On 23.08.2016 13:54, Mathias Nyman wrote:
On 23.08.2016 02:21, Jose Marino wrote:
I'm using my phone (Nexus 5X running Android) to tether a USB connection to my
laptop (XPS 15 9550). I plug the phone through the USB-C connection and in the
phone I select USB tethering. Initially things look normal: a usb0 network
interface appears in the laptop and it tries to get an IP with dhcp. However, I
observe two different behaviors depending on whether it's a fresh boot, or I
have suspend/resumed the laptop. In a fresh boot everything works fine, I get
an IP and the connection works as expected. If I unplug the phone, everything
also works as expected.
However, after a suspend/resume cycle, I plug the phone in but the laptop never
connects to it. The usb0 interface still appears, but the dhcp daemon is unable
to get any response and finally times out. The fun part happens when I unplug
the phone. I consistently get a kernel panic.
...
Anyways, I'll look at that panic in more detail as well
<6>[ 178.693631] xhci_hcd 0000:3e:00.0: USB bus 4 deregistered
<6>[ 178.693642] xhci_hcd 0000:3e:00.0: remove, state 1
<6>[ 178.693648] usb usb3: USB disconnect, device number 1
<4>[ 183.634994] xhci_hcd 0000:3e:00.0: xHCI host not responding to stop endpoint command.
<4>[ 183.635001] xhci_hcd 0000:3e:00.0: Assuming host is dying, halting host.
<4>[ 183.635019] xhci_hcd 0000:3e:00.0: Host not halted after 16000 microseconds.
<4>[ 183.635022] xhci_hcd 0000:3e:00.0: Non-responsive xHCI host is not halting.
<4>[ 183.635025] xhci_hcd 0000:3e:00.0: Completing active URBs anyway.
<1>[ 183.635116] BUG: unable to handle kernel NULL pointer dereference at (null)
<1>[ 183.635402] IP: [<ffffffffa006d196>] usb_hc_died+0x16/0xc0 [usbcore]

Looks like the 5 second command timeout timer for stop endpoint commands causes
this.

The timer (stop_cmd_timer) will call xhci_stop_endpoint_command_watchdog() which calls
usb_hc_died(xhci_to_hcd(xhci)->primary_hcd)
but hcd are probably freed and pointers set to null already -> NULL pointer
dereference.

The timer should be synchronously deleted when the device is freed, unless
xhci_free_dev() returns early.

So either hub_free_dev() is not called for this device at hcd removal, or
xhci_free_dev returns early.

hub_free_dev()
  hcd->driver->free_dev(hcd, udev);
    xhci_free_dev()
      (possible early return here)
      for (i = 0; i < 31; ++i) {
        virt_dev->eps[i].ep_state &= ~EP_HALT_PENDING;
        del_timer_sync(&virt_dev->eps[i].stop_cmd_timer);

-Mathias
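
The teardown ordering discussed in this thread, as an added example that is not part of the original mail or of the kernel source: a userspace C model of a stop-endpoint timer that outlives its host because the free path returned before cancelling it. All `model_*` names, `run_scenario` and the `cancel_first` ordering are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_EPS 31                      /* same bound as the loop in the mail */
struct model_hcd { bool dead; };        /* hypothetical stand-in for the hcd */
struct model_dev { bool timer_armed[NUM_EPS]; };

/* Models xhci_free_dev(). early_return is the "possible early return" from
 * the mail; cancel_first (an assumption, not the kernel's fix) cancels the
 * timers before that return can be taken. */
static void model_free_dev(struct model_dev *dev, bool early_return, bool cancel_first)
{
    if (early_return && !cancel_first)
        return;                         /* timers stay armed */
    for (int i = 0; i < NUM_EPS; ++i)
        dev->timer_armed[i] = false;    /* stands in for del_timer_sync() */
}

/* Models the watchdog firing. Returns 0 if the timer was cancelled, 1 if it
 * marked a live host dead, -1 where the real callback would have passed a
 * NULL hcd to usb_hc_died(). */
static int model_watchdog_fire(struct model_dev *dev, int ep, struct model_hcd *hcd)
{
    if (!dev->timer_armed[ep])
        return 0;
    dev->timer_armed[ep] = false;
    if (hcd == NULL)
        return -1;
    hcd->dead = true;
    return 1;
}

/* Arm one stop-endpoint timer, free the device, optionally remove the host
 * (its pointer becomes NULL), then let the timer expire. */
int run_scenario(bool early_return, bool cancel_first, bool hcd_removed)
{
    struct model_dev dev = { .timer_armed = { [2] = true } };
    struct model_hcd hcd = { .dead = false };
    model_free_dev(&dev, early_return, cancel_first);
    return model_watchdog_fire(&dev, 2, hcd_removed ? NULL : &hcd);
}

int main(void)
{
    printf("full free: %d, early return: %d, cancel first: %d\n",
           run_scenario(false, false, true), run_scenario(true, false, true),
           run_scenario(true, true, true));
    return 0;
}
```

A result of -1 marks the path where the modelled callback runs after the host pointer is gone; 0 means the timer was cancelled before it could fire.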