Unable to handle kernel NULL pointer dereference when running USB bind/unbind test |
||||
Issue description
Test script:
while true
do
for i in /sys/bus/platform/drivers/rockchip-dwc3/usb*; do
basename $i > $(dirname $i)/unbind
basename $i > $(dirname $i)/bind
done
sleep $(awk "BEGIN {printf \"%.2f\", $((RANDOM % 150)) / 100 + 0.5}")
done
Crash:
[41684.361799] Unable to handle kernel NULL pointer dereference at virtual address 00000218
[41684.369995] pgd = ffffffc00165f000
[41684.373623] [00000218] *pgd=000000000174f003, *pud=000000000174f003, *pmd=0000000001750003, *pte=00e8000001751713
[41684.384203] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[41684.389790] Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat rfcomm xt_mark fuse bridge stp llc zram btusb btrtl btbcm btintel bluetooth ip6table_filter mwifiex_pcie mwifiex cfg80211 cdc_ether usbnet r8152 mii joydev snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async ppp_generic slhc tun
[41684.425054] CPU: 1 PID: 29814 Comm: kworker/1:1 Not tainted 4.4.52 #507
[41684.431679] Hardware name: Google Kevin (DT)
[41684.435995] Workqueue: pm pm_runtime_work
[41684.440043] task: ffffffc0ac540000 ti: ffffffc0af4d4000 task.ti: ffffffc0af4d4000
[41684.447549] PC is at autosuspend_check+0x74/0x174
[41684.452275] LR is at autosuspend_check+0x70/0x174
...
[41685.920780] Call trace:
[41685.923257] [<ffffffc00080dcc0>] autosuspend_check+0x74/0x174
[41685.929028] [<ffffffc000810500>] usb_runtime_idle+0x20/0x40
[41685.934622] [<ffffffc000785ae0>] __rpm_callback+0x48/0x7c
[41685.940042] [<ffffffc000786af0>] rpm_idle+0x1e8/0x498
[41685.945111] [<ffffffc000787cdc>] pm_runtime_work+0x88/0xcc
[41685.950626] [<ffffffc000249bb8>] process_one_work+0x390/0x6b8
[41685.956398] [<ffffffc00024abcc>] worker_thread+0x480/0x610
[41685.961904] [<ffffffc000251a80>] kthread+0x164/0x178
[41685.966893] [<ffffffc0002045d0>] ret_from_fork+0x10/0x40
,
Mar 9 2017
,
Mar 13 2017
Issue 700975 has been merged into this issue.
,
Mar 20 2017
,
Mar 21 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cd110aca5c52367c273c6baa35141ed1a995a144 commit cd110aca5c52367c273c6baa35141ed1a995a144 Author: Guenter Roeck <linux@roeck-us.net> Date: Tue Mar 21 02:30:11 2017 FROMLIST: usb: hub: Do not attempt to autosuspend disconnected devices While running a bind/unbind stress test with the dwc3 usb driver on rk3399, the following crash was observed. Unable to handle kernel NULL pointer dereference at virtual address 00000218 pgd = ffffffc00165f000 [00000218] *pgd=000000000174f003, *pud=000000000174f003, *pmd=0000000001750003, *pte=00e8000001751713 Internal error: Oops: 96000005 [#1] PREEMPT SMP Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat rfcomm xt_mark fuse bridge stp llc zram btusb btrtl btbcm btintel bluetooth ip6table_filter mwifiex_pcie mwifiex cfg80211 cdc_ether usbnet r8152 mii joydev snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async ppp_generic slhc tun CPU: 1 PID: 29814 Comm: kworker/1:1 Not tainted 4.4.52 #507 Hardware name: Google Kevin (DT) Workqueue: pm pm_runtime_work task: ffffffc0ac540000 ti: ffffffc0af4d4000 task.ti: ffffffc0af4d4000 PC is at autosuspend_check+0x74/0x174 LR is at autosuspend_check+0x70/0x174 ... Call trace: [<ffffffc00080dcc0>] autosuspend_check+0x74/0x174 [<ffffffc000810500>] usb_runtime_idle+0x20/0x40 [<ffffffc000785ae0>] __rpm_callback+0x48/0x7c [<ffffffc000786af0>] rpm_idle+0x1e8/0x498 [<ffffffc000787cdc>] pm_runtime_work+0x88/0xcc [<ffffffc000249bb8>] process_one_work+0x390/0x6b8 [<ffffffc00024abcc>] worker_thread+0x480/0x610 [<ffffffc000251a80>] kthread+0x164/0x178 [<ffffffc0002045d0>] ret_from_fork+0x10/0x40 Source: (gdb) l *0xffffffc00080dcc0 0xffffffc00080dcc0 is in autosuspend_check (drivers/usb/core/driver.c:1778). 1773 /* We don't need to check interfaces that are 1774 * disabled for runtime PM. Either they are unbound 1775 * or else their drivers don't support autosuspend 1776 * and so they are permanently active. 1777 */ 1778 if (intf->dev.power.disable_depth) 1779 continue; 1780 if (atomic_read(&intf->dev.power.usage_count) > 0) 1781 return -EBUSY; 1782 w |= intf->needs_remote_wakeup; Code analysis shows that intf is set to NULL in usb_disable_device() prior to setting actconfig to NULL. At the same time, usb_runtime_idle() does not lock the usb device, and neither does any of the functions in the traceback. This means that there is no protection against a race condition where usb_disable_device() is removing dev->actconfig->interface[] pointers while those are being accessed from autosuspend_check(). To solve the problem, synchronize and validate device state between autosuspend_check() and usb_disconnect(). BUG= chromium:700088 TEST=Run the following script on kevin for several hours, with an Ethernet adapter on one Type-C port and an Apple dock on the other. base="/sys/bus/platform/drivers/rockchip-dwc3" a="${base}//usb@fe800000 ${base}/usb@fe900000" while true do for i in $a; do basename $i > $(dirname $i)/unbind basename $i > $(dirname $i)/bind done sleep $(awk "BEGIN {printf \"%.2f\", $((RANDOM % 200)) / 100 + 0.2}") done Change-Id: I7d2c6384812c932796b13ee8d9909f960eb725b2 Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (am from https://patchwork.kernel.org/patch/9635341/) Reviewed-on: https://chromium-review.googlesource.com/452942 Reviewed-by: Douglas Anderson <dianders@chromium.org> [modify] https://crrev.com/cd110aca5c52367c273c6baa35141ed1a995a144/drivers/usb/core/driver.c [modify] https://crrev.com/cd110aca5c52367c273c6baa35141ed1a995a144/drivers/usb/core/hub.c
,
Nov 3 2017
|
||||
►
Sign in to add a comment |
||||
Comment 1 by groeck@chromium.org
, Mar 9 2017