* kernel v5.19 warn in usb_ep_queue @ 2022-08-11 2:12 Rondreis 2022-08-11 16:52 ` Alan Stern 2022-09-20 18:16 ` Alan Stern 0 siblings, 2 replies; 7+ messages in thread From: Rondreis @ 2022-08-11 2:12 UTC (permalink / raw) To: balbi, andriy.shevchenko, jakobkoschel, quic_wcheng, linux-kernel, linux-usb Hello, When fuzzing the Linux kernel driver 5.19.0-rc4-00208-g69cb6c6556ad, the following crash was triggered. HEAD commit: 4b0986a3613c92f4ec1bdc7f60ec66fea135991f (HEAD, tag: v5.18) git tree: upstream kernel config: https://pastebin.com/KecL2gaG C reproducer: https://pastebin.com/wLDJ9cnP console output: https://pastebin.com/t0r8EwTw Basically, in the c reproducer, we use the gadget module to emulate the process of attaching a usb device (vendor id: 0xbaf, product id: 0x121, with function: midi and ms_null). To reproduce this crash, we utilize a third-party library to emulate the attaching process: https://github.com/linux-usb-gadgets/libusbgx. Just clone this repository, make install it, and compile the c reproducer with ``` gcc crash.c -lusbgx -o crash ``` will do the trick. It seems that an error state in struct usb_ep trigger such kernel warning. The crash report is as follow: ``` ------------[ cut here ]------------ ------------[ cut here ]------------ WARNING: CPU: 3 PID: 3442 at drivers/usb/gadget/udc/core.c:283 usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283 Modules linked in: CPU: 3 PID: 3442 Comm: file-storage Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283 Code: 46 05 0f 92 c3 31 ff 89 de e8 f1 e9 49 fd 84 db 0f 85 16 01 00 00 e8 c4 e8 49 fd 44 89 e0 5b 5d 41 5c 41 5d c3 e8 b5 e8 49 fd <0f> 0b 41 bc 94 ff ff ff e9 73 ff ff ff e8 a3 e8 49 fd 65 8b 1d cc RSP: 0018:ffffc9000490fd00 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffff888110e0d580 RDX: 0000000000000000 RSI: ffff888110e0d580 RDI: 0000000000000002 RBP: ffff88810ae84158 R08: ffffffff83fb31eb R09: 0000000000000000 R10: 0000000000000001 R11: ffffed10221c1ab0 R12: 0000000000000cc0 R13: ffff888111843f10 R14: ffff888111843f10 R15: ffff88811084e000 FS: 0000000000000000(0000) GS:ffff88811a980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f841985e020 CR3: 000000010d19a000 CR4: 0000000000350ee0 Call Trace: <TASK> start_transfer.isra.0+0x26/0x100 drivers/usb/gadget/function/f_mass_storage.c:527 start_out_transfer.isra.0+0xf0/0x1b0 drivers/usb/gadget/function/f_mass_storage.c:560 get_next_command drivers/usb/gadget/function/f_mass_storage.c:2249 [inline] fsg_main_thread+0x377/0x6fc0 drivers/usb/gadget/function/f_mass_storage.c:2572 kthread+0x2ef/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 </TASK> ``` ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: kernel v5.19 warn in usb_ep_queue 2022-08-11 2:12 kernel v5.19 warn in usb_ep_queue Rondreis @ 2022-08-11 16:52 ` Alan Stern 2022-09-20 18:16 ` Alan Stern 1 sibling, 0 replies; 7+ messages in thread From: Alan Stern @ 2022-08-11 16:52 UTC (permalink / raw) To: Rondreis Cc: balbi, andriy.shevchenko, jakobkoschel, quic_wcheng, linux-kernel, linux-usb On Thu, Aug 11, 2022 at 10:12:04AM +0800, Rondreis wrote: > Hello, > > When fuzzing the Linux kernel driver 5.19.0-rc4-00208-g69cb6c6556ad, > the following crash was triggered. > > HEAD commit: 4b0986a3613c92f4ec1bdc7f60ec66fea135991f (HEAD, tag: v5.18) Why does this say v5.18 if the kernel you were testing was 5.19? > git tree: upstream > > kernel config: https://pastebin.com/KecL2gaG > C reproducer: https://pastebin.com/wLDJ9cnP > console output: https://pastebin.com/t0r8EwTw This link is bad. The pastebin.com page contains a second copy of the C reproducer, not the console output. Alan Stern > > Basically, in the c reproducer, we use the gadget module to emulate > the process of attaching a usb device (vendor id: 0xbaf, product id: > 0x121, with function: midi and ms_null). > To reproduce this crash, we utilize a third-party library to emulate > the attaching process: https://github.com/linux-usb-gadgets/libusbgx. > Just clone this repository, make install it, and compile the c > reproducer with ``` gcc crash.c -lusbgx -o crash ``` will do the > trick. > > It seems that an error state in struct usb_ep trigger such kernel warning. > > The crash report is as follow: > > ``` > ------------[ cut here ]------------ > ------------[ cut here ]------------ > WARNING: CPU: 3 PID: 3442 at drivers/usb/gadget/udc/core.c:283 > usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283 > Modules linked in: > CPU: 3 PID: 3442 Comm: file-storage Not tainted > 5.19.0-rc4-00208-g69cb6c6556ad #1 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > 1.13.0-1ubuntu1.1 04/01/2014 > RIP: 0010:usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283 > Code: 46 05 0f 92 c3 31 ff 89 de e8 f1 e9 49 fd 84 db 0f 85 16 01 00 > 00 e8 c4 e8 49 fd 44 89 e0 5b 5d 41 5c 41 5d c3 e8 b5 e8 49 fd <0f> 0b > 41 bc 94 ff ff ff e9 73 ff ff ff e8 a3 e8 49 fd 65 8b 1d cc > RSP: 0018:ffffc9000490fd00 EFLAGS: 00010246 > RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffff888110e0d580 > RDX: 0000000000000000 RSI: ffff888110e0d580 RDI: 0000000000000002 > RBP: ffff88810ae84158 R08: ffffffff83fb31eb R09: 0000000000000000 > R10: 0000000000000001 R11: ffffed10221c1ab0 R12: 0000000000000cc0 > R13: ffff888111843f10 R14: ffff888111843f10 R15: ffff88811084e000 > FS: 0000000000000000(0000) GS:ffff88811a980000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f841985e020 CR3: 000000010d19a000 CR4: 0000000000350ee0 > Call Trace: > <TASK> > start_transfer.isra.0+0x26/0x100 > drivers/usb/gadget/function/f_mass_storage.c:527 > start_out_transfer.isra.0+0xf0/0x1b0 > drivers/usb/gadget/function/f_mass_storage.c:560 > get_next_command drivers/usb/gadget/function/f_mass_storage.c:2249 [inline] > fsg_main_thread+0x377/0x6fc0 drivers/usb/gadget/function/f_mass_storage.c:2572 > kthread+0x2ef/0x3a0 kernel/kthread.c:376 > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 > </TASK> > > > ``` ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: kernel v5.19 warn in usb_ep_queue 2022-08-11 2:12 kernel v5.19 warn in usb_ep_queue Rondreis 2022-08-11 16:52 ` Alan Stern @ 2022-09-20 18:16 ` Alan Stern 2022-09-21 15:00 ` Rondreis 1 sibling, 1 reply; 7+ messages in thread From: Alan Stern @ 2022-09-20 18:16 UTC (permalink / raw) To: Rondreis Cc: balbi, andriy.shevchenko, jakobkoschel, quic_wcheng, linux-kernel, linux-usb On Thu, Aug 11, 2022 at 10:12:04AM +0800, Rondreis wrote: > Hello, > > When fuzzing the Linux kernel driver 5.19.0-rc4-00208-g69cb6c6556ad, > the following crash was triggered. > > HEAD commit: 4b0986a3613c92f4ec1bdc7f60ec66fea135991f (HEAD, tag: v5.18) > git tree: upstream > > kernel config: https://pastebin.com/KecL2gaG > C reproducer: https://pastebin.com/wLDJ9cnP > console output: https://pastebin.com/t0r8EwTw > > Basically, in the c reproducer, we use the gadget module to emulate > the process of attaching a usb device (vendor id: 0xbaf, product id: > 0x121, with function: midi and ms_null). > To reproduce this crash, we utilize a third-party library to emulate > the attaching process: https://github.com/linux-usb-gadgets/libusbgx. > Just clone this repository, make install it, and compile the c > reproducer with ``` gcc crash.c -lusbgx -o crash ``` will do the > trick. > > It seems that an error state in struct usb_ep trigger such kernel warning. > > The crash report is as follow: > > ``` > ------------[ cut here ]------------ > ------------[ cut here ]------------ > WARNING: CPU: 3 PID: 3442 at drivers/usb/gadget/udc/core.c:283 > usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283 > Modules linked in: > CPU: 3 PID: 3442 Comm: file-storage Not tainted > 5.19.0-rc4-00208-g69cb6c6556ad #1 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > 1.13.0-1ubuntu1.1 04/01/2014 > RIP: 0010:usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283 > Code: 46 05 0f 92 c3 31 ff 89 de e8 f1 e9 49 fd 84 db 0f 85 16 01 00 > 00 e8 c4 e8 49 fd 44 89 e0 5b 5d 41 5c 41 5d c3 e8 b5 e8 49 fd <0f> 0b > 41 bc 94 ff ff ff e9 73 ff ff ff e8 a3 e8 49 fd 65 8b 1d cc > RSP: 0018:ffffc9000490fd00 EFLAGS: 00010246 > RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffff888110e0d580 > RDX: 0000000000000000 RSI: ffff888110e0d580 RDI: 0000000000000002 > RBP: ffff88810ae84158 R08: ffffffff83fb31eb R09: 0000000000000000 > R10: 0000000000000001 R11: ffffed10221c1ab0 R12: 0000000000000cc0 > R13: ffff888111843f10 R14: ffff888111843f10 R15: ffff88811084e000 > FS: 0000000000000000(0000) GS:ffff88811a980000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f841985e020 CR3: 000000010d19a000 CR4: 0000000000350ee0 > Call Trace: > <TASK> > start_transfer.isra.0+0x26/0x100 > drivers/usb/gadget/function/f_mass_storage.c:527 > start_out_transfer.isra.0+0xf0/0x1b0 > drivers/usb/gadget/function/f_mass_storage.c:560 > get_next_command drivers/usb/gadget/function/f_mass_storage.c:2249 [inline] > fsg_main_thread+0x377/0x6fc0 drivers/usb/gadget/function/f_mass_storage.c:2572 > kthread+0x2ef/0x3a0 kernel/kthread.c:376 > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 > </TASK> Can you please try to recreate this bug after applying the diagnostic patch below? I'd like to see what output it produces in the kernel log. Alan Stern Index: usb-devel/drivers/usb/gadget/function/f_mass_storage.c =================================================================== --- usb-devel.orig/drivers/usb/gadget/function/f_mass_storage.c +++ usb-devel/drivers/usb/gadget/function/f_mass_storage.c @@ -415,6 +415,7 @@ static void bulk_in_complete(struct usb_ struct fsg_common *common = ep->driver_data; struct fsg_buffhd *bh = req->context; + dev_info(&common->gadget->dev, "Bulk in complete %p\n", bh); if (req->status || req->actual != req->length) DBG(common, "%s --> %d, %u/%u\n", __func__, req->status, req->actual, req->length); @@ -431,6 +432,7 @@ static void bulk_out_complete(struct usb struct fsg_common *common = ep->driver_data; struct fsg_buffhd *bh = req->context; + dev_info(&common->gadget->dev, "Bulk out complete %p\n", bh); dump_msg(common, "bulk-out", req->buf, req->actual); if (req->status || req->actual != bh->bulk_out_intended_length) DBG(common, "%s --> %d, %u/%u\n", __func__, @@ -547,6 +549,7 @@ static bool start_in_transfer(struct fsg if (!fsg_is_set(common)) return false; bh->state = BUF_STATE_SENDING; + dev_info(&common->gadget->dev, "Bulk in start %p\n", bh); if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq)) bh->state = BUF_STATE_EMPTY; return true; @@ -557,6 +560,7 @@ static bool start_out_transfer(struct fs if (!fsg_is_set(common)) return false; bh->state = BUF_STATE_RECEIVING; + dev_info(&common->gadget->dev, "Bulk out start %p\n", bh); if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq)) bh->state = BUF_STATE_FULL; return true; @@ -2310,10 +2314,12 @@ reset: /* Disable the endpoints */ if (fsg->bulk_in_enabled) { + dev_info(&fsg->gadget->dev, "Disable bulk in A\n"); usb_ep_disable(fsg->bulk_in); fsg->bulk_in_enabled = 0; } if (fsg->bulk_out_enabled) { + dev_info(&fsg->gadget->dev, "Disable bulk out A\n"); usb_ep_disable(fsg->bulk_out); fsg->bulk_out_enabled = 0; } @@ -2333,6 +2339,7 @@ reset: rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in); if (rc) goto reset; + dev_info(&fsg->gadget->dev, "Enable bulk in\n"); rc = usb_ep_enable(fsg->bulk_in); if (rc) goto reset; @@ -2343,6 +2350,7 @@ reset: fsg->bulk_out); if (rc) goto reset; + dev_info(&fsg->gadget->dev, "Enable bulk out\n"); rc = usb_ep_enable(fsg->bulk_out); if (rc) goto reset; @@ -2392,10 +2400,12 @@ static void fsg_disable(struct usb_funct /* Disable the endpoints */ if (fsg->bulk_in_enabled) { + dev_info(&fsg->gadget->dev, "Disable bulk in B\n"); usb_ep_disable(fsg->bulk_in); fsg->bulk_in_enabled = 0; } if (fsg->bulk_out_enabled) { + dev_info(&fsg->gadget->dev, "Disable bulk out B\n"); usb_ep_disable(fsg->bulk_out); fsg->bulk_out_enabled = 0; } ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: kernel v5.19 warn in usb_ep_queue 2022-09-20 18:16 ` Alan Stern @ 2022-09-21 15:00 ` Rondreis 2022-09-21 16:01 ` Alan Stern 0 siblings, 1 reply; 7+ messages in thread From: Rondreis @ 2022-09-21 15:00 UTC (permalink / raw) To: Alan Stern Cc: balbi, andriy.shevchenko, jakobkoschel, quic_wcheng, linux-kernel, linux-usb Thanks for your reply! I applied this patch in v5.19 and the reproducer just attached a composite device with network and mass storage functions. The output of the kernel is as follows: [ 1545.764824][ T29] kauditd_printk_skb: 10 callbacks suppressed [ 1557.637709][ T7391] cgroup: Unknown subsys name 'net' [ 1557.641365][ T7391] cgroup: Unknown subsys name 'rlimit' [ 1557.684875][ T29] audit: type=1800 audit(1663769132.086:80): pid=7416 uid=0 auid=0 ses=2 subj==unconfined op=collect_data cause=failed comm="executor.0" name="UDC" dev="co0 [ 1558.186936][ T29] audit: type=1800 audit(1663769132.586:81): pid=7416 uid=0 auid=0 ses=2 subj==unconfined op=collect_data cause=failed comm="executor.0" name="UDC" dev="co0 [ 1558.188217][ T29] audit: type=1800 audit(1663769132.586:82): pid=7416 uid=0 auid=0 ses=2 subj==unconfined op=collect_data cause=failed comm="executor.0" name="UDC" dev="co0 [ 1558.193766][ T7416] using random self ethernet address [ 1558.193959][ T7416] using random host ethernet address [ 1558.194319][ T7416] Mass Storage Function, version: 2009/09/11 [ 1558.194535][ T7416] LUN: removable file: (no medium) [ 1558.201875][ T7416] usb0: HOST MAC 0e:a1:b6:f7:1a:97 [ 1558.202118][ T7416] usb0: MAC ce:6c:9e:d1:14:db [ 1558.468458][ T24] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 1558.828060][ T24] usb 2-1: Dual-Role OTG device on HNP port [ 1558.848060][ T24] usb 2-1: New USB device found, idVendor=03f0, idProduct=0107, bcdDevice= 2.00 [ 1558.848620][ T24] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1558.849102][ T24] usb 2-1: Product: Bar Gadget [ 1558.849407][ T24] usb 2-1: Manufacturer: Foo Inc. [ 1558.849722][ T24] usb 2-1: SerialNumber: 12345678 [ 1558.868398][ T7423] configfs-gadget gadget.1: Enable bulk in [ 1558.868675][ T7423] configfs-gadget gadget.1: Enable bulk out [ 1558.868957][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 [ 1558.952998][ T24] cdc_eem 2-1:1.0 usb1: register 'cdc_eem' at usb-dummy_hcd.1-1, CDC EEM Device, 72:47:e4:74:0b:8e [ 1558.968402][ T24] usb-storage 2-1:1.1: USB Mass Storage device detected [ 1558.976267][ T24] scsi host2: usb-storage 2-1:1.1 [ 1560.028547][ T7470] cdc_eem 2-1:1.0 usb1: unregister 'cdc_eem' usb-dummy_hcd.1-1, CDC EEM Device [ 1560.078980][ T7470] configfs-gadget gadget.1: Bulk out complete ffff8881279f0b00 [ 1560.080226][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 [ 1560.080617][ T7470] configfs-gadget gadget.1: Disable bulk in B [ 1560.080820][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 [ 1560.081456][ T7470] configfs-gadget gadget.1: Disable bulk out B [ 1560.081950][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 [ 1560.083056][ T7423] ------------[ cut here ]------------ [ 1560.083386][ T7423] WARNING: CPU: 0 PID: 7423 at drivers/usb/gadget/udc/core.c:283 usb_ep_queue+0x9b/0x3b0 [ 1560.083968][ T7423] Modules linked in: [ 1560.084163][ T7423] CPU: 0 PID: 7423 Comm: file-storage Not tainted 5.19.0+ #15 [ 1560.084522][ T7423] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 [ 1560.085169][ T7423] RIP: 0010:usb_ep_queue+0x9b/0x3b0 [ 1560.085512][ T7423] Code: 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 db 02 00 00 44 0f b6 6b 35 31 ff 44 89 ee e8 af 41 b2 fb 45 84 ed 74 0e e8 55 46 b2 fb <0f> 0b bd 94 ff ff ff eb0 [ 1560.086782][ T7423] RSP: 0018:ffffc900043efd00 EFLAGS: 00010293 [ 1560.087104][ T7423] RAX: 0000000000000000 RBX: ffff888110abc2c0 RCX: 0000000000000000 [ 1560.087600][ T7423] RDX: ffff88807e9f3800 RSI: ffffffff85c6d79b RDI: 0000000000000001 [ 1560.088798][ T7423] RBP: 0000000000000cc0 R08: 0000000000000001 R09: 0000000000000000 [ 1560.089461][ T7423] R10: 0000000000000007 R11: 0000000000000000 R12: ffff88811c2bcf10 [ 1560.090090][ T7423] R13: 0000000000000007 R14: ffff88812505e000 R15: dffffc0000000000 [ 1560.090721][ T7423] FS: 0000000000000000(0000) GS:ffff888128c00000(0000) knlGS:0000000000000000 [ 1560.091455][ T7423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1560.091982][ T7423] CR2: 00007f2fbc03f0c8 CR3: 000000011ee22000 CR4: 00000000000006f0 [ 1560.092632][ T7423] Call Trace: [ 1560.092914][ T7423] <TASK> [ 1560.093153][ T7423] start_transfer+0x24/0x14f [ 1560.093523][ T7423] start_out_transfer.part.0+0xf1/0x13d [ 1560.093987][ T7423] fsg_main_thread+0x385/0x1460 [ 1560.094395][ T7423] ? __kthread_parkme+0xc4/0x210 [ 1560.094810][ T7423] ? reacquire_held_locks+0x4b0/0x4b0 [ 1560.095241][ T7423] ? do_set_interface.isra.0+0x530/0x530 [ 1560.095713][ T7423] ? __kthread_parkme+0x14e/0x210 [ 1560.096136][ T7423] ? do_set_interface.isra.0+0x530/0x530 [ 1560.096590][ T7423] kthread+0x2e0/0x390 [ 1560.096929][ T7423] ? kthread_complete_and_exit+0x40/0x40 [ 1560.097404][ T7423] ret_from_fork+0x1f/0x30 [ 1560.097786][ T7423] </TASK> [ 1560.098792][ T7423] Kernel panic - not syncing: panic_on_warn set ... [ 1560.099342][ T7423] CPU: 0 PID: 7423 Comm: file-storage Not tainted 5.19.0+ #15 [ 1560.099938][ T7423] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 [ 1560.100752][ T7423] Call Trace: [ 1560.101031][ T7423] <TASK> [ 1560.101275][ T7423] dump_stack_lvl+0xfc/0x174 [ 1560.101660][ T7423] panic+0x2cf/0x61f [ 1560.101990][ T7423] ? panic_print_sys_info.part.0+0x10b/0x10b [ 1560.102522][ T7423] ? __warn.cold+0xcd/0x2cc [ 1560.102910][ T7423] ? usb_ep_queue+0x9b/0x3b0 [ 1560.103301][ T7423] __warn.cold+0xde/0x2cc [ 1560.103661][ T7423] ? usb_ep_queue+0x9b/0x3b0 [ 1560.104044][ T7423] report_bug+0x1b7/0x240 [ 1560.104425][ T7423] handle_bug+0x3c/0x60 [ 1560.104762][ T7423] exc_invalid_op+0x13/0x40 [ 1560.105129][ T7423] asm_exc_invalid_op+0x16/0x20 [ 1560.105525][ T7423] RIP: 0010:usb_ep_queue+0x9b/0x3b0 [ 1560.105951][ T7423] Code: 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 db 02 00 00 44 0f b6 6b 35 31 ff 44 89 ee e8 af 41 b2 fb 45 84 ed 74 0e e8 55 46 b2 fb <0f> 0b bd 94 ff ff ff eb0 [ 1560.107487][ T7423] RSP: 0018:ffffc900043efd00 EFLAGS: 00010293 [ 1560.107978][ T7423] RAX: 0000000000000000 RBX: ffff888110abc2c0 RCX: 0000000000000000 [ 1560.108633][ T7423] RDX: ffff88807e9f3800 RSI: ffffffff85c6d79b RDI: 0000000000000001 [ 1560.109247][ T7423] RBP: 0000000000000cc0 R08: 0000000000000001 R09: 0000000000000000 [ 1560.109896][ T7423] R10: 0000000000000007 R11: 0000000000000000 R12: ffff88811c2bcf10 [ 1560.110538][ T7423] R13: 0000000000000007 R14: ffff88812505e000 R15: dffffc0000000000 [ 1560.111167][ T7423] ? usb_ep_queue+0x9b/0x3b0 [ 1560.111551][ T7423] start_transfer+0x24/0x14f [ 1560.111940][ T7423] start_out_transfer.part.0+0xf1/0x13d [ 1560.112406][ T7423] fsg_main_thread+0x385/0x1460 [ 1560.112800][ T7423] ? __kthread_parkme+0xc4/0x210 [ 1560.113045][ T7423] ? reacquire_held_locks+0x4b0/0x4b0 [ 1560.113303][ T7423] ? do_set_interface.isra.0+0x530/0x530 [ 1560.113586][ T7423] ? __kthread_parkme+0x14e/0x210 [ 1560.113834][ T7423] ? do_set_interface.isra.0+0x530/0x530 [ 1560.114103][ T7423] kthread+0x2e0/0x390 [ 1560.114301][ T7423] ? kthread_complete_and_exit+0x40/0x40 [ 1560.114587][ T7423] ret_from_fork+0x1f/0x30 [ 1560.114813][ T7423] </TASK> [ 1560.115078][ T7423] Kernel Offset: disabled [ 1560.115319][ T7423] Rebooting in 86400 seconds.. On Wed, Sep 21, 2022 at 2:16 AM Alan Stern <stern@rowland.harvard.edu> wrote: > > On Thu, Aug 11, 2022 at 10:12:04AM +0800, Rondreis wrote: > > Hello, > > > > When fuzzing the Linux kernel driver 5.19.0-rc4-00208-g69cb6c6556ad, > > the following crash was triggered. > > > > HEAD commit: 4b0986a3613c92f4ec1bdc7f60ec66fea135991f (HEAD, tag: v5.18) > > git tree: upstream > > > > kernel config: https://pastebin.com/KecL2gaG > > C reproducer: https://pastebin.com/wLDJ9cnP > > console output: https://pastebin.com/t0r8EwTw > > > > Basically, in the c reproducer, we use the gadget module to emulate > > the process of attaching a usb device (vendor id: 0xbaf, product id: > > 0x121, with function: midi and ms_null). > > To reproduce this crash, we utilize a third-party library to emulate > > the attaching process: https://github.com/linux-usb-gadgets/libusbgx. > > Just clone this repository, make install it, and compile the c > > reproducer with ``` gcc crash.c -lusbgx -o crash ``` will do the > > trick. > > > > It seems that an error state in struct usb_ep trigger such kernel warning. > > > > The crash report is as follow: > > > > ``` > > ------------[ cut here ]------------ > > ------------[ cut here ]------------ > > WARNING: CPU: 3 PID: 3442 at drivers/usb/gadget/udc/core.c:283 > > usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283 > > Modules linked in: > > CPU: 3 PID: 3442 Comm: file-storage Not tainted > > 5.19.0-rc4-00208-g69cb6c6556ad #1 > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > > 1.13.0-1ubuntu1.1 04/01/2014 > > RIP: 0010:usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283 > > Code: 46 05 0f 92 c3 31 ff 89 de e8 f1 e9 49 fd 84 db 0f 85 16 01 00 > > 00 e8 c4 e8 49 fd 44 89 e0 5b 5d 41 5c 41 5d c3 e8 b5 e8 49 fd <0f> 0b > > 41 bc 94 ff ff ff e9 73 ff ff ff e8 a3 e8 49 fd 65 8b 1d cc > > RSP: 0018:ffffc9000490fd00 EFLAGS: 00010246 > > RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffff888110e0d580 > > RDX: 0000000000000000 RSI: ffff888110e0d580 RDI: 0000000000000002 > > RBP: ffff88810ae84158 R08: ffffffff83fb31eb R09: 0000000000000000 > > R10: 0000000000000001 R11: ffffed10221c1ab0 R12: 0000000000000cc0 > > R13: ffff888111843f10 R14: ffff888111843f10 R15: ffff88811084e000 > > FS: 0000000000000000(0000) GS:ffff88811a980000(0000) knlGS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > CR2: 00007f841985e020 CR3: 000000010d19a000 CR4: 0000000000350ee0 > > Call Trace: > > <TASK> > > start_transfer.isra.0+0x26/0x100 > > drivers/usb/gadget/function/f_mass_storage.c:527 > > start_out_transfer.isra.0+0xf0/0x1b0 > > drivers/usb/gadget/function/f_mass_storage.c:560 > > get_next_command drivers/usb/gadget/function/f_mass_storage.c:2249 [inline] > > fsg_main_thread+0x377/0x6fc0 drivers/usb/gadget/function/f_mass_storage.c:2572 > > kthread+0x2ef/0x3a0 kernel/kthread.c:376 > > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 > > </TASK> > > Can you please try to recreate this bug after applying the diagnostic > patch below? I'd like to see what output it produces in the kernel log. > > Alan Stern > > > Index: usb-devel/drivers/usb/gadget/function/f_mass_storage.c > =================================================================== > --- usb-devel.orig/drivers/usb/gadget/function/f_mass_storage.c > +++ usb-devel/drivers/usb/gadget/function/f_mass_storage.c > @@ -415,6 +415,7 @@ static void bulk_in_complete(struct usb_ > struct fsg_common *common = ep->driver_data; > struct fsg_buffhd *bh = req->context; > > + dev_info(&common->gadget->dev, "Bulk in complete %p\n", bh); > if (req->status || req->actual != req->length) > DBG(common, "%s --> %d, %u/%u\n", __func__, > req->status, req->actual, req->length); > @@ -431,6 +432,7 @@ static void bulk_out_complete(struct usb > struct fsg_common *common = ep->driver_data; > struct fsg_buffhd *bh = req->context; > > + dev_info(&common->gadget->dev, "Bulk out complete %p\n", bh); > dump_msg(common, "bulk-out", req->buf, req->actual); > if (req->status || req->actual != bh->bulk_out_intended_length) > DBG(common, "%s --> %d, %u/%u\n", __func__, > @@ -547,6 +549,7 @@ static bool start_in_transfer(struct fsg > if (!fsg_is_set(common)) > return false; > bh->state = BUF_STATE_SENDING; > + dev_info(&common->gadget->dev, "Bulk in start %p\n", bh); > if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq)) > bh->state = BUF_STATE_EMPTY; > return true; > @@ -557,6 +560,7 @@ static bool start_out_transfer(struct fs > if (!fsg_is_set(common)) > return false; > bh->state = BUF_STATE_RECEIVING; > + dev_info(&common->gadget->dev, "Bulk out start %p\n", bh); > if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq)) > bh->state = BUF_STATE_FULL; > return true; > @@ -2310,10 +2314,12 @@ reset: > > /* Disable the endpoints */ > if (fsg->bulk_in_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk in A\n"); > usb_ep_disable(fsg->bulk_in); > fsg->bulk_in_enabled = 0; > } > if (fsg->bulk_out_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk out A\n"); > usb_ep_disable(fsg->bulk_out); > fsg->bulk_out_enabled = 0; > } > @@ -2333,6 +2339,7 @@ reset: > rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in); > if (rc) > goto reset; > + dev_info(&fsg->gadget->dev, "Enable bulk in\n"); > rc = usb_ep_enable(fsg->bulk_in); > if (rc) > goto reset; > @@ -2343,6 +2350,7 @@ reset: > fsg->bulk_out); > if (rc) > goto reset; > + dev_info(&fsg->gadget->dev, "Enable bulk out\n"); > rc = usb_ep_enable(fsg->bulk_out); > if (rc) > goto reset; > @@ -2392,10 +2400,12 @@ static void fsg_disable(struct usb_funct > > /* Disable the endpoints */ > if (fsg->bulk_in_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk in B\n"); > usb_ep_disable(fsg->bulk_in); > fsg->bulk_in_enabled = 0; > } > if (fsg->bulk_out_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk out B\n"); > usb_ep_disable(fsg->bulk_out); > fsg->bulk_out_enabled = 0; > } > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: kernel v5.19 warn in usb_ep_queue 2022-09-21 15:00 ` Rondreis @ 2022-09-21 16:01 ` Alan Stern 2022-09-22 8:39 ` Rondreis [not found] ` <CAB7eexKF5tiUHtesX218XoWSHV0aCiYaW97fgEY91x8Q9JF23g@mail.gmail.com> 0 siblings, 2 replies; 7+ messages in thread From: Alan Stern @ 2022-09-21 16:01 UTC (permalink / raw) To: Rondreis Cc: balbi, andriy.shevchenko, jakobkoschel, quic_wcheng, linux-kernel, linux-usb On Wed, Sep 21, 2022 at 11:00:41PM +0800, Rondreis wrote: > Thanks for your reply! > I applied this patch in v5.19 and the reproducer just attached > a composite device with network and mass storage functions. > The output of the kernel is as follows: > [ 1558.868398][ T7423] configfs-gadget gadget.1: Enable bulk in > [ 1558.868675][ T7423] configfs-gadget gadget.1: Enable bulk out > [ 1558.868957][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 > [ 1558.952998][ T24] cdc_eem 2-1:1.0 usb1: register 'cdc_eem' at > usb-dummy_hcd.1-1, CDC EEM Device, 72:47:e4:74:0b:8e > [ 1558.968402][ T24] usb-storage 2-1:1.1: USB Mass Storage device detected > [ 1558.976267][ T24] scsi host2: usb-storage 2-1:1.1 > [ 1560.028547][ T7470] cdc_eem 2-1:1.0 usb1: unregister 'cdc_eem' > usb-dummy_hcd.1-1, CDC EEM Device > [ 1560.078980][ T7470] configfs-gadget gadget.1: Bulk out complete > ffff8881279f0b00 > [ 1560.080226][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 > [ 1560.080617][ T7470] configfs-gadget gadget.1: Disable bulk in B > [ 1560.080820][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 > [ 1560.081456][ T7470] configfs-gadget gadget.1: Disable bulk out B > [ 1560.081950][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 > [ 1560.083056][ T7423] ------------[ cut here ]------------ > [ 1560.083386][ T7423] WARNING: CPU: 0 PID: 7423 at > drivers/usb/gadget/udc/core.c:283 usb_ep_queue+0x9b/0x3b0 Okay, that's not what I expected. Can you try the same thing with updated patch below? Alan Stern Index: usb-devel/drivers/usb/gadget/function/f_mass_storage.c =================================================================== --- usb-devel.orig/drivers/usb/gadget/function/f_mass_storage.c +++ usb-devel/drivers/usb/gadget/function/f_mass_storage.c @@ -367,6 +367,7 @@ static void __raise_exception(struct fsg { unsigned long flags; + dev_info(&common->gadget->dev, "Raise exception %d %p\n", new_state, arg); /* * Do nothing if a higher-priority exception is already in progress. * If a lower-or-equal priority exception is in progress, preempt it @@ -415,6 +416,7 @@ static void bulk_in_complete(struct usb_ struct fsg_common *common = ep->driver_data; struct fsg_buffhd *bh = req->context; + dev_info(&common->gadget->dev, "Bulk in complete %p\n", bh); if (req->status || req->actual != req->length) DBG(common, "%s --> %d, %u/%u\n", __func__, req->status, req->actual, req->length); @@ -431,6 +433,7 @@ static void bulk_out_complete(struct usb struct fsg_common *common = ep->driver_data; struct fsg_buffhd *bh = req->context; + dev_info(&common->gadget->dev, "Bulk out complete %p\n", bh); dump_msg(common, "bulk-out", req->buf, req->actual); if (req->status || req->actual != bh->bulk_out_intended_length) DBG(common, "%s --> %d, %u/%u\n", __func__, @@ -547,6 +550,7 @@ static bool start_in_transfer(struct fsg if (!fsg_is_set(common)) return false; bh->state = BUF_STATE_SENDING; + dev_info(&common->gadget->dev, "Bulk in start %p\n", bh); if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq)) bh->state = BUF_STATE_EMPTY; return true; @@ -557,6 +561,8 @@ static bool start_out_transfer(struct fs if (!fsg_is_set(common)) return false; bh->state = BUF_STATE_RECEIVING; + dev_info(&common->gadget->dev, "Bulk out start %p\n", bh); + dump_stack(); if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq)) bh->state = BUF_STATE_FULL; return true; @@ -2310,12 +2316,15 @@ reset: /* Disable the endpoints */ if (fsg->bulk_in_enabled) { + dev_info(&fsg->gadget->dev, "Disable bulk in A\n"); usb_ep_disable(fsg->bulk_in); fsg->bulk_in_enabled = 0; } if (fsg->bulk_out_enabled) { + dev_info(&fsg->gadget->dev, "Disable bulk out A\n"); usb_ep_disable(fsg->bulk_out); fsg->bulk_out_enabled = 0; + dev_info(&fsg->gadget->dev, "Disable bulk out A finished\n"); } common->fsg = NULL; @@ -2333,6 +2342,7 @@ reset: rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in); if (rc) goto reset; + dev_info(&fsg->gadget->dev, "Enable bulk in\n"); rc = usb_ep_enable(fsg->bulk_in); if (rc) goto reset; @@ -2343,6 +2353,7 @@ reset: fsg->bulk_out); if (rc) goto reset; + dev_info(&fsg->gadget->dev, "Enable bulk out\n"); rc = usb_ep_enable(fsg->bulk_out); if (rc) goto reset; @@ -2392,12 +2403,15 @@ static void fsg_disable(struct usb_funct /* Disable the endpoints */ if (fsg->bulk_in_enabled) { + dev_info(&fsg->gadget->dev, "Disable bulk in B\n"); usb_ep_disable(fsg->bulk_in); fsg->bulk_in_enabled = 0; } if (fsg->bulk_out_enabled) { + dev_info(&fsg->gadget->dev, "Disable bulk out B\n"); usb_ep_disable(fsg->bulk_out); fsg->bulk_out_enabled = 0; + dev_info(&fsg->gadget->dev, "Disable bulk out B finished\n"); } __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL); ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: kernel v5.19 warn in usb_ep_queue 2022-09-21 16:01 ` Alan Stern @ 2022-09-22 8:39 ` Rondreis [not found] ` <CAB7eexKF5tiUHtesX218XoWSHV0aCiYaW97fgEY91x8Q9JF23g@mail.gmail.com> 1 sibling, 0 replies; 7+ messages in thread From: Rondreis @ 2022-09-22 8:39 UTC (permalink / raw) To: Alan Stern Cc: balbi, andriy.shevchenko, jakobkoschel, quic_wcheng, linux-kernel, linux-usb I patched it again, and the output is: [ 53.871222][ T6507] cgroup: Unknown subsys name 'net' [ 53.874463][ T6507] cgroup: Unknown subsys name 'rlimit' [ 54.426894][ T28] audit: type=1800 audit(1663835481.621:4): pid=6532 uid=0 auid=0 ses=2 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="UDC" dev="configfs" ino=30794 res=0 errno=0 [ 54.435086][ T6532] using random self ethernet address [ 54.435402][ T6532] using random host ethernet address [ 54.436060][ T6532] Mass Storage Function, version: 2009/09/11 [ 54.436437][ T6532] LUN: removable file: (no medium) [ 54.444557][ T6532] usb0: HOST MAC 1a:89:f1:74:ef:df [ 54.444853][ T6532] usb0: MAC 5e:3b:64:0f:0b:ed [ 54.721631][ T24] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 55.131602][ T24] usb 2-1: Dual-Role OTG device on HNP port [ 55.151589][ T24] usb 2-1: New USB device found, idVendor=03f0, idProduct=0107, bcdDevice= 2.00 [ 55.151919][ T24] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 55.152199][ T24] usb 2-1: Product: Bar Gadget [ 55.152374][ T24] usb 2-1: Manufacturer: Foo Inc. [ 55.152557][ T24] usb 2-1: SerialNumber: 12345678 [ 55.171998][ C1] configfs-gadget gadget.1: Raise exception 3 ffff88811b9ba000 [ 55.172604][ T6539] configfs-gadget gadget.1: Enable bulk in [ 55.172884][ T6539] configfs-gadget gadget.1: Enable bulk out [ 55.173179][ T6539] configfs-gadget gadget.1: Bulk out start ffff888115fd7c80 [ 55.173506][ T6539] CPU: 0 PID: 6539 Comm: file-storage Not tainted 5.19.0+ #16 [ 55.173834][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 [ 55.174193][ T6539] Call Trace: [ 55.174316][ T6539] <TASK> [ 55.174425][ T6539] dump_stack_lvl+0xfc/0x174 [ 55.174602][ T6539] start_out_transfer.part.0+0x7c/0x142 [ 55.174813][ T6539] fsg_main_thread+0x375/0x1450 [ 55.175004][ T6539] ? __kthread_parkme+0xc4/0x210 [ 55.175191][ T6539] ? reacquire_held_locks+0x4b0/0x4b0 [ 55.175392][ T6539] ? do_set_interface.isra.0+0x530/0x530 [ 55.175606][ T6539] ? __kthread_parkme+0x14e/0x210 [ 55.175797][ T6539] ? do_set_interface.isra.0+0x530/0x530 [ 55.176005][ T6539] kthread+0x2e0/0x390 [ 55.176156][ T6539] ? kthread_complete_and_exit+0x40/0x40 [ 55.176363][ T6539] ret_from_fork+0x1f/0x30 [ 55.176537][ T6539] </TASK> [ 55.253779][ T24] cdc_eem 2-1:1.0 usb1: register 'cdc_eem' at usb-dummy_hcd.1-1, CDC EEM Device, c2:07:46:1b:bf:4a [ 55.271856][ T24] usb-storage 2-1:1.1: USB Mass Storage device detected [ 55.278904][ T24] scsi host2: usb-storage 2-1:1.1 [ 56.352122][ T6584] cdc_eem 2-1:1.0 usb1: unregister 'cdc_eem' usb-dummy_hcd.1-1, CDC EEM Device [ 56.412714][ T6584] configfs-gadget gadget.1: Bulk out complete ffff888115fd7c80 [ 56.413545][ T6539] configfs-gadget gadget.1: Bulk out start ffff888115fd7c80 [ 56.413787][ T6584] configfs-gadget gadget.1: Disable bulk in B [ 56.413988][ T6539] CPU: 1 PID: 6539 Comm: file-storage Not tainted 5.19.0+ #16 [ 56.414336][ T6584] configfs-gadget gadget.1: Disable bulk out B [ 56.414647][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 [ 56.414908][ T6584] configfs-gadget gadget.1: Disable bulk out B finished [ 56.415348][ T6539] Call Trace: [ 56.415352][ T6539] <TASK> [ 56.415827][ T6584] configfs-gadget gadget.1: Raise exception 3 0000000000000000 [ 56.415969][ T6539] dump_stack_lvl+0xfc/0x174 [ 56.416735][ T6539] start_out_transfer.part.0+0x7c/0x142 [ 56.416989][ T6539] fsg_main_thread+0x375/0x1450 [ 56.417256][ T6539] ? __kthread_parkme+0xc4/0x210 [ 56.417560][ T6539] ? reacquire_held_locks+0x4b0/0x4b0 [ 56.417885][ T6539] ? do_set_interface.isra.0+0x530/0x530 [ 56.418231][ T6539] ? __kthread_parkme+0x14e/0x210 [ 56.418576][ T6539] ? do_set_interface.isra.0+0x530/0x530 [ 56.418919][ T6539] kthread+0x2e0/0x390 [ 56.419172][ T6539] ? kthread_complete_and_exit+0x40/0x40 [ 56.419515][ T6539] ret_from_fork+0x1f/0x30 [ 56.419804][ T6539] </TASK> [ 56.420255][ T6539] ------------[ cut here ]------------ [ 56.420496][ T6539] WARNING: CPU: 1 PID: 6539 at drivers/usb/gadget/udc/core.c:283 usb_ep_queue+0x9b/0x3b0 [ 56.420923][ T6539] Modules linked in: [ 56.421102][ T6539] CPU: 1 PID: 6539 Comm: file-storage Not tainted 5.19.0+ #16 [ 56.421429][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 [ 56.431805][ T6539] RIP: 0010:usb_ep_queue+0x9b/0x3b0 [ 56.432129][ T6539] Code: 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 db 02 00 00 44 0f b6 6b 35 31 ff 44 89 ee e8 af 41 b2 fb 45 84 ed 74 0e e8 55 46 b2 fb <0f> 0b bd 94 ff ff ff eb 55 e8 47 46 b2 fb 48 8d 7b 10 0 [ 56.433208][ T6539] RSP: 0018:ffffc900047afd08 EFLAGS: 00010293 [ 56.433560][ T6539] RAX: 0000000000000000 RBX: ffff8881107d82c0 RCX: 0000000000000000 [ 56.434009][ T6539] RDX: ffff8881196d1c00 RSI: ffffffff85c6d79b RDI: 0000000000000001 [ 56.434452][ T6539] RBP: 0000000000000cc0 R08: 0000000000000001 R09: 0000000000000000 [ 56.434898][ T6539] R10: 0000000000000007 R11: 0000000000000000 R12: ffff888113c6a210 [ 56.435350][ T6539] R13: 0000000000000007 R14: ffff8881197c9000 R15: dffffc0000000000 [ 56.435796][ T6539] FS: 0000000000000000(0000) GS:ffff888128c00000(0000) knlGS:0000000000000000 [ 56.436296][ T6539] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 56.436666][ T6539] CR2: 00005611a32a2d30 CR3: 000000011b5aa000 CR4: 00000000000006f0 [ 56.437111][ T6539] Call Trace: [ 56.437305][ T6539] <TASK> [ 56.437479][ T6539] start_transfer+0x24/0x14f [ 56.437752][ T6539] start_out_transfer.part.0+0xf6/0x142 [ 56.438076][ T6539] fsg_main_thread+0x375/0x1450 [ 56.438370][ T6539] ? __kthread_parkme+0xc4/0x210 [ 56.438660][ T6539] ? reacquire_held_locks+0x4b0/0x4b0 [ 56.438973][ T6539] ? do_set_interface.isra.0+0x530/0x530 [ 56.439306][ T6539] ? __kthread_parkme+0x14e/0x210 [ 56.439604][ T6539] ? do_set_interface.isra.0+0x530/0x530 [ 56.439932][ T6539] kthread+0x2e0/0x390 [ 56.440171][ T6539] ? kthread_complete_and_exit+0x40/0x40 [ 56.440497][ T6539] ret_from_fork+0x1f/0x30 [ 56.440767][ T6539] </TASK> [ 56.440949][ T6539] Kernel panic - not syncing: panic_on_warn set ... [ 56.441321][ T6539] CPU: 0 PID: 6539 Comm: file-storage Not tainted 5.19.0+ #16 [ 56.441751][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 [ 56.442322][ T6539] Call Trace: [ 56.442515][ T6539] <TASK> [ 56.442687][ T6539] dump_stack_lvl+0xfc/0x174 [ 56.442959][ T6539] panic+0x2cf/0x61f [ 56.443194][ T6539] ? panic_print_sys_info.part.0+0x10b/0x10b [ 56.443545][ T6539] ? __warn.cold+0xcd/0x2cc [ 56.443812][ T6539] ? usb_ep_queue+0x9b/0x3b0 [ 56.444085][ T6539] __warn.cold+0xde/0x2cc [ 56.444341][ T6539] ? usb_ep_queue+0x9b/0x3b0 [ 56.444612][ T6539] report_bug+0x1b7/0x240 [ 56.444870][ T6539] handle_bug+0x3c/0x60 [ 56.445119][ T6539] exc_invalid_op+0x13/0x40 [ 56.445386][ T6539] asm_exc_invalid_op+0x16/0x20 [ 56.445671][ T6539] RIP: 0010:usb_ep_queue+0x9b/0x3b0 [ 56.445971][ T6539] Code: 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 db 02 00 00 44 0f b6 6b 35 31 ff 44 89 ee e8 af 41 b2 fb 45 84 ed 74 0e e8 55 46 b2 fb <0f> 0b bd 94 ff ff ff eb 55 e8 47 46 b2 fb 48 8d 7b 10 0 [ 56.447050][ T6539] RSP: 0018:ffffc900047afd08 EFLAGS: 00010293 [ 56.447400][ T6539] RAX: 0000000000000000 RBX: ffff8881107d82c0 RCX: 0000000000000000 [ 56.447849][ T6539] RDX: ffff8881196d1c00 RSI: ffffffff85c6d79b RDI: 0000000000000001 [ 56.448301][ T6539] RBP: 0000000000000cc0 R08: 0000000000000001 R09: 0000000000000000 [ 56.448752][ T6539] R10: 0000000000000007 R11: 0000000000000000 R12: ffff888113c6a210 [ 56.449196][ T6539] R13: 0000000000000007 R14: ffff8881197c9000 R15: dffffc0000000000 [ 56.449648][ T6539] ? usb_ep_queue+0x9b/0x3b0 [ 56.449921][ T6539] ? usb_ep_queue+0x9b/0x3b0 [ 56.450193][ T6539] start_transfer+0x24/0x14f [ 56.450468][ T6539] start_out_transfer.part.0+0xf6/0x142 [ 56.450795][ T6539] fsg_main_thread+0x375/0x1450 [ 56.451082][ T6539] ? __kthread_parkme+0xc4/0x210 [ 56.451376][ T6539] ? reacquire_held_locks+0x4b0/0x4b0 [ 56.451693][ T6539] ? do_set_interface.isra.0+0x530/0x530 [ 56.452024][ T6539] ? __kthread_parkme+0x14e/0x210 [ 56.452324][ T6539] ? do_set_interface.isra.0+0x530/0x530 [ 56.452649][ T6539] kthread+0x2e0/0x390 [ 56.452890][ T6539] ? kthread_complete_and_exit+0x40/0x40 [ 56.453216][ T6539] ret_from_fork+0x1f/0x30 [ 56.453489][ T6539] </TASK> [ 56.453826][ T6539] Kernel Offset: disabled [ 56.454117][ T6539] Rebooting in 86400 seconds.. On Thu, Sep 22, 2022 at 12:01 AM Alan Stern <stern@rowland.harvard.edu> wrote: > > On Wed, Sep 21, 2022 at 11:00:41PM +0800, Rondreis wrote: > > Thanks for your reply! > > I applied this patch in v5.19 and the reproducer just attached > > a composite device with network and mass storage functions. > > The output of the kernel is as follows: > > > [ 1558.868398][ T7423] configfs-gadget gadget.1: Enable bulk in > > [ 1558.868675][ T7423] configfs-gadget gadget.1: Enable bulk out > > [ 1558.868957][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 > > [ 1558.952998][ T24] cdc_eem 2-1:1.0 usb1: register 'cdc_eem' at > > usb-dummy_hcd.1-1, CDC EEM Device, 72:47:e4:74:0b:8e > > [ 1558.968402][ T24] usb-storage 2-1:1.1: USB Mass Storage device detected > > [ 1558.976267][ T24] scsi host2: usb-storage 2-1:1.1 > > [ 1560.028547][ T7470] cdc_eem 2-1:1.0 usb1: unregister 'cdc_eem' > > usb-dummy_hcd.1-1, CDC EEM Device > > [ 1560.078980][ T7470] configfs-gadget gadget.1: Bulk out complete > > ffff8881279f0b00 > > [ 1560.080226][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 > > [ 1560.080617][ T7470] configfs-gadget gadget.1: Disable bulk in B > > [ 1560.080820][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 > > [ 1560.081456][ T7470] configfs-gadget gadget.1: Disable bulk out B > > [ 1560.081950][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 > > [ 1560.083056][ T7423] ------------[ cut here ]------------ > > [ 1560.083386][ T7423] WARNING: CPU: 0 PID: 7423 at > > drivers/usb/gadget/udc/core.c:283 usb_ep_queue+0x9b/0x3b0 > > Okay, that's not what I expected. Can you try the same thing with > updated patch below? > > Alan Stern > > > Index: usb-devel/drivers/usb/gadget/function/f_mass_storage.c > =================================================================== > --- usb-devel.orig/drivers/usb/gadget/function/f_mass_storage.c > +++ usb-devel/drivers/usb/gadget/function/f_mass_storage.c > @@ -367,6 +367,7 @@ static void __raise_exception(struct fsg > { > unsigned long flags; > > + dev_info(&common->gadget->dev, "Raise exception %d %p\n", new_state, arg); > /* > * Do nothing if a higher-priority exception is already in progress. > * If a lower-or-equal priority exception is in progress, preempt it > @@ -415,6 +416,7 @@ static void bulk_in_complete(struct usb_ > struct fsg_common *common = ep->driver_data; > struct fsg_buffhd *bh = req->context; > > + dev_info(&common->gadget->dev, "Bulk in complete %p\n", bh); > if (req->status || req->actual != req->length) > DBG(common, "%s --> %d, %u/%u\n", __func__, > req->status, req->actual, req->length); > @@ -431,6 +433,7 @@ static void bulk_out_complete(struct usb > struct fsg_common *common = ep->driver_data; > struct fsg_buffhd *bh = req->context; > > + dev_info(&common->gadget->dev, "Bulk out complete %p\n", bh); > dump_msg(common, "bulk-out", req->buf, req->actual); > if (req->status || req->actual != bh->bulk_out_intended_length) > DBG(common, "%s --> %d, %u/%u\n", __func__, > @@ -547,6 +550,7 @@ static bool start_in_transfer(struct fsg > if (!fsg_is_set(common)) > return false; > bh->state = BUF_STATE_SENDING; > + dev_info(&common->gadget->dev, "Bulk in start %p\n", bh); > if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq)) > bh->state = BUF_STATE_EMPTY; > return true; > @@ -557,6 +561,8 @@ static bool start_out_transfer(struct fs > if (!fsg_is_set(common)) > return false; > bh->state = BUF_STATE_RECEIVING; > + dev_info(&common->gadget->dev, "Bulk out start %p\n", bh); > + dump_stack(); > if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq)) > bh->state = BUF_STATE_FULL; > return true; > @@ -2310,12 +2316,15 @@ reset: > > /* Disable the endpoints */ > if (fsg->bulk_in_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk in A\n"); > usb_ep_disable(fsg->bulk_in); > fsg->bulk_in_enabled = 0; > } > if (fsg->bulk_out_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk out A\n"); > usb_ep_disable(fsg->bulk_out); > fsg->bulk_out_enabled = 0; > + dev_info(&fsg->gadget->dev, "Disable bulk out A finished\n"); > } > > common->fsg = NULL; > @@ -2333,6 +2342,7 @@ reset: > rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in); > if (rc) > goto reset; > + dev_info(&fsg->gadget->dev, "Enable bulk in\n"); > rc = usb_ep_enable(fsg->bulk_in); > if (rc) > goto reset; > @@ -2343,6 +2353,7 @@ reset: > fsg->bulk_out); > if (rc) > goto reset; > + dev_info(&fsg->gadget->dev, "Enable bulk out\n"); > rc = usb_ep_enable(fsg->bulk_out); > if (rc) > goto reset; > @@ -2392,12 +2403,15 @@ static void fsg_disable(struct usb_funct > > /* Disable the endpoints */ > if (fsg->bulk_in_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk in B\n"); > usb_ep_disable(fsg->bulk_in); > fsg->bulk_in_enabled = 0; > } > if (fsg->bulk_out_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk out B\n"); > usb_ep_disable(fsg->bulk_out); > fsg->bulk_out_enabled = 0; > + dev_info(&fsg->gadget->dev, "Disable bulk out B finished\n"); > } > > __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL); > ^ permalink raw reply [flat|nested] 7+ messages in thread
[parent not found: <CAB7eexKF5tiUHtesX218XoWSHV0aCiYaW97fgEY91x8Q9JF23g@mail.gmail.com>]
* Re: kernel v5.19 warn in usb_ep_queue [not found] ` <CAB7eexKF5tiUHtesX218XoWSHV0aCiYaW97fgEY91x8Q9JF23g@mail.gmail.com> @ 2022-09-22 15:52 ` Alan Stern 0 siblings, 0 replies; 7+ messages in thread From: Alan Stern @ 2022-09-22 15:52 UTC (permalink / raw) To: Rondreis, Felipe Balbi, Michal Nazarewicz Cc: andriy.shevchenko, jakobkoschel, quic_wcheng, linux-kernel, linux-usb Felipe and Michal, see below. On Thu, Sep 22, 2022 at 04:34:44PM +0800, Rondreis wrote: > I patched it again, and the output is: > > > [ 54.721631][ T24] usb 2-1: new high-speed USB device number 2 using > dummy_hcd > [ 55.131602][ T24] usb 2-1: Dual-Role OTG device on HNP port > [ 55.151589][ T24] usb 2-1: New USB device found, idVendor=03f0, > idProduct=0107, bcdDevice= 2.00 > [ 55.151919][ T24] usb 2-1: New USB device strings: Mfr=1, Product=2, > SerialNumber=3 > [ 55.152199][ T24] usb 2-1: Product: Gadget > [ 55.152374][ T24] usb 2-1: Manufacturer: Foo Inc. > [ 55.152557][ T24] usb 2-1: SerialNumber: 12345678 > [ 55.171998][ C1] configfs-gadget gadget.1: Raise exception 3 > ffff88811b9ba000 > [ 55.172604][ T6539] configfs-gadget gadget.1: Enable bulk in > [ 55.172884][ T6539] configfs-gadget gadget.1: Enable bulk out > [ 55.173179][ T6539] configfs-gadget gadget.1: Bulk out start > ffff888115fd7c80 > [ 55.173506][ T6539] CPU: 0 PID: 6539 Comm: file-storage Not tainted > 5.19.0+ #16 > [ 55.173834][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX, > 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 > [ 55.174193][ T6539] Call Trace: > [ 55.174316][ T6539] <TASK> > [ 55.174425][ T6539] dump_stack_lvl+0xfc/0x174 > [ 55.174602][ T6539] start_out_transfer.part.0+0x7c/0x142 > [ 55.174813][ T6539] fsg_main_thread+0x375/0x1450 > [ 55.175004][ T6539] ? __kthread_parkme+0xc4/0x210 > [ 55.175191][ T6539] ? reacquire_held_locks+0x4b0/0x4b0 > [ 55.175392][ T6539] ? do_set_interface.isra.0+0x530/0x530 > [ 55.175606][ T6539] ? __kthread_parkme+0x14e/0x210 > [ 55.175797][ T6539] ? do_set_interface.isra.0+0x530/0x530 > [ 55.176005][ T6539] kthread+0x2e0/0x390 > [ 55.176156][ T6539] ? kthread_complete_and_exit+0x40/0x40 > [ 55.176363][ T6539] ret_from_fork+0x1f/0x30 > [ 55.176537][ T6539] </TASK> > [ 55.253779][ T24] cdc_eem 2-1:1.0 usb1: register 'cdc_eem' at > usb-dummy_hcd.1-1, CDC EEM Device, c2:07:46:1b:bf:4a > [ 55.271856][ T24] usb-storage 2-1:1.1: USB Mass Storage device detected > [ 55.278904][ T24] scsi host2: usb-storage 2-1:1.1 > [ 56.352122][ T6584] cdc_eem 2-1:1.0 usb1: unregister 'cdc_eem' > usb-dummy_hcd.1-1, CDC EEM Device > [ 56.412714][ T6584] configfs-gadget gadget.1: Bulk out complete > ffff888115fd7c80 > [ 56.413545][ T6539] configfs-gadget gadget.1: Bulk out start > ffff888115fd7c80 > [ 56.413787][ T6584] configfs-gadget gadget.1: Disable bulk in B > [ 56.413988][ T6539] CPU: 1 PID: 6539 Comm: file-storage Not tainted > 5.19.0+ #16 > [ 56.414336][ T6584] configfs-gadget gadget.1: Disable bulk out B > [ 56.414647][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX, > 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 > [ 56.414908][ T6584] configfs-gadget gadget.1: Disable bulk out B finished > [ 56.415348][ T6539] Call Trace: > [ 56.415352][ T6539] <TASK> > [ 56.415827][ T6584] configfs-gadget gadget.1: Raise exception 3 > 0000000000000000 > [ 56.415969][ T6539] dump_stack_lvl+0xfc/0x174 > [ 56.416735][ T6539] start_out_transfer.part.0+0x7c/0x142 > [ 56.416989][ T6539] fsg_main_thread+0x375/0x1450 > [ 56.417256][ T6539] ? __kthread_parkme+0xc4/0x210 > [ 56.417560][ T6539] ? reacquire_held_locks+0x4b0/0x4b0 > [ 56.417885][ T6539] ? do_set_interface.isra.0+0x530/0x530 > [ 56.418231][ T6539] ? __kthread_parkme+0x14e/0x210 > [ 56.418576][ T6539] ? do_set_interface.isra.0+0x530/0x530 > [ 56.418919][ T6539] kthread+0x2e0/0x390 > [ 56.419172][ T6539] ? kthread_complete_and_exit+0x40/0x40 > [ 56.419515][ T6539] ret_from_fork+0x1f/0x30 > [ 56.419804][ T6539] </TASK> > [ 56.420255][ T6539] ------------[ cut here ]------------ > [ 56.420496][ T6539] WARNING: CPU: 1 PID: 6539 at > drivers/usb/gadget/udc/core.c:283 usb_ep_queue+0x9b/0x3b0 > [ 56.420923][ T6539] Modules linked in: > [ 56.421102][ T6539] CPU: 1 PID: 6539 Comm: file-storage Not tainted > 5.19.0+ #16 > [ 56.421429][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX, > 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 > [ 56.431805][ T6539] RIP: 0010:usb_ep_queue+0x9b/0x3b0 Okay, thanks. It's pretty clear what's going wrong. f_mass_storage uses a kernel thread to do almost all of its work. But the fsg_disable() callback routine runs in an atomic context, so it can't sleep. And there is no find-grained synchronization between that routine and the kernel thread. As a result, when fsg_disable() disables an endpoint, the kernel thread may still try to use it for a little while. That's what happened here. I can think of three ways to resolve this. The first is to add fine-grained synchronization, in the form of a spinlock that has to be held whenever f_mass_storage uses an endpoint. Kind of awkward. The second is to allow drivers to try to access endpoints even after the endpoints have been disabled. This means removing the WARN_ON_ONCE() in usb_ep_queue(). I believe allowing this won't lead to any trouble, because we will still require drivers not to access the gadget at all after their ->unbind callback has returned -- but maybe I'm wrong. In any case, it seems bad to use an atomic callback to tell drivers they have to give up a resource; resource removal should be allowed to sleep. The third way is to allow a function driver's ->disable callback not to disable its endpoints. However, I don't know if this is compatible with the intended operation of the composite framework. The documentation does not explain very clearly what .disable() in struct usb_function is supposed to do. I'm not sure which approach would be better. Felipe and Michal, any suggestions? Alan Stern ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-09-22 15:52 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-08-11 2:12 kernel v5.19 warn in usb_ep_queue Rondreis 2022-08-11 16:52 ` Alan Stern 2022-09-20 18:16 ` Alan Stern 2022-09-21 15:00 ` Rondreis 2022-09-21 16:01 ` Alan Stern 2022-09-22 8:39 ` Rondreis [not found] ` <CAB7eexKF5tiUHtesX218XoWSHV0aCiYaW97fgEY91x8Q9JF23g@mail.gmail.com> 2022-09-22 15:52 ` Alan Stern
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).