Re: USB oops regression caused by -stable patch
Thanks, that fixes it. Tested on 4.5.0-rc5 and 3.18.27. Just to be clear, I tested it *without* reverting d8f00cd685f5. So this patch is in addition to d8f00cd685f5 instead of replacing it. Tested-by: Tony BattersbyOn 02/21/2016 09:27 PM, Du, Changbin wrote: > Thanks for reporting, Tony. It was remiss of me. > There is another BOS free operation in label re_enumerate. This cause a > double-free of BOS. > USB2 doesn't have BOS desc, so you cannot reproduce it. > > I am on a travel. It is appreciated if you can help try below fix. > > Hi, Greg, I will commit a final patch once returned from travel. > > --- a/drivers/usb/core/hub.c > +++ b/drivers/usb/core/hub.c > @@ -5501,8 +5501,10 @@ done: > return 0; > > re_enumerate: > - usb_release_bos_descriptor(udev); > - udev->bos = bos; > + if (udev->bos != bos) { > + usb_release_bos_descriptor(udev); > + udev->bos = bos; > + } > > Best Regards, > Du, Changbin > >> On Fri, Feb 19, 2016 at 09:39:57AM -0500, Tony Battersby wrote: >>> This upstream commit is causing an oops: >>> d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device") >>> >>> This patch has already been included in several -stable kernels. Here >>> are the affected kernels: >>> 4.5.0-rc4 (current git) >>> 4.4.2 >>> 4.3.6 (currently in review) >>> 4.1.18 >>> 3.18.27 >>> 3.14.61 >>> >>> How to reproduce the problem: >>> Boot kernel with slub debugging enabled (otherwise memory corruption >>> will cause random oopses later instead of immediately) >>> Plug in USB 3.0 disk to xhci USB 3.0 port >>> dd if=/dev/sdc of=/dev/null bs=65536 >>> (where /dev/sdc is the USB 3.0 disk) >>> Unplug USB cable while dd is still going >>> Oops is immediate: >> Not good, thanks for letting us know. I've now reverted this and will >> get the fix into 4.5-rc6. >> >> greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
RE: USB oops regression caused by -stable patch
Thanks for reporting, Tony. It was remiss of me. There is another BOS free operation in label re_enumerate. This cause a double-free of BOS. USB2 doesn't have BOS desc, so you cannot reproduce it. I am on a travel. It is appreciated if you can help try below fix. Hi, Greg, I will commit a final patch once returned from travel. --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5501,8 +5501,10 @@ done: return 0; re_enumerate: - usb_release_bos_descriptor(udev); - udev->bos = bos; + if (udev->bos != bos) { + usb_release_bos_descriptor(udev); + udev->bos = bos; + } Best Regards, Du, Changbin > On Fri, Feb 19, 2016 at 09:39:57AM -0500, Tony Battersby wrote: > > This upstream commit is causing an oops: > > d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device") > > > > This patch has already been included in several -stable kernels. Here > > are the affected kernels: > > 4.5.0-rc4 (current git) > > 4.4.2 > > 4.3.6 (currently in review) > > 4.1.18 > > 3.18.27 > > 3.14.61 > > > > How to reproduce the problem: > > Boot kernel with slub debugging enabled (otherwise memory corruption > > will cause random oopses later instead of immediately) > > Plug in USB 3.0 disk to xhci USB 3.0 port > > dd if=/dev/sdc of=/dev/null bs=65536 > > (where /dev/sdc is the USB 3.0 disk) > > Unplug USB cable while dd is still going > > Oops is immediate: > > Not good, thanks for letting us know. I've now reverted this and will > get the fix into 4.5-rc6. > > greg k-h 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch Description: 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch
Re: USB oops regression caused by -stable patch
On Fri, Feb 19, 2016 at 09:39:57AM -0500, Tony Battersby wrote: > This upstream commit is causing an oops: > d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device") > > This patch has already been included in several -stable kernels. Here > are the affected kernels: > 4.5.0-rc4 (current git) > 4.4.2 > 4.3.6 (currently in review) > 4.1.18 > 3.18.27 > 3.14.61 > > How to reproduce the problem: > Boot kernel with slub debugging enabled (otherwise memory corruption > will cause random oopses later instead of immediately) > Plug in USB 3.0 disk to xhci USB 3.0 port > dd if=/dev/sdc of=/dev/null bs=65536 > (where /dev/sdc is the USB 3.0 disk) > Unplug USB cable while dd is still going > Oops is immediate: Not good, thanks for letting us know. I've now reverted this and will get the fix into 4.5-rc6. greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
USB oops regression caused by -stable patch
This upstream commit is causing an oops: d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device") This patch has already been included in several -stable kernels. Here are the affected kernels: 4.5.0-rc4 (current git) 4.4.2 4.3.6 (currently in review) 4.1.18 3.18.27 3.14.61 How to reproduce the problem: Boot kernel with slub debugging enabled (otherwise memory corruption will cause random oopses later instead of immediately) Plug in USB 3.0 disk to xhci USB 3.0 port dd if=/dev/sdc of=/dev/null bs=65536 (where /dev/sdc is the USB 3.0 disk) Unplug USB cable while dd is still going Oops is immediate: blk_update_request: I/O error, dev sdc, sector 864768 blk_update_request: I/O error, dev sdc, sector 865008 blk_update_request: I/O error, dev sdc, sector 865024 blk_update_request: I/O error, dev sdc, sector 865264 blk_update_request: I/O error, dev sdc, sector 864768 Buffer I/O error on dev sdc, logical block 108096, async page read general protection fault: [#1] SMP DEBUG_PAGEALLOC Modules linked in: netconsole igb i2c_algo_bit ptp pps_core sg eeprom i2c_i801 CPU: 3 PID: 24 Comm: kworker/3:0 Not tainted 4.5.0-rc4-00095-g2850713 #14 Hardware name: Supermicro X8DTH-i/6/iF/6F/X8DTH, BIOS 2.1b 05/04/12 Workqueue: usb_hub_wq hub_event task: 88042b09f080 ti: 88042b0a4000 task.ti: 88042b0a4000 RIP: 0010:[] [] kfree+0x49/0x110 RSP: 0018:88042b0a7988 EFLAGS: 00010207 RAX: ea00 RBX: 6b6b6b6b0100 RCX: 0018 RDX: 0018 RSI: RDI: 01ad998dac00 RBP: 88042b0a79c8 R08: ea0010a72210 R09: ea0010a72218 R10: 880429c88548 R11: 0001 R12: 8800bb1b8000 R13: 880429a21ce0 R14: 8800bb1a0690 R15: 0001 FS: () GS:88043dc6() knlGS: CS: 0010 DS: ES: CR0: 8005003b CR2: 7f3a6186b990 CR3: 00a0a000 CR4: 06e0 Stack: ea0002ea2220 880429c88548 0001 88042b0a79e8 804f56cb 880401002801 880429c80948 88042b0a79e8 804f3df0 8800bb1a0690 880429c80948 Call Trace: [] ? usb_destroy_configuration+0x11b/0x140 [] usb_release_bos_descriptor+0x20/0x40 [] usb_release_dev+0x2c/0x70 [] device_release+0x33/0xa0 [] kobject_release+0x47/0x90 [] kobject_put+0x2c/0x60 [] put_device+0x12/0x20 [] usb_disconnect+0x1cb/0x220 [] hub_event+0x46a/0x1070 [] ? dequeue_task_fair+0x73a/0x820 [] ? next_zone+0x25/0x30 [] ? pick_next_task_fair+0xa9/0x850 [] process_one_work+0x151/0x3c0 [] ? mod_timer+0xe9/0x160 [] ? lock_timer_base+0x55/0x70 [] ? schedule+0x3b/0xa0 [] worker_thread+0x158/0x6b0 [] ? __schedule+0x27a/0x6e0 [] ? default_wake_function+0xd/0x10 [] ? __wake_up_common+0x51/0x80 [] ? schedule+0x3b/0xa0 [] ? process_one_work+0x3c0/0x3c0 [] kthread+0xc7/0xf0 [] ? kthread_parkme+0x20/0x20 [] ret_from_fork+0x3f/0x70 [] ? kthread_parkme+0x20/0x20 Code: 00 00 80 ff 77 00 00 48 01 df 48 0f 42 05 50 33 70 00 48 8d 3c 38 48 b8 00 00 00 00 00 ea ff ff 48 c1 ef 0c 48 c1 e7 06 48 01 c7 <48> 8b 47 20 48 89 45 e0 a8 01 75 64 48 8b 47 20 48 8d 57 20 48 RIP [] kfree+0x49/0x110 RSP ---[ end trace a3bcfa253dbef567 ]--- BUG: unable to handle kernel paging request at ffd8 IP: [] kthread_data+0xb/0x20 PGD a0b067 PUD a0d067 PMD 0 Oops: [#2] SMP DEBUG_PAGEALLOC Modules linked in: netconsole igb i2c_algo_bit ptp pps_core sg eeprom i2c_i801 CPU: 3 PID: 24 Comm: kworker/3:0 Tainted: G D 4.5.0-rc4-00095-g2850713 #14 Hardware name: Supermicro X8DTH-i/6/iF/6F/X8DTH, BIOS 2.1b 05/04/12 task: 88042b09f080 ti: 88042b0a4000 task.ti: 88042b0a4000 RIP: 0010:[] [] kthread_data+0xb/0x20 RSP: 0018:88042b0a7608 EFLAGS: 00010096 RAX: RBX: 0003 RCX: 88043dc73840 RDX: 88042b09f080 RSI: 0003 RDI: 88042b09f080 RBP: 88042b0a7608 R08: 88043dc738a8 R09: 00016800 R10: 0001 R11: 0001 R12: 00013840 R13: 88042b09f4c8 R14: 0003 R15: FS: () GS:88043dc6() knlGS: CS: 0010 DS: ES: CR0: 8005003b CR2: 0028 CR3: 00a0a000 CR4: 06e0 Stack: 88042b0a7648 802731c0 88042b0a7648 8027d642 88042b09f448 88043dc73840 00013840 88043dc73840 88042b0a76f8 80608438 88042b09f3e0 88042b09f080 Call Trace: [] wq_worker_sleeping+0x10/0xa0 [] ? deactivate_task+0x52/0x60 [] __schedule+0x3a8/0x6e0 [] ? exit_notify+0xed/0x1e0 [] schedule+0x3b/0xa0 [] do_exit+0x39a/0x580 [] ? vprintk_default+0x1a/0x20 [] ? printk+0x41/0x43 [] oops_end+0x72/0xa0 [] die+0x56/0x80 [] do_general_protection+0xce/0x150 [] general_protection+0x1f/0x30 [] ? kfree+0x49/0x110 [] ? usb_release_interface_cache+0x4a/0x60 [] ? usb_destroy_configuration+0x11b/0x140