On Wed, 24 Aug 2016, Stefan Wahren wrote:
> Hi,
>
> [add Li Jun to CC]
>
> > Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> hat am 24. August 2016 um 15:45
> > geschrieben:
> >
> >
> > On Wed, 24 Aug 2016, Peter Chen wrote:
> >
> > > On Tue, Aug 23, 2016 at 09:17:02PM +0200, Stefan Wahren wrote:
> > > > Hi,
> > > >
> > > > i'm using a iMX233-OLinuXino board and the kernel panics during shutdown
> > > > with
> > > > 4.8.0-rc2-next-20160819:
> > > >
> > > > [ 420.040000] ci_hdrc ci_hdrc.0: remove, state 1
> > > > [ 420.050000] usb usb1: USB disconnect, device number 1
> > > > [ 420.060000] usb 1-1: USB disconnect, device number 2
> > > > [ 420.060000] usb 1-1.1: USB disconnect, device number 3
> > > > [ 420.090000] smsc95xx 1-1.1:1.0 eth0: unregister 'smsc95xx'
> > > > usb-ci_hdrc.0-1.1,
> > > > smsc95xx USB 2.0 Ethernet
> > > > [ 420.290000] ci_hdrc ci_hdrc.0: USB bus 1 deregistered
> > > > [ 420.300000] Unable to handle kernel NULL pointer dereference at virtual
> > > > address 00000118
> > > > [ 420.300000] pgd = c2ea4000
> > > > [ 420.300000] [00000118] *pgd=00000000
> > > > [ 420.300000] Internal error: Oops: 5 [#1] ARM
> > > > [ 420.300000] Modules linked in:
> > > > [ 420.300000] CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted
> > > > 4.8.0-rc2-next-20160819 #1
> > > > [ 420.300000] Hardware name: Freescale MXS (Device Tree)
> > > > [ 420.300000] task: c3490000 task.stack: c348e000
> > > > [ 420.300000] PC is at usb_hcd_irq+0x0/0x34
> > > > [ 420.300000] LR is at ci_irq+0x58/0x12c
> >
> > > I am afraid the hcd is freed before the interrupt triggered. Would you
> > > please try below changes:
> > >
> > > diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c
> > > index 96ae695..61237a9 100644
> > > --- a/drivers/usb/chipidea/host.c
> > > +++ b/drivers/usb/chipidea/host.c
> > > @@ -103,7 +103,7 @@ static const struct ehci_driver_overrides
> > > ehci_ci_overrides = {
> > > static irqreturn_t host_irq(struct ci_hdrc *ci)
> > > {
> > > - return usb_hcd_irq(ci->irq, ci->hcd);
> > > + return ci->hcd ? usb_hcd_irq(ci->irq, ci->hcd) : IRQ_NONE;
> > > }
> >
> > This should not be needed. Instead, the driver should make sure that
> > the interrupt handler has been fully unregistered before the hcd is
> > deallocated.
>
> according to ci_hdrc_probe() from the chipidea core the IRQ seems to be
> requested via devm_request_irq() with the flag IRQF_SHARED.
>
> I have the suspicion the following commit triggers the kernel panic:
>
> 43a404577a93 ("usb: chipidea: host: set host to be null after hcd is freed")
No, that's not the cause. Without that commit, you would try to access
deallocated memory instead of trying to dereference a NULL pointer, but
the kernel would still oops.
Instead, how about setting ci->role to CI_ROLE_END and then calling
synchronize_irq(ci->irq) in host_stop(), before the usb_put_hcd()?
Alan Stern
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
