)]}'
{
  "commit": "ed62ca2f4f51c17841ea39d98c0c409cb53a3e10",
  "tree": "e0f5eda057a87350ecdfcce42e45a933129b5e62",
  "parents": [
    "53ec7f2733745f35f78ea1bab1e73b30e7667e8b"
  ],
  "author": {
    "name": "Douglas Anderson",
    "email": "dianders@chromium.org",
    "time": "Thu Aug 10 15:42:22 2017 -0700"
  },
  "committer": {
    "name": "Greg Kroah-Hartman",
    "email": "gregkh@linuxfoundation.org",
    "time": "Mon Aug 28 11:17:57 2017 +0200"
  },
  "message": "USB: core: Avoid race of async_completed() w/ usbdev_release()\n\nWhile running reboot tests w/ a specific set of USB devices (and\nslub_debug enabled), I found that once every few hours my device would\nbe crashed with a stack that looked like this:\n\n[   14.012445] BUG: spinlock bad magic on CPU#0, modprobe/2091\n[   14.012460]  lock: 0xffffffc0cb055978, .magic: ffffffc0, .owner: cryption contexts: %lu/%lu\n[   14.012460] /1025536097, .owner_cpu: 0\n[   14.012466] CPU: 0 PID: 2091 Comm: modprobe Not tainted 4.4.79 #352\n[   14.012468] Hardware name: Google Kevin (DT)\n[   14.012471] Call trace:\n[   14.012483] [\u003c....\u003e] dump_backtrace+0x0/0x160\n[   14.012487] [\u003c....\u003e] show_stack+0x20/0x28\n[   14.012494] [\u003c....\u003e] dump_stack+0xb4/0xf0\n[   14.012500] [\u003c....\u003e] spin_dump+0x8c/0x98\n[   14.012504] [\u003c....\u003e] spin_bug+0x30/0x3c\n[   14.012508] [\u003c....\u003e] do_raw_spin_lock+0x40/0x164\n[   14.012515] [\u003c....\u003e] _raw_spin_lock_irqsave+0x64/0x74\n[   14.012521] [\u003c....\u003e] __wake_up+0x2c/0x60\n[   14.012528] [\u003c....\u003e] async_completed+0x2d0/0x300\n[   14.012534] [\u003c....\u003e] __usb_hcd_giveback_urb+0xc4/0x138\n[   14.012538] [\u003c....\u003e] usb_hcd_giveback_urb+0x54/0xf0\n[   14.012544] [\u003c....\u003e] xhci_irq+0x1314/0x1348\n[   14.012548] [\u003c....\u003e] usb_hcd_irq+0x40/0x50\n[   14.012553] [\u003c....\u003e] handle_irq_event_percpu+0x1b4/0x3f0\n[   14.012556] [\u003c....\u003e] handle_irq_event+0x4c/0x7c\n[   14.012561] [\u003c....\u003e] handle_fasteoi_irq+0x158/0x1c8\n[   14.012564] [\u003c....\u003e] generic_handle_irq+0x30/0x44\n[   14.012568] [\u003c....\u003e] __handle_domain_irq+0x90/0xbc\n[   14.012572] [\u003c....\u003e] gic_handle_irq+0xcc/0x18c\n\nInvestigation using kgdb() found that the wait queue that was passed\ninto wake_up() had been freed (it was filled with slub_debug poison).\n\nI analyzed and instrumented the code and reproduced.  My current\nbelief is that this is happening:\n\n1. async_completed() is called (from IRQ).  Moves \"as\" onto the\n   completed list.\n2. On another CPU, proc_reapurbnonblock_compat() calls\n   async_getcompleted().  Blocks on spinlock.\n3. async_completed() releases the lock; keeps running; gets blocked\n   midway through wake_up().\n4. proc_reapurbnonblock_compat() \u003d\u003e async_getcompleted() gets the\n   lock; removes \"as\" from completed list and frees it.\n5. usbdev_release() is called.  Frees \"ps\".\n6. async_completed() finally continues running wake_up().  ...but\n   wake_up() has a pointer to the freed \"ps\".\n\nThe instrumentation that led me to believe this was based on adding\nsome trace_printk() calls in a select few functions and then using\nkdb\u0027s \"ftdump\" at crash time.  The trace follows (NOTE: in the trace\nbelow I cheated a little bit and added a udelay(1000) in\nasync_completed() after releasing the spinlock because I wanted it to\ntrigger quicker):\n\n\u003c...\u003e-2104   0d.h2 13759034us!: async_completed at start: as\u003dffffffc0cc638200\nmtpd-2055    3.... 13759356us : async_getcompleted before spin_lock_irqsave\nmtpd-2055    3d..1 13759362us : async_getcompleted after list_del_init: as\u003dffffffc0cc638200\nmtpd-2055    3.... 13759371us+: proc_reapurbnonblock_compat: free_async(ffffffc0cc638200)\nmtpd-2055    3.... 13759422us+: async_getcompleted before spin_lock_irqsave\nmtpd-2055    3.... 13759479us : usbdev_release at start: ps\u003dffffffc0cc042080\nmtpd-2055    3.... 13759487us : async_getcompleted before spin_lock_irqsave\nmtpd-2055    3.... 13759497us!: usbdev_release after kfree(ps): ps\u003dffffffc0cc042080\n\u003c...\u003e-2104   0d.h2 13760294us : async_completed before wake_up(): as\u003dffffffc0cc638200\n\nTo fix this problem we can just move the wake_up() under the ps-\u003elock.\nThere should be no issues there that I\u0027m aware of.\n\nSigned-off-by: Douglas Anderson \u003cdianders@chromium.org\u003e\nAcked-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "ebe27595c4afbc343285cdcfca0070720c5512be",
      "old_mode": 33188,
      "old_path": "drivers/usb/core/devio.c",
      "new_id": "0ff0feddfd1f9df26a59ac62cc4be07b16c37f6b",
      "new_mode": 33188,
      "new_path": "drivers/usb/core/devio.c"
    }
  ]
}
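Added example, not code from this page, from the kernel, or from the patch itself (the diff of drivers/usb/core/devio.c is not rendered here): a user-space C model of the six-step interleaving the commit message describes, replayed once with the pre-patch ordering (drop ps->lock, then wake_up()) and once with the post-patch ordering (wake_up() under ps->lock). The struct and function names carry a `_model`, `_before` or `_after` suffix to mark them as stand-ins; the magic values, the single-threaded spinlock model and the `other_cpu_in_window()` callback that stands in for the preempted interrupt are all assumptions of this demo. The freed `ps` is poisoned rather than actually freed so that the "read after free" remains defined behaviour and can be reported as a return value instead of a crash.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed values: LIVE marks a usable ps; POISON stands in for slub_debug poison. */
#define PS_LIVE_MAGIC   0x70735f6fu
#define PS_POISON_MAGIC 0x6b6b6b6bu

struct async;

/* Stand-in for struct usb_dev_state ("ps"): lock, completed list, wait queue. */
struct usb_dev_state {
    int locked;                 /* models ps->lock; single-thread replay */
    struct async *completed;    /* models the completed list */
    unsigned magic;             /* models liveness of the wait queue */
};

/* Stand-in for struct async ("as"): one completed URB. */
struct async {
    struct usb_dev_state *ps;
    struct async *next;
};

/* Spinlock model; re-entry would deadlock in the kernel, so it trips. */
static void ps_lock(struct usb_dev_state *ps)   { assert(!ps->locked); ps->locked = 1; }
static void ps_unlock(struct usb_dev_state *ps) { assert(ps->locked);  ps->locked = 0; }

/* Models wake_up(&ps->wait); returns 1 if it ran on a dead ps. */
static int wake_up_model(const struct usb_dev_state *ps) { return ps->magic != PS_LIVE_MAGIC; }

/* Step 4: async_getcompleted() takes the lock and unlinks "as". */
static struct async *async_getcompleted_model(struct usb_dev_state *ps)
{
    ps_lock(ps);
    struct async *as = ps->completed;
    if (as)
        ps->completed = as->next;
    ps_unlock(ps);
    return as;
}

/* Step 5: usbdev_release() frees "ps".  Poisoned rather than freed here so
 * that the later read stays defined behaviour in this demo. */
static void usbdev_release_model(struct usb_dev_state *ps)
{
    ps->completed = NULL;
    ps->magic = PS_POISON_MAGIC;
}

/* What the other CPU gets done while async_completed() is stalled after
 * dropping the lock (the gap the author widened with udelay(1000)). */
static void other_cpu_in_window(struct usb_dev_state *ps)
{
    free(async_getcompleted_model(ps));   /* free_async(as) */
    usbdev_release_model(ps);             /* kfree(ps) */
}

/* Pre-patch ordering: unlock, then wake_up().  Returns 1 on use-after-free. */
static int async_completed_before(struct async *as)
{
    struct usb_dev_state *ps = as->ps;
    ps_lock(ps);
    as->next = ps->completed;
    ps->completed = as;             /* step 1: "as" onto the completed list */
    ps_unlock(ps);
    other_cpu_in_window(ps);        /* steps 4-5: "as" and "ps" are gone */
    return wake_up_model(ps);       /* step 6: wake_up() through a dangling ps */
}

/* Post-patch ordering: wake_up() under ps->lock, so the consumer cannot
 * unlink "as" (and release cannot follow with kfree(ps)) until it is done. */
static int async_completed_after(struct async *as)
{
    struct usb_dev_state *ps = as->ps;
    ps_lock(ps);
    as->next = ps->completed;
    ps->completed = as;
    int bad = wake_up_model(ps);    /* ps is still live here */
    ps_unlock(ps);
    other_cpu_in_window(ps);        /* window opens only after the wake-up */
    return bad;
}

/* Replays the interleaving once; patched != 0 selects the fixed ordering.
 * Returns 1 if wake_up() observed a dead ps, 0 otherwise. */
int replay_race(int patched)
{
    struct usb_dev_state *ps = calloc(1, sizeof *ps);
    struct async *as = calloc(1, sizeof *as);
    if (!ps || !as)
        abort();
    ps->magic = PS_LIVE_MAGIC;
    as->ps = ps;
    int uaf = patched ? async_completed_after(as) : async_completed_before(as);
    free(ps);                       /* "as" was already freed in the window */
    return uaf;
}
```

Call `replay_race(0)` for the pre-patch ordering and `replay_race(1)` for the post-patch ordering. Two caveats when mapping this back to the kernel: the model runs the other CPU's work synchronously after the unlock, whereas in the real system it is the consumer spinning on `ps->lock` that keeps the window shut until `wake_up()` has returned, and the fix only holds as long as `async_completed()` touches nothing reachable through `ps` after it drops the lock, which is the property the author says he checked. A real kernel with slub_debug (as in the report) or KASAN is the practical way to confirm the same use-after-free on hardware.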
