| commit | abf710e655fe843afe0ab6a56e344567d933b018 | |
| author | Vikram Pandita <vikram.pandita@ti.com> | |
| Fri, 18 May 2012 20:48:04 +0000 (18 13:48 -0700) | ||
| committer | Felipe Balbi <balbi@ti.com> | |
| Mon, 4 Jun 2012 15:29:04 +0000 (4 18:29 +0300) | ||
| tree | fd27b4525ecefdd44b2cf4a80e088761bd657164 | treesnapshot (tar.gz zip) |
| parent | f8f5701bdaf9134b1f90e5044a82c66324d2073f | commitdiff |
usb: musb: handle nuked ep dma interrupt
User can trigger disabling of gadget at run time while the
transfers are going on.
Eg: 1: rmmod of musb driver while transfers are going on
Eg: 2: On android doing:
echo 0 > /sys/class/android_usb/android0/enable
While a big file transfer is going on via PTP/MTP.
In such a case, musb_gadget_disable() calls nuke()
but the dma interrupt may still happen for an endpoint since hw
would raise the interrupt in anycase.
This can result in a NULL pointer access crash:
[ 314.030426] PC is at txstate+0x74/0x20c
[ 314.034759] LR is at musb_g_tx+0x140/0x204
[ 314.039489] pc : [<c03506f4>] lr : [<c0350bcc>] psr: 20000193
[ 314.039520] sp : c783bc68 ip : 00000002 fp : c783bc9c
[ 314.052429] r10: 00000018 r9 : 00000000 r8 : 00000200
[ 314.058258] r7 : 00000000 r6 : fc0ab130 r5 : c781a410 r4 : c6caf640
[ 314.065643] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : c781a000
[ 315.083251] Backtrace:
[ 315.086242] [<c0350680>] (txstate+0x0/0x20c) from [<c0350bcc>] (musb_g_tx+0x140/0x204)
[ 315.095123] [<c0350a8c>] (musb_g_tx+0x0/0x204) from [<c034eb00>] (musb_dma_completion+0x40/0x54)
[ 315.104980] [<c034eac0>] (musb_dma_completion+0x0/0x54) from [<c0351e6c>] (dma_controller_irq+0x118/0x184)
[ 315.115661] [<c0351d54>] (dma_controller_irq+0x0/0x184) from [<c00d86b8>] (handle_irq_event_percpu+0x54/0x188)
So put protection in code to handle possiblity of getting an interrupt for an
endpoint that might have been already nuked.
Reported-by: Todd Poynor <toddpoynor@google.com>
Signed-off-by: Vikram Pandita <vikram.pandita@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
User can trigger disabling of gadget at run time while the
transfers are going on.
Eg: 1: rmmod of musb driver while transfers are going on
Eg: 2: On android doing:
echo 0 > /sys/class/android_usb/android0/enable
While a big file transfer is going on via PTP/MTP.
In such a case, musb_gadget_disable() calls nuke()
but the dma interrupt may still happen for an endpoint since hw
would raise the interrupt in anycase.
This can result in a NULL pointer access crash:
[ 314.030426] PC is at txstate+0x74/0x20c
[ 314.034759] LR is at musb_g_tx+0x140/0x204
[ 314.039489] pc : [<c03506f4>] lr : [<c0350bcc>] psr: 20000193
[ 314.039520] sp : c783bc68 ip : 00000002 fp : c783bc9c
[ 314.052429] r10: 00000018 r9 : 00000000 r8 : 00000200
[ 314.058258] r7 : 00000000 r6 : fc0ab130 r5 : c781a410 r4 : c6caf640
[ 314.065643] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : c781a000
[ 315.083251] Backtrace:
[ 315.086242] [<c0350680>] (txstate+0x0/0x20c) from [<c0350bcc>] (musb_g_tx+0x140/0x204)
[ 315.095123] [<c0350a8c>] (musb_g_tx+0x0/0x204) from [<c034eb00>] (musb_dma_completion+0x40/0x54)
[ 315.104980] [<c034eac0>] (musb_dma_completion+0x0/0x54) from [<c0351e6c>] (dma_controller_irq+0x118/0x184)
[ 315.115661] [<c0351d54>] (dma_controller_irq+0x0/0x184) from [<c00d86b8>] (handle_irq_event_percpu+0x54/0x188)
So put protection in code to handle possiblity of getting an interrupt for an
endpoint that might have been already nuked.
Reported-by: Todd Poynor <toddpoynor@google.com>
Signed-off-by: Vikram Pandita <vikram.pandita@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
| drivers/usb/musb/musb_gadget.c | diffblobblamehistory |