On Wed, Oct 16, 2024 at 11:44:45AM -0400, Alan Stern wrote:
> The syzbot fuzzer has been encountering "task hung" problems ever
> since the dummy-hcd driver was changed to use hrtimers instead of
> regular timers. It turns out that the problems are caused by a subtle
> difference between the timer_pending() and hrtimer_active() APIs.
>
> The changeover blindly replaced the first by the second. However,
> timer_pending() returns True when the timer is queued but not when its
> callback is running, whereas hrtimer_active() returns True when the
> hrtimer is queued _or_ its callback is running. This difference
> occasionally caused dummy_urb_enqueue() to think that the callback
> routine had not yet started when in fact it was almost finished. As a
> result the hrtimer was not restarted, which made it impossible for the
> driver to dequeue later the URB that was just enqueued. This caused
> usb_kill_urb() to hang, and things got worse from there.
>
> Since hrtimers have no API for telling when they are queued and the
> callback isn't running, the driver must keep track of this for itself.
> That's what this patch does, adding a new "timer_pending" flag and
> setting or clearing it at the appropriate times.
>
> Reported-by: syzbot+f342ea16c9d06d80b585@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://lore.kernel.org/linux-usb/6709234e.050a0220.3e960.0011.GAE@xxxxxxxxxx/
> Tested-by: syzbot+f342ea16c9d06d80b585@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> Fixes: a7f3813e589f ("usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler")
> Cc: Marcello Sylvester Bauer <sylv@xxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
>
> ---
>
> I expect this will fix a lot of the bugs that syzbot has found in the
> last few months.

Nice!  Thanks for tracking this down and fixing it.

greg k-h
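The timer-state mismatch the quoted message describes, reduced to a constructed single-threaded model. This is an added illustration, not the dummy-hcd driver's code and not the patch itself: the three-state timer, the two predicates, the re-arm policy (the callback services only what was queued when it started and relies on the enqueue path to restart the timer) and the scenario function are all assumptions made here so that the race can be stepped through without a kernel. It checks the same enqueue-time test twice, once with an hrtimer_active()-style predicate and once with a driver-kept "timer_pending" flag, and reports whether the URB that arrived during the callback's tail is left with no timer to service it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a timer that is idle, queued, or running its callback.
 * Being single-threaded, "the callback is running" is a state we can hold
 * while another path (enqueue) executes, which stands in for the real race. */
enum timer_state { TIMER_IDLE, TIMER_QUEUED, TIMER_RUNNING };

struct model_timer {
	enum timer_state state;
	bool restart_requested;	/* start() was called while the callback ran */
};

/* Model of timer_pending(): true only while queued, not while running. */
static bool model_timer_pending(const struct model_timer *t)
{
	return t->state == TIMER_QUEUED;
}

/* Model of hrtimer_active(): true while queued OR while the callback runs. */
static bool model_hrtimer_active(const struct model_timer *t)
{
	return t->state == TIMER_QUEUED || t->state == TIMER_RUNNING;
}

static void model_timer_start(struct model_timer *t)
{
	if (t->state == TIMER_RUNNING)
		t->restart_requested = true;	/* honoured when the callback returns */
	else
		t->state = TIMER_QUEUED;
}

struct model_hcd {
	struct model_timer timer;
	bool timer_pending;	/* driver-kept flag: queued and callback not running */
	int queued_urbs;	/* URBs waiting for the callback (hypothetical counter) */
	int serviced_urbs;
};

enum check_kind { CHECK_HRTIMER_ACTIVE, CHECK_DRIVER_FLAG };

/* Enqueue path: restart the timer unless the chosen check says it is queued. */
static void model_urb_enqueue(struct model_hcd *h, enum check_kind kind)
{
	bool already_queued = (kind == CHECK_HRTIMER_ACTIVE)
			    ? model_hrtimer_active(&h->timer)
			    : h->timer_pending;

	h->queued_urbs++;
	if (!already_queued) {
		h->timer_pending = true;
		model_timer_start(&h->timer);
	}
}

/* Callback: services the URBs present at entry. With late_enqueue set, an
 * enqueue lands while the callback is almost finished, the window the patch
 * message describes. (Assumed policy: the callback does not re-arm itself.) */
static void model_timer_callback(struct model_hcd *h, enum check_kind kind,
				 bool late_enqueue)
{
	h->timer.state = TIMER_RUNNING;
	h->timer_pending = false;	/* queued -> running: no longer pending */
	h->serviced_urbs += h->queued_urbs;
	h->queued_urbs = 0;

	if (late_enqueue)
		model_urb_enqueue(h, kind);

	/* callback returns */
	if (h->timer.restart_requested) {
		h->timer.restart_requested = false;
		h->timer.state = TIMER_QUEUED;
	} else {
		h->timer.state = TIMER_IDLE;
	}
}

/* Run the scenario; returns true if a URB is left queued with no timer armed
 * to service it (the condition that, in the driver, ends in a hung dequeue). */
bool urb_gets_stuck(enum check_kind kind)
{
	struct model_hcd h;

	memset(&h, 0, sizeof(h));
	model_urb_enqueue(&h, kind);		/* first URB arms the timer */
	model_timer_callback(&h, kind, true);	/* callback runs; late URB races in */
	return h.queued_urbs > 0 && !model_timer_pending(&h.timer);
}

int main(void)
{
	printf("hrtimer_active() check: %s\n",
	       urb_gets_stuck(CHECK_HRTIMER_ACTIVE) ? "URB stuck" : "ok");
	printf("driver timer_pending flag: %s\n",
	       urb_gets_stuck(CHECK_DRIVER_FLAG) ? "URB stuck" : "ok");
	return 0;
}
```

The flag works because it is cleared at the one moment the hrtimer API cannot report on its own, the transition from queued to running; an enqueue that lands after that point sees "not pending" and restarts the timer, whereas the active() predicate still answers "yes" and the restart is skipped.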