lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAB7eexJQbrp-ZWben6bVt7SVwYRu1cqPxQHunmsZqT0AjQH-vg@mail.gmail.com>
Date:   Thu, 22 Sep 2022 16:39:04 +0800
From:   Rondreis <linhaoguo86@...il.com>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     balbi@...nel.org, andriy.shevchenko@...ux.intel.com,
        jakobkoschel@...il.com, quic_wcheng@...cinc.com,
        linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: kernel v5.19 warn in usb_ep_queue

I patched it again, and the output is:

[   53.871222][ T6507] cgroup: Unknown subsys name 'net'
[   53.874463][ T6507] cgroup: Unknown subsys name 'rlimit'
[   54.426894][   T28] audit: type=1800 audit(1663835481.621:4):
pid=6532 uid=0 auid=0 ses=2 subj==unconfined op=collect_data
cause=failed comm="syz-executor.0" name="UDC" dev="configfs" ino=30794
res=0 errno=0
[   54.435086][ T6532] using random self ethernet address
[   54.435402][ T6532] using random host ethernet address
[   54.436060][ T6532] Mass Storage Function, version: 2009/09/11
[   54.436437][ T6532] LUN: removable file: (no medium)
[   54.444557][ T6532] usb0: HOST MAC 1a:89:f1:74:ef:df
[   54.444853][ T6532] usb0: MAC 5e:3b:64:0f:0b:ed
[   54.721631][   T24] usb 2-1: new high-speed USB device number 2
using dummy_hcd
[   55.131602][   T24] usb 2-1: Dual-Role OTG device on HNP port
[   55.151589][   T24] usb 2-1: New USB device found, idVendor=03f0,
idProduct=0107, bcdDevice= 2.00
[   55.151919][   T24] usb 2-1: New USB device strings: Mfr=1,
Product=2, SerialNumber=3
[   55.152199][   T24] usb 2-1: Product: Bar Gadget
[   55.152374][   T24] usb 2-1: Manufacturer: Foo Inc.
[   55.152557][   T24] usb 2-1: SerialNumber: 12345678
[   55.171998][    C1] configfs-gadget gadget.1: Raise exception 3
ffff88811b9ba000
[   55.172604][ T6539] configfs-gadget gadget.1: Enable bulk in
[   55.172884][ T6539] configfs-gadget gadget.1: Enable bulk out
[   55.173179][ T6539] configfs-gadget gadget.1: Bulk out start ffff888115fd7c80
[   55.173506][ T6539] CPU: 0 PID: 6539 Comm: file-storage Not tainted
5.19.0+ #16
[   55.173834][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014
[   55.174193][ T6539] Call Trace:
[   55.174316][ T6539]  <TASK>
[   55.174425][ T6539]  dump_stack_lvl+0xfc/0x174
[   55.174602][ T6539]  start_out_transfer.part.0+0x7c/0x142
[   55.174813][ T6539]  fsg_main_thread+0x375/0x1450
[   55.175004][ T6539]  ? __kthread_parkme+0xc4/0x210
[   55.175191][ T6539]  ? reacquire_held_locks+0x4b0/0x4b0
[   55.175392][ T6539]  ? do_set_interface.isra.0+0x530/0x530
[   55.175606][ T6539]  ? __kthread_parkme+0x14e/0x210
[   55.175797][ T6539]  ? do_set_interface.isra.0+0x530/0x530
[   55.176005][ T6539]  kthread+0x2e0/0x390
[   55.176156][ T6539]  ? kthread_complete_and_exit+0x40/0x40
[   55.176363][ T6539]  ret_from_fork+0x1f/0x30
[   55.176537][ T6539]  </TASK>
[   55.253779][   T24] cdc_eem 2-1:1.0 usb1: register 'cdc_eem' at
usb-dummy_hcd.1-1, CDC EEM Device, c2:07:46:1b:bf:4a
[   55.271856][   T24] usb-storage 2-1:1.1: USB Mass Storage device detected
[   55.278904][   T24] scsi host2: usb-storage 2-1:1.1
[   56.352122][ T6584] cdc_eem 2-1:1.0 usb1: unregister 'cdc_eem'
usb-dummy_hcd.1-1, CDC EEM Device
[   56.412714][ T6584] configfs-gadget gadget.1: Bulk out complete
ffff888115fd7c80
[   56.413545][ T6539] configfs-gadget gadget.1: Bulk out start ffff888115fd7c80
[   56.413787][ T6584] configfs-gadget gadget.1: Disable bulk in B
[   56.413988][ T6539] CPU: 1 PID: 6539 Comm: file-storage Not tainted
5.19.0+ #16
[   56.414336][ T6584] configfs-gadget gadget.1: Disable bulk out B
[   56.414647][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014
[   56.414908][ T6584] configfs-gadget gadget.1: Disable bulk out B finished
[   56.415348][ T6539] Call Trace:
[   56.415352][ T6539]  <TASK>
[   56.415827][ T6584] configfs-gadget gadget.1: Raise exception 3
0000000000000000
[   56.415969][ T6539]  dump_stack_lvl+0xfc/0x174
[   56.416735][ T6539]  start_out_transfer.part.0+0x7c/0x142
[   56.416989][ T6539]  fsg_main_thread+0x375/0x1450
[   56.417256][ T6539]  ? __kthread_parkme+0xc4/0x210
[   56.417560][ T6539]  ? reacquire_held_locks+0x4b0/0x4b0
[   56.417885][ T6539]  ? do_set_interface.isra.0+0x530/0x530
[   56.418231][ T6539]  ? __kthread_parkme+0x14e/0x210
[   56.418576][ T6539]  ? do_set_interface.isra.0+0x530/0x530
[   56.418919][ T6539]  kthread+0x2e0/0x390
[   56.419172][ T6539]  ? kthread_complete_and_exit+0x40/0x40
[   56.419515][ T6539]  ret_from_fork+0x1f/0x30
[   56.419804][ T6539]  </TASK>
[   56.420255][ T6539] ------------[ cut here ]------------
[   56.420496][ T6539] WARNING: CPU: 1 PID: 6539 at
drivers/usb/gadget/udc/core.c:283 usb_ep_queue+0x9b/0x3b0
[   56.420923][ T6539] Modules linked in:
[   56.421102][ T6539] CPU: 1 PID: 6539 Comm: file-storage Not tainted
5.19.0+ #16
[   56.421429][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014
[   56.431805][ T6539] RIP: 0010:usb_ep_queue+0x9b/0x3b0
[   56.432129][ T6539] Code: 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 db
02 00 00 44 0f b6 6b 35 31 ff 44 89 ee e8 af 41 b2 fb 45 84 ed 74 0e
e8 55 46 b2 fb <0f> 0b bd 94 ff ff ff eb 55 e8 47 46 b2 fb 48 8d 7b 10
0
[   56.433208][ T6539] RSP: 0018:ffffc900047afd08 EFLAGS: 00010293
[   56.433560][ T6539] RAX: 0000000000000000 RBX: ffff8881107d82c0
RCX: 0000000000000000
[   56.434009][ T6539] RDX: ffff8881196d1c00 RSI: ffffffff85c6d79b
RDI: 0000000000000001
[   56.434452][ T6539] RBP: 0000000000000cc0 R08: 0000000000000001
R09: 0000000000000000
[   56.434898][ T6539] R10: 0000000000000007 R11: 0000000000000000
R12: ffff888113c6a210
[   56.435350][ T6539] R13: 0000000000000007 R14: ffff8881197c9000
R15: dffffc0000000000
[   56.435796][ T6539] FS:  0000000000000000(0000)
GS:ffff888128c00000(0000) knlGS:0000000000000000
[   56.436296][ T6539] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   56.436666][ T6539] CR2: 00005611a32a2d30 CR3: 000000011b5aa000
CR4: 00000000000006f0
[   56.437111][ T6539] Call Trace:
[   56.437305][ T6539]  <TASK>
[   56.437479][ T6539]  start_transfer+0x24/0x14f
[   56.437752][ T6539]  start_out_transfer.part.0+0xf6/0x142
[   56.438076][ T6539]  fsg_main_thread+0x375/0x1450
[   56.438370][ T6539]  ? __kthread_parkme+0xc4/0x210
[   56.438660][ T6539]  ? reacquire_held_locks+0x4b0/0x4b0
[   56.438973][ T6539]  ? do_set_interface.isra.0+0x530/0x530
[   56.439306][ T6539]  ? __kthread_parkme+0x14e/0x210
[   56.439604][ T6539]  ? do_set_interface.isra.0+0x530/0x530
[   56.439932][ T6539]  kthread+0x2e0/0x390
[   56.440171][ T6539]  ? kthread_complete_and_exit+0x40/0x40
[   56.440497][ T6539]  ret_from_fork+0x1f/0x30
[   56.440767][ T6539]  </TASK>
[   56.440949][ T6539] Kernel panic - not syncing: panic_on_warn set ...
[   56.441321][ T6539] CPU: 0 PID: 6539 Comm: file-storage Not tainted
5.19.0+ #16
[   56.441751][ T6539] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014
[   56.442322][ T6539] Call Trace:
[   56.442515][ T6539]  <TASK>
[   56.442687][ T6539]  dump_stack_lvl+0xfc/0x174
[   56.442959][ T6539]  panic+0x2cf/0x61f
[   56.443194][ T6539]  ? panic_print_sys_info.part.0+0x10b/0x10b
[   56.443545][ T6539]  ? __warn.cold+0xcd/0x2cc
[   56.443812][ T6539]  ? usb_ep_queue+0x9b/0x3b0
[   56.444085][ T6539]  __warn.cold+0xde/0x2cc
[   56.444341][ T6539]  ? usb_ep_queue+0x9b/0x3b0
[   56.444612][ T6539]  report_bug+0x1b7/0x240
[   56.444870][ T6539]  handle_bug+0x3c/0x60
[   56.445119][ T6539]  exc_invalid_op+0x13/0x40
[   56.445386][ T6539]  asm_exc_invalid_op+0x16/0x20
[   56.445671][ T6539] RIP: 0010:usb_ep_queue+0x9b/0x3b0
[   56.445971][ T6539] Code: 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 db
02 00 00 44 0f b6 6b 35 31 ff 44 89 ee e8 af 41 b2 fb 45 84 ed 74 0e
e8 55 46 b2 fb <0f> 0b bd 94 ff ff ff eb 55 e8 47 46 b2 fb 48 8d 7b 10
0
[   56.447050][ T6539] RSP: 0018:ffffc900047afd08 EFLAGS: 00010293
[   56.447400][ T6539] RAX: 0000000000000000 RBX: ffff8881107d82c0
RCX: 0000000000000000
[   56.447849][ T6539] RDX: ffff8881196d1c00 RSI: ffffffff85c6d79b
RDI: 0000000000000001
[   56.448301][ T6539] RBP: 0000000000000cc0 R08: 0000000000000001
R09: 0000000000000000
[   56.448752][ T6539] R10: 0000000000000007 R11: 0000000000000000
R12: ffff888113c6a210
[   56.449196][ T6539] R13: 0000000000000007 R14: ffff8881197c9000
R15: dffffc0000000000
[   56.449648][ T6539]  ? usb_ep_queue+0x9b/0x3b0
[   56.449921][ T6539]  ? usb_ep_queue+0x9b/0x3b0
[   56.450193][ T6539]  start_transfer+0x24/0x14f
[   56.450468][ T6539]  start_out_transfer.part.0+0xf6/0x142
[   56.450795][ T6539]  fsg_main_thread+0x375/0x1450
[   56.451082][ T6539]  ? __kthread_parkme+0xc4/0x210
[   56.451376][ T6539]  ? reacquire_held_locks+0x4b0/0x4b0
[   56.451693][ T6539]  ? do_set_interface.isra.0+0x530/0x530
[   56.452024][ T6539]  ? __kthread_parkme+0x14e/0x210
[   56.452324][ T6539]  ? do_set_interface.isra.0+0x530/0x530
[   56.452649][ T6539]  kthread+0x2e0/0x390
[   56.452890][ T6539]  ? kthread_complete_and_exit+0x40/0x40
[   56.453216][ T6539]  ret_from_fork+0x1f/0x30
[   56.453489][ T6539]  </TASK>
[   56.453826][ T6539] Kernel Offset: disabled
[   56.454117][ T6539] Rebooting in 86400 seconds..


On Thu, Sep 22, 2022 at 12:01 AM Alan Stern <stern@...land.harvard.edu> wrote:
>
> On Wed, Sep 21, 2022 at 11:00:41PM +0800, Rondreis wrote:
> > Thanks for your reply!
> > I applied this patch in v5.19 and the reproducer just attached
> > a composite device with network and mass storage functions.
> > The output of the kernel is as follows:
>
> > [ 1558.868398][ T7423] configfs-gadget gadget.1: Enable bulk in
> > [ 1558.868675][ T7423] configfs-gadget gadget.1: Enable bulk out
> > [ 1558.868957][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00
> > [ 1558.952998][   T24] cdc_eem 2-1:1.0 usb1: register 'cdc_eem' at
> > usb-dummy_hcd.1-1, CDC EEM Device, 72:47:e4:74:0b:8e
> > [ 1558.968402][   T24] usb-storage 2-1:1.1: USB Mass Storage device detected
> > [ 1558.976267][   T24] scsi host2: usb-storage 2-1:1.1
> > [ 1560.028547][ T7470] cdc_eem 2-1:1.0 usb1: unregister 'cdc_eem'
> > usb-dummy_hcd.1-1, CDC EEM Device
> > [ 1560.078980][ T7470] configfs-gadget gadget.1: Bulk out complete
> > ffff8881279f0b00
> > [ 1560.080226][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00
> > [ 1560.080617][ T7470] configfs-gadget gadget.1: Disable bulk in B
> > [ 1560.080820][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00
> > [ 1560.081456][ T7470] configfs-gadget gadget.1: Disable bulk out B
> > [ 1560.081950][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00
> > [ 1560.083056][ T7423] ------------[ cut here ]------------
> > [ 1560.083386][ T7423] WARNING: CPU: 0 PID: 7423 at
> > drivers/usb/gadget/udc/core.c:283 usb_ep_queue+0x9b/0x3b0
>
> Okay, that's not what I expected.  Can you try the same thing with
> updated patch below?
>
> Alan Stern
>
>
> Index: usb-devel/drivers/usb/gadget/function/f_mass_storage.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/gadget/function/f_mass_storage.c
> +++ usb-devel/drivers/usb/gadget/function/f_mass_storage.c
> @@ -367,6 +367,7 @@ static void __raise_exception(struct fsg
>  {
>         unsigned long           flags;
>
> +       dev_info(&common->gadget->dev, "Raise exception %d %p\n", new_state, arg);
>         /*
>          * Do nothing if a higher-priority exception is already in progress.
>          * If a lower-or-equal priority exception is in progress, preempt it
> @@ -415,6 +416,7 @@ static void bulk_in_complete(struct usb_
>         struct fsg_common       *common = ep->driver_data;
>         struct fsg_buffhd       *bh = req->context;
>
> +       dev_info(&common->gadget->dev, "Bulk in complete %p\n", bh);
>         if (req->status || req->actual != req->length)
>                 DBG(common, "%s --> %d, %u/%u\n", __func__,
>                     req->status, req->actual, req->length);
> @@ -431,6 +433,7 @@ static void bulk_out_complete(struct usb
>         struct fsg_common       *common = ep->driver_data;
>         struct fsg_buffhd       *bh = req->context;
>
> +       dev_info(&common->gadget->dev, "Bulk out complete %p\n", bh);
>         dump_msg(common, "bulk-out", req->buf, req->actual);
>         if (req->status || req->actual != bh->bulk_out_intended_length)
>                 DBG(common, "%s --> %d, %u/%u\n", __func__,
> @@ -547,6 +550,7 @@ static bool start_in_transfer(struct fsg
>         if (!fsg_is_set(common))
>                 return false;
>         bh->state = BUF_STATE_SENDING;
> +       dev_info(&common->gadget->dev, "Bulk in start %p\n", bh);
>         if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq))
>                 bh->state = BUF_STATE_EMPTY;
>         return true;
> @@ -557,6 +561,8 @@ static bool start_out_transfer(struct fs
>         if (!fsg_is_set(common))
>                 return false;
>         bh->state = BUF_STATE_RECEIVING;
> +       dev_info(&common->gadget->dev, "Bulk out start %p\n", bh);
> +       dump_stack();
>         if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq))
>                 bh->state = BUF_STATE_FULL;
>         return true;
> @@ -2310,12 +2316,15 @@ reset:
>
>                 /* Disable the endpoints */
>                 if (fsg->bulk_in_enabled) {
> +                       dev_info(&fsg->gadget->dev, "Disable bulk in A\n");
>                         usb_ep_disable(fsg->bulk_in);
>                         fsg->bulk_in_enabled = 0;
>                 }
>                 if (fsg->bulk_out_enabled) {
> +                       dev_info(&fsg->gadget->dev, "Disable bulk out A\n");
>                         usb_ep_disable(fsg->bulk_out);
>                         fsg->bulk_out_enabled = 0;
> +                       dev_info(&fsg->gadget->dev, "Disable bulk out A finished\n");
>                 }
>
>                 common->fsg = NULL;
> @@ -2333,6 +2342,7 @@ reset:
>         rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
>         if (rc)
>                 goto reset;
> +       dev_info(&fsg->gadget->dev, "Enable bulk in\n");
>         rc = usb_ep_enable(fsg->bulk_in);
>         if (rc)
>                 goto reset;
> @@ -2343,6 +2353,7 @@ reset:
>                                 fsg->bulk_out);
>         if (rc)
>                 goto reset;
> +       dev_info(&fsg->gadget->dev, "Enable bulk out\n");
>         rc = usb_ep_enable(fsg->bulk_out);
>         if (rc)
>                 goto reset;
> @@ -2392,12 +2403,15 @@ static void fsg_disable(struct usb_funct
>
>         /* Disable the endpoints */
>         if (fsg->bulk_in_enabled) {
> +               dev_info(&fsg->gadget->dev, "Disable bulk in B\n");
>                 usb_ep_disable(fsg->bulk_in);
>                 fsg->bulk_in_enabled = 0;
>         }
>         if (fsg->bulk_out_enabled) {
> +               dev_info(&fsg->gadget->dev, "Disable bulk out B\n");
>                 usb_ep_disable(fsg->bulk_out);
>                 fsg->bulk_out_enabled = 0;
> +               dev_info(&fsg->gadget->dev, "Disable bulk out B finished\n");
>         }
>
>         __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL);
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ