From fd537c041b7f2cbceb5a21c37946e017006edd1c Mon Sep 17 00:00:00 2001 
From: Marc Kleine-Budde Date: Mon, 10 Oct 2011 18:38:07 +0200 Subject: [PATCH] USB: ci13xxx_udc: fix deadlock during rmmod The inline documentation of _gadget_stop_activity() states that the function should be called holding the udc->lock. This however will result in a deadlock, because _gadget_stop_activity() takes the udc->lock. During normal operation _gadget_stop_activity() is always called unlocked, but in ci13xxx_stop() it's called locked, this results in the following deadlock during rmmod of a gadget driver. This patch fixes the deadlock by calling _gadget_stop_activity() always unlocked, the inline documentation is adjusted accordingly. ============================================= [ INFO: possible recursive locking detected ] 3.1.0-rc6+ #159 --------------------------------------------- rmmod/121 is trying to acquire lock: (udc_lock){-.-...}, at: [] _gadget_stop_activity+0x18/0x154 but task is already holding lock: (udc_lock){-.-...}, at: [] ci13xxx_stop+0x5c/0x164 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(udc_lock); lock(udc_lock); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by rmmod/121: #0: (udc_lock#2){+.+.+.}, at: [] usb_gadget_unregister_driver+0x34/0x88 #1: (udc_lock){-.-...}, at: [] ci13xxx_stop+0x5c/0x164 stack backtrace: [] (unwind_backtrace+0x0/0xf0) from [] (check_deadlock.clone.24+0x284/0x2c4) [] (check_deadlock.clone.24+0x284/0x2c4) from [] (validate_chain.clone.25+0x430/0x6fc) [] (validate_chain.clone.25+0x430/0x6fc) from [] (__lock_acquire+0x494/0x8f0) [] (__lock_acquire+0x494/0x8f0) from [] (lock_acquire+0x98/0x1a8) [] (lock_acquire+0x98/0x1a8) from [] (_raw_spin_lock_irqsave+0x64/0xa0) [] (_raw_spin_lock_irqsave+0x64/0xa0) from [] (_gadget_stop_activity+0x18/0x154) [] (_gadget_stop_activity+0x18/0x154) from [] (ci13xxx_stop+0xb0/0x164) [] (ci13xxx_stop+0xb0/0x164) from [] (usb_gadget_remove_driver+0x88/0x98) [] (usb_gadget_remove_driver+0x88/0x98) from [] 
(usb_gadget_unregister_driver+0x68/0x88) [] (usb_gadget_unregister_driver+0x68/0x88) from [] (sys_delete_module+0x1fc/0x26c) [] (sys_delete_module+0x1fc/0x26c) from [] (ret_fast_syscall+0x0/0x38) BUG: spinlock lockup on CPU#0, rmmod/121, c05b1644 [] (unwind_backtrace+0x0/0xf0) from [] (do_raw_spin_lock+0x128/0x144) [] (do_raw_spin_lock+0x128/0x144) from [] (_raw_spin_lock_irqsave+0x88/0xa0) [] (_raw_spin_lock_irqsave+0x88/0xa0) from [] (_gadget_stop_activity+0x18/0x154) [] (_gadget_stop_activity+0x18/0x154) from [] (ci13xxx_stop+0xb0/0x164) [] (ci13xxx_stop+0xb0/0x164) from [] (usb_gadget_remove_driver+0x88/0x98) [] (usb_gadget_remove_driver+0x88/0x98) from [] (usb_gadget_unregister_driver+0x68/0x88) [] (usb_gadget_unregister_driver+0x68/0x88) from [] (sys_delete_module+0x1fc/0x26c) [] (sys_delete_module+0x1fc/0x26c) from [] (ret_fast_syscall+0x0/0x38) Tested-by: Pavankumar Kondeti Signed-off-by: Marc Kleine-Budde Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/gadget/ci13xxx_udc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/ci13xxx_udc.c b/drivers/usb/gadget/ci13xxx_udc.c
index ae6c0010f5e7..4241241128c6 100644
--- a/drivers/usb/gadget/ci13xxx_udc.c
+++ b/drivers/usb/gadget/ci13xxx_udc.c
@@ -1613,7 +1613,6 @@ __acquires(mEp->lock)
 * @gadget: gadget
 *
 * This function returns an error code
- * Caller must hold lock
 */
 static int _gadget_stop_activity(struct usb_gadget *gadget)
 {
@@ -2707,7 +2706,9 @@ static int ci13xxx_stop(struct usb_gadget_driver *driver)
 if (udc->udc_driver->notify_event) udc->udc_driver->notify_event(udc, CI13XXX_CONTROLLER_STOPPED_EVENT);
+ spin_unlock_irqrestore(udc->lock, flags);
 _gadget_stop_activity(&udc->gadget);
+ spin_lock_irqsave(udc->lock, flags);
 pm_runtime_put(&udc->gadget.dev);
 }
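Review bot: Dropping udc->lock around `_gadget_stop_activity(&udc->gadget)` in ci13xxx_stop() leaves a window, until `spin_lock_irqsave()` re-takes it, in which an interrupt or another CPU can change controller state while the gadget driver is being torn down, and nothing at the call site says why that is safe. I would add a comment above the unlock, e.g. `/* _gadget_stop_activity() takes udc->lock itself; state read under the lock above may be stale once it is re-taken */`, and have the code after the relock re-check anything it relies on; the rest of ci13xxx_stop() lies outside the hunk, so whether it already does is not visible here. In the first hunk, rather than only deleting `* Caller must hold lock`, state the new contract, e.g. `* Caller must not hold udc->lock (it is acquired internally)`, so a later caller does not reintroduce the recursion. The return value of `_gadget_stop_activity()`, which its comment documents as an error code, is also discarded at this call site.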