Message ID | 20191023140530.v2.1.I9850aab29e945168070b0a9c50c421d5485e7d97@changeid (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [v2] usb: dwc2: Fix NULL qh in dwc2_queue_transaction | expand |
On 10/24/2019 1:06 AM, Douglas Anderson wrote: > From: Alexandru M Stan <amstan@chromium.org> > > When a usb device disconnects in a certain way, dwc2_queue_transaction > still gets called after dwc2_hcd_cleanup_channels. > > dwc2_hcd_cleanup_channels does "channel->qh = NULL;" but > dwc2_queue_transaction still wants to dereference qh. > This adds a check for a null qh. > > Signed-off-by: Alexandru M Stan <amstan@chromium.org> > [dianders: rebased to mainline] > Signed-off-by: Douglas Anderson <dianders@chromium.org> Acked-by: Minas Harutyunyan <hminas@synopsys.com> > --- > While testing a newer version of the Linux kernel on rk3288-veyron > devices we saw a bunch of crashes reported in dwc2_queue_transaction() > where chan->qh was NULL [1]. I don't know how to reproduce those > crashes myself, but I noticed that in our 3.14 kernel we had a patch > that probably fixed it. That patch was sent upstream ages ago [2] but > never landed. Here I've rebased the patch. While I haven't > reproduced the crash myself, it seems fairly likely that this will fix > the problem. > > [1] https://urldefense.proofpoint.com/v2/url?u=https-3A__crbug.com_1017388&d=DwIDAQ&c=DPL6_X_6JkXFx7AXWqB0tg&r=cQBKt4q-qzNVC53rNAwuwplH23V61rHQhhULvdLA0U8&m=cnozTly1DtI01pZ4wbwEGSQW3TtCsiwaNUy5sn5vg0w&s=7bOW1FTelQEJnZerIWHWosIBiYT6dvwbsmYTrYyzKfA&e= > [2] https://urldefense.proofpoint.com/v2/url?u=https-3A__lore.kernel.org_r_1442952651-2D4341-2D2-2Dgit-2Dsend-2Demail-2Damstan-40chromium.org&d=DwIDAQ&c=DPL6_X_6JkXFx7AXWqB0tg&r=cQBKt4q-qzNVC53rNAwuwplH23V61rHQhhULvdLA0U8&m=cnozTly1DtI01pZ4wbwEGSQW3TtCsiwaNUy5sn5vg0w&s=vmZjFVWnsFPU6Sgxw5IpJ-NYIAbDqyW0itJy00MLYSs&e= > > Changes in v2: > - Rebased to mainline > > drivers/usb/dwc2/hcd.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c > index 81afe553aa66..b90f858af960 100644 > --- a/drivers/usb/dwc2/hcd.c > +++ b/drivers/usb/dwc2/hcd.c > @@ -2824,7 +2824,7 @@ static int dwc2_queue_transaction(struct dwc2_hsotg *hsotg, > list_move_tail(&chan->split_order_list_entry, > &hsotg->split_order); > > - if (hsotg->params.host_dma) { > + if (hsotg->params.host_dma && chan->qh) { > if (hsotg->params.dma_desc_enable) { > if (!chan->xfer_started || > chan->ep_type == USB_ENDPOINT_XFER_ISOC) { >
diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c index 81afe553aa66..b90f858af960 100644 --- a/drivers/usb/dwc2/hcd.c +++ b/drivers/usb/dwc2/hcd.c @@ -2824,7 +2824,7 @@ static int dwc2_queue_transaction(struct dwc2_hsotg *hsotg, list_move_tail(&chan->split_order_list_entry, &hsotg->split_order); - if (hsotg->params.host_dma) { + if (hsotg->params.host_dma && chan->qh) { if (hsotg->params.dma_desc_enable) { if (!chan->xfer_started || chan->ep_type == USB_ENDPOINT_XFER_ISOC) {