[PATCH 5.4 42/78] usb: cdns3: should not use the same dev_id for shared interrupt handler

From: Greg Kroah-Hartman
Date: Tue Jan 14 2020 - 05:05:54 EST


From: Peter Chen <peter.chen@xxxxxxx>

commit af58e1fca9840192f14b6f03c59595d64bff9127 upstream.

Both drd and gadget interrupt handler use the struct cdns3 pointer as
dev_id, it causes devm_free_irq at cdns3_gadget_exit doesn't free
gadget's interrupt handler, it freed drd's handler. So, when the
host interrupt occurs, the gadget's interrupt hanlder is still
called, and causes below oops. To fix it, we use gadget's private
data priv_dev as interrupt dev_id for gadget.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000380
Mem abort info:
ESR = 0x96000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000971d79000
[0000000000000380] pgd=0000000971d6f003, pud=0000000971d6e003, pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in: mxc_jpeg_encdec crct10dif_ce fsl_imx8_ddr_perf
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-03486-g69f4e7d9c54a-dirty #254
Hardware name: Freescale i.MX8QM MEK (DT)
pstate: 00000085 (nzcv daIf -PAN -UAO)
pc : cdns3_device_irq_handler+0x1c/0xb8
lr : __handle_irq_event_percpu+0x78/0x2c0
sp : ffff800010003e30
x29: ffff800010003e30 x28: ffff8000129bb000
x27: ffff8000126e9000 x26: ffff0008f61b5600
x25: ffff800011fe1018 x24: ffff8000126ea120
x23: ffff800010003f04 x22: 0000000000000000
x21: 0000000000000093 x20: ffff0008f61b5600
x19: ffff0008f5061a80 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000
x15: 0000000000000000 x14: 003d090000000000
x13: 00003d0900000000 x12: 0000000000000000
x11: 00003d0900000000 x10: 0000000000000040
x9 : ffff800012708cb8 x8 : ffff800012708cb0
x7 : ffff0008f7c7a9d0 x6 : 0000000000000000
x5 : ffff0008f7c7a910 x4 : ffff8008ed359000
x3 : ffff800010003f40 x2 : 0000000000000000
x1 : ffff0008f5061a80 x0 : ffff800010161a60
Call trace:
cdns3_device_irq_handler+0x1c/0xb8
__handle_irq_event_percpu+0x78/0x2c0
handle_irq_event_percpu+0x40/0x98
handle_irq_event+0x4c/0xd0
handle_fasteoi_irq+0xbc/0x168
generic_handle_irq+0x34/0x50
__handle_domain_irq+0x6c/0xc0
gic_handle_irq+0xd4/0x174
el1_irq+0xb8/0x180
arch_cpu_idle+0x3c/0x230
default_idle_call+0x38/0x40
do_idle+0x20c/0x298
cpu_startup_entry+0x28/0x48
rest_init+0xdc/0xe8
arch_call_rest_init+0x14/0x1c
start_kernel+0x48c/0x4b8
Code: aa0103f3 aa1e03e0 d503201f f9409662 (f941c040)
---[ end trace 091dcf4dee011b0e ]---
Kernel panic - not syncing: Fatal exception in interrupt
SMP: stopping secondary CPUs
Kernel Offset: disabled
CPU features: 0x0002,2100600c
Memory Limit: none
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Cc: <stable@xxxxxxxxxxxxxxx> #v5.4
Signed-off-by: Peter Chen <peter.chen@xxxxxxx>
Link: https://lore.kernel.org/r/1577437804-18146-1-git-send-email-peter.chen@xxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/usb/cdns3/gadget.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)

--- a/drivers/usb/cdns3/gadget.c
+++ b/drivers/usb/cdns3/gadget.c
@@ -1375,13 +1375,10 @@ static void cdns3_check_usb_interrupt_pr
*/
static irqreturn_t cdns3_device_irq_handler(int irq, void *data)
{
- struct cdns3_device *priv_dev;
- struct cdns3 *cdns = data;
+ struct cdns3_device *priv_dev = data;
irqreturn_t ret = IRQ_NONE;
u32 reg;

- priv_dev = cdns->gadget_dev;
-
/* check USB device interrupt */
reg = readl(&priv_dev->regs->usb_ists);
if (reg) {
@@ -1419,14 +1416,12 @@ static irqreturn_t cdns3_device_irq_hand
*/
static irqreturn_t cdns3_device_thread_irq_handler(int irq, void *data)
{
- struct cdns3_device *priv_dev;
- struct cdns3 *cdns = data;
+ struct cdns3_device *priv_dev = data;
irqreturn_t ret = IRQ_NONE;
unsigned long flags;
int bit;
u32 reg;

- priv_dev = cdns->gadget_dev;
spin_lock_irqsave(&priv_dev->lock, flags);

reg = readl(&priv_dev->regs->usb_ists);
@@ -2539,7 +2534,7 @@ void cdns3_gadget_exit(struct cdns3 *cdn

priv_dev = cdns->gadget_dev;

- devm_free_irq(cdns->dev, cdns->dev_irq, cdns);
+ devm_free_irq(cdns->dev, cdns->dev_irq, priv_dev);

pm_runtime_mark_last_busy(cdns->dev);
pm_runtime_put_autosuspend(cdns->dev);
@@ -2710,7 +2705,8 @@ static int __cdns3_gadget_init(struct cd
ret = devm_request_threaded_irq(cdns->dev, cdns->dev_irq,
cdns3_device_irq_handler,
cdns3_device_thread_irq_handler,
- IRQF_SHARED, dev_name(cdns->dev), cdns);
+ IRQF_SHARED, dev_name(cdns->dev),
+ cdns->gadget_dev);

if (ret)
goto err0;