Oops with dwc3 in device mode and functionfs

Tue, 03 Jan 2017 06:51:30 -0800 

Hello,

I am hitting the following oops with 4.10-rc2 (on an intel edison, so
this is with Andy's patchset[1] which is currently based on 4.10-rc2
and does not seem to touch usb code) with Felipe's fixes-for-v4.10-rc3
merged on top of it.

The oops + kdb traceback:

[   42.537029] file system registered
[   45.048685] systemd-hostnam (1666) used greatest stack depth: 5680 bytes left
[   51.643687] read descriptors
[   51.648273] read strings
[   53.921220] configfs-gadget gadget: high-speed config #1: c
[   53.927231] BUG: unable to handle kernel paging request at 00040905
[   53.933683] IP: usb_ep_enable+0x23/0xb0 [udc_core]
[   53.938585] *pde = 00000000
[   53.938591]
[   53.943060] Oops: 0000 [#1] SMP

Entering kdb (current=0xf40a8f00, pid 1866) on processor 0 Oops: (null)
due to oops @ 0xf812a023
CPU: 0 PID: 1866 Comm: irq/34-dwc3 Not tainted
4.10.0-rc2-edison-00061-g1a2e83d30e6d #18
Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542
2015.01.21:18.19.48
task: f40a8f00 task.stack: f4d3a000
EIP: usb_ep_enable+0x23/0xb0 [udc_core]
EFLAGS: 00010046 CPU: 0
EAX: f4d996d4 EBX: f4d996c0 ECX: 00040905 EDX: f4d996dd
ESI: f4fa4200 EDI: f4d996d4 EBP: f4d3bdec ESP: f4d3bddc
DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 80050033 CR2: 00040905 CR3: 01d62000 CR4: 001006d0
Call Trace:
ffs_func_set_alt+0x243/0x290 [usb_f_fs]
composite_setup+0xcf1/0x1ba0 [libcomposite]
? dwc3_gadget_exit+0x140/0x1c0 [dwc3]
dwc3_ep0_delegate_req+0x2d/0x40 [dwc3]
dwc3_ep0_interrupt+0x409/0xad0 [dwc3]
? dwc3_thread_interrupt+0x22/0xe80 [dwc3]
? _raw_spin_lock_irqsave+0x43/0x50
dwc3_thread_interrupt+0x120/0xe80 [dwc3]
? __schedule+0x65e/0x850
irq_thread_fn+0x18/0x30
irq_thread+0xef/0x180
? irq_finalize_oneshot+0xd0/0xd0
? wake_threads_waitq+0x40/0x40
? free_percpu_irq+0x60/0x60
kthread+0xfb/0x100
? free_percpu_irq+0x60/0x60
? kthread_stop+0x150/0x150
ret_from_fork+0x19/0x24
Code: <ff> 11 85 c0 89 45 f0 75 04 c6 47 19 01 3e 8d 74 26 00 eb 41 89 f6

same traceback, in (k)gdb:
(gdb)  bt
#0  0xf812a023 in usb_ep_enable (ep=0xf4d996d4) at
drivers/usb/gadget/udc/core.c:109
#1  0xf967b533 in ffs_func_eps_enable (func=<optimized out>) at
drivers/usb/gadget/function/f_fs.c:1857
#2  ffs_func_set_alt (f=<optimized out>, interface=<optimized out>,
alt=<optimized out>) at drivers/usb/gadget/function/f_fs.c:3146
#3  0xf8179791 in set_config (ctrl=<optimized out>, number=<optimized
out>, cdev=<optimized out>) at drivers/usb/gadget/composite.c:814
#4  0xf8b4030d in dwc3_ep0_delegate_req (dwc=0xf557b814,
ctrl=0xf4f2c000) at drivers/usb/dwc3/ep0.c:603
#5  0xf8b412a9 in dwc3_ep0_set_config (ctrl=<optimized out>,
dwc=<optimized out>) at drivers/usb/dwc3/ep0.c:622
#6  dwc3_ep0_std_request (ctrl=<optimized out>, dwc=<optimized out>)
at drivers/usb/dwc3/ep0.c:778
#7  dwc3_ep0_inspect_setup (event=<optimized out>, dwc=<optimized
out>) at drivers/usb/dwc3/ep0.c:818
#8  dwc3_ep0_xfer_complete (event=<optimized out>, dwc=<optimized
out>) at drivers/usb/dwc3/ep0.c:977
#9  dwc3_ep0_interrupt (dwc=0xf557b814, event=<optimized out>) at
drivers/usb/dwc3/ep0.c:1139
#10 0xf8b3d930 in dwc3_endpoint_interrupt (event=<optimized out>,
dwc=<optimized out>) at drivers/usb/dwc3/gadget.c:2245
#11 0xc10b1818 in irq_thread_fn (desc=0xf4d26600, action=0xf4d99200)
at kernel/irq/manage.c:896
#12 0xc10b1caf in irq_thread (data=0xf4d99200) at kernel/irq/manage.c:973
#13 0xc1074a6b in kthread (_create=0xf4c14f20) at kernel/kthread.c:227
#14 0xc185de01 in ret_from_fork () at arch/x86/entry/entry_32.S:295
(gdb) print *ep
$1 = {driver_data = 0xf4d996c0, name = 0xff00 <error: Cannot access
memory at address 0xff00>, ops = 0x40905, ep_list = {next = 0xff0000,
   prev = 0x500 <trace_event_define_fields_udc_log_req+175>}, caps =
{type_control = 0, type_iso = 0, type_bulk = 0, type_int = 0, dir_in =
0, dir_out = 0}, claimed = false,
 enabled = false, maxpacket = 0, maxpacket_limit = 0, max_streams = 0,
mult = 0, maxburst = 0, address = 0 '\000', desc = 0xf4d996dd,
comp_desc = 0x0}

Note "name" and "ep_list.prev" are also broken, as likely ep_list.next.

Last command:
# echo dwc3.1.auto > /sys/kernel/config/usb_gadget/g1/UDC

Host's syslog:
Jan  3 15:20:23 vincent-tkpad kernel: [876929.788285] usb 2-1: new
high-speed USB device number 86 using xhci_hcd
Jan  3 15:20:23 vincent-tkpad kernel: [876929.918767] usb 2-1: New USB
device found, idVendor=1d6b, idProduct=0104
Jan  3 15:20:23 vincent-tkpad kernel: [876929.918771] usb 2-1: New USB
device strings: Mfr=1, Product=2, SerialNumber=3
Jan  3 15:20:23 vincent-tkpad kernel: [876929.918774] usb 2-1: Product: tesla
Jan  3 15:20:23 vincent-tkpad kernel: [876929.918776] usb 2-1:
Manufacturer: vpelletier
Jan  3 15:20:23 vincent-tkpad kernel: [876929.918777] usb 2-1:
SerialNumber: FZED443D01T42501
Jan  3 15:20:28 vincent-tkpad kernel: [876934.916146] usb 2-1: can't
set config #1, error -110
Jan  3 15:20:28 vincent-tkpad mtp-probe: checking bus 2, device 86:
"/sys/devices/pci0000:00/0000:00:14.0/usb2/2-1"
Jan  3 15:20:28 vincent-tkpad mtp-probe: bus: 2, device: 86 was not an
MTP device

Device is a single-configuration, single-function, single alt-setting,
zero endpoints, once-string, functionfs-based device.

The functionfs side of things is a bit complicated, as I'm writing a
python module[2] for it, and I am still very new to functionfs. It
does not crash on 4.9-rc7 though.

Is something else needed to reproduce this issue ?

[1] https://github.com/andy-shev/linux/commits/eds
[2] https://github.com/vpelletier/python-functionfs

Regards,
-- 
Vincent Pelletier
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to