Crash in hub_port_init() while running insertion/removal test
Issue description
Running the following script on kevin
    while true
    do
        for i in /sys/bus/platform/drivers/rockchip-dwc3/usb*; do
            basename $i > $(dirname $i)/unbind
            basename $i > $(dirname $i)/bind
        done
        sleep 1
    done
with all pending CLs applied to fix other problems results in the following crash.
[ 575.076904] ==================================================================
[ 575.084131] BUG: KASAN: null-ptr-deref on address 0000000000000008
[ 575.090304] Read of size 8 by task kworker/5:3/3353
[ 575.095181] CPU: 5 PID: 3353 Comm: kworker/5:3 Not tainted 4.4.52 #480
[ 575.101700] Hardware name: Google Kevin (DT)
[ 575.105974] Workqueue: events driver_set_config_work
[ 575.110946] Call trace:
[ 575.113400] [<ffffffc00020a6b4>] dump_backtrace+0x0/0x190
[ 575.118796] [<ffffffc00020a864>] show_stack+0x20/0x28
[ 575.123846] [<ffffffc0005d1a94>] dump_stack+0xa4/0xcc
[ 575.128896] [<ffffffc0003cf910>] kasan_report+0x124/0x4ec
[ 575.134290] [<ffffffc0003ced60>] __asan_load8+0x78/0x80
[ 575.139513] [<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10
[ 575.144995] [<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c
[ 575.151690] [<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298
[ 575.157357] [<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152]
[ 575.163448] [<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8
[ 575.169452] [<ffffffc000774a24>] driver_probe_device+0x180/0x3b4
[ 575.175453] [<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0
[ 575.181543] [<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4
[ 575.187112] [<ffffffc0007747ec>] __device_attach+0xd0/0x158
[ 575.192683] [<ffffffc000775080>] device_initial_probe+0x24/0x30
[ 575.198599] [<ffffffc0007739d4>] bus_probe_device+0x50/0xe4
[ 575.204170] [<ffffffc000770bd0>] device_add+0x414/0x738
[ 575.206288] usb 7-1.2: new low-speed USB device number 3 using xhci-hcd
[ 575.215994] [<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914
[ 575.222167] [<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0
[ 575.228258] [<ffffffc000249bb8>] process_one_work+0x390/0x6b8
[ 575.233999] [<ffffffc00024abcc>] worker_thread+0x480/0x610
[ 575.239481] [<ffffffc000251a80>] kthread+0x164/0x178
[ 575.244443] [<ffffffc0002045d0>] ret_from_fork+0x10/0x40
[ 575.249751] ==================================================================
Complete log is attached.
Mar 7 2017
(gdb) l *0xffffffc0007fbbfc
0xffffffc0007fbbfc is in hub_port_init (/mnt/host/source/src/third_party/kernel/v4.4/drivers/usb/core/hub.c:4293).
4288 return;
4289
4290 if (hub)
4291 connect_type = hub->ports[udev->portnum - 1]->connect_type;
4292
4293 if ((udev->bos->ext_cap->bmAttributes & cpu_to_le32(USB_BESL_SUPPORT)) ||
4294 connect_type == USB_PORT_CONNECT_TYPE_HARD_WIRED) {
4295 udev->usb2_hw_lpm_allowed = 1;
4296 usb_set_usb2_hardware_lpm(udev, 1);
4297 }
Mar 8 2017
udev->bos can be NULL if reading it failed. This causes the crash.
Mar 18 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/36eaad4e56bbb0eae5e9c4d72cd3b59826b44c66

commit 36eaad4e56bbb0eae5e9c4d72cd3b59826b44c66
Author: Guenter Roeck <linux@roeck-us.net>
Date: Sat Mar 18 03:12:22 2017

FROMLIST: usb: hub: Fix crash after failure to read BOS descriptor

If usb_get_bos_descriptor() returns an error, usb->bos will be NULL.
Nevertheless, it is dereferenced unconditionally in
hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set.
This results in a crash.

usb 5-1: unable to get BOS descriptor
...
Unable to handle kernel NULL pointer dereference at virtual address 00000008
pgd = ffffffc00165f000
[00000008] *pgd=000000000174f003, *pud=000000000174f003, *pmd=0000000001750003, *pte=00e8000001751713
Internal error: Oops: 96000005 [#1] PREEMPT SMP
Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ]
CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G B 4.4.52 #480
Hardware name: Google Kevin (DT)
Workqueue: events driver_set_config_work
task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000
PC is at hub_port_init+0xc3c/0xd10
LR is at hub_port_init+0xc3c/0xd10
...
Call trace:
[<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10
[<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c
[<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298
[<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152]
[<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8
[<ffffffc000774a24>] driver_probe_device+0x180/0x3b4
[<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0
[<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4
[<ffffffc0007747ec>] __device_attach+0xd0/0x158
[<ffffffc000775080>] device_initial_probe+0x24/0x30
[<ffffffc0007739d4>] bus_probe_device+0x50/0xe4
[<ffffffc000770bd0>] device_add+0x414/0x738
[<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914
[<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0
[<ffffffc000249bb8>] process_one_work+0x390/0x6b8
[<ffffffc00024abcc>] worker_thread+0x480/0x610
[<ffffffc000251a80>] kthread+0x164/0x178
[<ffffffc0002045d0>] ret_from_fork+0x10/0x40

Since we don't know anything about LPM capabilities without BOS descriptor,
don't attempt to enable LPM if it is not available.

BUG= chromium:699286
TEST=bind/unbind usb ports in loop

Change-Id: I36c85f91c47e03929b6bc6286c54d05f630fb0cd
Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...")
Cc: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/9611839/)
Reviewed-on: https://chromium-review.googlesource.com/451581
Reviewed-by: Douglas Anderson <dianders@chromium.org>

[modify] https://crrev.com/36eaad4e56bbb0eae5e9c4d72cd3b59826b44c66/drivers/usb/core/hub.c
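A user-space model of the condition described in the commit message above, added here as an illustration; it is not the kernel's code and not the patch itself. The model_* names, the host-endian flag test and the extra ext_cap check are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures (model names are assumptions). */
#define MODEL_BESL_SUPPORT (1u << 2) /* same bit as USB_BESL_SUPPORT; host-endian here */
enum model_connect { MODEL_CONNECT_UNKNOWN, MODEL_CONNECT_HARD_WIRED };
struct model_ext_cap { uint32_t bmAttributes; };
struct model_bos { struct model_ext_cap *ext_cap; };
struct model_udev {
    int usb2_hw_lpm_capable;
    int usb2_hw_lpm_allowed;
    struct model_bos *bos; /* NULL when reading the BOS descriptor failed */
};

/* Shape of the crashing code: udev->bos is dereferenced unconditionally.
 * Shown for comparison only; calling it with bos == NULL faults. */
int lpm_policy_unguarded(struct model_udev *udev, enum model_connect ct)
{
    if (!udev->usb2_hw_lpm_capable)
        return 0;
    if ((udev->bos->ext_cap->bmAttributes & MODEL_BESL_SUPPORT) ||
        ct == MODEL_CONNECT_HARD_WIRED)
        return (udev->usb2_hw_lpm_allowed = 1);
    return 0;
}

/* Guarded form: with no BOS descriptor the LPM capabilities are unknown,
 * so LPM stays off even on a hard-wired port. Returns 1 if LPM was enabled. */
int lpm_policy_guarded(struct model_udev *udev, enum model_connect ct)
{
    if (!udev->usb2_hw_lpm_capable || !udev->bos)
        return 0;
    /* The ext_cap NULL check is an extra precaution of this model. */
    if ((udev->bos->ext_cap &&
         (udev->bos->ext_cap->bmAttributes & MODEL_BESL_SUPPORT)) ||
        ct == MODEL_CONNECT_HARD_WIRED)
        return (udev->usb2_hw_lpm_allowed = 1);
    return 0;
}

int main(void)
{
    struct model_udev failed_read = { 1, 0, NULL }; /* constructed sample */
    printf("LPM enabled without BOS: %d\n",
           lpm_policy_guarded(&failed_read, MODEL_CONNECT_HARD_WIRED));
    return 0;
}
```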
Mar 20 2017
Comment 1 by groeck@chromium.org, Mar 7 2017