On Sun, May 01, 2022 at 11:11:36PM -0500, Dan Vacura wrote: > On Sat, Apr 30, 2022 at 09:56:50AM +0200, Greg Kroah-Hartman wrote: > > On Fri, Apr 29, 2022 at 02:20:01PM -0500, Dan Vacura wrote: > > > Several types of kernel panics can occur due to timing during the uvc > > > gadget removal. This appears to be a problem with gadget resources being > > > managed by both the client application's v4l2 open/close and the UDC > > > gadget bind/unbind. Since the concept of USB_GADGET_DELAYED_STATUS > > > doesn't exist for unbind, add a wait to allow for the application to > > > close out. > > > > > > Some examples of the panics that can occur are: > > > > > > <1>[ 1147.652313] Unable to handle kernel NULL pointer dereference at > > > virtual address 0000000000000028 > > > <4>[ 1147.652510] Call trace: > > > <4>[ 1147.652514] usb_gadget_disconnect+0x74/0x1f0 > > > <4>[ 1147.652516] usb_gadget_deactivate+0x38/0x168 > > > <4>[ 1147.652520] usb_function_deactivate+0x54/0x90 > > > <4>[ 1147.652524] uvc_function_disconnect+0x14/0x38 > > > <4>[ 1147.652527] uvc_v4l2_release+0x34/0xa0 > > > <4>[ 1147.652537] __fput+0xdc/0x2c0 > > > <4>[ 1147.652540] ____fput+0x10/0x1c > > > <4>[ 1147.652545] task_work_run+0xe4/0x12c > > > <4>[ 1147.652549] do_notify_resume+0x108/0x168 > > > > > > <1>[ 282.950561][ T1472] Unable to handle kernel NULL pointer > > > dereference at virtual address 00000000000005b8 > > > <6>[ 282.953111][ T1472] Call trace: > > > <6>[ 282.953121][ T1472] usb_function_deactivate+0x54/0xd4 > > > <6>[ 282.953134][ T1472] uvc_v4l2_release+0xac/0x1e4 > > > <6>[ 282.953145][ T1472] v4l2_release+0x134/0x1f0 > > > <6>[ 282.953167][ T1472] __fput+0xf4/0x428 > > > <6>[ 282.953178][ T1472] ____fput+0x14/0x24 > > > <6>[ 282.953193][ T1472] task_work_run+0xac/0x130 > > > > > > <3>[ 213.410077][ T29] configfs-gadget gadget: uvc: Failed to queue > > > request (-108). > > > <1>[ 213.410116][ T29] Unable to handle kernel NULL pointer > > > dereference at virtual address 0000000000000003 > > > <6>[ 213.413460][ T29] Call trace: > > > <6>[ 213.413474][ T29] uvcg_video_pump+0x1f0/0x384 > > > <6>[ 213.413489][ T29] process_one_work+0x2a4/0x544 > > > <6>[ 213.413502][ T29] worker_thread+0x350/0x784 > > > <6>[ 213.413515][ T29] kthread+0x2ac/0x320 > > > <6>[ 213.413528][ T29] ret_from_fork+0x10/0x30 > > > > > > Signed-off-by: Dan Vacura <w36195@xxxxxxxxxxxx> > > > --- > > > drivers/usb/gadget/function/f_uvc.c | 24 ++++++++++++++++++++++++ > > > drivers/usb/gadget/function/uvc.h | 2 ++ > > > drivers/usb/gadget/function/uvc_v4l2.c | 3 ++- > > > 3 files changed, 28 insertions(+), 1 deletion(-) > > > > > > diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c > > > index 50e6e7a58b41..3cc8cf24a7c7 100644 > > > --- a/drivers/usb/gadget/function/f_uvc.c > > > +++ b/drivers/usb/gadget/function/f_uvc.c > > > @@ -892,13 +892,36 @@ static void uvc_function_unbind(struct usb_configuration *c, > > > { > > > struct usb_composite_dev *cdev = c->cdev; > > > struct uvc_device *uvc = to_uvc(f); > > > + int wait_ret = 1; > > > > > > uvcg_info(f, "%s()\n", __func__); > > > > Ick, wait, is that in the kernel? That needs to be removed, ftrace can > > do that for you. > > Yes, part of the kernel, and tbh, I find it to be quite helpful in > debugging field issues from customers, where enabling ftrace isn't > practical. Why isn't ftrace ok to enable in a running kernel? Worst case, this should be dev_dbg(), right? > If you still want to remove, there are other locations in > this gadget driver that log function entry. Perhaps it'd be better to > do a separate change that cleans up logging a bit or do you prefer to > just refactor this one now? This commit is fine, it's a separate issue, I just noticed it as it was in the context of this change. > > > + /* If we know we're connected via v4l2, then there should be a cleanup > > > + * of the device from userspace either via UVC_EVENT_DISCONNECT or > > > + * though the video device removal uevent. Allow some time for the > > > + * application to close out before things get deleted. > > > + */ > > > + if (uvc->func_connected) { > > > + uvcg_info(f, "%s waiting for clean disconnect\n", __func__); > > > + wait_ret = wait_event_interruptible_timeout(uvc->func_connected_queue, > > > + uvc->func_connected == false, msecs_to_jiffies(500)); > > > + uvcg_info(f, "%s done waiting with ret: %u\n", __func__, wait_ret); > > > > Please remove debugging code before submitting patches. > > Will do. But this should be removed :) Feel free to change it to dev_dbg(), which gives you the __func__ automatically without anything extra needed. thanks, greg k-h