Re: [xhci] null pointer dereference on ring_doorbell_for_active_rings


 




Hi

I just started looking at this issue as well from xhci perspective.
From your Oops backtrace I can see that ring_doorbell_for_active_rings() was called from handle_cmd_completion()

This should only happen if XHCI_RESET_EP_QUIRK is set, i.e. you have a Fresco Logic host controller.

In that case the ep_index calculation in handle_cmd_completion() looks suspicious, it looks like we do a "-1" subtraction twice.

/* Input ctx add_flags are the endpoint index plus one */
ep_index = xhci_last_valid_endpoint(le32_to_cpu(ctrl_ctx->add_flags)) - 1;

xhci_last_valid_endpoint() already does a "-1"

could you try something like:

- ep_index = xhci_last_valid_endpoint(le32_to_cpu(ctrl_ctx->add_flags)) - 1;
+ ep_index = xhci_last_valid_endpoint(le32_to_cpu(ctrl_ctx->add_flags));
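
Review bot: the comment directly above this line says add_flags are the endpoint index plus one, which is the stated reason for the "- 1"; if the subtraction goes, that comment has to be reconciled with what xhci_last_valid_endpoint() returns, and the changelog should show the arithmetic for one concrete add_flags value. Either way, ep_index is later used unchecked as an index into eps[] in ring_doorbell_for_active_rings(), so a range check before that call would turn a wrong value into a warning rather than an oops.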

and see if it helps?

-Mathias

On 07/09/2013 08:08 PM, Oleksij Rempel wrote:
You are right.

This problem didn't disappear, it is just masked and has another side effect.
I get corrupt buffers after reloading ath9k_htc (wifi usb adapter) ...
sometimes the laptop will crash in the same way as the bug I reported to you
before. If I reduce the command buffer size (and size of urb) or reload the
xhci_hcd module I can avoid crashes or buffer corruption. Looks like
some part of memory is corrupt.
Then I noticed some problems with the usb mouse. It just stops responding. I
assumed a hardware problem, but after reloading xhci_hcd I can bring the mouse
back. In the case of the mouse, I just can't check if the buffers are ok.

PS: I had a similar problem with i915. It got a null pointer dereference on
attaching a vga cable. See:
https://bugs.freedesktop.org/show_bug.cgi?id=48652#c107
But it seems to be fixed by disabling "Intel VT-d". Suddenly it won't
solve the problem with xhcd... maybe these problems have the same root.

On 08.07.2013 18:37, Sarah Sharp wrote:
On Sat, Jul 06, 2013 at 11:13:15AM +0200, Oleksij Rempel wrote:
Hi Sarah,

thank you, or whoever fixed this issue. With the latest wireless-testing
I can't reproduce my crash any more. Instead I get these messages:

What kernel is your wireless-testing branch based on?

It would be nice to know which patch fixed your issue, since AFAIK we
didn't make a concerted effort to fix it yet. Any chance you can do a
git bisect? I'm afraid some other change in the wireless stack is
masking an xHCI driver bug.

Sarah Sharp


[ 4510.621603] ath9k_htc: Driver unloaded
[ 4516.407764] usb 3-2: reset high-speed USB device number 4 using xhci_hcd
[ 4516.430175] xhci_hcd 0000:00:14.0: xHCI xhci_drop_endpoint called with disabled ep ffff880113f39c00
[ 4516.430179] xhci_hcd 0000:00:14.0: xHCI xhci_drop_endpoint called with disabled ep ffff880113f39c40
[ 4516.430181] xhci_hcd 0000:00:14.0: xHCI xhci_drop_endpoint called with disabled ep ffff880113f39c80
[ 4516.430183] xhci_hcd 0000:00:14.0: xHCI xhci_drop_endpoint called with disabled ep ffff880113f39cc0
[ 4516.430185] xhci_hcd 0000:00:14.0: xHCI xhci_drop_endpoint called with disabled ep ffff880113f39d00
[ 4516.430186] xhci_hcd 0000:00:14.0: xHCI xhci_drop_endpoint called with disabled ep ffff880113f39d40
[ 4516.430855] usb 3-2: ath9k_htc: Firmware htc_9271.fw requested
[ 4516.431139] usbcore: registered new interface driver ath9k_htc


On 11.06.2013 19:34, Sarah Sharp wrote:
On Mon, Jun 10, 2013 at 08:55:56AM +0200, Oleksij Rempel wrote:
Hello all,

I'm working on usb_autosuspend for ath9k_htc and triggered this
oops. Currently I do not know if the real bug is in ath9k_htc or in
xhci. The same adapter with the same kernel and my patches works fine on an ehci
host... so maybe it is xhci.

Which kernel version is this oops on? I suspect it's an xHCI issue.

Please turn on CONFIG_USB_XHCI_HCD_DEBUGGING and CONFIG_USB_DEBUG and
send me dmesg, from the beginning of connecting the device to when it is
suspended and then resumed. That will be a lot of output, so feel free
to compress it.

Sarah Sharp

I get an oops on this line:
426 static void ring_doorbell_for_active_rings(struct xhci_hcd *xhci,
427 unsigned int slot_id,
428 unsigned int ep_index)
429 {
430 unsigned int stream_id;
431 struct xhci_virt_ep *ep;
432
433 ep = &xhci->devs[slot_id]->eps[ep_index];
^^^ ^^^^^^^^^^^^^^^^^^^^^^^

Changes for ath9k_htc are in the attachment, and a photo of the oops is here:
https://plus.google.com/u/0/102032716864870215256/posts/a9d8nFsLhYK
--
Regards,
Oleksij

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c
b/drivers/net/wireless/ath/ath9k/hif_usb.c
index f5dda84..3d74575 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1368,6 +1368,7 @@ static struct usb_driver ath9k_hif_usb_driver
= {
.suspend = ath9k_hif_usb_suspend,
.resume = ath9k_hif_usb_resume,
.reset_resume = ath9k_hif_usb_resume,
+ .supports_autosuspend = 1,
#endif
.id_table = ath9k_hif_usb_ids,
.soft_unbind = 1,
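Review bot: with .supports_autosuspend = 1 the existing .suspend/.resume/.reset_resume callbacks can now run at runtime while the driver stays bound, not only around system sleep; the changelog should state that ath9k_hif_usb_suspend() and ath9k_hif_usb_resume() were checked for that case (URBs in flight, firmware state after reset_resume), since the other file only holds a PM reference between ath9k_htc_start() and ath9k_htc_stop().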
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
index 0743a47..20be8a1 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
@@ -905,6 +905,7 @@ static int ath9k_htc_start(struct ieee80211_hw
*hw)
struct ath_hw *ah = priv->ah;
struct ath_common *common = ath9k_hw_common(ah);
struct ieee80211_channel *curchan = hw->conf.chandef.chan;
+ struct hif_device_usb *hif_dev = priv->htc->hif_dev;
struct ath9k_channel *init_channel;
int ret = 0;
enum htc_phymode mode;
@@ -917,6 +918,14 @@ static int ath9k_htc_start(struct ieee80211_hw
*hw)
"Starting driver with initial channel: %d MHz\n",
curchan->center_freq);

+ ret = usb_autopm_get_interface(hif_dev->interface);
+ if (ret < 0) {
+ ath_err(common,
+ "Unable wake up hardware\n");
+ mutex_unlock(&priv->mutex);
+ return ret;
+ }
+
/* Ensure that HW is awake before flushing RX */
ath9k_htc_setpower(priv, ATH9K_PM_AWAKE);
WMI_CMD(WMI_FLUSH_RECV_CMDID);
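Review bot: usb_autopm_get_interface() is called here with priv->mutex held (the error branch has to unlock it), and it can resume the device synchronously, so confirm that ath9k_hif_usb_resume() never takes priv->mutex; taking the PM reference before the lock would avoid the question. Any failure return later in ath9k_htc_start() also needs a matching usb_autopm_put_interface(), and the message should read "Unable to wake up hardware" and include ret.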
@@ -972,6 +981,7 @@ static void ath9k_htc_stop(struct ieee80211_hw
*hw)
{
struct ath9k_htc_priv *priv = hw->priv;
struct ath_hw *ah = priv->ah;
+ struct hif_device_usb *hif_dev = priv->htc->hif_dev;
struct ath_common *common = ath9k_hw_common(ah);
int ret __attribute__ ((unused));
u8 cmd_rsp;
@@ -1022,6 +1032,8 @@ static void ath9k_htc_stop(struct
ieee80211_hw *hw)

set_bit(OP_INVALID, &priv->op_flags);

+ usb_autopm_put_interface(hif_dev->interface);
+
ath_dbg(common, CONFIG, "Driver halt\n");
mutex_unlock(&priv->mutex);
}
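Review bot: this usb_autopm_put_interface() is unconditional, while the matching get in ath9k_htc_start() only succeeds on one path; if ath9k_htc_stop() can run without a prior successful start, or returns before reaching this line, the usage count goes out of balance and the device either never autosuspends or suspends while in use. Pair the put with a flag set when the get succeeded, or document why start and stop are always balanced.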


--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html



--
Regards,
Oleksij



