[PATCH] fix panic at pwq_activate_delayed_work.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

the kernel panic is one regression with the patch:
usb: gadget: ffs: Fix BUG when userland exits with submitted AIO transfers

the kernel panic is followed the list corrupt warning:
WARNING: CPU: 0 PID: 1430 at ../../../../../../kernel/4.14/lib/list_debug.c:28 __list_add_valid+0x53/0x80
Workqueue: adb ffs_aio_cancel_worker
task: ffff880076ebe080 task.stack: ffffc90001864000
RIP: 0010:__list_add_valid+0x53/0x80
Call Trace:
insert_work+0x51/0xc0
__queue_work+0x10e/0x430
queue_work_on+0x71/0x80
ffs_epfile_async_io_complete+0x4b/0x50
usb_gadget_giveback_request+0x29/0x90
dwc3_gadget_giveback+0x3a/0x50 [dwc3]
dwc3_gadget_ep_dequeue+0x92/0x300 [dwc3]
usb_ep_dequeue+0x23/0x90
ffs_aio_cancel_worker+0x16/0x20
process_one_work+0x186/0x3e0
worker_thread+0x3d/0x3b0
kthread+0x132/0x150
ret_from_fork+0x3a/0x50

the root cause is there is race between ffs_epfile_async_io_complete()
and ffs_aio_cancel() queue the ffs->io_completion_wq.

ffs_epfile_async_io_complete() is safe to hold the eps_lock
with the below backtrace:
ffs_epfile_async_io_complete+0x25/0x70
usb_gadget_giveback_request+0x29/0x90
dwc3_gadget_giveback+0x3a/0x50 [dwc3]
__dwc3_gadget_ep_disable+0x5c/0x270 [dwc3]
dwc3_gadget_ep_disable+0x42/0xf0 [dwc3]
usb_ep_disable+0x24/0xa0
ffs_func_eps_disable.isra.15+0x5f/0xb0

the patch add eps_lock to protect the io_completion_wq in ffs_aio_cancel.

Signed-off-by: he, bo <bo.he@xxxxxxxxx>
Signed-off-by: Bai, Jie A <jie.a.bai@xxxxxxxxx>

---
 drivers/usb/gadget/function/f_fs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 3ada83d..45ade26 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1091,6 +1091,8 @@ static int ffs_aio_cancel(struct kiocb *kiocb)
 
 	ENTER();
 
+	spin_lock_irq(&ffs->eps_lock);
+
 	if (likely(io_data && io_data->ep && io_data->req)) {
 		INIT_WORK(&io_data->cancellation_work, ffs_aio_cancel_worker);
 		queue_work(ffs->io_completion_wq, &io_data->cancellation_work);
@@ -1099,6 +1101,8 @@ static int ffs_aio_cancel(struct kiocb *kiocb)
 		value = -EINVAL;
 	}
 
+	spin_unlock_irq(&ffs->eps_lock);
+
 	return value;
 }
 
-- 
2.7.4



--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux