RE: [PROBLEM] usb hub malformed packets causes null pointer dereference

Hello, 
   Apologies for the late response. 
   We tried the patch, and although the system does not crash anymore, another issue occurs. 

   Depending on platform (Gigabyte GXBT, Galileo board), the USB port that is used for testing or all USB ports become blocked and cannot recognize new devices. 
   Also, soft shutdown / reboot seems to hang.

   The below trace gives more information:

[  240.304129] INFO: task kworker/3:2:93 blocked for more than 120 seconds.
[  240.304173]       Tainted: G            E   4.3.0with-patch #8
[  240.304190] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  240.304212] kworker/3:2     D ffff88011e2d6980     0    93      2 0x00000000
[  240.304241] Workqueue: usb_hub_wq hub_event
[  240.304257]  ffff8800c73bbb78 0000000000000046 ffff88011931aa00 ffff8800c7107000
[  240.304286]  ffff8800c73bc000 ffff8800c9bb6494 ffff8800c7107000 00000000ffffffff
[  240.304315]  ffff8800c9bb6498 ffff8800c73bbb90 ffffffff817ab963 ffff8800c9bb6490
[  240.304344] Call Trace:
[  240.304357]  [<ffffffff817ab963>] schedule+0x33/0x80
[  240.304373]  [<ffffffff817abc0e>] schedule_preempt_disabled+0xe/0x10
[  240.304393]  [<ffffffff817ad445>] __mutex_lock_slowpath+0x95/0x110
[  240.304413]  [<ffffffff817ad4df>] mutex_lock+0x1f/0x2f
[  240.304430]  [<ffffffff814f20bb>] device_release_driver+0x1b/0x30
[  240.304448]  [<ffffffff814f0ea1>] bus_remove_device+0x101/0x170
[  240.304467]  [<ffffffff814ed5f9>] device_del+0x139/0x260
[  240.304485]  [<ffffffff815b728f>] ? usb_remove_ep_devs+0x1f/0x30
[  240.304504]  [<ffffffff815b0696>] usb_disable_device+0xa6/0x280
[  240.304522]  [<ffffffff815a6474>] usb_disconnect+0x94/0x270
[  240.304539]  [<ffffffff815a8533>] hub_event+0x693/0x1420
[  240.304557]  [<ffffffff8109259e>] process_one_work+0x14e/0x3d0
[  240.304575]  [<ffffffff81092c4a>] worker_thread+0x11a/0x470
[  240.305058]  [<ffffffff817ab378>] ? __schedule+0x358/0x910
[  240.305527]  [<ffffffff81092b30>] ? rescuer_thread+0x310/0x310
[  240.305992]  [<ffffffff81098372>] kthread+0xd2/0xf0
[  240.306450]  [<ffffffff810982a0>] ? kthread_park+0x50/0x50
[  240.306905]  [<ffffffff817af54f>] ret_from_fork+0x3f/0x70
[  240.307357]  [<ffffffff810982a0>] ? kthread_park+0x50/0x50
[  360.382912] INFO: task kworker/3:2:93 blocked for more than 120 seconds.
// same output every 120s

Regards,
   /Alex

-----Original Message-----
From: Alan Stern [mailto:stern@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, November 12, 2015 6:59 PM
To: Cornea, Alexandru <alexandru.cornea@xxxxxxxxx>
Cc: linux-usb@xxxxxxxxxxxxxxx; Maxim, Costel <costel.maxim@xxxxxxxxx>; Moraru, Cristina <cristina.moraru@xxxxxxxxx>
Subject: Re: [PROBLEM] usb hub malformed packets causes null pointer dereference

On Tue, 10 Nov 2015, Cornea, Alexandru wrote:

> Hello,
>  
>     We observed a kernel panic due to a null pointer dereference in the USB stack while sending malformed USB hub packets.

This is an interesting bug.  Not least because it has nothing to do with the malformed packets -- it was triggered when the USB device was disconnected while the initialization procedure was still running.

>     Testing was done on a Galileo board, using kernel version 4.1.8 (image built with Yocto project).
>     
>     Output of /proc/version: Linux version 4.1.8-yocto-standard 
> (REDACTED) (gcc version 5.2.0 (GCC) ) #1 PREEMPT Fri Oct 30 15:05:46 
> EET 2015
> 
>     Please see full call trace at the end of the mail and reproduction steps.
> 
>     Running in debug mode, part of the call trace is displayed, along with:
> <6, <6,  (null): activate --> -19
> which links to drivers/usb/core/hub.c:1239 , function hub_activate (init3). This shows that hub->intfdev is null.
> 
> 1240  init3:
> 1241         hub->quiescing = 0;
> 1242 
> 1243         status = usb_submit_urb(hub->urb, GFP_NOIO);
> 1244         if (status < 0)
> 1245                 dev_err(hub->intfdev, "activate --> %d\n", status);    
> 
> If you need additional info, please let us know.

Please try the patch below and let us know if it fixes the problem.

Alan Stern



Index: usb-4.3/drivers/usb/core/hub.c
===================================================================
--- usb-4.3.orig/drivers/usb/core/hub.c
+++ usb-4.3/drivers/usb/core/hub.c
@@ -1031,10 +1031,20 @@ static void hub_activate(struct usb_hub
 	unsigned delay;
 
 	/* Continue a partial initialization */
-	if (type == HUB_INIT2)
-		goto init2;
-	if (type == HUB_INIT3)
+	if (type == HUB_INIT2 || type == HUB_INIT3) {
+		device_lock(hub->intfdev);
+
+		/* Was the hub disconnected while we were waiting? */
+		if (hub->disconnected) {
+			device_unlock(hub->intfdev);
+			kref_put(&hub->kref, hub_release);
+			return;
+		}
+		if (type == HUB_INIT2)
+			goto init2;
 		goto init3;
+	}
+	kref_get(&hub->kref);
 
 	/* The superspeed hub except for root hub has to use Hub Depth
 	 * value as an offset into the route string to locate the bits @@ -1232,6 +1242,7 @@ static void hub_activate(struct usb_hub
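Review bot: the early return in the `if (hub->disconnected)` branch releases the device lock and drops the kref, but it bypasses the `usb_autopm_put_interface_async()` that the end of this function performs for `type <= HUB_INIT3` (last hunk), so a hub that is torn down between init stages keeps whatever autosuspend reference the INIT path took. Consider jumping to a label placed just before that put (then unlock and `kref_put()`) rather than returning here, so the cleanup sequence exists once. The check also relies on `hub_disconnect()` setting `hub->disconnected` while holding the same `hub->intfdev` lock (otherwise a disconnect can slip in between `device_lock()` and the test) and on `hub_disconnect()` not waiting synchronously for `init_work` while holding that lock, which would deadlock against the `device_lock()` added here; neither path is in the diff, so both are worth confirming.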
 			queue_delayed_work(system_power_efficient_wq,
 					&hub->init_work,
 					msecs_to_jiffies(delay));
+			device_unlock(hub->intfdev);
 			return;		/* Continues at init3: below */
 		} else {
 			msleep(delay);
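Review bot: the new `device_unlock()` covers only the `queue_delayed_work()` branch. In the `else` branch, `msleep(delay)` is reached with `type == HUB_INIT2` (the lock was taken at the top of the function for that type) and execution falls through to `init3:` with `hub->intfdev` still locked, and nothing in the diff releases it on that path unless the unlock at the end of the function also covers `HUB_INIT2`, which the last hunk's `if (type == HUB_INIT3)` does not. A leaked interface lock would make the next `device_release_driver()` on that interface block in `mutex_lock()`, which is what the hung `usb_hub_wq` trace in the reply shows.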
@@ -1253,6 +1264,11 @@ static void hub_activate(struct usb_hub
 	/* Allow autosuspend if it was suppressed */
 	if (type <= HUB_INIT3)
 		usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
+
+	if (type == HUB_INIT3)
+		device_unlock(hub->intfdev);
+
+	kref_put(&hub->kref, hub_release);
 }
 
 /* Implement the continuations for the delays above */
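Review bot: the unlock predicate here, `if (type == HUB_INIT3)`, does not mirror the lock predicate in the first hunk, `type == HUB_INIT2 || type == HUB_INIT3`, so a `HUB_INIT2` pass that reaches this point via the `msleep()` branch returns with the interface device still locked. Suggest `if (type == HUB_INIT2 || type == HUB_INIT3) device_unlock(hub->intfdev);` so lock and unlock are taken under the same condition. The `kref_put()` placement looks right: it balances the `kref_get()` from the first hunk for the non-continuation callers, and the intermediate returns in the second hunk deliberately keep the reference alive for the queued continuation.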
