On Mon, Oct 14, 2024 at 11:42:02AM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
Let's try to get some more debugging info.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git v6.12-rc3
Index: usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/gadget/udc/dummy_hcd.c
+++ usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
@@ -50,7 +50,7 @@
 #define POWER_BUDGET 500 /* in mA; use 8 for low-power port testing */
 #define POWER_BUDGET_3 900 /* in mA */
-#define DUMMY_TIMER_INT_NSECS 125000 /* 1 microframe */
+#define DUMMY_INT_KTIME ns_to_ktime(125000) /* 1 microframe */
 static const char driver_name[] = "dummy_hcd";
 static const char driver_desc[] = "USB Host+Gadget Emulator";
@@ -257,6 +257,9 @@ struct dummy_hcd {
 unsigned active:1;
 unsigned old_active:1;
 unsigned resuming:1;
+
+ int alanflag;
+ const char *alanstr;
 };
 struct dummy {
@@ -323,6 +326,14 @@ static inline struct dummy *gadget_dev_t
 return container_of(dev, struct dummy, gadget.dev);
 }
+void alandbg(struct dummy_hcd *dum_hcd, const char *str);
+void alandbg(struct dummy_hcd *dum_hcd, const char *str)
+{
+ dum_hcd->alanstr = str;
+ if (dum_hcd->alanflag)
+ dev_info(dummy_dev(dum_hcd), str);
+}
+
 /*-------------------------------------------------------------------------*/
 /* DEVICE/GADGET SIDE UTILITY ROUTINES */
@@ -1303,9 +1314,11 @@ static int dummy_urb_enqueue(
 urb->error_count = 1; /* mark as a new urb */
 /* kick the scheduler, it'll do the rest */
- if (!hrtimer_active(&dum_hcd->timer))
- hrtimer_start(&dum_hcd->timer, ns_to_ktime(DUMMY_TIMER_INT_NSECS),
+ if (!hrtimer_active(&dum_hcd->timer)) {
+ alandbg(dum_hcd, "start1");
+ hrtimer_start(&dum_hcd->timer, DUMMY_INT_KTIME,
 HRTIMER_MODE_REL_SOFT);
+ }
 done:
 spin_unlock_irqrestore(&dum_hcd->dum->lock, flags);
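Review bot: In the new `alandbg()` helper, `dev_info(dummy_dev(dum_hcd), str);` passes a variable as the format string. Every caller visible in this patch passes a literal with no conversion specifiers, so nothing is misinterpreted as written, but the call gives up compile-time format checking, trips -Wformat-security, and prints the marker without a trailing newline; `dev_info(dummy_dev(dum_hcd), "%s\n", str);` avoids all three. The helper also gets external linkage plus a self-prototype, apparently only to quiet a missing-prototype warning; declaring it `static void alandbg(struct dummy_hcd *dum_hcd, const char *str)` keeps the name out of the global namespace and makes the extra prototype unnecessary.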
@@ -1325,9 +1338,19 @@ static int dummy_urb_dequeue(struct usb_
 rc = usb_hcd_check_unlink_urb(hcd, urb, status);
 if (!rc && dum_hcd->rh_state != DUMMY_RH_RUNNING &&
- !list_empty(&dum_hcd->urbp_list))
- hrtimer_start(&dum_hcd->timer, ns_to_ktime(0), HRTIMER_MODE_REL_SOFT);
-
+ !list_empty(&dum_hcd->urbp_list)) {
+ dev_info(dummy_dev(dum_hcd), "Dequeue restart %p\n", urb);
+ hrtimer_start(&dum_hcd->timer, DUMMY_INT_KTIME,
+ HRTIMER_MODE_REL_SOFT);
+ alandbg(dum_hcd, "start2");
+ } else {
+ dev_info(dummy_dev(dum_hcd), "Dequeue norestart: %d %d %d %p active %d %s\n",
+ rc, dum_hcd->rh_state,
+ list_empty(&dum_hcd->urbp_list), urb,
+ hrtimer_active(&dum_hcd->timer),
+ dum_hcd->alanstr);
+ }
+ ++dum_hcd->alanflag;
 spin_unlock_irqrestore(&dum_hcd->dum->lock, flags);
 return rc;
 }
@@ -1813,10 +1836,12 @@ static enum hrtimer_restart dummy_timer(
 /* look at each urb queued by the host side driver */
 spin_lock_irqsave(&dum->lock, flags);
+ alandbg(dum_hcd, "handler1");
 if (!dum_hcd->udev) {
 dev_err(dummy_dev(dum_hcd),
 "timer fired with no URBs pending?\n");
+ alandbg(dum_hcd, "handler2");
 spin_unlock_irqrestore(&dum->lock, flags);
 return HRTIMER_NORESTART;
 }
@@ -1984,6 +2009,8 @@ return_urb:
 ep->already_seen = ep->setup_stage = 0;
 usb_hcd_unlink_urb_from_ep(dummy_hcd_to_hcd(dum_hcd), urb);
+ if (dum_hcd->alanflag)
+ dev_info(dummy_dev(dum_hcd), "Giveback %p\n", urb);
 spin_unlock(&dum->lock);
 usb_hcd_giveback_urb(dummy_hcd_to_hcd(dum_hcd), urb, status);
 spin_lock(&dum->lock);
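Review bot: The restart branch in dummy_urb_dequeue() now arms the timer with `DUMMY_INT_KTIME` where it previously used `ns_to_ktime(0)`, so this instrumentation patch also changes the timing of the path being debugged; the dummy_bus_resume() hunk makes the same substitution. If that is not intentional, keeping `ns_to_ktime(0)` at those two sites leaves the instrumented kernel behaving like the one that reproduced the issue; if it is intentional, it deserves a sentence in the description. Both `dev_info()` calls in this hunk run on every dequeue while dum->lock is held with interrupts off (the matching `spin_unlock_irqrestore()` is in the context lines), which adds console latency inside the critical section and can flood the log; `dev_info_ratelimited()` would bound that. The beginning of the function lies outside the hunk.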
@@ -1994,12 +2021,17 @@ return_urb:
 if (list_empty(&dum_hcd->urbp_list)) {
 usb_put_dev(dum_hcd->udev);
 dum_hcd->udev = NULL;
+ alandbg(dum_hcd, "handler3");
 } else if (dum_hcd->rh_state == DUMMY_RH_RUNNING) {
- /* want a 1 msec delay here */
- hrtimer_start(&dum_hcd->timer, ns_to_ktime(DUMMY_TIMER_INT_NSECS),
+ alandbg(dum_hcd, "handler-start");
+ hrtimer_start(&dum_hcd->timer, DUMMY_INT_KTIME,
 HRTIMER_MODE_REL_SOFT);
+ } else {
+ alandbg(dum_hcd, "handler4");
 }
+ if (dum_hcd->alanflag > 0)
+ --dum_hcd->alanflag;
 spin_unlock_irqrestore(&dum->lock, flags);
 return HRTIMER_NORESTART;
@@ -2390,8 +2422,11 @@ static int dummy_bus_resume(struct usb_h
 } else {
 dum_hcd->rh_state = DUMMY_RH_RUNNING;
 set_link_state(dum_hcd);
- if (!list_empty(&dum_hcd->urbp_list))
- hrtimer_start(&dum_hcd->timer, ns_to_ktime(0), HRTIMER_MODE_REL_SOFT);
+ if (!list_empty(&dum_hcd->urbp_list)) {
+ alandbg(dum_hcd, "start3");
+ hrtimer_start(&dum_hcd->timer, DUMMY_INT_KTIME,
+ HRTIMER_MODE_REL_SOFT);
+ }
 hcd->state = HC_STATE_RUNNING;
 }
 spin_unlock_irq(&dum_hcd->dum->lock);
@@ -2490,6 +2525,7 @@ static int dummy_start(struct usb_hcd *h
 {
 struct dummy_hcd *dum_hcd = hcd_to_dummy_hcd(hcd);
+ dum_hcd->alanstr = "init";
 /*
 * HOST side init ... we emulate a root hub that'll only ever
 * talk to one device (the gadget side). Also appears in sysfs,
@@ -2521,6 +2557,7 @@ static void dummy_stop(struct usb_hcd *h
 {
 struct dummy_hcd *dum_hcd = hcd_to_dummy_hcd(hcd);
+ alandbg(dum_hcd, "cancel");
 hrtimer_cancel(&dum_hcd->timer);
 device_remove_file(dummy_dev(dum_hcd), &dev_attr_urbs);
 dev_info(dummy_dev(dum_hcd), "stopped\n");
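Review bot: `alandbg(dum_hcd, "cancel");` in dummy_stop() writes `alanstr` and reads `alanflag` with no lock visible in the hunk, whereas the other `alandbg()` call sites added by this patch appear to sit between a lock and unlock of dum->lock. Until `hrtimer_cancel()` returns, dummy_timer() can still run and store its own marker, so the string later printed by the "Dequeue norestart" message may not reflect the real order of events. Wrapping only the marker, `spin_lock_irq(&dum_hcd->dum->lock); alandbg(dum_hcd, "cancel"); spin_unlock_irq(&dum_hcd->dum->lock);`, keeps the trace trustworthy; `hrtimer_cancel()` itself has to stay outside the lock because the handler takes it. dummy_stop() continues past the end of the hunk.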