lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZQTlz9Koe2CQIsrC@pengutronix.de>
Date:   Sat, 16 Sep 2023 01:16:31 +0200
From:   Michael Grzeschik <mgr@...gutronix.de>
To:     Avichal Rakesh <arakesh@...gle.com>
Cc:     Laurent Pinchart <laurent.pinchart@...asonboard.com>,
        Daniel Scally <dan.scally@...asonboard.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1 0/2] usb: gadget: uvc: stability fixes when stopping
 streams

Hi Avichal

On Thu, Sep 14, 2023 at 04:05:36PM -0700, Avichal Rakesh wrote:
>On Mon, Sep 11, 2023 at 9:19 PM Avichal Rakesh <arakesh@...gle.com> wrote:
>>
>> We have been seeing two main bugs when stopping stream:
>> 1. attempting to queue usb_requests on a disabled usb endpoint, and
>> 2. use-after-free problems for inflight requests
>>
>> Avichal Rakesh (2):
>>   usb: gadget: uvc: prevent use of disabled endpoint
>>   usb: gadget: uvc: prevent de-allocating inflight usb_requests
>>
>>  drivers/usb/gadget/function/f_uvc.c     | 11 ++++----
>>  drivers/usb/gadget/function/f_uvc.h     |  2 +-
>>  drivers/usb/gadget/function/uvc.h       |  5 +++-
>>  drivers/usb/gadget/function/uvc_v4l2.c  | 21 ++++++++++++---
>>  drivers/usb/gadget/function/uvc_video.c | 34 +++++++++++++++++++++++--
>>  5 files changed, 60 insertions(+), 13 deletions(-)
>>
>
>Bumping this thread up. Laurent, Dan, and Michael could you take a look?

I tested the patches against my setup and it did not help.

In fact I saw two different issues when calling the streamoff event.

One issue was a stalled pipeline after the streamoff from the host came in.
The streaming application did not handle any events anymore.

The second issue was when the streamoff event is triggered sometimes the
following trace is shown, even with your patches applied.


[  104.202689] Unable to handle kernel paging request at virtual address 005bf43a692a5fd5
[  104.235122] Mem abort info:
[  104.238257]   ESR = 0x0000000096000004
[  104.242449]   EC = 0x25: DABT (current EL), IL = 32 bits
[  104.248391]   SET = 0, FnV = 0
[  104.251803]   EA = 0, S1PTW = 0
[  104.255313]   FSC = 0x04: level 0 translation fault
[  104.260765] Data abort info:
[  104.263982]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[  104.270114]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[  104.275760]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[  104.281698] [005bf43a692a5fd5] address between user and kernel address ranges
[  104.290042] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[  104.297060] Dumping ftrace buffer:
[  104.300869]    (ftrace buffer empty)
[  104.304862] Modules linked in: st1232 hantro_vpu v4l2_vp9 v4l2_h264 uio_pdrv_genirq fuse [last unloaded: rockchip_vpu(C)]
[  104.312080] panfrost fde60000.gpu: Panfrost Dump: BO has no sgt, cannot dump
[  104.317137] CPU: 0 PID: 465 Comm: irq/46-dwc3 Tainted: G         C         6.5.0-20230831-2+ #5
[  104.317144] Hardware name: WolfVision PF5 (DT)
[  104.317148] pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  104.317154] pc : __list_del_entry_valid+0x48/0xe8
[  104.352728] lr : dwc3_gadget_giveback+0x3c/0x1b0
[  104.357893] sp : ffffffc08381bc60
[  104.361593] x29: ffffffc08381bc60 x28: ffffff80047d4000 x27: ffffff80047de440
[  104.369576] x26: 0000000000000000 x25: ffffffc08135b2d0 x24: ffffffc08381bd00
[  104.377559] x23: 00000000ffffff98 x22: ffffff8004204880 x21: ffffff80047d4000
[  104.385541] x20: ffffff800718dea0 x19: ffffff800718dea0 x18: 0000000000000000
[  104.393523] x17: 7461747320687469 x16: 7720646574656c70 x15: 6d6f632074736575
[  104.401504] x14: 716572205356203a x13: 2e3430312d207375 x12: 7461747320687469
[  104.409486] x11: ffffffc0815c98f0 x10: 0000000000000000 x9 : ffffffc0808f4fa0
[  104.417468] x8 : ffffffc082415000 x7 : ffffffc0808f4e2c x6 : ffffffc0823d0928
[  104.425450] x5 : 0000000000000282 x4 : 0000000000000201 x3 : d85bf43a692a5fcd
[  104.433431] x2 : ffffff80047d4048 x1 : ffffff800718dea0 x0 : dead000000000122
[  104.441413] Call trace:
[  104.444142]  __list_del_entry_valid+0x48/0xe8
[  104.449013]  dwc3_gadget_giveback+0x3c/0x1b0
[  104.453786]  dwc3_gadget_ep_cleanup_cancelled_requests+0xe0/0x170
[  104.460599]  dwc3_process_event_buf+0x2a8/0xbb0
[  104.465662]  dwc3_thread_interrupt+0x4c/0x90
[  104.470435]  irq_thread_fn+0x34/0xb8
[  104.474431]  irq_thread+0x1a0/0x290
[  104.478327]  kthread+0x10c/0x120
[  104.481933]  ret_from_fork+0x10/0x20

The error path triggering these list errors are usually in the
dwc3 driver handling the cancelled or completed list.

Regards,
Michael

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ