Re: Bug 153551: Kernel panic on Nexus 5X USB unplug while tethering

On 23.08.2016 13:54, Mathias Nyman wrote:
On 23.08.2016 02:21, Jose Marino wrote:
I'm using my phone (Nexus 5X running Android) to tether a USB connection to my laptop (XPS 15 9550). I plug the phone through the USB-C connection and in the phone I select USB tethering. Initially things look normal: a usb0 network interface appears in the laptop and it tries to get an IP with dhcp. However, I observe two different behaviors depending on whether it's a fresh boot, or I have suspend/resumed the laptop. In a fresh boot everything works fine, I get an IP and the connection works as expected. If I unplug the phone, everything also works as expected.

However, after a suspend/resume cycle, I plug the phone in but the laptop never connects to it. The usb0 interface still appears, but the dhcp daemon is unable to get any response and finally times out. The fun part happens when I unplug the phone. I consistently get a kernel panic.

...
Anyways, I'll look at that panic in more detail as well


<6>[  178.693631] xhci_hcd 0000:3e:00.0: USB bus 4 deregistered
<6>[  178.693642] xhci_hcd 0000:3e:00.0: remove, state 1
<6>[  178.693648] usb usb3: USB disconnect, device number 1
<4>[  183.634994] xhci_hcd 0000:3e:00.0: xHCI host not responding to stop endpoint command.
<4>[  183.635001] xhci_hcd 0000:3e:00.0: Assuming host is dying, halting host.
<4>[  183.635019] xhci_hcd 0000:3e:00.0: Host not halted after 16000 microseconds.
<4>[  183.635022] xhci_hcd 0000:3e:00.0: Non-responsive xHCI host is not halting.
<4>[  183.635025] xhci_hcd 0000:3e:00.0: Completing active URBs anyway.
<1>[  183.635116] BUG: unable to handle kernel NULL pointer dereference at           (null)
<1>[  183.635402] IP: [<ffffffffa006d196>] usb_hc_died+0x16/0xc0 [usbcore]


Looks like the 5 second command timeout timer for stop endpoint commands causes this.
The timer (stop_cmd_timer) will call
xhci_stop_endpoint_command_watchdog(), which calls
  usb_hc_died(xhci_to_hcd(xhci)->primary_hcd)

but the hcds are probably freed and the pointers set to NULL already -> NULL pointer dereference.

The timer should be synchronously deleted when the device is freed, unless xhci_free_dev()
returns early.

So either hub_free_dev() is not called for this device at hcd removal, or xhci_free_dev returns early.

hub_free_dev()
  hcd->driver->free_dev(hcd, udev);
    xhci_free_dev()
      (possible early return here)
      for (i = 0; i < 31; ++i) {
                virt_dev->eps[i].ep_state &= ~EP_HALT_PENDING;
                del_timer_sync(&virt_dev->eps[i].stop_cmd_timer);

-Mathias
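
Added example, not part of the original message and not code from the xhci driver: a userspace C model of the teardown order discussed above, showing how an early return that skips the timer-deletion loop leaves a watchdog that later runs against a NULL hcd. The struct layout and the names `model_free_dev`, `model_fire_timers` and `simulate_unplug` are assumptions made for illustration.

```c
/* Userspace model (constructed, not kernel code); names mirror the thread. */
#include <stdbool.h>
#include <stdio.h>

#define NUM_EPS 31

struct hcd { int state; };
struct ep { bool timer_pending; };   /* stands in for stop_cmd_timer */
struct xhci { struct hcd *primary_hcd; struct ep eps[NUM_EPS]; };

/* Models xhci_free_dev(): an early return skips the timer-deletion loop. */
static void model_free_dev(struct xhci *x, bool early_return)
{
    if (early_return)
        return;
    for (int i = 0; i < NUM_EPS; ++i)
        x->eps[i].timer_pending = false;   /* del_timer_sync() equivalent */
}

/* Models timer expiry: counts callbacks that would hand a NULL hcd to
 * usb_hc_died(), instead of actually dereferencing it. */
static int model_fire_timers(struct xhci *x)
{
    int null_derefs = 0;
    for (int i = 0; i < NUM_EPS; ++i) {
        if (!x->eps[i].timer_pending)
            continue;
        x->eps[i].timer_pending = false;
        if (x->primary_hcd == NULL)
            null_derefs++;
    }
    return null_derefs;
}

/* One unplug: arm a timer, free the device, remove the hcd, fire timers. */
int simulate_unplug(bool early_return, int armed_ep)
{
    struct hcd h = { 0 };
    struct xhci x = { .primary_hcd = &h };
    if (armed_ep < 0 || armed_ep >= NUM_EPS)
        return -1;                         /* invalid endpoint index */
    x.eps[armed_ep].timer_pending = true;
    model_free_dev(&x, early_return);
    x.primary_hcd = NULL;                  /* hcd removed, pointer cleared */
    return model_fire_timers(&x);
}

int main(void)
{
    printf("early return:   %d\n", simulate_unplug(true, 2));
    printf("timers deleted: %d\n", simulate_unplug(false, 2));
}
```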