Hello Tom,

On 12/09/18(Wed) 18:58, Tom Murphy wrote:
> On Wed, Sep 12, 2018 at 12:55:01PM -0300, Martin Pieuchot wrote:
> > On 08/09/18(Sat) 12:07, Tom Murphy wrote:
> > > On Thu, Sep 06, 2018 at 01:06:50PM -0300, Martin Pieuchot wrote:
> > > > Tom, as I said previously you've found a race in the ugen(4) driver.
> > > >
> > > > That's the symptom:
> > > >
> > > > > [...]
> > > > > usb_detach_wait: ugen1 didn't detach
> > > >
> > > > To be able to understand which race we are chasing, could you rebuild a
> > > > kernel with UGEN_DEBUG defined and set `ugendebug' to 6?
> > >
> > > OK, here's the output for each step. Below that will be the dmesg and the
> > > backtrace.
> >
> > Thanks a lot, but I need the same outputs with both UGEN_DEBUG and
> > XHCI_DEBUG, and of course `ugendebug' set to 6 :)
> >
> > The interaction between ugen(4), the stack and xhci(4) is what will tell
> > us where the use-after-free is :)
>
> Oh, sorry about that, I had replaced XHCI_DEBUG with UGEN_DEBUG.
>
> Anyway, here's testing under a kernel with both turned on and the ugendebug
> set to 6:
>
> 1. Plugging in phone
>
> xhci0: port=7 change=0x80
> xhci0: port=7 change=0x80
> xhci0: xhci_cmd_slot_control
> xhci0: dev 3, input=0xffffff0077164000 slot=0xffffff0077164020
> ep0=0xffffff0077164040
> xhci0: dev 3, setting DCBAA to 0x0000000077165000
> xhci_pipe_init: pipe=0xffff800001596000 addr=0 depth=1 port=7 speed=3 dev 3
> dci 1 (epAddr=0x0)
> xhci0: xhci_cmd_set_address BSR=1
> xhci0: xhci_cmd_set_address BSR=0
> xhci0: dev 3 addr 3
> ugen1 at uhub0 port 7 "motorola XT1039" rev 2.00/2.28 addr 4
> ugen_set_config: ugen1 to configno 1, sc=0xffff800001534000
> ugen_set_config: ifaceno 0
> ugen_set_config: endptno 0, endpt=0x81(1,128), sce=0xffff800001534468
> ugen_set_config: endptno 1, endpt=0x01(1,0), sce=0xffff800001534310
>
> 2. Starting adb
>
> ugenopen: flag=3, mode=8192, unit=0 endpt=0
> ugenopen: flag=3, mode=8192, unit=1 endpt=0
> ugenioctl: cmd=80045572
> ugenioctl: cmd=c020556f
> xhci0: short xfer 0xffffff047d8afe10 for 48
> ugenioctl: cmd=80045572
> ugenioctl: cmd=c020556f
> xhci0: short xfer 0xffffff047d8afe10 for 51
> ugenopen: flag=3, mode=8192, unit=1 endpt=1
> ugenopen: sc=0xffff800001534000, endpt=1, dir=0, sce=0xffff800001534310
> xhci_pipe_init: pipe=0xffff800001550000 addr=4 depth=1 port=7 speed=3 dev 3
> dci 2 (epAddr=0x1)
> xhci0: xhci_cmd_configure_ep dev 3
> ugenopen: flag=3, mode=8192, unit=1 endpt=1
> ugenopen: sc=0xffff800001534000, endpt=1, dir=0, sce=0xffff800001534310
> xhci_pipe_init: pipe=0xffff8000015e2000 addr=4 depth=1 port=7 speed=3 dev 3
> dci 2 (epAddr=0x1)
> xhci0: xhci_cmd_configure_ep dev 3
> ugenopen: sc=0xffff800001534000, endpt=1, dir=1, sce=0xffff800001534468
> xhci_pipe_init: pipe=0xffff8000015e3000 addr=4 depth=1 port=7 speed=3 dev 3
> dci 3 (epAddr=0x81)
> xhci0: xhci_cmd_configure_ep dev 3
> ugenioctl: cmd=80045572
> ugenioctl: cmd=80045571
> ugen1: ugenread: 1
> ugenread: start transfer 24 bytes
> ugenopen: sc=0xffff800001534000, endpt=1, dir=1, sce=0xffff800001534468
> xhci_pipe_init: pipe=0xffff8000015e4000 addr=4 depth=1 port=7 speed=3 dev 3
> dci 3 (epAddr=0x81)
> xhci0: xhci_cmd_configure_ep dev 3
> ugenioctl: cmd=80045572
> ugen1: ugenwrite: 1
> ugenwrite: transfer 24 bytes
> ugenopen: flag=3, mode=8192, unit=0 endpt=0
> ugenopen: flag=3, mode=8192, unit=0 endpt=0
> ugenopen: flag=3, mode=8192, unit=0 endpt=0
> ugenopen: flag=3, mode=8192, unit=0 endpt=0
> ugenopen: flag=3, mode=8192, unit=0 endpt=0
> ugenopen: flag=3, mode=8192, unit=0 endpt=0
>
> 3. Unplugged phone
>
> ugenopen: flag=3, mode=8192, unit=0 endpt=0
> ugenopen: flag=3, mode=8192, unit=0 endpt=0
> ugenopen: flag=3, mode=8192, unit=0 endpt=0
> xhci0: port=7 change=0x80
> ugen_detach: sc=0xffff800001534000 flags=1
> xhci_abort_xfer: xfer=0xffffff047d8afc30 status=IN_PROGRESS err=CANCELLED
> actlen=0 len=24 idx=0
> xhci0: xhci_cmd_stop_ep dev 3 dci 2
> xhci0: wrong trb index (4294967040) max is 255
> xhci0: xhci_cmd_set_tr_deq_async dev 3 dci 2
>
> 4. Plug back in phone
At that moment you don't need to plug the phone back in. The ugen(4) driver
has flawed logic where it waits 1 min for all the transfers to finish. So
just wait until you see:

  usb_detach_wait: ugen1 didn't detach

What would help a lot is the output of:

  # ps -lAk

after unplugging the phone but before seeing "usb_detach_wait". If you can
also get this output after seeing the message & before killing the server,
that would also help.

Cheers,
Martin
