On Sun, Oct 13, 2024 at 08:02:02AM -0700, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > INFO: task hung in usb_register_dev All right, that's more like it. Now there's a smoking gun: > INFO: task kworker/0:3:6517 blocked for more than 144 seconds. > Not tainted 6.12.0-rc1-syzkaller-00028-gd73dc7b182be-dirty #0 > "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. > task:kworker/0:3 state:D stack:24240 pid:6517 tgid:6517 ppid:2 flags:0x00004000 > Workqueue: pm pm_runtime_work > Call Trace: > <TASK> > context_switch kernel/sched/core.c:5315 [inline] > __schedule+0x105f/0x34b0 kernel/sched/core.c:6675 > __schedule_loop kernel/sched/core.c:6752 [inline] > schedule+0xe7/0x350 kernel/sched/core.c:6767 > usb_kill_urb.part.0+0x1ca/0x250 drivers/usb/core/urb.c:713 > usb_kill_urb+0x83/0xa0 drivers/usb/core/urb.c:702 > usb_start_wait_urb+0x255/0x4c0 drivers/usb/core/message.c:65 > usb_internal_control_msg drivers/usb/core/message.c:103 [inline] > usb_control_msg+0x327/0x4b0 drivers/usb/core/message.c:154 Unforunately the URB not getting dequeued _is_ a control URB. So let's trace enqueues and dequeues for all URBs. And let's see when the timer handler runs. Alan Stern #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
Index: usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/gadget/udc/dummy_hcd.c
+++ usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
@@ -50,7 +50,7 @@
 #define POWER_BUDGET 500 /* in mA; use 8 for low-power port testing */
 #define POWER_BUDGET_3 900 /* in mA */
-#define DUMMY_TIMER_INT_NSECS 125000 /* 1 microframe */
+#define DUMMY_INT_KTIME ns_to_ktime(125000) /* 1 microframe */
 static const char driver_name[] = "dummy_hcd";
 static const char driver_desc[] = "USB Host+Gadget Emulator";
@@ -1301,10 +1301,12 @@ static int dummy_urb_enqueue(
 dum_hcd->next_frame_urbp = urbp;
 if (usb_pipetype(urb->pipe) == PIPE_CONTROL)
 urb->error_count = 1; /* mark as a new urb */
+ dev_info(dummy_dev(dum_hcd), "Enqueue %p type %d\n", urb,
+ usb_pipetype(urb->pipe));
 /* kick the scheduler, it'll do the rest */
 if (!hrtimer_active(&dum_hcd->timer))
- hrtimer_start(&dum_hcd->timer, ns_to_ktime(DUMMY_TIMER_INT_NSECS),
+ hrtimer_start(&dum_hcd->timer, DUMMY_INT_KTIME,
 HRTIMER_MODE_REL_SOFT);
 done:
@@ -1325,9 +1327,14 @@ static int dummy_urb_dequeue(struct usb_
 rc = usb_hcd_check_unlink_urb(hcd, urb, status);
 if (!rc && dum_hcd->rh_state != DUMMY_RH_RUNNING &&
- !list_empty(&dum_hcd->urbp_list))
- hrtimer_start(&dum_hcd->timer, ns_to_ktime(0), HRTIMER_MODE_REL_SOFT);
-
+ !list_empty(&dum_hcd->urbp_list)) {
+ dev_info(dummy_dev(dum_hcd), "Dequeue restart %p\n", urb);
+ hrtimer_start(&dum_hcd->timer, DUMMY_INT_KTIME,
+ HRTIMER_MODE_REL_SOFT);
+ } else {
+ dev_info(dummy_dev(dum_hcd), "Dequeue norestart: %d %p\n",
+ rc, urb);
+ }
 spin_unlock_irqrestore(&dum_hcd->dum->lock, flags);
 return rc;
 }
@@ -1813,6 +1820,7 @@ static enum hrtimer_restart dummy_timer(
 /* look at each urb queued by the host side driver */
 spin_lock_irqsave(&dum->lock, flags);
+ dev_info(dummy_dev(dum_hcd), "Timer handler\n");
 if (!dum_hcd->udev) {
 dev_err(dummy_dev(dum_hcd),
@@ -1984,6 +1992,7 @@ return_urb:
 ep->already_seen = ep->setup_stage = 0;
 usb_hcd_unlink_urb_from_ep(dummy_hcd_to_hcd(dum_hcd), urb);
+ dev_info(dummy_dev(dum_hcd), "Giveback %p\n", urb);
 spin_unlock(&dum->lock);
 usb_hcd_giveback_urb(dummy_hcd_to_hcd(dum_hcd), urb, status);
 spin_lock(&dum->lock);
@@ -1995,8 +2004,7 @@ return_urb:
 usb_put_dev(dum_hcd->udev);
 dum_hcd->udev = NULL;
 } else if (dum_hcd->rh_state == DUMMY_RH_RUNNING) {
- /* want a 1 msec delay here */
- hrtimer_start(&dum_hcd->timer, ns_to_ktime(DUMMY_TIMER_INT_NSECS),
+ hrtimer_start(&dum_hcd->timer, DUMMY_INT_KTIME,
 HRTIMER_MODE_REL_SOFT);
 }
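Review bot: The Enqueue trace in dummy_urb_enqueue does not record whether the `hrtimer_active()` guard just below it skipped the timer restart, and that decision is what determines whether a newly queued URB is ever scanned. `hrtimer_active()` is documented to return true while the callback is still executing as well as while the timer is queued, so an enqueue that lands as dummy_timer is finishing could plausibly skip the restart; that is inferred, not shown by the hunk. Logging the value would make it visible in the syzbot console: `dev_info(dummy_dev(dum_hcd), "Enqueue %p type %d active %d\n", urb, usb_pipetype(urb->pipe), hrtimer_active(&dum_hcd->timer));`. The function body starts and ends outside the hunk.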
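Review bot: The restart delay in dummy_urb_dequeue changes from `ns_to_ktime(0)` to `DUMMY_INT_KTIME`, and the dummy_bus_resume hunk makes the same substitution, which is a behaviour change the message (tracing only) does not mention. If the hang stops reproducing with this patch, the log cannot say whether the added delay or the tracing was responsible, and the run is no longer comparable with the previous one. For a tracing-only test keep `hrtimer_start(&dum_hcd->timer, ns_to_ktime(0), HRTIMER_MODE_REL_SOFT);` in both places, or state the delay change and its reason in the message. Both calls are also made without an `hrtimer_active()` check, so on an already queued timer they would appear to push the expiry later rather than bring it forward as the zero delay did.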
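Review bot: The `dev_info()` added at the top of dummy_timer runs on every expiry with `dum->lock` held and interrupts disabled, and it records none of the state that decides whether the handler re-arms. With the interval defined as 125000 ns, that is potentially thousands of console lines per second while URBs are queued, which may shift the timing under test and bury the hung-task report. If the line stays, make each one carry the inputs to the re-arm decision, for example `dev_info(dummy_dev(dum_hcd), "Timer handler rh_state %d empty %d\n", dum_hcd->rh_state, list_empty(&dum_hcd->urbp_list));`. The handler body continues outside the hunk.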
@@ -2391,7 +2399,8 @@ static int dummy_bus_resume(struct usb_h
 dum_hcd->rh_state = DUMMY_RH_RUNNING;
 set_link_state(dum_hcd);
 if (!list_empty(&dum_hcd->urbp_list))
- hrtimer_start(&dum_hcd->timer, ns_to_ktime(0), HRTIMER_MODE_REL_SOFT);
+ hrtimer_start(&dum_hcd->timer, DUMMY_INT_KTIME,
+ HRTIMER_MODE_REL_SOFT);
 hcd->state = HC_STATE_RUNNING;
 }
 spin_unlock_irq(&dum_hcd->dum->lock);