All of lore.kernel.org
 help / color / mirror / Atom feed
From: Vegard Nossum <vegard.nossum@oracle.com>
To: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	ruslan.bilovol@gmail.com, b.zolnierkie@samsung.com,
	maxime.ripard@free-electrons.com, peter.chen@freescale.com,
	Felipe Balbi <balbi@kernel.org>
Subject: gadgetfs WARNING at drivers/usb/gadget/udc/dummy_hcd.c:674
Date: Tue, 9 Feb 2016 10:37:36 +0100	[thread overview]
Message-ID: <56B9B360.9090202@oracle.com> (raw)

Hi again Marek,

With your two patches on top of latest mainline I've run into this warning:

gadgetfs: connected
gadgetfs: disconnected
------------[ cut here ]------------
WARNING: CPU: 0 PID: 35 at drivers/usb/gadget/udc/dummy_hcd.c:674 
dummy_free_request+0x92/0xa0()
CPU: 0 PID: 35 Comm: afl-fuzz Not tainted 4.5.0-rc2 #1
  ffff8800003b6900 ffff88000c847d00 ffffffff8133f0e2 ffff88000c847d40
  ffffffff8108d4bf ffffffff8152b062 ffff88000032d430 ffff88000032d420
  ffff88000032d430 ffffffff8185fc80 ffff8800001caf08 ffff88000c847d50
Call Trace:
  [<ffffffff8133f0e2>] dump_stack+0x19/0x27
  [<ffffffff8108d4bf>] warn_slowpath_common+0xaf/0x110
  [<ffffffff8152b062>] ? dummy_free_request+0x92/0xa0
  [<ffffffff8108d6b5>] warn_slowpath_null+0x15/0x20
  [<ffffffff8152b062>] dummy_free_request+0x92/0xa0
  [<ffffffff81536484>] gadgetfs_unbind+0x194/0x210
  [<ffffffff815362f0>] ? destroy_ep_files+0x560/0x560
  [<ffffffff81520b6c>] usb_gadget_remove_driver+0x1dc/0x460
  [<ffffffff81523951>] usb_gadget_unregister_driver+0x151/0x240
  [<ffffffff81533b2a>] dev_release+0x7a/0x160
  [<ffffffff811f0ccb>] __fput+0x11b/0x490
  [<ffffffff811f10a9>] ____fput+0x9/0x10
  [<ffffffff810c8881>] task_work_run+0xf1/0x190
  [<ffffffff811ea9ea>] ? filp_close+0x8a/0xe0
  [<ffffffff81001c3c>] exit_to_usermode_loop+0xec/0x100
  [<ffffffff81002531>] syscall_return_slowpath+0x91/0xc0
  [<ffffffff817a42c9>] int_ret_from_sys_call+0x25/0x8f
---[ end trace e6edc2c9995ff81b ]---

To be specific, it's the

WARN_ON(!list_empty(&req->queue));

that is triggering. I think it's probably not related to your patches, 
but rather more bugs which were hidden until now :-)

Some time later it also shows:

usb 1-1: new high-speed USB device number 7 using dummy_hcd
BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<          (null)>]           (null)
PGD c830067 PUD c854067 PMD 0
Oops: 0010 [#1] DEBUG_PAGEALLOC KASAN
CPU: 0 PID: 0 Comm: swapper Tainted: G        W       4.5.0-rc2 #1
task: ffffffff8192d680 ti: ffffffff81910000 task.ti: ffffffff81910000
RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
RSP: 0018:ffffffff81946c08  EFLAGS: 00010046
RAX: dffffc0000000000 RBX: ffff88000032d2d0 RCX: ffff88000032d2c0
RDX: 1ffff10000065a60 RSI: ffff88000032d2d0 RDI: ffff8800001ca070
RBP: ffffffff81946c20 R08: ffff88000032d2c0 R09: 000000000000319e
R10: ffffffff81946e80 R11: 0000000000000001 R12: ffff8800001ca070
R13: 0000000000000000 R14: ffff8800001ca030 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffffffff8193f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000c850000 CR4: 00000000001406b0
Stack:
  ffffffff81522226 ffff88000032d2c0 0000000000000080 ffffffff81946e00
  ffffffff8152d09b ffff88000027a448 0000000000000246 ffff8800001caf20
  1ffffffff0328daf 0000000000000001 ffff8800003b6900 0000000000000086
Call Trace:
  <IRQ>
  [<ffffffff81522226>] ? usb_gadget_giveback_request+0x36/0x50
  [<ffffffff8152d09b>] dummy_timer+0x202b/0x2980
  [<ffffffff810e1a26>] ? enqueue_task_fair+0x1f6/0x580
  [<ffffffff810dd7c5>] ? sched_clock_cpu+0x45/0x60
  [<ffffffff8152b070>] ? dummy_free_request+0xa0/0xa0
  [<ffffffff81115df0>] ? process_cpu_nsleep+0x10/0x10
  [<ffffffff81109280>] ? detach_if_pending+0x350/0x350
  [<ffffffff8152b070>] ? dummy_free_request+0xa0/0xa0
  [<ffffffff81109566>] call_timer_fn.isra.5+0x16/0x70
  [<ffffffff8152b070>] ? dummy_free_request+0xa0/0xa0
  [<ffffffff81109a85>] run_timer_softirq+0x365/0x590
  [<ffffffff81070ce6>] ? kvm_clock_get_cycles+0x16/0x20
  [<ffffffff81109720>] ? cascade.constprop.6+0x160/0x160
  [<ffffffff81070cc6>] ? kvm_clock_read+0x16/0x20
  [<ffffffff810dd5fc>] ? sched_clock_local.constprop.4+0xc/0x80
  [<ffffffff81096329>] __do_softirq+0x199/0x400
  [<ffffffff81096710>] irq_exit+0xa0/0xc0
  [<ffffffff81061ad5>] smp_trace_apic_timer_interrupt+0x95/0xd0
  [<ffffffff81061b19>] smp_apic_timer_interrupt+0x9/0x10
  [<ffffffff817a4d0d>] apic_timer_interrupt+0x7d/0x90
  <EOI>
  [<ffffffff81071066>] ? native_safe_halt+0x6/0x10
  [<ffffffff81013ff9>] default_idle+0x9/0x10
  [<ffffffff81014cda>] arch_cpu_idle+0xa/0x10
  [<ffffffff810e8496>] default_idle_call+0x46/0x60
  [<ffffffff810e86dd>] cpu_startup_entry+0x22d/0x310
  [<ffffffff810d5945>] ? finish_task_switch+0x135/0x450
  [<ffffffff810e84b0>] ? default_idle_call+0x60/0x60
  [<ffffffff81799ff1>] ? __schedule+0x451/0xd50
  [<ffffffff8179aa26>] ? schedule+0xc6/0x180
  [<ffffffff8179760a>] rest_init+0x9a/0xa0
  [<ffffffff81a4b2ab>] start_kernel+0x3fa/0x422
  [<ffffffff81a4aeb1>] ? thread_info_cache_init+0x6/0x6
  [<ffffffff81a8c906>] ? memblock_reserve+0x4a/0x4f
  [<ffffffff81a4a120>] ? early_idt_handler_array+0x120/0x120
  [<ffffffff81a4a31c>] x86_64_start_reservations+0x2a/0x2c
  [<ffffffff81a4a408>] x86_64_start_kernel+0xea/0xf7
Code:  Bad RIP value.
RIP  [<          (null)>]           (null)
  RSP <ffffffff81946c08>
CR2: 0000000000000000
---[ end trace f62ab933aa78d176 ]---
Kernel panic - not syncing: Fatal exception in interrupt

This one I did see before and I think it's just req->complete which is
NULL (but I have no idea why).


Vegard

                 reply	other threads:[~2016-02-09  9:38 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56B9B360.9090202@oracle.com \
    --to=vegard.nossum@oracle.com \
    --cc=b.zolnierkie@samsung.com \
    --cc=balbi@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=m.szyprowski@samsung.com \
    --cc=maxime.ripard@free-electrons.com \
    --cc=peter.chen@freescale.com \
    --cc=ruslan.bilovol@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.