On Mon, Dec 12, 2016 at 7:44 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>
> I'm still puzzled. Can you try running the test with the diagnostic
> patch below? The resulting kernel log ought to help pin down where the
> problem comes from.
Sure, here's the log:
usb 1-1: string descriptor 0 read error: -71
usb 1-1: New USB device found, idVendor=0000, idProduct=0002
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=7
usb 1-1: can't set config #131, error -71
usb 1-1: USB disconnect, device number 45
gadgetfs: bound to dummy_udc driver
dummy: stop_activity
usb 1-1: new full-speed USB device number 46 using dummy_hcd
gadgetfs: connected
dummy: queue ffff88006addc300 ep ep0
dummy: complete ffff88006addc300 ep ep0
dummy: stop_activity
gadgetfs: disconnected
gadgetfs: connected
dummy: queue ffff88006addc300 ep ep0
dummy: complete ffff88006addc300 ep ep0
dummy: queue ffff88006addc300 ep ep0
dummy: complete ffff88006addc300 ep ep0
dummy: queue ffff88006addc300 ep ep0
dummy: complete ffff88006addc300 ep ep0
usb 1-1: config 131 has too many interfaces: 158, using maximum allowed: 32
usb 1-1: config 131 has 1 interface, different from the descriptor's value: 158
dummy: queue ffff88006addc300 ep ep0
dummy: stop_activity
gadgetfs: disconnected
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4892 at drivers/usb/gadget/udc/dummy_hcd.c:675
dummy_free_request+0x153/0x170
Modules linked in:
CPU: 1 PID: 4892 Comm: syz-executor Not tainted 4.9.0-rc7+ #33
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88006b966d10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d72cd35
ffffed000d72cd2d ffff8800615a5800 0000000041b58ab3 ffffffff8598b6d0
ffffffff81f968f8 0000000041b58ab3 ffffffff859412a0 ffffffff813f0590
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
[<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
[<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
[<ffffffff830fcae3>] dummy_free_request+0x153/0x170
drivers/usb/gadget/udc/dummy_hcd.c:675
[<ffffffff830ed1b0>] usb_ep_free_request+0xc0/0x420
drivers/usb/gadget/udc/core.c:195
[<ffffffff83224f21>] gadgetfs_unbind+0x131/0x190
drivers/usb/gadget/legacy/inode.c:1612
[<ffffffff830ebd8f>] usb_gadget_remove_driver+0x10f/0x2b0
drivers/usb/gadget/udc/core.c:1228
[<ffffffff830ec084>] usb_gadget_unregister_driver+0x154/0x240
drivers/usb/gadget/udc/core.c:1357
[<ffffffff83224590>] dev_release+0x80/0x160
drivers/usb/gadget/legacy/inode.c:1187
[<ffffffff81805922>] __fput+0x332/0x7f0 fs/file_table.c:208
[<ffffffff81805e65>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff81338b9b>] task_work_run+0x19b/0x270 kernel/task_work.c:116
[< inline >] exit_task_work ./include/linux/task_work.h:21
[<ffffffff812c7eca>] do_exit+0x16aa/0x2530 kernel/exit.c:828
[<ffffffff812cd749>] do_group_exit+0x149/0x420 kernel/exit.c:932
[<ffffffff812faa9d>] get_signal+0x76d/0x17b0 kernel/signal.c:2307
[<ffffffff811cfee2>] do_signal+0xd2/0x2120 arch/x86/kernel/signal.c:807
[<ffffffff81003d00>] exit_to_usermode_loop+0x170/0x200
arch/x86/entry/common.c:156
[< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
[<ffffffff81007293>] syscall_return_slowpath+0x3d3/0x420
arch/x86/entry/common.c:259
[<ffffffff84f47f62>] entry_SYSCALL_64_fastpath+0xc0/0xc2
arch/x86/entry/entry_64.S:244
---[ end trace a9660fdf4f9ba45b ]---
usb 1-1: string descriptor 0 read error: -71
usb 1-1: New USB device found, idVendor=0000, idProduct=0002
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=7
usb 1-1: can't set config #131, error -71
usb 1-1: USB disconnect, device number 46
gadgetfs: bound to dummy_udc driver
dummy: stop_activity
usb 1-1: new full-speed USB device number 47 using dummy_hcd
dummy: stale ffff88006addc300 ep ep0
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x267/0x280 at addr
ffff88006addc308
Read of size 8 by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G W 4.9.0-rc7+ #33
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88006cb06c60 ffffffff81f96b8a ffffffff00000001 1ffff1000d960d1f
ffffed000d960d17 0000000000000000 0000000041b58ab3 ffffffff8598b6d0
ffffffff81f968f8 ffffffff853df840 ffffffff85cff020 dffffc0000000000
Call Trace:
<IRQ> [ 96.936042] [<ffffffff81f96b8a>] dump_stack+0x292/0x398
[<ffffffff817e4ebc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
[< inline >] print_address_description mm/kasan/report.c:197
[<ffffffff817e5150>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
[< inline >] kasan_report mm/kasan/report.c:306
[<ffffffff817e553e>] __asan_report_load8_noabort+0x3e/0x40
mm/kasan/report.c:327
[<ffffffff8201ad07>] __list_del_entry+0x267/0x280 lib/list_debug.c:48
[< inline >] list_del_init ./include/linux/list.h:145
[<ffffffff830ffe67>] dummy_timer+0x3367/0x35f0
drivers/usb/gadget/udc/dummy_hcd.c:1839
...
Let me know if you need to test something else.
>
> Alan Stern
>
>
>
> Index: usb-4.x/drivers/usb/gadget/udc/dummy_hcd.c
> ===================================================================
> --- usb-4.x.orig/drivers/usb/gadget/udc/dummy_hcd.c
> +++ usb-4.x/drivers/usb/gadget/udc/dummy_hcd.c
> @@ -318,6 +318,7 @@ static void nuke(struct dummy *dum, stru
> struct dummy_request *req;
>
> req = list_entry(ep->queue.next, struct dummy_request, queue);
> + pr_info("dummy: nuke %p ep %s\n", req, ep->ep.name);
> list_del_init(&req->queue);
> req->req.status = -ESHUTDOWN;
>
> @@ -332,6 +333,8 @@ static void stop_activity(struct dummy *
> {
> struct dummy_ep *ep;
>
> + pr_info("dummy: stop_activity\n");
> +
> /* prevent any more requests */
> dum->address = 0;
>
> @@ -719,14 +722,17 @@ static int dummy_queue(struct usb_ep *_e
> req->req.context = dum;
> req->req.complete = fifo_complete;
>
> + pr_info("dummy: fake queue %p ep %s\n", req, _ep->name);
> list_add_tail(&req->queue, &ep->queue);
> spin_unlock(&dum->lock);
> _req->actual = _req->length;
> _req->status = 0;
> usb_gadget_giveback_request(_ep, _req);
> spin_lock(&dum->lock);
> - } else
> + } else {
> + pr_info("dummy: queue %p ep %s\n", req, _ep->name);
> list_add_tail(&req->queue, &ep->queue);
> + }
> spin_unlock_irqrestore(&dum->lock, flags);
>
> /* real hardware would likely enable transfers here, in case
> @@ -755,6 +761,7 @@ static int dummy_dequeue(struct usb_ep *
> spin_lock(&dum->lock);
> list_for_each_entry(req, &ep->queue, queue) {
> if (&req->req == _req) {
> + pr_info("dummy: dequeue %p ep %s\n", req, _ep->name);
> list_del_init(&req->queue);
> _req->status = -ECONNRESET;
> retval = 0;
> @@ -1454,6 +1461,7 @@ top:
>
> /* device side completion --> continuable */
> if (req->req.status != -EINPROGRESS) {
> + pr_info("dummy: complete %p ep %s\n", req, ep->ep.name);
> list_del_init(&req->queue);
>
> spin_unlock(&dum->lock);
> @@ -1827,6 +1835,7 @@ restart:
> setup = *(struct usb_ctrlrequest *) urb->setup_packet;
> /* paranoia, in case of stale queued data */
> list_for_each_entry(req, &ep->queue, queue) {
> + pr_info("dummy: stale %p ep ep0\n", req);
> list_del_init(&req->queue);
> req->req.status = -EOVERFLOW;
> dev_dbg(udc_dev(dum), "stale req = %p\n",
>
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
