-)
> > >>>
> > >>> diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
> > >>> index a02c29216955..9df27db5847a 100644
> > >>> --- a/drivers/usb/musb/musb_host.c
> > >>> +++ b/drivers/usb/musb/musb_host.c
> > >>> @@ -321,10 +321,16 @@ static void musb_advance_schedule(struct musb *musb, struct urb *urb,
> > >>>  musb_giveback(musb, urb, status);
> > >>>  qh->is_ready = ready;
> > >>>
> > >>> + /*
> > >>> + * musb->lock had been unlocked in musb_giveback, so somtimes qh
> > >>
> > >> Sometimes?
> >
> > You have a typo...
> >
> > >>
> > >>> + * may freed, need get it again
> > >>> + */
> > >>> + qh = musb_ep_get_qh(hw_ep, is_in);
> > >>> +
> > >>>  /* reclaim resources (and bandwidth) ASAP; deschedule it, and
> > >>>  * invalidate qh as soon as list_empty(&hep->urb_list)
> > >>>  */
> > >>> - if (list_empty(&qh->hep->urb_list)) {
> > >>> + if (qh != NULL && list_empty(&qh->hep->urb_list)) {
> > >>
> > >> Just qh, perhaps?
> > >
> > > Could you elaborate a little more?
> > > Thanks.
> >
> > Just 'qh' gives you the same as 'qh != NULL'.
>
> Ok, I will address this in the next version.
>
> >
> > [...]
> >
> > MBR, Sergey

B.R
Xingxing.Luo
diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c index a02c29216955..9df27db5847a 100644 --- a/drivers/usb/musb/musb_host.c +++ b/drivers/usb/musb/musb_host.c @@ -321,10 +321,16 @@ static void musb_advance_schedule(struct musb *musb, struct urb *urb, musb_giveback(musb, urb, status); qh->is_ready = ready; + /* + * musb->lock had been unlocked in musb_giveback, so somtimes qh + * may freed, need get it again + */ + qh = musb_ep_get_qh(hw_ep, is_in); + /* reclaim resources (and bandwidth) ASAP; deschedule it, and * invalidate qh as soon as list_empty(&hep->urb_list) */ - if (list_empty(&qh->hep->urb_list)) { + if (qh != NULL && list_empty(&qh->hep->urb_list)) { struct list_head *head; struct dma_controller *dma = musb->dma_controller; @@ -2398,6 +2404,7 @@ static int musb_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) * and its URB list has emptied, recycle this qh. */ if (ready && list_empty(&qh->hep->urb_list)) { + musb_ep_set_qh(qh->hw_ep, is_in, NULL); qh->hep->hcpriv = NULL; list_del(&qh->ring); kfree(qh);
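Review bot: in the musb_advance_schedule hunk the re-fetch of qh comes one statement too late: `qh->is_ready = ready;` still dereferences the original qh immediately after `musb_giveback(musb, urb, status);` returns, which is exactly the window the commit message says musb->lock is dropped in, so that write can still land on freed memory. Re-fetch qh (and bail out when it is NULL) before touching is_ready, or explain in the comment why that write is safe. Minor: the new comment has typos ("somtimes", "may freed, need get it again"), and `if (qh != NULL && ...)` is conventionally written `if (qh && ...)` in kernel code, as already raised in review.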
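Review bot: in the musb_urb_dequeue hunk the added `musb_ep_set_qh(qh->hw_ep, is_in, NULL);` has no comment tying it to the re-fetch in musb_advance_schedule; a one-line comment saying the endpoint's qh slot is cleared before kfree(qh) so a concurrent re-fetch sees NULL instead of a dangling pointer would help the next reader. It is also worth stating in the commit message whether this is the only path that frees a qh; any other kfree(qh) path would need the same clearing or the re-fetch still returns a stale pointer. The hunk does not show where `is_in` is defined in musb_urb_dequeue, so please confirm it is in scope and reflects the URB being dequeued.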
When multiple threads are performing USB transmission, musb->lock will be
unlocked when musb_giveback is executed. At this time, qh may be released
in the dequeue process in other threads, resulting in a wild pointer, so
qh needs to be fetched again here and checked for NULL, and qh needs to be
set to NULL on dequeue.

Fixes: dbac5d07d13e ("usb: musb: host: don't start next rx urb if current one failed")
Signed-off-by: Xingxing Luo <xingxing.luo@unisoc.com>
---
 drivers/usb/musb/musb_host.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)