On 12/18/21 12:15, Mauro Carvalho Chehab wrote:
Em Sat, 18 Dec 2021 02:09:46 +0100
Maximilian Böhm <maximilian.boehm@xxxxxxxxxx> escreveu:
Hello Paul and the other people involved,
I’m a user of a Hauppauge WinTV dualHD DVB-T2 USB card and experiencing a bug since Linux 5.15.3 of which kernel bisecting brought me to a commit by you from Juli 29: "media: em28xx: add missing em28xx_close_extension".
So, basically this changeset: 2c98b8a3458d ("media: em28xx: add missing em28xx_close_extension")
My problem: This TV stick doesn’t work for me after a wake up from a system standby, so I have to use the little helper tool usbreset to reset its USB connection.
What such patch should be doing is to ensure that the drivers will
do the right thing when the device is removed (or unbound).
It shouldn't have been called during suspend/resume. While this bug
should be fixed, the issue with suspend/resume callbacks also seem
to require additional work.
Now, I dunno what a "usbreset" tool would be doing, but I'm assuming
that it will be doing a unbind/bind sequence.
First of all I want to apologize for introducing this bug. I don't have
any em28xx devices and I've only tested with syzbot reproducer.
I can't say much about task hung bug, because I am not an expert in
em28xx driver, but I have an idea about NULL deref (which is in attached
dmesg on bugzilla page)
[ 108.755526] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 108.755529] #PF: supervisor read access in kernel mode
[ 108.755530] #PF: error_code(0x0000) - not-present page
[ 108.755532] PGD 0 P4D 0
[ 108.755534] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 108.755535] CPU: 12 PID: 28104 Comm: usbreset Not tainted 5.16.0-rc3-1-mainline #1 5300773575872a1d8fb5e17c51f4b15320e5794c
[ 108.755538] Hardware name: System manufacturer System Product Name/ROG STRIX X570-E GAMING, BIOS 1407 02/24/2020
[ 108.755539] RIP: 0010:__list_del_entry_valid+0x25/0xc0
[ 108.755545] RSP: 0018:ffffb26a8b67bc70 EFLAGS: 00010217
[ 108.755547] RAX: dead000000000122 RBX: ffffffffc11ea000 RCX: 0000000000000000
[ 108.755548] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff92c9d82081e8
[ 108.755549] RBP: ffff92c9d8208000 R08: 0000000000000000 R09: 0000000000000000
[ 108.755550] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc11ea0d0
[ 108.755551] R13: ffff92c9d50ea400 R14: ffff92c9d50ea430 R15: ffff92c9d50ea400
[ 108.755552] FS: 00007f9ce9bd4580(0000) GS:ffff92d0bed00000(0000) knlGS:0000000000000000
[ 108.755553] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 108.755555] CR2: 0000000000000000 CR3: 00000003cc740000 CR4: 0000000000350ee0
[ 108.755556] Call Trace:
[ 108.755558] <TASK>
[ 108.755561] em28xx_close_extension+0x64/0xb0 [em28xx e547aa2f945c8b78712225f6e5e1ca6a1015473f]
[ 108.755569] em28xx_usb_disconnect.cold+0x82/0xbb [em28xx e547aa2f945c8b78712225f6e5e1ca6a1015473f]
[ 108.755574] usb_unbind_interface+0x87/0x280
Looks like missing INIT_LIST_HEAD() somewhere, because all devices are
kzalloced.
Something like this may work
diff --git a/drivers/media/usb/em28xx/em28xx-cards.c
b/drivers/media/usb/em28xx/em28xx-cards.c
index b207f34af5c6..c303a95e845a 100644
--- a/drivers/media/usb/em28xx/em28xx-cards.c
+++ b/drivers/media/usb/em28xx/em28xx-cards.c
@@ -3936,6 +3936,7 @@ static int em28xx_usb_probe(struct usb_interface
*intf,
dev->is_audio_only = has_vendor_audio && !(has_video || has_dvb);
dev->has_video = has_video;
dev->ifnum = ifnum;
+ INIT_LIST_HEAD(&dev->devlist);
dev->ts = PRIMARY_TS;
snprintf(dev->name, 28, "em28xx");
With regards,
Pavel Skripkin
