Subject: usb HC busted?
From: Alan Stern
Date: Tue, 17 Jul 2018 10:28:14 -0400 (EDT)
To: Sudip Mukherjee
Cc: Mathias Nyman, Andy Shevchenko, Andy Shevchenko, Mathias Nyman, linux-usb@vger.kernel.org, lukaszx.szulc@intel.com, Christoph Hellwig, Marek Szyprowski, iommu@lists.linux-foundation.org
In-Reply-To: <20180717114104.irgdb5rmg2qxclgp@debian>

On Tue, 17 Jul 2018, Sudip Mukherjee wrote:

> I did some more debugging. Tested with a KASAN enabled kernel and that
> shows the problem. The report is attached.
>
> To my understanding:
>
> btusb_work() is calling usb_set_interface() with alternate = 0, which
> again calls usb_hcd_alloc_bandwidth() and that frees the rings by
> xhci_free_endpoint_ring().

That doesn't sound like the right thing to do.  The rings shouldn't be
freed until xhci_endpoint_disable() is called.

On the other hand, there doesn't appear to be any
xhci_endpoint_disable() routine, although a comment refers to it.
Maybe this is the real problem?

Alan Stern

> But then usb_set_interface() continues and
> calls usb_disable_interface() -> usb_hcd_flush_endpoint()->unlink1()->
> xhci_urb_dequeue() which at the end gives the command to stop endpoint.
>
> In all the cycles I have tested I see that only in the fail case
> handle_cmd_completion() gets called, but in the cycles where the error
> is not there handle_cmd_completion() is not called with that command.
>
> I am not sure what is happening, and you are the best person to understand
> what is happening. :)
>
> But for now (until you are back from holiday and suggest a proper solution),
> I made a hacky patch (attached) which is working and I do not get any
> corruption after that. Both KASAN and slub debug are also happy.
>
> So, now waiting for you to analyze what is going on and suggest a proper
> fix.
>
> Thanks in advance.
>
> --
> Regards
> Sudip
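
The ordering discussed in this thread, as an added user-space model (not code from the thread or from the kernel): the ring is freed before the pending URB is cancelled, so the stop-endpoint completion reaches a ring that no longer exists. All struct and function names are hypothetical stand-ins, and the "cancel first" order is an assumption of the example, not a fix proposed in the thread.

```c
/* User-space model, not kernel code; names are hypothetical, state is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct ring { bool live; int deq; };   /* live == false once "freed" */
struct urb  { struct ring *ring; bool queued; };
struct ep   { struct ring *ring; struct urb *pending; };

static struct ring pool[2];  /* static pool, so a freed ring stays inspectable */
static int stale_hits;       /* accesses KASAN would flag as use-after-free */

static void ep_init(struct ep *ep, struct urb *u, int slot) {
    pool[slot] = (struct ring){ .live = true, .deq = 0 };
    ep->ring = &pool[slot];
    *u = (struct urb){ .ring = ep->ring, .queued = true };
    ep->pending = u;
}

static void free_endpoint_ring(struct ep *ep) {
    ep->ring->live = false;
    ep->ring = NULL;         /* the URB still holds its own pointer */
}

/* Stop-endpoint completion: removes the cancelled URB from its ring. */
static void stop_ep_completion(struct urb *u) {
    if (!u->ring->live) { stale_hits++; return; }  /* ring already gone */
    u->ring->deq++;
    u->queued = false;
}

/* Models dequeue -> stop endpoint -> completion handler. */
static void flush_endpoint(struct ep *ep) {
    if (ep->pending && ep->pending->queued) stop_ep_completion(ep->pending);
    ep->pending = NULL;
}

/* free_first = true: order in the report; false: cancel first (assumed alternative). */
static int run_set_interface(bool free_first) {
    struct ep ep; struct urb u;
    stale_hits = 0;
    ep_init(&ep, &u, free_first ? 0 : 1);
    if (free_first) { free_endpoint_ring(&ep); flush_endpoint(&ep); }
    else            { flush_endpoint(&ep); free_endpoint_ring(&ep); }
    return stale_hits;
}

int main(void) {
    printf("free first: %d stale\n", run_set_interface(true));
    printf("flush first: %d stale\n", run_set_interface(false));
    return 0;
}
```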