linux-kernel.vger.kernel.org archive mirror
* [PATCH] xhci-ring: Fix Null pointer dereference
@ 2014-08-26 15:47 Ricardo Ribalda Delgado
  2014-08-27 14:25 ` Mathias Nyman
  0 siblings, 1 reply; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-08-26 15:47 UTC (permalink / raw)
  To: Mathias Nyman, Greg Kroah-Hartman, linux-usb, linux-kernel
  Cc: Ricardo Ribalda Delgado

While testing a usb gadget I managed to completely crash the host
computer. This was due to a NULL pointer dereference.

This patch avoids the crash although the kernel still outputs some
warnings.

Without this patch, kernels from (at least) 3.14 can be crashed with
mass storage gadgets.

Affected host:  NEC Corporation uPD720200 USB 3.0

Aug 26 17:34:37 neopili kernel: [ 4767.480159] ------------[ cut here ]------------
Aug 26 17:34:37 neopili kernel: [ 4767.480176] WARNING: CPU: 0 PID: 10185 at drivers/usb/host/xhci-ring.c:518 xhci_cleanup_stalled_ring+0x67/0x220 [xhci_hcd]()
Aug 26 17:34:37 neopili kernel: [ 4767.480179] Modules linked in: xhci_hcd uas usb_storage bnep pci_stub cpufreq_stats vboxpci(O) cpufreq_powersave cpufreq_conservative vboxnetadp(O) cpufreq_userspace vboxnetflt(O) vboxdrv(O) binfmt_misc tun arc4 iwldvm mac80211 snd_hda_codec_hdmi ecb snd_hda_codec_conexant snd_hda_codec_generic snd_hda_intel snd_hda_controller snd_hda_codec btusb x86_pkg_temp_thermal snd_hwdep snd_pcm_oss intel_powerclamp bluetooth intel_rapl coretemp snd_mixer_oss iTCO_wdt uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core kvm_intel snd_pcm v4l2_common videodev media iTCO_vendor_support kvm iwlwifi cfg80211 snd_timer joydev crc32_pclmul ghash_clmulni_intel thinkpad_acpi nvram snd aesni_intel evdev lpc_ich soundcore ac rfkill mfd_core aes_x86_64 psmouse serio_raw pcspkr lrw gf128mul glue_helper ablk_helper tpm_tis cryptd video i2c_i801 tpm shpchp processor button battery wmi nvidia(PO) i2c_core hdaps(O) tp_smapi(O)
thinkpad_ec(O) loop firewire_sbp2 fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sg sd_mod sr_mod crc_t10dif cdrom crct10dif_generic hid_generic usbhid hid crct10dif_pclmul crct10dif_common crc32c_intel ahci libahci libata sdhci_pci scsi_mod sdhci firewire_ohci ehci_pci firewire_core mmc_core ehci_hcd crc_itu_t e1000e usbcore ptp usb_common pps_core thermal thermal_sys [last unloaded: xhci_hcd]
Aug 26 17:34:37 neopili kernel: [ 4767.480309] CPU: 0 PID: 10185 Comm: usb-storage Tainted: P        W  O  3.16.0+ #2
Aug 26 17:34:37 neopili kernel: [ 4767.480312] Hardware name: LENOVO 4284HE2/4284HE2, BIOS 8BET62WW (1.42 ) 07/26/2013
Aug 26 17:34:37 neopili kernel: [ 4767.480315]  0000000000000009 ffffffff814ef2dd 0000000000000000 ffffffff81064c12
Aug 26 17:34:37 neopili kernel: [ 4767.480320]  ffff88056e044210 ffff880589eb4000 0000000000000002 ffff8800be1b7800
Aug 26 17:34:37 neopili kernel: [ 4767.480325]  ffff880589eb4048 ffffffffa11eae07 ffff88055d91bc10 0000000000000000
Aug 26 17:34:37 neopili kernel: [ 4767.480329] Call Trace:
Aug 26 17:34:37 neopili kernel: [ 4767.480342]  [<ffffffff814ef2dd>] ? dump_stack+0x41/0x51
Aug 26 17:34:37 neopili kernel: [ 4767.480349]  [<ffffffff81064c12>] ? warn_slowpath_common+0x72/0x90
Aug 26 17:34:37 neopili kernel: [ 4767.480357]  [<ffffffffa11eae07>] ? xhci_cleanup_stalled_ring+0x67/0x220 [xhci_hcd]
Aug 26 17:34:37 neopili kernel: [ 4767.480363]  [<ffffffffa11eb11e>] ? xhci_endpoint_reset+0x15e/0x1d0 [xhci_hcd]
Aug 26 17:34:37 neopili kernel: [ 4767.480382]  [<ffffffffa003c305>] ? usb_enable_endpoint+0x75/0x80 [usbcore]
Aug 26 17:34:37 neopili kernel: [ 4767.480398]  [<ffffffffa003c34d>] ? usb_enable_interface+0x3d/0x50 [usbcore]
Aug 26 17:34:37 neopili kernel: [ 4767.480413]  [<ffffffffa0030e12>] ? usb_reset_and_verify_device+0x642/0x770 [usbcore]
Aug 26 17:34:37 neopili kernel: [ 4767.480427]  [<ffffffffa003105d>] ? usb_reset_device+0x11d/0x290 [usbcore]
Aug 26 17:34:37 neopili kernel: [ 4767.480434]  [<ffffffffa10eac29>] ? usb_stor_port_reset+0x59/0x60 [usb_storage]
Aug 26 17:34:37 neopili kernel: [ 4767.480439]  [<ffffffffa10eacb1>] ? usb_stor_invoke_transport+0x81/0x510 [usb_storage]
Aug 26 17:34:37 neopili kernel: [ 4767.480447]  [<ffffffff814f230e>] ? wait_for_completion_interruptible+0xbe/0x210
Aug 26 17:34:37 neopili kernel: [ 4767.480452]  [<ffffffff81093bc0>] ? wake_up_state+0x10/0x10
Aug 26 17:34:37 neopili kernel: [ 4767.480458]  [<ffffffffa10ec4b8>] ? usb_stor_control_thread+0x168/0x290 [usb_storage]
Aug 26 17:34:37 neopili kernel: [ 4767.480464]  [<ffffffffa10ec350>] ? usb_stor_disconnect+0xc0/0xc0 [usb_storage]
Aug 26 17:34:37 neopili kernel: [ 4767.480470]  [<ffffffff8108534a>] ? kthread+0xca/0xe0
Aug 26 17:34:37 neopili kernel: [ 4767.480476]  [<ffffffff81067647>] ? do_exit+0x847/0xab0
Aug 26 17:34:37 neopili kernel: [ 4767.480481]  [<ffffffff81085280>] ? kthread_create_on_node+0x180/0x180
Aug 26 17:34:37 neopili kernel: [ 4767.480486]  [<ffffffff814f4e3c>] ? ret_from_fork+0x7c/0xb0
Aug 26 17:34:37 neopili kernel: [ 4767.480491]  [<ffffffff81085280>] ? kthread_create_on_node+0x180/0x180
Aug 26 17:34:37 neopili kernel: [ 4767.480494] ---[ end trace e627648c2935c96e ]---
Aug 26 17:34:37 neopili kernel: [ 4767.480500] xhci_hcd 0000:0e:00.0: WARN Cannot submit Set TR Deq Ptr
Aug 26 17:34:37 neopili kernel: [ 4767.480504] xhci_hcd 0000:0e:00.0: WARN deq seg =           (null), deq pt = ffff8805516d7800

Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
---
 drivers/usb/host/xhci-ring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 60fb52a..7767481 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -613,7 +613,8 @@ void xhci_queue_new_dequeue_state(struct xhci_hcd *xhci,
 			"Set TR Deq Ptr cmd, new deq seg = %p (0x%llx dma), "
 			"new deq ptr = %p (0x%llx dma), new cycle = %u",
 			deq_state->new_deq_seg,
-			(unsigned long long)deq_state->new_deq_seg->dma,
+			(unsigned long long)(deq_state->new_deq_seg) ?
+				deq_state->new_deq_seg->dma : 0,
 			deq_state->new_deq_ptr,
 			(unsigned long long)xhci_trb_virt_to_dma(deq_state->new_deq_seg, deq_state->new_deq_ptr),
 			deq_state->new_cycle_state);
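Review bot: The cast on the added line binds tighter than ?:, so (unsigned long long)(deq_state->new_deq_seg) ? ... : 0 casts the pointer that is used as the condition and leaves the selected value, ->dma or 0, uncast when it is handed to the 0x%llx specifier. Parenthesise the whole conditional instead: (unsigned long long)(deq_state->new_deq_seg ? deq_state->new_deq_seg->dma : 0). Two lines further down, xhci_trb_virt_to_dma(deq_state->new_deq_seg, deq_state->new_deq_ptr) still receives the same possibly-NULL segment, so it is worth confirming that helper tolerates NULL. Since the change only guards the debug print, the "deq seg = (null)" state from the log above is still carried forward; returning early when new_deq_seg is NULL would address that as well as the dereference.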
-- 
2.1.0



* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-27 14:25 ` Mathias Nyman
@ 2014-08-27 14:14   ` Ricardo Ribalda Delgado
  2014-08-27 15:27     ` Mathias Nyman
  0 siblings, 1 reply; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-08-27 14:14 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

At least I have seen the issue on Debian 3.14 and 3.16. Is your patch
going to be backported to linux-stable? The computer crashes very very
badly

On Wed, Aug 27, 2014 at 4:25 PM, Mathias Nyman <mathias.nyman@intel.com> wrote:
> On 08/26/2014 06:47 PM, Ricardo Ribalda Delgado wrote:
>> While testing a usb gadget I managed to completely crash the host
>> computer. This was due to a NULL pointer dereference.
>>
>> This patch avoids the crash although the kernel still outputs some
>> warnings.
>>
>> Without this patch, kernels from (at least) 3.14 can be crashed with
>> mass storage gadgets.
>>
>> Affected host:  NEC Corporation uPD720200 USB 3.0
>>
>
>
> This should not be necessary anymore after
> commit 365038d83313951d6ace15342eb24624bbef1666
>     xhci: rework cycle bit checking for new dequeue pointers
>
> http://marc.info/?l=linux-usb&m=140844993115671&w=2
>
> Which was just added to Greg's usb-linus branch.
> It checks that the new_deq_ptr and new_deq_seg are valid before calling
> xhci_queue_new_dequeue_state()
>
> -Mathias
>
>
>
>
>



-- 
Ricardo Ribalda


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-26 15:47 [PATCH] xhci-ring: Fix Null pointer dereference Ricardo Ribalda Delgado
@ 2014-08-27 14:25 ` Mathias Nyman
  2014-08-27 14:14   ` Ricardo Ribalda Delgado
  0 siblings, 1 reply; 20+ messages in thread
From: Mathias Nyman @ 2014-08-27 14:25 UTC (permalink / raw)
  To: Ricardo Ribalda Delgado, Greg Kroah-Hartman, linux-usb, linux-kernel

On 08/26/2014 06:47 PM, Ricardo Ribalda Delgado wrote:
> While testing a usb gadget I managed to completely crash the host
> computer. This was due to a NULL pointer dereference.
> 
> This patch avoids the crash although the kernel still outputs some
> warnings.
> 
> Without this patch, kernels from (at least) 3.14 can be crashed with
> mass storage gadgets.
> 
> Affected host:  NEC Corporation uPD720200 USB 3.0
> 


This should not be necessary anymore after 
commit 365038d83313951d6ace15342eb24624bbef1666
    xhci: rework cycle bit checking for new dequeue pointers

http://marc.info/?l=linux-usb&m=140844993115671&w=2

Which was just added to Greg's usb-linus branch.
It checks that the new_deq_ptr and new_deq_seg are valid before calling
xhci_queue_new_dequeue_state()

-Mathias







* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-27 14:14   ` Ricardo Ribalda Delgado
@ 2014-08-27 15:27     ` Mathias Nyman
  2014-08-27 16:10       ` Ricardo Ribalda Delgado
  0 siblings, 1 reply; 20+ messages in thread
From: Mathias Nyman @ 2014-08-27 15:27 UTC (permalink / raw)
  To: Ricardo Ribalda Delgado; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

On 08/27/2014 05:14 PM, Ricardo Ribalda Delgado wrote:
> At least I have seen the issue on Debian 3.14 and 3.16. Is your patch
> going to be backported to linux-stable? The computer crashes very very
> badly
> 

Yes, it is, but it might need some additional work as it won't apply cleanly on older versions

http://marc.info/?l=linux-usb&m=140913688327011&w=2

-Mathias


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-27 15:27     ` Mathias Nyman
@ 2014-08-27 16:10       ` Ricardo Ribalda Delgado
  2014-08-28 10:41         ` Mathias Nyman
  0 siblings, 1 reply; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-08-27 16:10 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

Perhaps we could apply both patches to current tree and backport mine
to older kernels?

On Wed, Aug 27, 2014 at 5:27 PM, Mathias Nyman <mathias.nyman@intel.com> wrote:
> On 08/27/2014 05:14 PM, Ricardo Ribalda Delgado wrote:
>> At least I have seen the issue on Debian 3.14 and 3.16. Is your patch
>> going to be backported to linux-stable? The computer crashes very very
>> badly
>>
>
> Yes, it is, but it might need some additional work as it won't apply cleanly on older versions
>
> http://marc.info/?l=linux-usb&m=140913688327011&w=2
>
> -Mathias



-- 
Ricardo Ribalda


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-27 16:10       ` Ricardo Ribalda Delgado
@ 2014-08-28 10:41         ` Mathias Nyman
  2014-08-28 10:50           ` Ricardo Ribalda Delgado
  0 siblings, 1 reply; 20+ messages in thread
From: Mathias Nyman @ 2014-08-28 10:41 UTC (permalink / raw)
  To: Ricardo Ribalda Delgado; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

On 08/27/2014 07:10 PM, Ricardo Ribalda Delgado wrote:
> Perhaps we could apply both patches to current tree and backport mine
> to older kernels?
> 

The already applied patch fixes many other issues than just this one.
Backporting it to stable < 3.13 turned out to not be that difficult; stable maintainers
said they can do it themselves.

Stable kernels prefer patches that are already upstream, as Documentation/stable_kernel_rules.txt states:
"- It or an equivalent fix must already exist in Linus' tree (upstream)."

There is no need for the other patch anymore, neither upstream nor in stable.

-Mathias



* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-28 10:41         ` Mathias Nyman
@ 2014-08-28 10:50           ` Ricardo Ribalda Delgado
  2014-08-28 12:36             ` Ricardo Ribalda Delgado
  0 siblings, 1 reply; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-08-28 10:50 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

Hello

On Thu, Aug 28, 2014 at 12:41 PM, Mathias Nyman <mathias.nyman@intel.com> wrote:
> On 08/27/2014 07:10 PM, Ricardo Ribalda Delgado wrote:
>> Perhaps we could apply both patches to current tree and backport mine
>> to older kernels?
>>
>
> The already applied patch fixes many other issues than just this one.
> backporting it to stable < 3.13 turned out to not be that difficult, stable maintainers
> said they can do it themselves.

Then I agree, there is absolutely no need for my patch :).

I have a broken gadget driver that was very good at triggering the
bug, I will try it out with your patch.


Thanks!

>
> Stable kernels prefer patches that are already upstream, as Documentation/stable_kernel_rules.txt states:
> "- It or an equivalent fix must already exist in Linus' tree (upstream)."
>
> There is no need for the other patch anymore, not upstream nor to stable
>
> -Mathias
>



-- 
Ricardo Ribalda


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-28 10:50           ` Ricardo Ribalda Delgado
@ 2014-08-28 12:36             ` Ricardo Ribalda Delgado
  2014-08-28 15:20               ` Mathias Nyman
  0 siblings, 1 reply; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-08-28 12:36 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

Hello Mathias

This is the dmesg output after your patch. No WARN(), no crash :), but
still some weird messages:

[  146.511623] usb 2-2: new SuperSpeed USB device number 2 using xhci_hcd
[  146.531652] usb 2-2: New USB device found, idVendor=0525, idProduct=a4a5
[  146.531661] usb 2-2: New USB device strings: Mfr=3, Product=4, SerialNumber=0
[  146.531666] usb 2-2: Product: Mass Storage Gadget
[  146.531670] usb 2-2: Manufacturer: Linux 3.16.0-qtec-standard+ with net2280
[  147.772743] usb-storage 2-2:1.0: USB Mass Storage device detected
[  147.773018] usb-storage 2-2:1.0: Quirks match for vid 0525 pid a4a5: 10000
[  147.773185] scsi host6: usb-storage 2-2:1.0
[  147.773361] usbcore: registered new interface driver usb-storage
[  147.788950] usbcore: registered new interface driver uas
[  148.772699] scsi 6:0:0:0: Direct-Access     Linux    File-Stor Gadget 0316 PQ: 0 ANSI: 2
[  148.773192] sd 6:0:0:0: Attached scsi generic sg2 type 0
[  148.774860] sd 6:0:0:0: [sdb] 32768 512-byte logical blocks: (16.7 MB/16.0 MiB)
[  148.888294] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
[  148.905202] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc88
[  148.905207] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc40
[  148.906324] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
[  148.912639] sd 6:0:0:0: [sdb] Test WP failed, assume Write Enabled
[  149.014972] sd 6:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[  149.128640] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
[  149.145953] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc88
[  149.145963] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc40
[  149.147525] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
[  149.268626] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
[  149.285563] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc88
[  149.285573] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc40
[  149.286904] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
[  149.404621] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
[  149.421397] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc88
[  149.421404] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc40
[  149.422855] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
[  149.431667]  sdb: unknown partition table
[  149.544713] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
[  149.561649] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc88
[  149.561658] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc40
[  149.563021] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
[  149.680733] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
[  149.697766] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc88
[  149.697774] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc40
[  149.699025] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
[  149.706700] sd 6:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[  149.706712] sd 6:0:0:0: [sdb] Attached SCSI disk
[  149.820933] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
[  149.837887] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc88
[  149.837895] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff880036f3cc40
[  149.839242] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
[  155.752101] usb 3-1.5.6: reset high-speed USB device number 10 using ehci-pci
[  155.866642] cdc_acm 3-1.5.6:1.1: This device cannot do calls on its own. It is not a modem.
[  155.866756] cdc_acm 3-1.5.6:1.1: ttyACM0: USB ACM device
[  155.867613] usb 3-1.5.6: usbfs: process 1521 (pool) did not claim interface 0 before use
[  160.471327] pool[1680]: segfault at fffffffffc0e61c0 ip 00007f570f036200 sp 00007f570639f0d0 error 5 in libc-2.19.so[7f570efee000+19f000]

Thanks!

On Thu, Aug 28, 2014 at 12:50 PM, Ricardo Ribalda Delgado
<ricardo.ribalda@gmail.com> wrote:
> Hello
>
> On Thu, Aug 28, 2014 at 12:41 PM, Mathias Nyman <mathias.nyman@intel.com> wrote:
>> On 08/27/2014 07:10 PM, Ricardo Ribalda Delgado wrote:
>>> Perhaps we could apply both patches to current tree and backport mine
>>> to older kernels?
>>>
>>
>> The already applied patch fixes many other issues than just this one.
>> backporting it to stable < 3.13 turned out to not be that difficult, stable maintainers
>> said they can do it themselves.
>
> then I agree, there is absolutely no need for my patch :).
>
> I have a broken gadget driver that was very good at triggering the
> bug, I will try it out with your patch.
>
>
> Thanks!
>
>>
>> Stable kernels prefer patches that are already upstream, as Documentation/stable_kernel_rules.txt states:
>> "- It or an equivalent fix must already exist in Linus' tree (upstream)."
>>
>> There is no need for the other patch anymore, not upstream nor to stable
>>
>> -Mathias
>>
>
>
>
> --
> Ricardo Ribalda



-- 
Ricardo Ribalda


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-28 15:20               ` Mathias Nyman
@ 2014-08-28 15:09                 ` Ricardo Ribalda Delgado
  2014-08-29 15:20                   ` Mathias Nyman
  0 siblings, 1 reply; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-08-28 15:09 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

Sure, but the hw leaves my desk until next Monday in 30 minutes.

So unless you send the patch right now you will have to wait for
results until next Monday.

Thanks!



On Thu, Aug 28, 2014 at 5:20 PM, Mathias Nyman <mathias.nyman@intel.com> wrote:
> On 08/28/2014 03:36 PM, Ricardo Ribalda Delgado wrote:
>> Hello Mathias
>>
>> This is the dmesg output after your patch. No WARN(), no crash :), but
>> still some weird messages:
>>
>> [  146.511623] usb 2-2: new SuperSpeed USB device number 2 using xhci_hcd
>> [  146.531652] usb 2-2: New USB device found, idVendor=0525, idProduct=a4a5
>> [  146.531661] usb 2-2: New USB device strings: Mfr=3, Product=4, SerialNumber=0
>> [  146.531666] usb 2-2: Product: Mass Storage Gadget
>> [  146.531670] usb 2-2: Manufacturer: Linux 3.16.0-qtec-standard+ with net2280
>> [  147.772743] usb-storage 2-2:1.0: USB Mass Storage device detected
>> [  147.773018] usb-storage 2-2:1.0: Quirks match for vid 0525 pid a4a5: 10000
>> [  147.773185] scsi host6: usb-storage 2-2:1.0
>> [  147.773361] usbcore: registered new interface driver usb-storage
>> [  147.788950] usbcore: registered new interface driver uas
>> [  148.772699] scsi 6:0:0:0: Direct-Access     Linux    File-Stor
>> Gadget 0316 PQ: 0 ANSI: 2
>> [  148.773192] sd 6:0:0:0: Attached scsi generic sg2 type 0
>> [  148.774860] sd 6:0:0:0: [sdb] 32768 512-byte logical blocks: (16.7
>> MB/16.0 MiB)
>> [  148.888294] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
>> [  148.905202] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc88
>> [  148.905207] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc40
>> [  148.906324] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
>> [  148.912639] sd 6:0:0:0: [sdb] Test WP failed, assume Write Enabled
>> [  149.014972] sd 6:0:0:0: [sdb] Write cache: enabled, read cache:
>> enabled, doesn't support DPO or FUA
>> [  149.128640] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
>> [  149.145953] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc88
>> [  149.145963] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc40
>> [  149.147525] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
>> [  149.268626] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
>> [  149.285563] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc88
>> [  149.285573] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc40
>> [  149.286904] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
>> [  149.404621] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
>> [  149.421397] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc88
>> [  149.421404] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc40
>> [  149.422855] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
>> [  149.431667]  sdb: unknown partition table
>> [  149.544713] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
>> [  149.561649] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc88
>> [  149.561658] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc40
>> [  149.563021] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
>> [  149.680733] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
>> [  149.697766] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc88
>> [  149.697774] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc40
>> [  149.699025] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
>> [  149.706700] sd 6:0:0:0: [sdb] Write cache: enabled, read cache:
>> enabled, doesn't support DPO or FUA
>> [  149.706712] sd 6:0:0:0: [sdb] Attached SCSI disk
>> [  149.820933] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
>> [  149.837887] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc88
>> [  149.837895] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
>> with disabled ep ffff880036f3cc40
>> [  149.839242] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
>> [  155.752101] usb 3-1.5.6: reset high-speed USB device number 10 using ehci-pci
>> [  155.866642] cdc_acm 3-1.5.6:1.1: This device cannot do calls on its
>> own. It is not a modem.
>> [  155.866756] cdc_acm 3-1.5.6:1.1: ttyACM0: USB ACM device
>> [  155.867613] usb 3-1.5.6: usbfs: process 1521 (pool) did not claim
>> interface 0 before use
>> [  160.471327] pool[1680]: segfault at fffffffffc0e61c0 ip
>> 00007f570f036200 sp 00007f570639f0d0 error 5 in
>> libc-2.19.so[7f570efee000+19f000]
>>
>> Thanks!
>>
>
> Thanks, I see you already found bug 75521
> https://bugzilla.kernel.org/show_bug.cgi?id=75521
>
> I think this is the same cause.
> Currently I suspect that one halted endpoint is not handled before the entire device is reset.
> After device reset we try to handle the old halted endpoint that has a pointer to an invalid old dequeue state.
>
> I'll see if I can make a patch that clears all pending halted endpoint states (xhci software internal states) when a device is reset.
>
> If I send test patches to the bug can you try them out on top of 3.17-rc2?
>
> -Mathias



-- 
Ricardo Ribalda


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-28 12:36             ` Ricardo Ribalda Delgado
@ 2014-08-28 15:20               ` Mathias Nyman
  2014-08-28 15:09                 ` Ricardo Ribalda Delgado
  0 siblings, 1 reply; 20+ messages in thread
From: Mathias Nyman @ 2014-08-28 15:20 UTC (permalink / raw)
  To: Ricardo Ribalda Delgado; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

On 08/28/2014 03:36 PM, Ricardo Ribalda Delgado wrote:
> Hello Mathias
> 
> This is the dmesg output after your patch. No WARN(), no crash :), but
> still some weird messages:
> 
> [  146.511623] usb 2-2: new SuperSpeed USB device number 2 using xhci_hcd
> [  146.531652] usb 2-2: New USB device found, idVendor=0525, idProduct=a4a5
> [  146.531661] usb 2-2: New USB device strings: Mfr=3, Product=4, SerialNumber=0
> [  146.531666] usb 2-2: Product: Mass Storage Gadget
> [  146.531670] usb 2-2: Manufacturer: Linux 3.16.0-qtec-standard+ with net2280
> [  147.772743] usb-storage 2-2:1.0: USB Mass Storage device detected
> [  147.773018] usb-storage 2-2:1.0: Quirks match for vid 0525 pid a4a5: 10000
> [  147.773185] scsi host6: usb-storage 2-2:1.0
> [  147.773361] usbcore: registered new interface driver usb-storage
> [  147.788950] usbcore: registered new interface driver uas
> [  148.772699] scsi 6:0:0:0: Direct-Access     Linux    File-Stor
> Gadget 0316 PQ: 0 ANSI: 2
> [  148.773192] sd 6:0:0:0: Attached scsi generic sg2 type 0
> [  148.774860] sd 6:0:0:0: [sdb] 32768 512-byte logical blocks: (16.7
> MB/16.0 MiB)
> [  148.888294] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
> [  148.905202] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc88
> [  148.905207] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc40
> [  148.906324] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
> [  148.912639] sd 6:0:0:0: [sdb] Test WP failed, assume Write Enabled
> [  149.014972] sd 6:0:0:0: [sdb] Write cache: enabled, read cache:
> enabled, doesn't support DPO or FUA
> [  149.128640] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
> [  149.145953] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc88
> [  149.145963] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc40
> [  149.147525] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
> [  149.268626] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
> [  149.285563] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc88
> [  149.285573] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc40
> [  149.286904] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
> [  149.404621] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
> [  149.421397] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc88
> [  149.421404] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc40
> [  149.422855] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
> [  149.431667]  sdb: unknown partition table
> [  149.544713] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
> [  149.561649] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc88
> [  149.561658] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc40
> [  149.563021] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
> [  149.680733] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
> [  149.697766] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc88
> [  149.697774] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc40
> [  149.699025] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
> [  149.706700] sd 6:0:0:0: [sdb] Write cache: enabled, read cache:
> enabled, doesn't support DPO or FUA
> [  149.706712] sd 6:0:0:0: [sdb] Attached SCSI disk
> [  149.820933] usb 2-2: reset SuperSpeed USB device number 2 using xhci_hcd
> [  149.837887] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc88
> [  149.837895] xhci_hcd 0000:0e:00.0: xHCI xhci_drop_endpoint called
> with disabled ep ffff880036f3cc40
> [  149.839242] xhci_hcd 0000:0e:00.0: Error: Failed finding new dequeue state
> [  155.752101] usb 3-1.5.6: reset high-speed USB device number 10 using ehci-pci
> [  155.866642] cdc_acm 3-1.5.6:1.1: This device cannot do calls on its
> own. It is not a modem.
> [  155.866756] cdc_acm 3-1.5.6:1.1: ttyACM0: USB ACM device
> [  155.867613] usb 3-1.5.6: usbfs: process 1521 (pool) did not claim
> interface 0 before use
> [  160.471327] pool[1680]: segfault at fffffffffc0e61c0 ip
> 00007f570f036200 sp 00007f570639f0d0 error 5 in
> libc-2.19.so[7f570efee000+19f000]
> 
> Thanks!
> 

Thanks, I see you already found bug 75521 
https://bugzilla.kernel.org/show_bug.cgi?id=75521

I think this is the same cause.
Currently I suspect that one halted endpoint is not handled before the entire device is reset.
After device reset we try to handle the old halted endpoint that has a pointer to an invalid old dequeue state.

I'll see if I can make a patch that clears all pending halted endpoint states (xhci software internal states) when a device is reset.

If I send test patches to the bug can you try them out on top of 3.17-rc2?

-Mathias 


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-28 15:09                 ` Ricardo Ribalda Delgado
@ 2014-08-29 15:20                   ` Mathias Nyman
  2014-09-01  9:02                     ` Ricardo Ribalda Delgado
  0 siblings, 1 reply; 20+ messages in thread
From: Mathias Nyman @ 2014-08-29 15:20 UTC (permalink / raw)
  To: Ricardo Ribalda Delgado; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

On 08/28/2014 06:09 PM, Ricardo Ribalda Delgado wrote:
> Sure, but the hw leaves my desk until next Monday in 30 minutes.
> 
> So unless you send the patch right now you will have to wait for
> results until next Monday.
> 
> Thanks!
> 

Great, anytime you can test it is appreciated.
Added the patch to the bug:
https://bugzilla.kernel.org/show_bug.cgi?id=75521

Patch looks like this:

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index c020b09..7aee5a3 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3544,6 +3544,10 @@ int xhci_discover_or_reset_device(struct usb_hcd *hcd, struct usb_device *udev)
        for (i = 1; i < 31; ++i) {
                struct xhci_virt_ep *ep = &virt_dev->eps[i];
 
+               /* reset device sets ep states to disabled, also halted ones */
+               ep->ep_state &= ~(EP_HALTED || SET_DEQ_PENDING);
+               ep->stopped_td = NULL;
+
                if (ep->ep_state & EP_HAS_STREAMS) {
                        xhci_warn(xhci, "WARN: endpoint 0x%02x has streams on device reset, freeing streams.\n",
                                        xhci_get_endpoint_address(i));
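
Review bot: In the added line "ep->ep_state &= ~(EP_HALTED || SET_DEQ_PENDING);" the two flags are combined with the logical || operator, not the bitwise | operator. A logical OR evaluates to 1 whenever either macro is non-zero, so the mask becomes ~1 and the statement clears only bit 0 of ep_state, whichever flag that happens to be; the other flag stays set across the reset. To clear both, as the comment above the line intends, it should read "ep->ep_state &= ~(EP_HALTED | SET_DEQ_PENDING);". Any test run with the || version does not exercise the full intended clearing.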


-Mathias



* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-08-29 15:20                   ` Mathias Nyman
@ 2014-09-01  9:02                     ` Ricardo Ribalda Delgado
  2014-09-01  9:36                       ` Ricardo Ribalda Delgado
  0 siblings, 1 reply; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-09-01  9:02 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

Hello

The promised dmesg output. Still some "xhci_drop_endpoint called with..."

Thanks!

Sep  1 10:52:00 neopili kernel: [  193.123108] usb 2-2: new SuperSpeed
USB device number 2 using xhci_hcd
Sep  1 10:52:00 neopili kernel: [  193.142204] usb 2-2: New USB device
found, idVendor=0525, idProduct=a4a5
Sep  1 10:52:00 neopili kernel: [  193.142211] usb 2-2: New USB device
strings: Mfr=3, Product=4, SerialNumber=0
Sep  1 10:52:00 neopili kernel: [  193.142215] usb 2-2: Product: Mass
Storage Gadget
Sep  1 10:52:00 neopili kernel: [  193.142218] usb 2-2: Manufacturer:
Linux 3.16.0-qtec-standard+ with net2280
Sep  1 10:52:00 neopili systemd-udevd[221]: unknown key
'SYSFS{manufacturer}' in /etc/udev/rules.d/52-digilent-usb.rules:35
Sep  1 10:52:00 neopili systemd-udevd[221]: invalid rule
'/etc/udev/rules.d/52-digilent-usb.rules:35'
Sep  1 10:52:00 neopili systemd-udevd[221]: unknown key 'BUS' in
/lib/udev/rules.d/60-libgnuradio-fcd3.7.3.rules:2
Sep  1 10:52:00 neopili systemd-udevd[221]: invalid rule
'/lib/udev/rules.d/60-libgnuradio-fcd3.7.3.rules:2'
Sep  1 10:52:00 neopili systemd-udevd[1720]: failed to execute
'/lib/udev/mtp-probe' 'mtp-probe
/sys/devices/pci0000:00/0000:00:1c.6/0000:0e:00.0/usb2/2-2 2 2': No
such file or directory
Sep  1 10:52:00 neopili kernel: [  193.289553] usb-storage 2-2:1.0:
USB Mass Storage device detected
Sep  1 10:52:00 neopili kernel: [  193.289745] usb-storage 2-2:1.0:
Quirks match for vid 0525 pid a4a5: 10000
Sep  1 10:52:00 neopili kernel: [  193.289820] scsi host6: usb-storage 2-2:1.0
Sep  1 10:52:00 neopili kernel: [  193.289991] usbcore: registered new
interface driver usb-storage
Sep  1 10:52:00 neopili kernel: [  193.312632] usbcore: registered new
interface driver uas
Sep  1 10:52:01 neopili kernel: [  194.288067] scsi 6:0:0:0:
Direct-Access     Linux    File-Stor Gadget 0316 PQ: 0 ANSI: 2
Sep  1 10:52:01 neopili kernel: [  194.288957] sd 6:0:0:0: Attached
scsi generic sg2 type 0
Sep  1 10:52:01 neopili kernel: [  194.290003] sd 6:0:0:0: [sdb] 32768
512-byte logical blocks: (16.7 MB/16.0 MiB)
Sep  1 10:52:01 neopili kernel: [  194.403012] usb 2-2: reset
SuperSpeed USB device number 2 using xhci_hcd
Sep  1 10:52:01 neopili kernel: [  194.419901] xhci_hcd 0000:0e:00.0:
xHCI xhci_drop_endpoint called with disabled ep ffff8805e68915c8
Sep  1 10:52:01 neopili kernel: [  194.419907] xhci_hcd 0000:0e:00.0:
xHCI xhci_drop_endpoint called with disabled ep ffff8805e6891580
Sep  1 10:52:31 neopili kernel: [  224.908382] usb 2-2: reset
SuperSpeed USB device number 2 using xhci_hcd
Sep  1 10:52:31 neopili kernel: [  224.925090] xhci_hcd 0000:0e:00.0:
xHCI xhci_drop_endpoint called with disabled ep ffff8805e68915c8
Sep  1 10:52:31 neopili kernel: [  224.925100] xhci_hcd 0000:0e:00.0:
xHCI xhci_drop_endpoint called with disabled ep ffff8805e6891580
Sep  1 10:52:31 neopili kernel: [  224.926327] sd 6:0:0:0: [sdb] Write
Protect is off
Sep  1 10:52:31 neopili kernel: [  224.926336] sd 6:0:0:0: [sdb] Mode
Sense: 00 00 00 00

On Fri, Aug 29, 2014 at 5:20 PM, Mathias Nyman <mathias.nyman@intel.com> wrote:
> On 08/28/2014 06:09 PM, Ricardo Ribalda Delgado wrote:
>> Sure, but the hw leaves my desk until next monday in 30 minutes.
>>
>> So unless you send the patch right now you will have to wait for
>> results until next Monday
>>
>> Thanks!
>>
>
> Great, anytime you can test it is appreciated.
> Added the patch to the bug:
> https://bugzilla.kernel.org/show_bug.cgi?id=75521
>
> Patch looks like this:
>
> diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
> index c020b09..7aee5a3 100644
> --- a/drivers/usb/host/xhci.c
> +++ b/drivers/usb/host/xhci.c
> @@ -3544,6 +3544,10 @@ int xhci_discover_or_reset_device(struct usb_hcd *hcd, struct usb_device *udev)
>         for (i = 1; i < 31; ++i) {
>                 struct xhci_virt_ep *ep = &virt_dev->eps[i];
>
> +               /* reset device sets ep states to disabled, also halted ones */
> +               ep->ep_state &= ~(EP_HALTED || SET_DEQ_PENDING);
> +               ep->stopped_td = NULL;
> +
>                 if (ep->ep_state & EP_HAS_STREAMS) {
>                         xhci_warn(xhci, "WARN: endpoint 0x%02x has streams on device reset, freeing streams.\n",
>                                         xhci_get_endpoint_address(i));
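
Review bot: The comment on the added lines, "reset device sets ep states to disabled, also halted ones", describes what the reset does to the device but not what these lines do. They clear flags and stopped_td in the driver's own xhci_virt_ep bookkeeping, so the comment should say that the software state is being brought in line with the hardware after the reset, and why stopped_td has to be dropped together with the flags. Without that, a reader of xhci_discover_or_reset_device() cannot tell whether leaving the remaining ep_state bits untouched is deliberate.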
>
>
> -Mathias
>



-- 
Ricardo Ribalda


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-09-01  9:02                     ` Ricardo Ribalda Delgado
@ 2014-09-01  9:36                       ` Ricardo Ribalda Delgado
  2014-09-01 10:37                         ` Mathias Nyman
  0 siblings, 1 reply; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-09-01  9:36 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

After some time of use (one hour or so) my system started to behave
"weird". I did check  dmesg and I was receiving the following line
again and again:

usb-storage: Error in queuecommand_lck: us->sfb= ffff8805bd61ccc0

I did disconnect the usb device and the whole computer crashed :S



On Mon, Sep 1, 2014 at 11:02 AM, Ricardo Ribalda Delgado
<ricardo.ribalda@gmail.com> wrote:
> Hello
>
> The promised dmesg output. Still some "xhci_drop_endpoint called with..."
>
> Thanks!
>
>
> On Fri, Aug 29, 2014 at 5:20 PM, Mathias Nyman <mathias.nyman@intel.com> wrote:
>> On 08/28/2014 06:09 PM, Ricardo Ribalda Delgado wrote:
>>> Sure, but the hw leaves my desk until next monday in 30 minutes.
>>>
>>> So unless you send the patch right now you will have to wait for
>>> results until next Monday
>>>
>>> Thanks!
>>>
>>
>> Great, anytime you can test it is appreciated.
>> Added the patch to the bug:
>> https://bugzilla.kernel.org/show_bug.cgi?id=75521
>>
>> Patch looks like this:
>>
>> diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
>> index c020b09..7aee5a3 100644
>> --- a/drivers/usb/host/xhci.c
>> +++ b/drivers/usb/host/xhci.c
>> @@ -3544,6 +3544,10 @@ int xhci_discover_or_reset_device(struct usb_hcd *hcd, struct usb_device *udev)
>>         for (i = 1; i < 31; ++i) {
>>                 struct xhci_virt_ep *ep = &virt_dev->eps[i];
>>
>> +               /* reset device sets ep states to disabled, also halted ones */
>> +               ep->ep_state &= ~(EP_HALTED || SET_DEQ_PENDING);
>> +               ep->stopped_td = NULL;
>> +
>>                 if (ep->ep_state & EP_HAS_STREAMS) {
>>                         xhci_warn(xhci, "WARN: endpoint 0x%02x has streams on device reset, freeing streams.\n",
>>                                         xhci_get_endpoint_address(i));
>>
>>
>> -Mathias
>>
>
>
>
> --
> Ricardo Ribalda



-- 
Ricardo Ribalda


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-09-01 10:37                         ` Mathias Nyman
@ 2014-09-01 10:26                           ` Ricardo Ribalda Delgado
  2014-09-01 11:12                             ` Mathias Nyman
  2014-09-01 14:16                           ` Alan Stern
  1 sibling, 1 reply; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-09-01 10:26 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

Well, it is hard to say. rc2 without the patch showed more warnings,
but never crashed badly (queuecommand_lck....).

The sample size is not big enough. Maybe rc2 also has the
queuecommand_lck bug, but I haven't hit it.

On Mon, Sep 1, 2014 at 12:37 PM, Mathias Nyman <mathias.nyman@intel.com> wrote:
> On 09/01/2014 12:36 PM, Ricardo Ribalda Delgado wrote:
>> After some time of use (one hour or so) my system started to behave
>> "weird". I did check  dmesg and I was receiving the following line
>> again and again:
>>
>> usb-storage: Error in queuecommand_lck: us->sfb= ffff8805bd61ccc0
>>
>> I did disconnect the usb device and the whole computer crashed :S
>>
>
> Ok, thanks.
>
> Would you say things work better after the patch?
>
> I still think the patch solves part of the issue, i.e. how we handle halted endpoints
> in reset, but I don't know the reason why the endpoints stall in the first place
>
> -Mathias
>
>



-- 
Ricardo Ribalda


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-09-01  9:36                       ` Ricardo Ribalda Delgado
@ 2014-09-01 10:37                         ` Mathias Nyman
  2014-09-01 10:26                           ` Ricardo Ribalda Delgado
  2014-09-01 14:16                           ` Alan Stern
  0 siblings, 2 replies; 20+ messages in thread
From: Mathias Nyman @ 2014-09-01 10:37 UTC (permalink / raw)
  To: Ricardo Ribalda Delgado; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

On 09/01/2014 12:36 PM, Ricardo Ribalda Delgado wrote:
> After some time of use (one hour or so) my system started to behave
> "weird". I did check  dmesg and I was receiving the following line
> again and again:
> 
> usb-storage: Error in queuecommand_lck: us->sfb= ffff8805bd61ccc0
> 
> I did disconnect the usb device and the whole computer crashed :S
> 

Ok, thanks.

Would you say things work better after the patch?

I still think the patch solves part of the issue, i.e. how we handle halted endpoints
in reset, but I don't know the reason why the endpoints stall in the first place

-Mathias




* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-09-01 10:26                           ` Ricardo Ribalda Delgado
@ 2014-09-01 11:12                             ` Mathias Nyman
  2014-09-01 11:19                               ` Ricardo Ribalda Delgado
  0 siblings, 1 reply; 20+ messages in thread
From: Mathias Nyman @ 2014-09-01 11:12 UTC (permalink / raw)
  To: Ricardo Ribalda Delgado; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

On 09/01/2014 01:26 PM, Ricardo Ribalda Delgado wrote:
> Well, it is hard to say. rc2 without the patch showed more warnings,
> but never crashed badly (queuecommand_lck....).
> 
> The sample size is not big enough. Maybe rc2 also has the
> queuecommand_lck bug, but I haven't hit it.
> 

Ok, I won't submit it as I now know what really is going on.

I asked for one of the devices that can trigger this bug,
https://bugzilla.kernel.org/show_bug.cgi?id=75521

I'll know more when I can get my hands on it

-Mathias


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-09-01 11:12                             ` Mathias Nyman
@ 2014-09-01 11:19                               ` Ricardo Ribalda Delgado
  2014-09-01 12:25                                 ` Mathias Nyman
  0 siblings, 1 reply; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-09-01 11:19 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

Do you have a NEC/Renesas uPD720200 USB 3.0 Host?

If so, try with a usb gadget acting as a mass storage. That hits the
bug in my machine.

Regards!

On Mon, Sep 1, 2014 at 1:12 PM, Mathias Nyman <mathias.nyman@intel.com> wrote:
> On 09/01/2014 01:26 PM, Ricardo Ribalda Delgado wrote:
>> Well, it is hard to say. rc2 without the patch showed more warnings,
>> but never crashed badly (queuecommand_lck....).
>>
>> The sample size is not big enough. Maybe rc2 also has the
>> queuecommand_lck bug, but I haven't hit it.
>>
>
> Ok, I won't submit it as I now know what really is going on.
>
> I asked for one of the devices that can trigger this bug,
> https://bugzilla.kernel.org/show_bug.cgi?id=75521
>
> I'll know more when I can get my hands on it
>
> -Mathias



-- 
Ricardo Ribalda


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-09-01 12:25                                 ` Mathias Nyman
@ 2014-09-01 12:14                                   ` Ricardo Ribalda Delgado
  0 siblings, 0 replies; 20+ messages in thread
From: Ricardo Ribalda Delgado @ 2014-09-01 12:14 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Mathias Nyman, Greg Kroah-Hartman, Linux USB Mailing List, LKML

I could offer you a net3380 usb gadget device (mini pcie or pcie) but
the uPD720200 is my notebook, so I cannot afford an extra one for you
:)

On Mon, Sep 1, 2014 at 2:25 PM, Mathias Nyman
<mathias.nyman@linux.intel.com> wrote:
> On 09/01/2014 02:19 PM, Ricardo Ribalda Delgado wrote:
>> Do you have a NEC/Renesas uPD720200 USB 3.0 Host?
>>
>> If so, try with a usb gadget acting as a mass storage. That hits the
>> bug in my machine.
>>
>
> Thanks for the tip, but currently I only got Intel hosts.
>
> btw I earlier meant to say that I _don't_ know what's going on yet.
>
> -Mathias
>
>



-- 
Ricardo Ribalda


* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-09-01 11:19                               ` Ricardo Ribalda Delgado
@ 2014-09-01 12:25                                 ` Mathias Nyman
  2014-09-01 12:14                                   ` Ricardo Ribalda Delgado
  0 siblings, 1 reply; 20+ messages in thread
From: Mathias Nyman @ 2014-09-01 12:25 UTC (permalink / raw)
  To: Ricardo Ribalda Delgado, Mathias Nyman
  Cc: Greg Kroah-Hartman, Linux USB Mailing List, LKML

On 09/01/2014 02:19 PM, Ricardo Ribalda Delgado wrote:
> Do you have a NEC/Renesas uPD720200 USB 3.0 Host?
> 
> If so, try with a usb gadget acting as a mass storage. That hits the
> bug in my machine.
> 

Thanks for the tip, but currently I only got Intel hosts.

btw I earlier meant to say that I _don't_ know what's going on yet.

-Mathias 




* Re: [PATCH] xhci-ring: Fix Null pointer dereference
  2014-09-01 10:37                         ` Mathias Nyman
  2014-09-01 10:26                           ` Ricardo Ribalda Delgado
@ 2014-09-01 14:16                           ` Alan Stern
  1 sibling, 0 replies; 20+ messages in thread
From: Alan Stern @ 2014-09-01 14:16 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Ricardo Ribalda Delgado, Greg Kroah-Hartman,
	Linux USB Mailing List, LKML

On Mon, 1 Sep 2014, Mathias Nyman wrote:

> On 09/01/2014 12:36 PM, Ricardo Ribalda Delgado wrote:
> > After some time of use (one hour or so) my system started to behave
> > "weird". I did check  dmesg and I was receiving the following line
> > again and again:
> > 
> > usb-storage: Error in queuecommand_lck: us->sfb= ffff8805bd61ccc0

This is probably caused by some transfer not occurring correctly.  With 
a usbmon trace we could see what was going on.

> > I did disconnect the usb device and the whole computer crashed :S
> > 
> 
> Ok, thanks.
> 
> Would you say things work better after the patch?
> 
> I still think the patch solves part of the issue, i.e. how we handle halted endpoints
> in reset, but I don't know the reason why the endpoints stall in the first place

The endpoint stall occurs because the device's protocol requires the
endpoint to stall.  The reason doesn't matter; xhci-hcd should handle 
stalls correctly whenever they occur.

Alan Stern

