From: Yunseong Kim <ysk@kzalloc.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: linux-usb@vger.kernel.org, gregkh@linuxfoundation.org,
Andrey Konovalov <andreyknvl@google.com>,
Shuah Khan <skhan@linuxfoundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Clark Williams <clrkwllms@kernel.org>,
Steven Rostedt <rostedt@goodmis.org>,
linux-rt-users@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller@googlegroups.com
Subject: Re: [BUG] usbip: vhci: Sleeping function called from invalid context in vhci_urb_enqueue on PREEMPT_RT
Date: Sat, 16 Aug 2025 11:18:02 +0900 [thread overview]
Message-ID: <28544110-3021-43da-b32e-9785c81a42c1@kzalloc.com> (raw)
In-Reply-To: <f6cdf21a-642f-458c-85c1-0c2e1526f539@rowland.harvard.edu>
Hi Alan,
On 8/16/25 10:51 AM, Alan Stern wrote:
> On Sat, Aug 16, 2025 at 10:29:34AM +0900, Yunseong Kim wrote:
>> While testing a PREEMPT_RT enabled kernel (based on v6.17.0-rc1),
>> I encountered a "BUG: sleeping function called from invalid context"
>> error originating from the USB/IP VHCI driver.
>>
>> On PREEMPT_RT configurations, standard spin_lock() calls are replaced by
>> rt_spin_lock(). Since rt_spin_lock() may sleep when contended, it must not
>> be called from an atomic context (e.g., with interrupts disabled).
>>
>> The issue occurs within the vhci_urb_enqueue function This function
>> explicitly disables local interrupts using local_irq_disable() immediately
>> before calling usb_hcd_giveback_urb(), adhering to HCD requirements.
>
> ...
>
>> This error reported after this work:
>> It occurs after going through the code below:
>>
>> static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flags)
>> {
>>
>> ...
>>
>> no_need_unlink:
>> spin_unlock_irqrestore(&vhci->lock, flags);
>> if (!ret) {
>> /* usb_hcd_giveback_urb() should be called with
>> * irqs disabled
>> */
>> local_irq_disable(); // <--- Entering atomic context (IRQs disabled)
>> usb_hcd_giveback_urb(hcd, urb, urb->status);
>> local_irq_enable();
>> }
>> return ret;
>> }
>>
>> static void mon_bus_complete(struct mon_bus *mbus, struct urb *urb, int status)
>> {
>> ...
>> spin_lock_irqsave(&mbus->lock, flags);
> ^
> ------------------^
>
>> ...
>> }
>>
>> When called with interrupts disabled, usb_hcd_giveback_urb() eventually
>> leads to mon_complete() in the USB monitoring, if usbmon is enabled,
>> via __usb_hcd_giveback_urb().
>>
>> mon_complete() attempts to acquire a lock via spin_lock(), observed in the
>> trace within the inlined mon_bus_complete.
>
> Look again. mon_bus_complete() calls spin_lock_irqsave(), not
> spin_lock().
>
> Is the kernel tree that you are using different from Linus's tree?
I think this part is a macro, so it appears this way.
Link: https://github.com/torvalds/linux/blob/v6.17-rc1/include/linux/spinlock_rt.h#L96
#define spin_lock_irqsave(lock, flags) \
do { \
typecheck(unsigned long, flags); \
flags = 0; \
spin_lock(lock); \
} while (0)
My tree is indeed 6.17-rc1. I made a mistake in the diagram,
which caused the misunderstanding. I’ve redrawn the diagram:
kworker (hub_event)
|
v
vhci_urb_enqueue() [drivers/usb/usbip/vhci_hcd.c]
|
|---> spin_unlock_irqrestore(&vhci->lock, flags);
| (Context: IRQs Enabled, Process Context)
|---> local_irq_disable();
|
| *** STATE CHANGE: IRQs Disabled (Atomic Context) ***
|
+-----> usb_hcd_giveback_urb() [drivers/usb/core/hcd.c]
|
v
__usb_hcd_giveback_urb()
|
v
mon_complete() [drivers/usb/mon/mon_main.c]
|
|---> spin_lock_irqsave() [include/linux/spinlock_rt.h]
|
v https://github.com/torvalds/linux/blob/v6.17-rc1/include/linux/spinlock_rt.h#L96
spin_lock() [kernel/locking/spinlock_rt.c] <--- Attempts to acquire lock
|
| [On PREEMPT_RT]
v
rt_spin_lock() [kernel/locking/spinlock_rt.c]
|
v
[May Sleep if contended]
|
X <----------- BUG: Sleeping in atomic context (IRQs are disabled!)
|
|---> local_irq_enable();
(Context: IRQs Enabled)
> Alan Stern
Thank you!
Yunseong Kim
next prev parent reply other threads:[~2025-08-16 2:18 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-16 1:29 [BUG] usbip: vhci: Sleeping function called from invalid context in vhci_urb_enqueue on PREEMPT_RT Yunseong Kim
2025-08-16 1:47 ` Yunseong Kim
2025-08-16 1:51 ` Alan Stern
2025-08-16 2:18 ` Yunseong Kim [this message]
2025-08-16 14:16 ` Alan Stern
2025-08-17 14:27 ` Alan Stern
2025-08-19 11:04 ` Sebastian Andrzej Siewior
2025-08-19 14:12 ` Alan Stern
2025-08-19 14:57 ` Sebastian Andrzej Siewior
2025-08-19 15:44 ` Alan Stern
2025-08-20 16:26 ` Sebastian Andrzej Siewior
2025-08-20 20:53 ` Alan Stern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=28544110-3021-43da-b32e-9785c81a42c1@kzalloc.com \
--to=ysk@kzalloc.com \
--cc=andreyknvl@google.com \
--cc=bigeasy@linutronix.de \
--cc=clrkwllms@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rt-users@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=skhan@linuxfoundation.org \
--cc=stern@rowland.harvard.edu \
--cc=syzkaller@googlegroups.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox