* usb HC busted?
@ 2018-05-24 13:35 Mathias Nyman
  0 siblings, 0 replies; 39+ messages in thread
From: Mathias Nyman @ 2018-05-24 13:35 UTC (permalink / raw)
  To: Sudip Mukherjee; +Cc: Mathias Nyman, linux-usb, lukaszx.szulc
Hi
On 24.05.2018 00:29, Sudip Mukherjee wrote:
> Hi Mathias,
> 
> On Fri, May 18, 2018 at 04:19:02PM +0300, Mathias Nyman wrote:
>> On 18.05.2018 16:04, Sudip Mukherjee wrote:
>>> Hi Mathias,
>>>
>>> On Fri, May 18, 2018 at 03:55:04PM +0300, Mathias Nyman wrote:
>>>> Hi,
>>>>
>>>> Looks like event for Transfer block (TRB) at 0x32a21060 was never completed,
>>>> or at least not handled by xhci driver.
>>>> (either the event was never issued by hw, or something got messed up in the driver along the way)
>>>>
>>>> HC doesn't look busted, it continues sending transfer completions events.
>>>> it is already at event 0x32a211d0, which is 23 TRBS later. (one TRB is 0x10)
>>>>
>>>> This small log snippet doesn't say much about the reasons.
>>>>
>>>> Can you enable tracing for xhci and send me the output.
>>>
> We have finally reproduced the error while traces were on. The trace and
> the relevant part of the dmesg (when the error starts) are in:
> https://drive.google.com/open?id=1PbcYwL1a9ndtHw1MNjE6uVqb0fFX9jV8
> 
> Will request you to have a look and suggest what might be going wrong here.
> 
Log shows two rings having the same TRB segment dma address, this will completely mess up the transfer:
While allocating rings the enqueue pointers for the two rings are the same:
461.859315: xhci_ring_alloc: ISOC efa4e580: enq 0x0000000033386000(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000) segs 2 stream 0 ...bs
461.859320: xhci_ring_alloc: ISOC f0ce1f00: enq 0x0000000033386000(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000) segs 2 stream 0 ...
URBs for ISOC IN transfers are queued on EP3 at enqueue address (33386000 to 33386140)
461.859998: xhci_urb_enqueue: ep3in-isoc: urb f0ec0e00 pipe 4294528 slot 8 length 0/170 sgs 0/0 stream 0 flags 00010302
461.860004: xhci_queue_trb: ISOC: Buffer 000000002b480240 length 17 TD size 0 intr 0 type 'Isoch' flags b:i:I:c:s:I:e:c
461.860006: xhci_inc_enq: ISOC f0ce1f00: enq 0x0000000033386010(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000
Later URBs for ISOC OUT transfers are queued at the same address, this should not happen:
461.901175: xhci_urb_enqueue: ep3out-isoc: urb ecec2600 pipe 100096 slot 8 length 0/51 sgs 0/0 stream 0 flags 00010002
461.901180: xhci_queue_trb: ISOC: Buffer 000000002d9fa805 length 17 TD size 0 intr 0 type 'Isoch' flags b:i:I:c:s:i:e:c
461.901181: xhci_inc_enq: ISOC efa4e580: enq 0x0000000033386010(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000)
So something goes really wrong when allocating or setting up the rings in one of these functions:
xhci_ring_alloc()
xhci_alloc_segments_for_ring()
xhci_initialize_ring_info()
xhci_segment_alloc()
xhci_link_segments()
dma_pool_zalloc()
To verify and rule out dma_pool_zalloc(), could you apply the attached patch and reproduce with new logs?
Thanks
-Mathias
From 7aee4db28204fddff6cbc1534b8d50f13fd0b141 Mon Sep 17 00:00:00 2001
From: Mathias Nyman <mathias.nyman@linux.intel.com>
Date: Thu, 24 May 2018 15:37:41 +0300
Subject: [PATCH] xhci: testpatch, add custom trace for ring segment alloc
for custom debugging only
---
 drivers/usb/host/xhci-mem.c   | 10 ++++++++++
 drivers/usb/host/xhci-trace.h |  5 +++++
 2 files changed, 15 insertions(+)
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index e5ace89..7d343ad 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -44,10 +44,15 @@ static struct xhci_segment *xhci_segment_alloc(struct xhci_hcd *xhci,
 		return NULL;
 	}
 
+	xhci_dbg_trace(xhci,  trace_xhci_ring_mem_detail,
+		       "MATTU xhci_segment_alloc dma @ %pad", &dma);
+
 	if (max_packet) {
 		seg->bounce_buf = kzalloc(max_packet, flags);
 		if (!seg->bounce_buf) {
 			dma_pool_free(xhci->segment_pool, seg->trbs, dma);
+			xhci_dbg_trace(xhci,  trace_xhci_ring_mem_detail,
+				       "MATTU xhci segment free dma @ %pad", &dma);
 			kfree(seg);
 			return NULL;
 		}
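Review bot: in the kzalloc() failure path the free trace is emitted after dma_pool_free(), so the block is already back in the pool when the line is logged and an allocation of the same block from another context can show up in the trace ahead of it. Since the purpose of the patch is to order allocations against frees, emit the trace before dma_pool_free(xhci->segment_pool, seg->trbs, dma). The alloc message here is also spelled "xhci_segment_alloc" while the other messages use "xhci segment alloc" and "xhci segment free"; one spelling makes the output easier to filter.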
@@ -58,6 +63,9 @@ static struct xhci_segment *xhci_segment_alloc(struct xhci_hcd *xhci,
 			seg->trbs[i].link.control |= cpu_to_le32(TRB_CYCLE);
 	}
 	seg->dma = dma;
+	xhci_dbg_trace(xhci,  trace_xhci_ring_mem_detail,
+		       "MATTU xhci segment alloc seg->dma @ %pad", &seg->dma);
+
 	seg->next = NULL;
 
 	return seg;
@@ -67,6 +75,8 @@ static void xhci_segment_free(struct xhci_hcd *xhci, struct xhci_segment *seg)
 {
 	if (seg->trbs) {
 		dma_pool_free(xhci->segment_pool, seg->trbs, seg->dma);
+		xhci_dbg_trace(xhci,  trace_xhci_ring_mem_detail,
+			       "MATTU xhci segment free seg->dma @ %p", &seg->dma);
 		seg->trbs = NULL;
 	}
 	kfree(seg->bounce_buf);
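Review bot: the trace added in xhci_segment_free() uses "%p" with &seg->dma, while the other three traces in this patch use "%pad". With "%p" the argument is printed as a pointer, that is the location of the seg->dma field, not the DMA address stored in it, so the free lines cannot be paired with the alloc lines. Use "MATTU xhci segment free seg->dma @ %pad" here as well.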
diff --git a/drivers/usb/host/xhci-trace.h b/drivers/usb/host/xhci-trace.h
index 35bdd06..951e371 100644
--- a/drivers/usb/host/xhci-trace.h
+++ b/drivers/usb/host/xhci-trace.h
@@ -72,6 +72,11 @@ DEFINE_EVENT(xhci_log_msg, xhci_dbg_ring_expansion,
 	TP_ARGS(vaf)
 );
 
+DEFINE_EVENT(xhci_log_msg, xhci_ring_mem_detail,
+	TP_PROTO(struct va_format *vaf),
+	TP_ARGS(vaf)
+);
+
 DECLARE_EVENT_CLASS(xhci_log_ctx,
 	TP_PROTO(struct xhci_hcd *xhci, struct xhci_container_ctx *ctx,
 		 unsigned int ep_num),
-- 
2.7.4
^ permalink raw reply related	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-06-03 19:37 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-06-03 19:37 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Mathias Nyman, linux-usb, lukaszx.szulc
Hi Mathias,
On Thu, May 24, 2018 at 04:35:34PM +0300, Mathias Nyman wrote:
> Hi
> 
> On 24.05.2018 00:29, Sudip Mukherjee wrote:
> >Hi Mathias,
> >
> >>>On Fri, May 18, 2018 at 03:55:04PM +0300, Mathias Nyman wrote:
> >>>>Hi,
<snip>
> >>>>
> >>>>
> >>>>Can you enable tracing for xhci and send me the output.
> >>>
> >We have finally reproduced the error while traces were on. The trace and
> >the relevant part of the dmesg (when the error starts) are in:
> >https://drive.google.com/open?id=1PbcYwL1a9ndtHw1MNjE6uVqb0fFX9jV8
> >
> >Will request you to have a look and suggest what might be going wrong here.
> >
> 
> Log shows two rings having the same TRB segment dma address, this will completely mess up the transfer:
> 
> While allocating rings the enqueue pointers for the two rings are the same:
> 
> 461.859315: xhci_ring_alloc: ISOC efa4e580: enq 0x0000000033386000(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000) segs 2 stream 0 ...bs
> 461.859320: xhci_ring_alloc: ISOC f0ce1f00: enq 0x0000000033386000(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000) segs 2 stream 0 ...
> 
> URBs for ISOC IN transfers are queued on EP3 at enqueue address (33386000 to 33386140)
> 
> 461.859998: xhci_urb_enqueue: ep3in-isoc: urb f0ec0e00 pipe 4294528 slot 8 length 0/170 sgs 0/0 stream 0 flags 00010302
> 461.860004: xhci_queue_trb: ISOC: Buffer 000000002b480240 length 17 TD size 0 intr 0 type 'Isoch' flags b:i:I:c:s:I:e:c
> 461.860006: xhci_inc_enq: ISOC f0ce1f00: enq 0x0000000033386010(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000
> 
> Later URBs for ISOC OUT transfers are queued at the same address, this should not happen:
> 
> 461.901175: xhci_urb_enqueue: ep3out-isoc: urb ecec2600 pipe 100096 slot 8 length 0/51 sgs 0/0 stream 0 flags 00010002
> 461.901180: xhci_queue_trb: ISOC: Buffer 000000002d9fa805 length 17 TD size 0 intr 0 type 'Isoch' flags b:i:I:c:s:i:e:c
> 461.901181: xhci_inc_enq: ISOC efa4e580: enq 0x0000000033386010(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000)
> 
> So something goes really wrong when allocating or setting up the rings in one of these functions:
> xhci_ring_alloc()
> xhci_alloc_segments_for_ring()
> xhci_initialize_ring_info()
> xhci_segment_alloc()
> xhci_link_segments()
> dma_pool_zalloc()
> 
> To verify and rule out dma_pool_zalloc(), could you apply the attached patch and reproduce with new logs?
We tested for the full week but still could not reproduce with the patch
applied. We are still trying and will be setting up automated tests for
this. And, since we are not able to reproduce it, I was wondering if it
is some kind of race and the applied patch with extra tracing has changed
the timing in such a way that it is not seen now. And also, wondering if
2b3ff282dff3 ("xhci: Don't add a virt_dev to the devs array before it's fully allocated")
will be of any help to us.
---
Regards
Sudip
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-06-04 15:28 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-06-04 15:28 UTC (permalink / raw)
  To: Mathias Nyman; +Cc: Mathias Nyman, linux-usb, lukaszx.szulc
Hi Mathias,
On Thu, May 24, 2018 at 04:35:34PM +0300, Mathias Nyman wrote:
> Hi
> 
> On 24.05.2018 00:29, Sudip Mukherjee wrote:
> > Hi Mathias,
> > 
> > On Fri, May 18, 2018 at 04:19:02PM +0300, Mathias Nyman wrote:
> > > On 18.05.2018 16:04, Sudip Mukherjee wrote:
<snip>
> > > > 
> > We have finally reproduced the error while traces were on. The trace and
> > the relevant part of the dmesg (when the error starts) are in:
> > https://drive.google.com/open?id=1PbcYwL1a9ndtHw1MNjE6uVqb0fFX9jV8
> > 
> > Will request you to have a look and suggest what might be going wrong here.
> > 
> 
> Log shows two rings having the same TRB segment dma address, this will completely mess up the transfer:
> 
> While allocating rings the enqueue pointers for the two rings are the same:
> 
> 461.859315: xhci_ring_alloc: ISOC efa4e580: enq 0x0000000033386000(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000) segs 2 stream 0 ...bs
> 461.859320: xhci_ring_alloc: ISOC f0ce1f00: enq 0x0000000033386000(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000) segs 2 stream 0 ...
> 
> URBs for ISOC IN transfers are queued on EP3 at enqueue address (33386000 to 33386140)
> 
> 461.859998: xhci_urb_enqueue: ep3in-isoc: urb f0ec0e00 pipe 4294528 slot 8 length 0/170 sgs 0/0 stream 0 flags 00010302
> 461.860004: xhci_queue_trb: ISOC: Buffer 000000002b480240 length 17 TD size 0 intr 0 type 'Isoch' flags b:i:I:c:s:I:e:c
> 461.860006: xhci_inc_enq: ISOC f0ce1f00: enq 0x0000000033386010(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000
> 
> Later URBs for ISOC OUT transfers are queued at the same address, this should not happen:
> 
> 461.901175: xhci_urb_enqueue: ep3out-isoc: urb ecec2600 pipe 100096 slot 8 length 0/51 sgs 0/0 stream 0 flags 00010002
> 461.901180: xhci_queue_trb: ISOC: Buffer 000000002d9fa805 length 17 TD size 0 intr 0 type 'Isoch' flags b:i:I:c:s:i:e:c
> 461.901181: xhci_inc_enq: ISOC efa4e580: enq 0x0000000033386010(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000)
> 
> So something goes really wrong when allocating or setting up the rings in one of these functions:
> xhci_ring_alloc()
> xhci_alloc_segments_for_ring()
> xhci_initialize_ring_info()
> xhci_segment_alloc()
> xhci_link_segments()
> dma_pool_zalloc()
> 
> To verify and rule out dma_pool_zalloc(), could you apply the attached patch and reproduce with new logs?
I spoke too soon in my yesterday's mail. We were able to reproduce it
on the automated tests. The log and the trace are at:
https://drive.google.com/open?id=1h-3r-1lfjg8oblBGkzdRIq8z3ZNgGZx-
Will request you to have a look at it.
---
Regards
Sudip
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-06-06 14:12 Mathias Nyman
  0 siblings, 0 replies; 39+ messages in thread
From: Mathias Nyman @ 2018-06-06 14:12 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu, Andy Shevchenko
On 04.06.2018 18:28, Sudip Mukherjee wrote:
> On Thu, May 24, 2018 at 04:35:34PM +0300, Mathias Nyman wrote:
>>
>> Log shows two rings having the same TRB segment dma address, this will completely mess up the transfer:
>>
>> While allocating rings the enqueue pointers for the two rings are the same:
>>
>> 461.859315: xhci_ring_alloc: ISOC efa4e580: enq 0x0000000033386000(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000) segs 2 stream 0 ...bs
>> 461.859320: xhci_ring_alloc: ISOC f0ce1f00: enq 0x0000000033386000(0x0000000033386000) deq 0x0000000033386000(0x0000000033386000) segs 2 stream 0 ...
>>
>> So something goes really wrong when allocating or setting up the rings in one of these functions:
>>
>> To verify and rule out dma_pool_zalloc(), could you apply the attached patch and reproduce with new logs?
> 
> I spoke too soon in my yesterday's mail. We were able to reproduce it
> on the automated tests. The log and the trace are at:
> https://drive.google.com/open?id=1h-3r-1lfjg8oblBGkzdRIq8z3ZNgGZx-
> 
> Will request you to have a look at it.
> 
Odd and unlikely, but to me this looks like some issue in allocating dma memory
from pool using dma_pool_zalloc()
Adding people with DMA knowledge to cc, maybe someone knows what is going on.
Here's the story:
Sudip sees usb issues on an Intel Atom based board with 4.14.2 kernel.
All tracing points to dma_pool_zalloc() returning the same dma address block on
consecutive calls.
In the failing case dma_pool_zalloc() is called 3 - 6us apart.
<...>-26362 [002] ....  1186.756739: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756745: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756748: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d92b000
dma_pool_zalloc() is called from xhci_segment_alloc() in drivers/usb/host/xhci-mem.c
see:
https://elixir.bootlin.com/linux/v4.14.2/source/drivers/usb/host/xhci-mem.c#L52
prints above are custom traces added right after dma_pool_zalloc()
@@ -44,10 +44,15 @@ static struct xhci_segment *xhci_segment_alloc(struct xhci_hcd *xhci,
  		return NULL;
  	}
  
+	xhci_dbg_trace(xhci,  trace_xhci_ring_mem_detail,
+		       "MATTU xhci_segment_alloc dma @ %pad", &dma);
+
Any idea what's going on?
dma_pool_alloc() has a comment that it drops &pool->lock if it needs to allocate
a page, can it be related?
Thanks
-Mathias
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-06-06 15:36 Andy Shevchenko
  0 siblings, 0 replies; 39+ messages in thread
From: Andy Shevchenko @ 2018-06-06 15:36 UTC (permalink / raw)
  To: Mathias Nyman, Sudip Mukherjee
  Cc: Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
On Wed, 2018-06-06 at 17:12 +0300, Mathias Nyman wrote:
> On 04.06.2018 18:28, Sudip Mukherjee wrote:
> > On Thu, May 24, 2018 at 04:35:34PM +0300, Mathias Nyman wrote:
> > > 
> Odd and unlikely, but to me this looks like some issue in allocating
> dma memory
> from pool using dma_pool_zalloc()
> 
> Adding people with DMA knowledge to cc, maybe someone knows what is
> going on.
> 
> Here's the story:
> Sudip sees usb issues on an Intel Atom based board with 4.14.2 kernel.
> All tracing points to dma_pool_zalloc() returning the same dma address
> block on
> consecutive calls.
> 
> In the failing case dma_pool_zalloc() is called 3 - 6us apart.
> 
> <...>-26362 [002] ....  1186.756739: xhci_ring_mem_detail: MATTU
> xhci_segment_alloc dma @ 0x000000002d92b000
> <...>-26362 [002] ....  1186.756745: xhci_ring_mem_detail: MATTU
> xhci_segment_alloc dma @ 0x000000002d92b000
> <...>-26362 [002] ....  1186.756748: xhci_ring_mem_detail: MATTU
> xhci_segment_alloc dma @ 0x000000002d92b000
> 
> dma_pool_zalloc() is called from xhci_segment_alloc() in
> drivers/usb/host/xhci-mem.c
> see:
> https://elixir.bootlin.com/linux/v4.14.2/source/drivers/usb/host/xhci-
> mem.c#L52
> 
> prints above are custom traces added right after dma_pool_zalloc()
For better understanding it would be good to have dma_pool_free() calls
debugged as well.
Is it possible that something in parallel is just fast enough to free the
allocated resource from pool?
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-06-06 16:42 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-06-06 16:42 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu, Andy Shevchenko
On Wed, Jun 06, 2018 at 05:12:21PM +0300, Mathias Nyman wrote:
> On 04.06.2018 18:28, Sudip Mukherjee wrote:
> > On Thu, May 24, 2018 at 04:35:34PM +0300, Mathias Nyman wrote:
> > > 
<snip>
> > 
> > Will request you to have a look at it.
> > 
> 
> Odd and unlikely, but to me this looks like some issue in allocating dma memory
> from pool using dma_pool_zalloc()
> 
> Adding people with DMA knowledge to cc, maybe someone knows what is going on.
Thanks Mathias.
---
Regards
Sudip
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-06-06 16:45 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-06-06 16:45 UTC (permalink / raw)
  To: Andy Shevchenko
  Cc: Mathias Nyman, Mathias Nyman, linux-usb, lukaszx.szulc,
	Christoph Hellwig, Marek Szyprowski, iommu
Hi Andy,
And we meet again. :)
On Wed, Jun 06, 2018 at 06:36:35PM +0300, Andy Shevchenko wrote:
> On Wed, 2018-06-06 at 17:12 +0300, Mathias Nyman wrote:
> > On 04.06.2018 18:28, Sudip Mukherjee wrote:
> > > On Thu, May 24, 2018 at 04:35:34PM +0300, Mathias Nyman wrote:
> > > > 
> 
> > Odd and unlikely, but to me this looks like some issue in allocating
> > dma memory
> > from pool using dma_pool_zalloc()
> > 
> > Adding people with DMA knowledge to cc, maybe someone knows what is
> > going on.
> > 
> > Here's the story:
> > Sudip sees usb issues on an Intel Atom based board with 4.14.2 kernel.
> > All tracing points to dma_pool_zalloc() returning the same dma address
> > block on
> > consecutive calls.
> > 
> > In the failing case dma_pool_zalloc() is called 3 - 6us apart.
> > 
> > <...>-26362 [002] ....  1186.756739: xhci_ring_mem_detail: MATTU
> > xhci_segment_alloc dma @ 0x000000002d92b000
> > <...>-26362 [002] ....  1186.756745: xhci_ring_mem_detail: MATTU
> > xhci_segment_alloc dma @ 0x000000002d92b000
> > <...>-26362 [002] ....  1186.756748: xhci_ring_mem_detail: MATTU
> > xhci_segment_alloc dma @ 0x000000002d92b000
> > 
> > dma_pool_zalloc() is called from xhci_segment_alloc() in
> > drivers/usb/host/xhci-mem.c
> > see:
> > https://elixir.bootlin.com/linux/v4.14.2/source/drivers/usb/host/xhci-
> > mem.c#L52
> > 
> > prints above are custom traces added right after dma_pool_zalloc()
> 
> For better understanding it would be good to have dma_pool_free() calls
> debugged as well.
So, I am adding another trace event for dma_pool_free() and continuing
with the test. Is there anything else that I should be adding as debug?
---
Regards
Sudip
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-06-07  7:40 Mathias Nyman
  0 siblings, 0 replies; 39+ messages in thread
From: Mathias Nyman @ 2018-06-07  7:40 UTC (permalink / raw)
  To: Sudip Mukherjee, Andy Shevchenko
  Cc: Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
On 06.06.2018 19:45, Sudip Mukherjee wrote:
> Hi Andy,
> 
> And we meet again. :)
> 
> On Wed, Jun 06, 2018 at 06:36:35PM +0300, Andy Shevchenko wrote:
>> On Wed, 2018-06-06 at 17:12 +0300, Mathias Nyman wrote:
>>> On 04.06.2018 18:28, Sudip Mukherjee wrote:
>>>> On Thu, May 24, 2018 at 04:35:34PM +0300, Mathias Nyman wrote:
>>>>>
>>
>>> Odd and unlikely, but to me this looks like some issue in allocating
>>> dma memory
>>> from pool using dma_pool_zalloc()
>>>
>>> Adding people with DMA knowledge to cc, maybe someone knows what is
>>> going on.
>>>
>>> Here's the story:
>>> Sudip sees usb issues on an Intel Atom based board with 4.14.2 kernel.
>>> All tracing points to dma_pool_zalloc() returning the same dma address
>>> block on
>>> consecutive calls.
>>>
>>> In the failing case dma_pool_zalloc() is called 3 - 6us apart.
>>>
>>> <...>-26362 [002] ....  1186.756739: xhci_ring_mem_detail: MATTU
>>> xhci_segment_alloc dma @ 0x000000002d92b000
>>> <...>-26362 [002] ....  1186.756745: xhci_ring_mem_detail: MATTU
>>> xhci_segment_alloc dma @ 0x000000002d92b000
>>> <...>-26362 [002] ....  1186.756748: xhci_ring_mem_detail: MATTU
>>> xhci_segment_alloc dma @ 0x000000002d92b000
>>>
>>> dma_pool_zalloc() is called from xhci_segment_alloc() in
>>> drivers/usb/host/xhci-mem.c
>>> see:
>>> https://elixir.bootlin.com/linux/v4.14.2/source/drivers/usb/host/xhci-
>>> mem.c#L52
>>>
>>> prints above are custom traces added right after dma_pool_zalloc()
>>
>> For better understanding it would be good to have dma_pool_free() calls
>> debugged as well.
> 
> So, I am adding another trace event for dma_pool_free() and continuing
> with the test. Is there anything else that I should be adding as debug?
> 
The patch traced both dma_pool_zalloc() and dma_pool_free() calls from xhci,
no need to retry.
Sudip has a full (394M unpacked) trace at:
https://drive.google.com/open?id=1h-3r-1lfjg8oblBGkzdRIq8z3ZNgGZx-
Interesting part is:
<...>-26362 [002] ....  1186.756728: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d34d000
<...>-26362 [002] ....  1186.756735: xhci_ring_mem_detail: MATTU xhci segment alloc seg->dma @ 0x000000002d34d000
<...>-26362 [002] ....  1186.756739: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756740: xhci_ring_mem_detail: MATTU xhci segment alloc seg->dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756743: xhci_ring_alloc: ISOC eefa0580: enq 0x000000002d34d000(0x000000002d34d000) deq 0x000000002d34d000(0x000000002d34d000) segs 2 stream 0 free_trbs 509 bounce 17 cycle 1
<...>-26362 [002] ....  1186.756745: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756746: xhci_ring_mem_detail: MATTU xhci segment alloc seg->dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756748: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756751: xhci_ring_mem_detail: MATTU xhci segment alloc seg->dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756752: xhci_ring_alloc: ISOC f19d7c80: enq 0x000000002d92b000(0x000000002d92b000) deq 0x000000002d92b000(0x000000002d92b000) segs 2 stream 0 free_trbs 509 bounce 17 cycle 1
<...>-26362 [002] d..1  1186.756761: xhci_queue_trb: CMD: Configure Endpoint Command: ctx 000000002ce96000 slot 7 flags d:C
<...>-26362 [002] d..1  1186.756762: xhci_inc_enq: CMD ed930b80: enq 0x000000002d93adb0(0x000000002d93a000) deq 0x000000002d93ada0(0x000000002d93a000) segs 1 stream 0 free_trbs 253 bounce 0 cycle 1
<...>-26362 [002] ....  1186.757066: xhci_dbg_context_change: Successful Endpoint Configure command
<...>-26362 [002] ....  1186.757072: xhci_ring_free: ISOC eefd9380: enq 0x000000002c482000(0x000000002c482000) deq 0x000000002c482000(0x000000002c482000) segs 2 stream 0 free_trbs 509 bounce0 cycle 1
<...>-26362 [002] ....  1186.757075: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ ee2d23c8
<...>-26362 [002] ....  1186.757078: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ c7a93488
<...>-26362 [002] ....  1186.757080: xhci_ring_free: ISOC eef0d800: enq 0x000000002c50a000(0x000000002c50a000) deq 0x000000002c50a000(0x000000002c50a000) segs 2 stream 0 free_trbs 509 bounce0 cycle 1
What is shown is the allocation of two ISOC transfer rings, each ring has 2 segments (two dma_pool_zalloc() calls per ring)
First ring looks normal, ring1 get dma memory at 0x2d34d000 for first ring segment, and dma memory at 0x2d92b000 for second segment.
But then it gets stuck, for the whole ring2 dma_pool_zalloc() just returns the same dma address as the last segment for
ring1:0x2d92b000. Last part of trace snippet is just another ring being freed.
Full testpatch looked like this:
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index e5ace89..7d343ad 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -44,10 +44,15 @@ static struct xhci_segment *xhci_segment_alloc(struct xhci_hcd *xhci,
  		return NULL;
  	}
  
+	xhci_dbg_trace(xhci,  trace_xhci_ring_mem_detail,
+		       "MATTU xhci_segment_alloc dma @ %pad", &dma);
+
  	if (max_packet) {
  		seg->bounce_buf = kzalloc(max_packet, flags);
  		if (!seg->bounce_buf) {
  			dma_pool_free(xhci->segment_pool, seg->trbs, dma);
+			xhci_dbg_trace(xhci,  trace_xhci_ring_mem_detail,
+				       "MATTU xhci segment free dma @ %pad", &dma);
  			kfree(seg);
  			return NULL;
  		}
@@ -58,6 +63,9 @@ static struct xhci_segment *xhci_segment_alloc(struct xhci_hcd *xhci,
  			seg->trbs[i].link.control |= cpu_to_le32(TRB_CYCLE);
  	}
  	seg->dma = dma;
+	xhci_dbg_trace(xhci,  trace_xhci_ring_mem_detail,
+		       "MATTU xhci segment alloc seg->dma @ %pad", &seg->dma);
+
  	seg->next = NULL;
  
  	return seg;
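Review bot: the trace added after "seg->dma = dma" prints the same value that the first trace in this function printed a few lines earlier, so it adds no new information to the log. Logging the CPU address in seg->trbs together with the seg pointer at this point would show whether dma_pool_zalloc() returned the same block twice or two different blocks carrying the same DMA handle.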
@@ -67,6 +75,8 @@ static void xhci_segment_free(struct xhci_hcd *xhci, struct xhci_segment *seg)
  {
  	if (seg->trbs) {
  		dma_pool_free(xhci->segment_pool, seg->trbs, seg->dma);
+		xhci_dbg_trace(xhci,  trace_xhci_ring_mem_detail,
+			       "MATTU xhci segment free seg->dma @ %p", &seg->dma);
  		seg->trbs = NULL;
  	}
  	kfree(seg->bounce_buf);
diff --git a/drivers/usb/host/xhci-trace.h b/drivers/usb/host/xhci-trace.h
index 35bdd06..951e371 100644
--- a/drivers/usb/host/xhci-trace.h
+++ b/drivers/usb/host/xhci-trace.h
@@ -72,6 +72,11 @@ DEFINE_EVENT(xhci_log_msg, xhci_dbg_ring_expansion,
  	TP_ARGS(vaf)
  );
  
+DEFINE_EVENT(xhci_log_msg, xhci_ring_mem_detail,
+	TP_PROTO(struct va_format *vaf),
+	TP_ARGS(vaf)
+);
+
  DECLARE_EVENT_CLASS(xhci_log_ctx,
  	TP_PROTO(struct xhci_hcd *xhci, struct xhci_container_ctx *ctx,
  		 unsigned int ep_num),
^ permalink raw reply related	[flat|nested] 39+ messages in thread
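The comparison done by eye on the trace above, as an added example (not code from the thread or from the xhci driver): a Python pass over ftrace text that flags a segment DMA address handed out again while the earlier allocation is still outstanding, and lists which rings end up sharing it. It assumes the `MATTU` message formats of the test patch and that segment allocations logged before an `xhci_ring_alloc` line belong to that ring; `analyse` and `shared_segments` are names chosen here.

```python
import re

# Subset of the trace lines quoted in the thread, copied unchanged.
SAMPLE_TRACE = """\
<...>-26362 [002] ....  1186.756728: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d34d000
<...>-26362 [002] ....  1186.756735: xhci_ring_mem_detail: MATTU xhci segment alloc seg->dma @ 0x000000002d34d000
<...>-26362 [002] ....  1186.756739: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756740: xhci_ring_mem_detail: MATTU xhci segment alloc seg->dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756743: xhci_ring_alloc: ISOC eefa0580: enq 0x000000002d34d000(0x000000002d34d000) deq 0x000000002d34d000(0x000000002d34d000) segs 2 stream 0 free_trbs 509 bounce 17 cycle 1
<...>-26362 [002] ....  1186.756745: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756746: xhci_ring_mem_detail: MATTU xhci segment alloc seg->dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756748: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756751: xhci_ring_mem_detail: MATTU xhci segment alloc seg->dma @ 0x000000002d92b000
<...>-26362 [002] ....  1186.756752: xhci_ring_alloc: ISOC f19d7c80: enq 0x000000002d92b000(0x000000002d92b000) deq 0x000000002d92b000(0x000000002d92b000) segs 2 stream 0 free_trbs 509 bounce 17 cycle 1
<...>-26362 [002] ....  1186.757075: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ ee2d23c8
<...>-26362 [002] ....  1186.757078: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ c7a93488
"""

EVENT_RE = re.compile(r"(?P<ts>\d+\.\d+): (?P<event>\w+): (?P<msg>.*)$")
# Only the trace placed right after dma_pool_zalloc() counts as an allocation;
# the later "xhci segment alloc seg->dma" line repeats the same value.
ALLOC_RE = re.compile(r"xhci_segment_alloc dma @ 0x(?P<dma>[0-9a-f]+)")
FREE_RE = re.compile(r"xhci segment free (?:seg->)?dma @ (?:0x)?(?P<dma>[0-9a-f]+)")
RING_RE = re.compile(r"^(?P<type>\w+) (?P<ring>[0-9a-f]+): enq ")


def to_us(ts):
    """Convert an ftrace 'seconds.microseconds' timestamp to integer microseconds."""
    sec, frac = ts.split(".")
    return int(sec) * 1_000_000 + int(frac.ljust(6, "0")[:6])


def analyse(trace_text):
    live = {}             # dma address -> time (us) of the latest outstanding alloc
    pending = []          # segments allocated since the last xhci_ring_alloc line
    rings = {}            # ring id -> segment dma addresses (assumed ownership)
    duplicates = []       # (dma, microseconds since the previous alloc of it)
    unmatched_frees = []  # free lines that match no outstanding allocation
    for line in trace_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ts, event, msg = to_us(m["ts"]), m["event"], m["msg"]
        if event == "xhci_ring_alloc":
            ring = RING_RE.match(msg)
            if ring:
                rings[ring["ring"]] = pending
                pending = []
            continue
        alloc = ALLOC_RE.search(msg)
        if alloc:
            dma = int(alloc["dma"], 16)
            if dma in live:  # handed out again with no free in between
                duplicates.append((dma, ts - live[dma]))
            live[dma] = ts
            pending.append(dma)
            continue
        free = FREE_RE.search(msg)
        if free:
            dma = int(free["dma"], 16)
            # Unmatched when the allocation predates the excerpt or when the
            # line does not carry the DMA address that was allocated.
            if live.pop(dma, None) is None:
                unmatched_frees.append(dma)
    return {"duplicates": duplicates, "rings": rings,
            "unmatched_frees": unmatched_frees}


def shared_segments(rings):
    """Return {dma: [ring ids]} for segments that appear in more than one ring."""
    owners = {}
    for ring, segs in rings.items():
        for dma in set(segs):
            owners.setdefault(dma, []).append(ring)
    return {dma: ids for dma, ids in owners.items() if len(ids) > 1}


if __name__ == "__main__":
    report = analyse(SAMPLE_TRACE)
    for dma, gap in report["duplicates"]:
        print(f"dma {dma:#x} allocated again after {gap} us with no free seen")
    for dma, ids in shared_segments(report["rings"]).items():
        print(f"dma {dma:#x} is a segment of rings {', '.join(ids)}")
    for dma in report["unmatched_frees"]:
        print(f"free of {dma:#x} matches no outstanding allocation")
```
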
* usb HC busted?
@ 2018-06-08  9:07 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-06-08  9:07 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Andy Shevchenko, Mathias Nyman, linux-usb, lukaszx.szulc,
	Christoph Hellwig, Marek Szyprowski, iommu
Hi All,
On Thu, Jun 07, 2018 at 10:40:03AM +0300, Mathias Nyman wrote:
> On 06.06.2018 19:45, Sudip Mukherjee wrote:
> > Hi Andy,
> > 
> > And we meet again. :)
> > 
> > On Wed, Jun 06, 2018 at 06:36:35PM +0300, Andy Shevchenko wrote:
> > > On Wed, 2018-06-06 at 17:12 +0300, Mathias Nyman wrote:
> > > > On 04.06.2018 18:28, Sudip Mukherjee wrote:
> > > > > On Thu, May 24, 2018 at 04:35:34PM +0300, Mathias Nyman wrote:
> > > > > > 
> > > 
> > > > Odd and unlikely, but to me this looks like some issue in allocating
> > > > dma memory
> > > > from pool using dma_pool_zalloc()
> > > > 
> > > > Adding people with DMA knowledge to cc, maybe someone knows what is
> > > > going on.
> > > > 
> > > > Here's the story:
> > > > Sudip sees usb issues on an Intel Atom based board with 4.14.2 kernel.
> > > > All tracing points to dma_pool_zalloc() returning the same dma address
> > > > block on
> > > > consecutive calls.
We have started testing with v4.14.47 now and we are seeing the issue
with it also. :(
---
Regards
Sudip
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-06-21  0:53 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-06-21  0:53 UTC (permalink / raw)
  To: Mathias Nyman, Andy Shevchenko
  Cc: Andy Shevchenko, Mathias Nyman, linux-usb, lukaszx.szulc,
	Christoph Hellwig, Marek Szyprowski, iommu
Hi Mathias, Andy,
On Thu, Jun 07, 2018 at 10:40:03AM +0300, Mathias Nyman wrote:
> On 06.06.2018 19:45, Sudip Mukherjee wrote:
> > Hi Andy,
> > 
> > And we meet again. :)
> > 
> > On Wed, Jun 06, 2018 at 06:36:35PM +0300, Andy Shevchenko wrote:
> > > On Wed, 2018-06-06 at 17:12 +0300, Mathias Nyman wrote:
> > > > On 04.06.2018 18:28, Sudip Mukherjee wrote:
> > > > > On Thu, May 24, 2018 at 04:35:34PM +0300, Mathias Nyman wrote:
> > > > > > 
> > > 
> > > > Odd and unlikely, but to me this looks like some issue in allocating
> > > > dma memory
> > > > from pool using dma_pool_zalloc()
> > > > 
> > > > 
> > > > Here's the story:
> > > > Sudip sees usb issues on an Intel Atom based board with 4.14.2 kernel.
> > > > All tracing points to dma_pool_zalloc() returning the same dma address
> > > > block on
> > > > consecutive calls.
> > > > 
> > > > In the failing case dma_pool_zalloc() is called 3 - 6us apart.
> > > > 
> > > > <...>-26362 [002] ....  1186.756739: xhci_ring_mem_detail: MATTU
> > > > xhci_segment_alloc dma @ 0x000000002d92b000
> > > > <...>-26362 [002] ....  1186.756745: xhci_ring_mem_detail: MATTU
> > > > xhci_segment_alloc dma @ 0x000000002d92b000
> > > > <...>-26362 [002] ....  1186.756748: xhci_ring_mem_detail: MATTU
> > > > xhci_segment_alloc dma @ 0x000000002d92b000
> > > > 
> > > > dma_pool_zalloc() is called from xhci_segment_alloc() in
> > > > drivers/usb/host/xhci-mem.c
> > > > see:
> > > > https://elixir.bootlin.com/linux/v4.14.2/source/drivers/usb/host/xhci-
> > > > mem.c#L52
> > > > 
> > > > prints above are custom traces added right after dma_pool_zalloc()
> > > 
> > > For better understanding it would be good to have dma_pool_free() calls
> > > debugged as well.
> > 
> 
> Sudip has a full (394M unpacked) trace at:
> https://drive.google.com/open?id=1h-3r-1lfjg8oblBGkzdRIq8z3ZNgGZx-
> 
<snip>
> But then it gets stuck, for the whole ring2 dma_pool_zalloc() just returns the same dma address as the last segment for
> ring1:0x2d92b000. Last part of trace snippet is just another ring being freed.
A gentle ping on this. Any idea on what the problem might be and any
possible fix?
---
regards
Sudip
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-06-21 11:01 Mathias Nyman
  0 siblings, 0 replies; 39+ messages in thread
From: Mathias Nyman @ 2018-06-21 11:01 UTC (permalink / raw)
  To: Sudip Mukherjee, Andy Shevchenko
  Cc: Andy Shevchenko, Mathias Nyman, linux-usb, lukaszx.szulc,
	Christoph Hellwig, Marek Szyprowski, iommu
On 21.06.2018 03:53, Sudip Mukherjee wrote:
> Hi Mathias, Andy,
> 
> On Thu, Jun 07, 2018 at 10:40:03AM +0300, Mathias Nyman wrote:
>> On 06.06.2018 19:45, Sudip Mukherjee wrote:
>>> Hi Andy,
>>>
>>> And we meet again. :)
>>>
>>> On Wed, Jun 06, 2018 at 06:36:35PM +0300, Andy Shevchenko wrote:
>>>> On Wed, 2018-06-06 at 17:12 +0300, Mathias Nyman wrote:
>>>>> On 04.06.2018 18:28, Sudip Mukherjee wrote:
>>>>>> On Thu, May 24, 2018 at 04:35:34PM +0300, Mathias Nyman wrote:
>>>>>>>
>>>>
>>>>> Odd and unlikely, but to me this looks like some issue in allocating
>>>>> dma memory
>>>>> from pool using dma_pool_zalloc()
>>>>>
>>>>>
>>>>> Here's the story:
>>>>> Sudip sees usb issues on a Intel Atom based board with 4.14.2 kernel.
>>>>> All tracing points to dma_pool_zalloc() returning the same dma address
>>>>> block on
>>>>> consecutive calls.
>>>>>
>>>>> In the failing case dma_pool_zalloc() is called 3 - 6us apart.
>>>>>
>>>>> <...>-26362 [002] ....  1186.756739: xhci_ring_mem_detail: MATTU
>>>>> xhci_segment_alloc dma @ 0x000000002d92b000
>>>>> <...>-26362 [002] ....  1186.756745: xhci_ring_mem_detail: MATTU
>>>>> xhci_segment_alloc dma @ 0x000000002d92b000
>>>>> <...>-26362 [002] ....  1186.756748: xhci_ring_mem_detail: MATTU
>>>>> xhci_segment_alloc dma @ 0x000000002d92b000
>>>>>
>>>>> dma_pool_zalloc() is called from xhci_segment_alloc() in
>>>>> drivers/usb/host/xhci-mem.c
>>>>> see:
>>>>> https://elixir.bootlin.com/linux/v4.14.2/source/drivers/usb/host/xhci-mem.c#L52
>>>>>
>>>>> prints above are custom traces added right after dma_pool_zalloc()
>>>>
>>>> For better understanding it would be good to have dma_pool_free() calls
>>>> debugged as well.
>>>
>>
>> Sudip has a full (394M unpacked) trace at:
>> https://drive.google.com/open?id=1h-3r-1lfjg8oblBGkzdRIq8z3ZNgGZx-
>>
> 
> <snip>
> 
>> But then it gets stuck, for the whole ring2 dma_pool_zalloc() just returns the same dma address as the last segment for
>> ring1:0x2d92b000. Last part of trace snippet is just another ring being freed.
> 
> A gentle ping on this. Any idea on what the problem might be and any
> possible fix?
> 
I tried to reproduce it by quickly hacking xhci to allocate and free 50 segments each time
we normally allocate one segment from dmapool.
I let it run for 3 days on an Atom-based platform, but could not reproduce it.
xhci testhack can be found here:
git://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git dmapool-test
https://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git/log/?h=dmapool-test
Tested by just leaving the following running for a few days:
while true; do echo 0 > authorized; sleep 3; echo 1 > authorized; sleep 3; done;
For some usb device (for example: /sys/bus/usb/devices/1-8)
Then grep logs for "MATTU dmatest match! "
Can you share a bit more details on the platform you are using, and what types of test you are running.
Does my test above trigger the case? (show "MATTU dmatest match!")
-Mathias
* usb HC busted?
@ 2018-06-25 16:15 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-06-25 16:15 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Andy Shevchenko, Andy Shevchenko, Mathias Nyman, linux-usb,
	lukaszx.szulc, Christoph Hellwig, Marek Szyprowski, iommu
Hi Mathias,
On Thu, Jun 21, 2018 at 02:01:30PM +0300, Mathias Nyman wrote:
> On 21.06.2018 03:53, Sudip Mukherjee wrote:
> > Hi Mathias, Andy,
> > 
> > On Thu, Jun 07, 2018 at 10:40:03AM +0300, Mathias Nyman wrote:
> > > On 06.06.2018 19:45, Sudip Mukherjee wrote:
<snip>
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git dmapool-test
> https://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git/log/?h=dmapool-test
> 
> Tested by just leaving the following running for a few days:
> 
> while true; do echo 0 > authorized; sleep 3; echo 1 > authorized; sleep 3; done;
> For some usb device (for example: /sys/bus/usb/devices/1-8)
> 
> Then grep logs for "MATTU dmatest match! "
> 
> Can you share a bit more details on the platform you are using, and what types of test you are running.
Sorry for the delayed reply, I was in Tokyo for the OSS.
It is a board based on "Intel(R) Atom(TM) CPU  E3840  @ 1.91GHz".
The usb device in question is a bluetooth device:
Bus 001 Device 012: ID 8087:07dc Intel Corp.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          224 Wireless
  bDeviceSubClass         1 Radio Frequency
  bDeviceProtocol         1 Bluetooth
  bMaxPacketSize0        64
  idVendor           0x8087 Intel Corp.
  idProduct          0x07dc
  bcdDevice            0.01
  iManufacturer           0
  iProduct                0
  iSerial                 0
  bNumConfigurations      1
And the problem that we are seeing is with phone calls via bluetooth.
> Does my test above trigger the case? (show "MATTU dmatest match!")
I have kept it for tonight, will see the results tomorrow morning.
And I am using that same device in the usb script to change "authorized".
But looking at the code for dma_pool_alloc(), it seems 'dma' can have
same value again only if "*(int *)(page->vaddr + offset)" gets a value
of 0 in pool_initialise_page(). But I can't think of any way how it
can be 0. I have also added some more debugs in the kernel to see what
might be going wrong there.
---
Regards
Sudip
* usb HC busted?
@ 2018-06-27 11:59 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-06-27 11:59 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Andy Shevchenko, Andy Shevchenko, Mathias Nyman, linux-usb,
	lukaszx.szulc, Christoph Hellwig, Marek Szyprowski, iommu
Hi Mathias,
On Mon, Jun 25, 2018 at 05:15:00PM +0100, Sudip Mukherjee wrote:
> Hi Mathias,
> 
> On Thu, Jun 21, 2018 at 02:01:30PM +0300, Mathias Nyman wrote:
> > On 21.06.2018 03:53, Sudip Mukherjee wrote:
> > > Hi Mathias, Andy,
> > > 
> > > On Thu, Jun 07, 2018 at 10:40:03AM +0300, Mathias Nyman wrote:
> > > > On 06.06.2018 19:45, Sudip Mukherjee wrote:
<snip>
> > 
> > Can you share a bit more details on the platform you are using, and what types of test you are running.
> 
> Sorry for the delayed reply, I was in Tokyo for the OSS.
> 
> It is a board based on "Intel(R) Atom(TM) CPU  E3840  @ 1.91GHz".
> The usb device in question is a bluetooth device:
> 
> Bus 001 Device 012: ID 8087:07dc Intel Corp.
<snip>
> 
> And the problem that we are seeing is with phone calls via bluetooth.
> 
> > Does my test above trigger the case? (show "MATTU dmatest match!")
> 
> I have kept it for tonight, will see the results tomorrow morning.
> > And I am using that same device in the usb script to change "authorized".
No, your test did not trigger the error. :(
But, my last night's test (with an added debug to get some extra trace for addresses) showed the same error of -
"Looking for event-dma", but looking at the ftrace, I could not see it getting same address from dma_pool_zalloc().
Can you please have a look at the dmesg and ftrace at:
https://drive.google.com/open?id=1nMy_qVxOQzcZNYa9bw7az9WiS2MZzdKo
---
Regards
Sudip
* usb HC busted?
@ 2018-06-27 12:20 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-06-27 12:20 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Andy Shevchenko, Andy Shevchenko, Mathias Nyman, linux-usb,
	lukaszx.szulc, Christoph Hellwig, Marek Szyprowski, iommu
On Wed, Jun 27, 2018 at 12:59:48PM +0100, Sudip Mukherjee wrote:
> Hi Mathias,
> 
> On Mon, Jun 25, 2018 at 05:15:00PM +0100, Sudip Mukherjee wrote:
> > Hi Mathias,
> > 
> > On Thu, Jun 21, 2018 at 02:01:30PM +0300, Mathias Nyman wrote:
> > > On 21.06.2018 03:53, Sudip Mukherjee wrote:
> > > > Hi Mathias, Andy,
> > > > 
> > > > On Thu, Jun 07, 2018 at 10:40:03AM +0300, Mathias Nyman wrote:
> > > > > On 06.06.2018 19:45, Sudip Mukherjee wrote:
> <snip>
> > > 
> > > Can you share a bit more details on the platform you are using, and what types of test you are running.
> > 
> > Sorry for the delayed reply, I was in Tokyo for the OSS.
> > 
> > It is a board based on "Intel(R) Atom(TM) CPU  E3840  @ 1.91GHz".
> > The usb device in question is a bluetooth device:
> > 
> > Bus 001 Device 012: ID 8087:07dc Intel Corp.
> <snip>
> > 
> > And the problem that we are seeing is with phone calls via bluetooth.
> > 
> > > Does my test above trigger the case? (show "MATTU dmatest match!")
> > 
> > I have kept it for tonight, will see the results tomorrow morning.
> > > And I am using that same device in the usb script to change "authorized".
> 
> No, your test did not trigger the error. :(
> 
> But, my last night's test (with an added debug to get some extra trace for addresses) showed the same error of -
> "Looking for event-dma", but looking at the ftrace, I could not see it getting same address from dma_pool_zalloc().
> 
> Can you please have a look at the dmesg and ftrace at:
> https://drive.google.com/open?id=1nMy_qVxOQzcZNYa9bw7az9WiS2MZzdKo
And to add to my previous mail, in another cycle where I do see the
same problem, my extra debugs give the following:
           <...>-23974 [002] ....   495.991276: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d21c000
           <...>-23974 [002] ....   495.991285: xhci_ring_mem_detail: SUDIP page details dma=0x000000002d21c000, vaddr=ed21c000, inuse=1, offset=0
           <...>-23974 [002] ....   495.991289: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d21c000
           <...>-23974 [002] ....   495.991292: xhci_ring_mem_detail: SUDIP page details dma=0x000000002d21c000, vaddr=ed21c000, inuse=2, offset=0
           <...>-23974 [002] ....   495.991295: xhci_ring_alloc: ISOC f0b62900: enq 0x000000002d21c000(0x000000002d21c000) deq 0x000000002d21c000(0x000000002d21c000) segs 2 stream 0 free_trbs 509 bounce 17 cycle 1
           <...>-23974 [002] ....   495.991298: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d21c000
           <...>-23974 [002] ....   495.991301: xhci_ring_mem_detail: SUDIP page details dma=0x000000002d21c000, vaddr=ed21c000, inuse=3, offset=0
           <...>-23974 [002] ....   495.991304: xhci_ring_mem_detail: MATTU xhci_segment_alloc dma @ 0x000000002d21c000
           <...>-23974 [002] ....   495.991306: xhci_ring_mem_detail: SUDIP page details dma=0x000000002d21c000, vaddr=ed21c000, inuse=4, offset=0
I am totally lost now. Are we looking at two different issues?
This log shows same addresses, my previous mail and log did not show
the same addresses. :(
---
Regards
Sudip
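
Added example, not part of the thread and not kernel code: a userspace C model of the in-block free list that the 25 June message reads out of dma_pool_alloc(), showing how a zeroed link word produces the `inuse=1..4, offset=0` pattern in the trace above. The one-block-per-page pool geometry, the late write used to zero the link, and the `model_alloc_checked()` sanity check are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model parameters (assumptions): one 4096-byte block per 4096-byte page. */
#define ALLOCATION 4096u
#define BLOCK_SIZE 4096u
#define PAGE_DMA   0x2d21c000u  /* address taken from the trace in the thread */

struct model_page {
    uint8_t *vaddr;   /* CPU view of the page */
    uint32_t dma;     /* device view of the page */
    unsigned in_use;  /* blocks currently handed out */
    unsigned offset;  /* first free block; >= ALLOCATION means "page full" */
};

/* The free list lives inside the free blocks themselves: the first 4 bytes
 * of every free block hold the offset of the next free block. */
static uint32_t get_link(const struct model_page *p, unsigned off)
{
    uint32_t v;
    memcpy(&v, p->vaddr + off, sizeof(v));
    return v;
}

static void set_link(struct model_page *p, unsigned off, uint32_t next)
{
    memcpy(p->vaddr + off, &next, sizeof(next));
}

static int page_init(struct model_page *p, uint32_t dma)
{
    unsigned off;
    /* A few spare bytes keep the model memory-safe if a link is garbage. */
    p->vaddr = calloc(1, ALLOCATION + sizeof(uint32_t));
    if (!p->vaddr)
        return -1;
    p->dma = dma;
    p->in_use = 0;
    p->offset = 0;
    for (off = 0; off < ALLOCATION; off += BLOCK_SIZE)
        set_link(p, off, off + BLOCK_SIZE);  /* last link == ALLOCATION */
    return 0;
}

/* Unchecked allocation: trusts whatever the link word contains. */
static int model_alloc(struct model_page *p, uint32_t *handle)
{
    unsigned off = p->offset;
    if (off >= ALLOCATION)
        return -1;                 /* page full, caller would take a new page */
    p->offset = get_link(p, off);  /* a link of 0 points back at this block */
    p->in_use++;
    *handle = p->dma + off;
    return 0;
}

static void model_free(struct model_page *p, uint32_t handle)
{
    unsigned off = handle - p->dma;
    set_link(p, off, p->offset);   /* freed block becomes the list head */
    p->offset = off;
    p->in_use--;
}

/* Hypothetical hardening: refuse to follow a link that cannot be valid. */
static int model_alloc_checked(struct model_page *p, uint32_t *handle)
{
    unsigned off = p->offset;
    uint32_t next;
    if (off >= ALLOCATION)
        return -1;
    next = get_link(p, off);
    if (next == off || next % BLOCK_SIZE != 0 || next > ALLOCATION ||
        p->in_use >= ALLOCATION / BLOCK_SIZE)
        return -2;                 /* corrupted free list, hand nothing out */
    return model_alloc(p, handle);
}

/* Allocate and free one segment, optionally zero its link word afterwards
 * (constructed stand-in for a late write into freed memory), then count how
 * many of nallocs calls hand out PAGE_DMA. */
static int count_handouts(int stale_write, int checked, int nallocs,
                          unsigned *in_use)
{
    struct model_page p;
    uint32_t h = 0;
    int i, handed = 0;

    if (page_init(&p, PAGE_DMA) != 0)
        return -1;
    model_alloc(&p, &h);
    model_free(&p, h);
    if (stale_write)
        set_link(&p, 0, 0);
    for (i = 0; i < nallocs; i++) {
        int rc = checked ? model_alloc_checked(&p, &h) : model_alloc(&p, &h);
        if (rc == 0 && h == PAGE_DMA)
            handed++;
    }
    *in_use = p.in_use;
    free(p.vaddr);
    return handed;
}

int main(void)
{
    unsigned n = 0;
    int got;
    got = count_handouts(0, 0, 4, &n);
    printf("intact link:            %d handout(s), in_use=%u\n", got, n);
    got = count_handouts(1, 0, 4, &n);
    printf("zeroed link, unchecked: %d handout(s), in_use=%u\n", got, n);
    got = count_handouts(1, 1, 4, &n);
    printf("zeroed link, checked:   %d handout(s), in_use=%u\n", got, n);
    return 0;
}
```

With the link intact the page reports full after one allocation; with the link zeroed the same bus address is handed out on every call while `in_use` keeps climbing.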
* usb HC busted?
@ 2018-06-29 11:41 Mathias Nyman
  0 siblings, 0 replies; 39+ messages in thread
From: Mathias Nyman @ 2018-06-29 11:41 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Andy Shevchenko, Andy Shevchenko, Mathias Nyman, linux-usb,
	lukaszx.szulc, Christoph Hellwig, Marek Szyprowski, iommu
On 27.06.2018 14:59, Sudip Mukherjee wrote:
>>> Can you share a bit more details on the platform you are using, and what types of test you are running.
>>
>> It is a board based on "Intel(R) Atom(TM) CPU  E3840  @ 1.91GHz".
>> The usb device in question is a bluetooth device:
>>
>> Bus 001 Device 012: ID 8087:07dc Intel Corp.
> <snip>
>>
>> And the problem that we are seeing is with phone calls via bluetooth.
>>
>>> Does my test above trigger the case? (show "MATTU dmatest match!")
>>
>> I have kept it for tonight, will see the results tomorrow morning.
>> And I am using that same device in the usb script to change "authorized".
> 
> No, your test did not trigger the error. :(
> 
> But, my last night's test (with an added debug to get some extra trace for addresses) showed the same error of -
> "Looking for event-dma", but looking at the ftrace, I could not see it getting same address from dma_pool_zalloc().
> 
> Can you please have a look at the dmesg and ftrace at:
> https://drive.google.com/open?id=1nMy_qVxOQzcZNYa9bw7az9WiS2MZzdKo
> 
There is however freeing of the same dma address:
<...>-28448 [003] ....   492.025808: xhci_ring_free: ISOC f1ffb700: enq 0x000000002d31bcc0(0x000000002d31b000) deq 0x000000002d31b000(0x000000002d31b000) segs 2 stream 0 free_trbs 305 bounce 17 cycle 0
<...>-28448 [003] ....   492.025818: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ 0x000000002d31b000
<...>-28448 [003] ....   492.025823: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ 0x000000002d31b000
<...>-28448 [003] ....   492.025826: xhci_ring_free: ISOC f1f9b380: enq 0x000000002d31b140(0x000000002d31b000) deq 0x000000002d31b000(0x000000002d31b000) segs 2 stream 0 free_trbs 489 bounce 17 cycle 1
<...>-28448 [003] ....   492.025828: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ 0x000000002d31b000
<...>-28448 [003] ....   492.025830: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ 0x000000002d31b000
I'd guess it's still the same cause, maybe trace is not complete?
-Mathias
* usb HC busted?
@ 2018-06-30 21:07 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-06-30 21:07 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Andy Shevchenko, Andy Shevchenko, Mathias Nyman, linux-usb,
	lukaszx.szulc, Christoph Hellwig, Marek Szyprowski, iommu
Hi Mathias,
On Fri, Jun 29, 2018 at 02:41:13PM +0300, Mathias Nyman wrote:
> On 27.06.2018 14:59, Sudip Mukherjee wrote:
> > > > Can you share a bit more details on the platform you are using, and what types of test you are running.
> > > 
> > > It is a board based on "Intel(R) Atom(TM) CPU  E3840  @ 1.91GHz".
> > > The usb device in question is a bluetooth device:
> > > 
<snip>
> > 
> 
> There is however freeing of the same dma address:
> 
> <...>-28448 [003] ....   492.025808: xhci_ring_free: ISOC f1ffb700: enq 0x000000002d31bcc0(0x000000002d31b000) deq 0x000000002d31b000(0x000000002d31b000) segs 2 stream 0 free_trbs 305 bounce 17 cycle 0
> <...>-28448 [003] ....   492.025818: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ 0x000000002d31b000
> <...>-28448 [003] ....   492.025823: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ 0x000000002d31b000
> <...>-28448 [003] ....   492.025826: xhci_ring_free: ISOC f1f9b380: enq 0x000000002d31b140(0x000000002d31b000) deq 0x000000002d31b000(0x000000002d31b000) segs 2 stream 0 free_trbs 489 bounce 17 cycle 1
> <...>-28448 [003] ....   492.025828: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ 0x000000002d31b000
> <...>-28448 [003] ....   492.025830: xhci_ring_mem_detail: MATTU xhci segment free seg->dma @ 0x000000002d31b000
> 
> I'd guess it's still the same cause, maybe trace is not complete?
It is either multiple freeing of the same address or multiple allocation
of the same address or a combination of both. To track the multiple
allocation I added a few extra debugs and it seems that the multiple
allocation is only happening when someone accesses that memory and
sets the first 4 bytes (which hold the offset data) to 0. I have not
yet checked under what condition it tries to free the same address more
than once.
Then to track what is going on, I added the slub debugging and :(
I have attached part of dmesg for you to check.
Will appreciate your help in finding out the problem.
---
Regards
Sudip
[  383.096204] =============================================================================
[  383.096212] BUG kmalloc-96 (Tainted: G     U     O   ): Poison overwritten
[  383.096213] -----------------------------------------------------------------------------
[  383.096215] Disabling lock debugging due to kernel taint
[  383.096218] INFO: 0xdccd1b78-0xdccd1b7f. First byte 0x78 instead of 0x6b
[  383.096232] INFO: Allocated in xhci_ring_alloc.constprop.14+0x31/0x125 [xhci_hcd] age=227516 cpu=2 pid=21
[  383.096240] 	___slab_alloc.constprop.24+0x1fc/0x292
[  383.096243] 	__slab_alloc.isra.18.constprop.23+0x1c/0x25
[  383.096246] 	kmem_cache_alloc_trace+0x78/0x141
[  383.096252] 	xhci_ring_alloc.constprop.14+0x31/0x125 [xhci_hcd]
[  383.096259] 	xhci_endpoint_init+0x25f/0x30a [xhci_hcd]
[  383.096265] 	xhci_add_endpoint+0x126/0x149 [xhci_hcd]
[  383.096276] 	usb_hcd_alloc_bandwidth+0x26a/0x2a0 [usbcore]
[  383.096287] 	usb_set_interface+0xeb/0x25d [usbcore]
[  383.096292] 	btusb_work+0xeb/0x324 [btusb]
[  383.096296] 	process_one_work+0x163/0x2b2
[  383.096299] 	worker_thread+0x1a9/0x25c
[  383.096301] 	kthread+0xf8/0xfd
[  383.096306] 	ret_from_fork+0x2e/0x38
[  383.096314] INFO: Freed in xhci_ring_free+0xa7/0xc6 [xhci_hcd] age=197020 cpu=0 pid=324
[  383.096317] 	__slab_free+0x4b/0x27a
[  383.096319] 	kfree+0x12e/0x155
[  383.096325] 	xhci_ring_free+0xa7/0xc6 [xhci_hcd]
[  383.096331] 	xhci_free_endpoint_ring+0x16/0x20 [xhci_hcd]
[  383.096338] 	xhci_check_bandwidth+0x1bf/0x20e [xhci_hcd]
[  383.096348] 	usb_hcd_alloc_bandwidth+0x205/0x2a0 [usbcore]
[  383.096358] 	usb_set_interface+0xeb/0x25d [usbcore]
[  383.096361] 	btusb_work+0x228/0x324 [btusb]
[  383.096364] 	process_one_work+0x163/0x2b2
[  383.096367] 	worker_thread+0x1a9/0x25c
[  383.096370] 	kthread+0xf8/0xfd
[  383.096373] 	ret_from_fork+0x2e/0x38
[  383.096376] INFO: Slab 0xf457e080 objects=29 used=29 fp=0x  (null) flags=0x40008100
[  383.096379] INFO: Object 0xdccd1b60 @offset=7008 fp=0xdccd0350
[  383.096383] Redzone dccd1b58: bb bb bb bb bb bb bb bb                          ........
[  383.096386] Object dccd1b60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  383.096388] Object dccd1b70: 6b 6b 6b 6b 6b 6b 6b 6b 78 1b cd dc 78 1b cd dc  kkkkkkkkx...x...
[  383.096390] Object dccd1b80: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  383.096393] Object dccd1b90: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  383.096395] Object dccd1ba0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  383.096397] Object dccd1bb0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[  383.096400] Redzone dccd1bc0: bb bb bb bb                                      ....
[  383.096402] Padding dccd1c68: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
[  383.096407] CPU: 2 PID: 133 Comm: weston Tainted: G    BU     O    4.14.47-20180606-dca26511b26cdcd4446c1eba652b573a6fbca607 #1
[  383.096409] Hardware name: xxx yyy/zzz, BIOS 2017.01-00087-g43e04de 08/30/2017
[  383.096411] Call Trace:
[  383.096417]  dump_stack+0x47/0x5b
[  383.096421]  print_trailer+0x12b/0x133
[  383.096425]  check_bytes_and_report+0x6c/0xae
[  383.096428]  check_object+0x10a/0x1db
[  383.096433]  alloc_debug_processing+0x79/0x123
[  383.096436]  ___slab_alloc.constprop.24+0x1fc/0x292
[  383.096442]  ? drm_atomic_helper_setup_commit+0x60/0x2f4
[  383.096446]  ? drm_atomic_helper_setup_commit+0x60/0x2f4
[  383.096450]  ? vlv_compute_intermediate_wm+0x157/0x16c
[  383.096454]  ? skl_ddb_min_alloc+0xf3/0xf3
[  383.096459]  ? intel_crtc_atomic_check+0xd4/0x198
[  383.096463]  __slab_alloc.isra.18.constprop.23+0x1c/0x25
[  383.096466]  ? __slab_alloc.isra.18.constprop.23+0x1c/0x25
[  383.096470]  kmem_cache_alloc_trace+0x78/0x141
[  383.096474]  ? drm_atomic_helper_setup_commit+0x60/0x2f4
[  383.096478]  drm_atomic_helper_setup_commit+0x60/0x2f4
[  383.096482]  ? intel_atomic_commit_tail+0xa84/0xa84
[  383.096486]  intel_atomic_commit+0x21/0x1b2
[  383.096490]  ? intel_atomic_commit_tail+0xa84/0xa84
[  383.096495]  drm_atomic_nonblocking_commit+0x42/0x4c
[  383.096499]  drm_mode_atomic_ioctl+0x680/0x75e
[  383.096505]  ? drm_atomic_set_property+0x442/0x442
[  383.096509]  drm_ioctl_kernel+0x52/0x88
[  383.096513]  drm_ioctl+0x1fc/0x2c1
[  383.096516]  ? drm_atomic_set_property+0x442/0x442
[  383.096522]  ? probe_sched_wakeup+0x2e/0x30
[  383.096526]  ? ttwu_do_wakeup.isra.19+0x157/0x167
[  383.096530]  ? ttwu_do_activate+0x65/0x6e
[  383.096534]  ? drm_getstats+0x17/0x17
[  383.096538]  vfs_ioctl+0x1f/0x29
[  383.096541]  do_vfs_ioctl+0x4f3/0x562
[  383.096545]  ? smk_curacc+0x24/0x29
[  383.096550]  ? smack_file_ioctl+0x4d/0x52
[  383.096553]  ? smack_file_lock+0x29/0x29
[  383.096556]  ? security_file_ioctl+0x34/0x45
[  383.096559]  SyS_ioctl+0x42/0x5b
[  383.096564]  do_fast_syscall_32+0xd3/0x171
[  383.096568]  entry_SYSENTER_32+0x47/0x71
[  383.096571] EIP: 0xb7f1aab1
[  383.096573] EFLAGS: 00200282 CPU: 2
[  383.096575] EAX: ffffffda EBX: 0000000f ECX: c03864bb EDX: bfa84338
[  383.096578] ESI: bfa84338 EDI: c03864bb EBP: bfa842d8 ESP: bfa84298
[  383.096580]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
[  383.096585] FIX kmalloc-96: Restoring 0xdccd1b78-0xdccd1b7f=0x6b
[  383.096587] FIX kmalloc-96: Marking all objects used
[  405.587632] xhci_hcd 0000:00:14.0: dma_pool_alloc xHCI ring segments, eca42000 (corrupted)
[  405.587968] 000008c0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587970] 000008d0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587973] 000008e0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587975] 000008f0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587977] 00000900: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587980] 00000910: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587982] 00000920: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587985] 00000930: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587987] 00000940: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587989] 00000950: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587992] 00000960: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587994] 00000970: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587996] 00000980: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.587999] 00000990: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588001] 000009a0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588003] 000009b0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588006] 000009c0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588009] 000009d0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588011] 000009e0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588013] 000009f0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588016] 00000a00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588018] 00000a10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588020] 00000a20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588023] 00000a30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588025] 00000a40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588028] 00000a50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588030] 00000a60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588033] 00000a70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588035] 00000a80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588037] 00000a90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588040] 00000aa0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588042] 00000ab0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588044] 00000ac0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588047] 00000ad0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588049] 00000ae0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588052] 00000af0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588054] 00000b00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588056] 00000b10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588059] 00000b20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588061] 00000b30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588063] 00000b40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588066] 00000b50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588068] 00000b60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588070] 00000b70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588073] 00000b80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588075] 00000b90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588078] 00000ba0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588080] 00000bb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588082] 00000bc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588085] 00000bd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588087] 00000be0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588089] 00000bf0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588092] 00000c00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588094] 00000c10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588096] 00000c20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588099] 00000c30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588101] 00000c40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588103] 00000c50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588106] 00000c60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588108] 00000c70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588111] 00000c80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588113] 00000c90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588115] 00000ca0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588118] 00000cb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588120] 00000cc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588122] 00000cd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588125] 00000ce0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588127] 00000cf0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588130] 00000d00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588132] 00000d10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588134] 00000d20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588137] 00000d30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588139] 00000d40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588141] 00000d50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588144] 00000d60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588146] 00000d70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588148] 00000d80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588151] 00000d90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588153] 00000da0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588155] 00000db0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588158] 00000dc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588160] 00000dd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588163] 00000de0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588165] 00000df0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588167] 00000e00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588170] 00000e10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588172] 00000e20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588174] 00000e30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588177] 00000e40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588179] 00000e50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588181] 00000e60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588184] 00000e70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588186] 00000e80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588189] 00000e90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588191] 00000ea0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588193] 00000eb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588196] 00000ec0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588198] 00000ed0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588200] 00000ee0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588203] 00000ef0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588205] 00000f00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588207] 00000f10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588210] 00000f20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588212] 00000f30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588215] 00000f40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588217] 00000f50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588219] 00000f60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588222] 00000f70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588224] 00000f80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588226] 00000f90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588229] 00000fa0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588231] 00000fb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588233] 00000fc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588236] 00000fd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588238] 00000fe0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.588241] 00000ff0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  405.589593] BLUETOOTH: isoc_rx_ep_wMaxPacketSize 17
[  405.589618] BLUETOOTH: isoc_rx_ep_wMaxPacketSize 17
[  405.599447] btusb_isoc_complete: 380 callbacks suppressed
[  405.599450] BLUETOOTH:  SCO usb pack length 0
[  405.599453] BLUETOOTH:  SCO usb pack length 0
[  405.599455] BLUETOOTH:  SCO usb pack length 0
[  405.599457] BLUETOOTH:  SCO usb pack length 0
[  405.599458] BLUETOOTH:  SCO usb pack length 0
[  405.599460] BLUETOOTH:  SCO usb pack length 0
[  405.599461] BLUETOOTH:  SCO usb pack length 0
[  405.599463] BLUETOOTH:  SCO usb pack length 0
[  405.599464] BLUETOOTH:  SCO usb pack length 0
[  405.599466] BLUETOOTH:  SCO usb pack length 0
[  405.639502] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  405.639520] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  405.649536] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  405.649556] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  405.649566] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  405.649575] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  405.659529] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  410.611473] btusb_isoc_complete: 5000 callbacks suppressed
[  410.611476] BLUETOOTH:  SCO usb pack length 17
[  410.611491] BLUETOOTH:  SCO usb pack length 17
[  410.611493] BLUETOOTH:  SCO usb pack length 17
[  410.611504] BLUETOOTH:  SCO usb pack length 17
[  410.611516] BLUETOOTH:  SCO usb pack length 17
[  410.611518] BLUETOOTH:  SCO usb pack length 17
[  410.611521] BLUETOOTH:  SCO usb pack length 17
[  410.611532] BLUETOOTH:  SCO usb pack length 17
[  410.611534] BLUETOOTH:  SCO usb pack length 17
[  410.611537] BLUETOOTH:  SCO usb pack length 17
[  415.623476] btusb_isoc_complete: 5000 callbacks suppressed
[  415.623479] BLUETOOTH:  SCO usb pack length 17
[  415.623495] BLUETOOTH:  SCO usb pack length 17
[  415.623497] BLUETOOTH:  SCO usb pack length 17
[  415.623508] BLUETOOTH:  SCO usb pack length 17
[  415.623522] BLUETOOTH:  SCO usb pack length 17
[  415.623524] BLUETOOTH:  SCO usb pack length 17
[  415.623527] BLUETOOTH:  SCO usb pack length 17
[  415.623537] BLUETOOTH:  SCO usb pack length 17
[  415.623539] BLUETOOTH:  SCO usb pack length 17
[  415.623542] BLUETOOTH:  SCO usb pack length 17
[  420.635481] btusb_isoc_complete: 5000 callbacks suppressed
[  420.635483] BLUETOOTH:  SCO usb pack length 17
[  420.635499] BLUETOOTH:  SCO usb pack length 17
[  420.635501] BLUETOOTH:  SCO usb pack length 17
[  420.635513] BLUETOOTH:  SCO usb pack length 17
[  420.635527] BLUETOOTH:  SCO usb pack length 17
[  420.635529] BLUETOOTH:  SCO usb pack length 17
[  420.635531] BLUETOOTH:  SCO usb pack length 17
[  420.635542] BLUETOOTH:  SCO usb pack length 17
[  420.635544] BLUETOOTH:  SCO usb pack length 17
[  420.635547] BLUETOOTH:  SCO usb pack length 17
[  425.647489] btusb_isoc_complete: 5000 callbacks suppressed
[  425.647492] BLUETOOTH:  SCO usb pack length 17
[  425.647508] BLUETOOTH:  SCO usb pack length 17
[  425.647510] BLUETOOTH:  SCO usb pack length 17
[  425.647523] BLUETOOTH:  SCO usb pack length 17
[  425.647536] BLUETOOTH:  SCO usb pack length 17
[  425.647537] BLUETOOTH:  SCO usb pack length 17
[  425.647540] BLUETOOTH:  SCO usb pack length 17
[  425.647551] BLUETOOTH:  SCO usb pack length 17
[  425.647553] BLUETOOTH:  SCO usb pack length 17
[  425.647556] BLUETOOTH:  SCO usb pack length 17
[  430.659487] btusb_isoc_complete: 5000 callbacks suppressed
[  430.659489] BLUETOOTH:  SCO usb pack length 17
[  430.659505] BLUETOOTH:  SCO usb pack length 17
[  430.659507] BLUETOOTH:  SCO usb pack length 17
[  430.659518] BLUETOOTH:  SCO usb pack length 17
[  430.659530] BLUETOOTH:  SCO usb pack length 17
[  430.659532] BLUETOOTH:  SCO usb pack length 17
[  430.659535] BLUETOOTH:  SCO usb pack length 17
[  430.659546] BLUETOOTH:  SCO usb pack length 17
[  430.659548] BLUETOOTH:  SCO usb pack length 17
[  430.659551] BLUETOOTH:  SCO usb pack length 17
[  435.671494] btusb_isoc_complete: 5000 callbacks suppressed
[  435.671496] BLUETOOTH:  SCO usb pack length 17
[  435.671511] BLUETOOTH:  SCO usb pack length 17
[  435.671513] BLUETOOTH:  SCO usb pack length 17
[  435.671526] BLUETOOTH:  SCO usb pack length 17
[  435.671539] BLUETOOTH:  SCO usb pack length 17
[  435.671541] BLUETOOTH:  SCO usb pack length 17
[  435.671543] BLUETOOTH:  SCO usb pack length 17
[  435.671555] BLUETOOTH:  SCO usb pack length 17
[  435.671556] BLUETOOTH:  SCO usb pack length 17
[  435.671559] BLUETOOTH:  SCO usb pack length 17
[  436.089810] Bluetooth: hci0 SCO packet for unknown connection handle 266
[  436.089822] Bluetooth: hci0 SCO packet for unknown connection handle 266
[  436.089838] Bluetooth: hci0 SCO packet for unknown connection handle 266
[  467.960870] BLUETOOTH: isoc_rx_ep_wMaxPacketSize 17
[  467.960893] BLUETOOTH: isoc_rx_ep_wMaxPacketSize 17
[  467.970389] btusb_isoc_complete: 410 callbacks suppressed
[  467.970392] BLUETOOTH:  SCO usb pack length 0
[  467.970395] BLUETOOTH:  SCO usb pack length 0
[  467.970397] BLUETOOTH:  SCO usb pack length 0
[  467.970398] BLUETOOTH:  SCO usb pack length 0
[  467.970400] BLUETOOTH:  SCO usb pack length 0
[  467.970401] BLUETOOTH:  SCO usb pack length 0
[  467.970403] BLUETOOTH:  SCO usb pack length 0
[  467.970404] BLUETOOTH:  SCO usb pack length 0
[  467.970406] BLUETOOTH:  SCO usb pack length 0
[  467.970407] BLUETOOTH:  SCO usb pack length 0
[  468.010493] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  468.010507] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  468.010529] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  468.020504] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  468.020522] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  468.020532] Bluetooth: hci0 SCO packet for unknown connection handle 0
[  472.982396] btusb_isoc_complete: 5000 callbacks suppressed
[  472.982399] BLUETOOTH:  SCO usb pack length 17
[  472.982412] BLUETOOTH:  SCO usb pack length 17
[  472.982427] BLUETOOTH:  SCO usb pack length 17
[  472.982430] BLUETOOTH:  SCO usb pack length 17
[  472.982435] BLUETOOTH:  SCO usb pack length 17
[  472.982447] BLUETOOTH:  SCO usb pack length 17
[  472.982449] BLUETOOTH:  SCO usb pack length 17
[  472.982455] BLUETOOTH:  SCO usb pack length 17
[  472.982471] BLUETOOTH:  SCO usb pack length 17
[  472.982473] BLUETOOTH:  SCO usb pack length 17
[  477.994400] btusb_isoc_complete: 5000 callbacks suppressed
[  477.994402] BLUETOOTH:  SCO usb pack length 17
[  477.994411] BLUETOOTH:  SCO usb pack length 17
[  477.994425] BLUETOOTH:  SCO usb pack length 17
[  477.994427] BLUETOOTH:  SCO usb pack length 17
[  477.994433] BLUETOOTH:  SCO usb pack length 17
[  477.994446] BLUETOOTH:  SCO usb pack length 17
[  477.994448] BLUETOOTH:  SCO usb pack length 17
[  477.994453] BLUETOOTH:  SCO usb pack length 17
[  477.994466] BLUETOOTH:  SCO usb pack length 17
[  477.994468] BLUETOOTH:  SCO usb pack length 17
[  480.687305] =============================================================================
[  480.687313] BUG kmalloc-96 (Tainted: G    BU     O   ): Poison overwritten
[  480.687314] -----------------------------------------------------------------------------
[  480.687318] INFO: 0xdd3409f8-0xdd3409ff. First byte 0xf8 instead of 0x6b
[  480.687332] INFO: Allocated in xhci_ring_alloc.constprop.14+0x31/0x125 [xhci_hcd] age=262619 cpu=0 pid=324
[  480.687340] 	___slab_alloc.constprop.24+0x1fc/0x292
[  480.687343] 	__slab_alloc.isra.18.constprop.23+0x1c/0x25
[  480.687346] 	kmem_cache_alloc_trace+0x78/0x141
[  480.687352] 	xhci_ring_alloc.constprop.14+0x31/0x125 [xhci_hcd]
[  480.687359] 	xhci_endpoint_init+0x25f/0x30a [xhci_hcd]
[  480.687365] 	xhci_add_endpoint+0x126/0x149 [xhci_hcd]
[  480.687377] 	usb_hcd_alloc_bandwidth+0x26a/0x2a0 [usbcore]
[  480.687387] 	usb_set_interface+0xeb/0x25d [usbcore]
[  480.687393] 	btusb_work+0xeb/0x324 [btusb]
[  480.687398] 	process_one_work+0x163/0x2b2
[  480.687401] 	worker_thread+0x1a9/0x25c
[  480.687404] 	kthread+0xf8/0xfd
[  480.687409] 	ret_from_fork+0x2e/0x38
[  480.687417] INFO: Freed in xhci_ring_free+0xa7/0xc6 [xhci_hcd] age=232052 cpu=0 pid=324
[  480.687419] 	__slab_free+0x4b/0x27a
[  480.687422] 	kfree+0x12e/0x155
[  480.687428] 	xhci_ring_free+0xa7/0xc6 [xhci_hcd]
[  480.687434] 	xhci_free_endpoint_ring+0x16/0x20 [xhci_hcd]
[  480.687440] 	xhci_check_bandwidth+0x1bf/0x20e [xhci_hcd]
[  480.687451] 	usb_hcd_alloc_bandwidth+0x205/0x2a0 [usbcore]
[  480.687461] 	usb_set_interface+0xeb/0x25d [usbcore]
[  480.687464] 	btusb_work+0x228/0x324 [btusb]
[  480.687467] 	process_one_work+0x163/0x2b2
[  480.687470] 	worker_thread+0x1a9/0x25c
[  480.687473] 	kthread+0xf8/0xfd
[  480.687476] 	ret_from_fork+0x2e/0x38
[  480.687480] INFO: Slab 0xf458e200 objects=29 used=29 fp=0x  (null) flags=0x40008100
[  480.687482] INFO: Object 0xdd3409e0 @offset=2528 fp=0xdd340e40
[  480.687486] Redzone dd3409d8: bb bb bb bb bb bb bb bb                          ........
[  480.687489] Object dd3409e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  480.687491] Object dd3409f0: 6b 6b 6b 6b 6b 6b 6b 6b f8 09 34 dd f8 09 34 dd  kkkkkkkk..4...4.
[  480.687494] Object dd340a00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  480.687496] Object dd340a10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  480.687498] Object dd340a20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  480.687501] Object dd340a30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[  480.687503] Redzone dd340a40: bb bb bb bb                                      ....
[  480.687505] Padding dd340ae8: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
[  480.687510] CPU: 2 PID: 133 Comm: weston Tainted: G    BU     O    4.14.47-20180606-dca26511b26cdcd4446c1eba652b573a6fbca607 #1
[  480.687512] Hardware name: xxx yyy/zzz, BIOS 2017.01-00087-g43e04de 08/30/2017
[  480.687514] Call Trace:
[  480.687521]  dump_stack+0x47/0x5b
[  480.687525]  print_trailer+0x12b/0x133
[  480.687528]  check_bytes_and_report+0x6c/0xae
[  480.687532]  check_object+0x10a/0x1db
[  480.687536]  alloc_debug_processing+0x79/0x123
[  480.687540]  ___slab_alloc.constprop.24+0x1fc/0x292
[  480.687546]  ? drm_atomic_helper_setup_commit+0x60/0x2f4
[  480.687549]  ? drm_atomic_helper_setup_commit+0x60/0x2f4
[  480.687554]  ? vlv_compute_intermediate_wm+0x157/0x16c
[  480.687558]  ? skl_ddb_min_alloc+0xf3/0xf3
[  480.687563]  ? intel_crtc_atomic_check+0xd4/0x198
[  480.687567]  __slab_alloc.isra.18.constprop.23+0x1c/0x25
[  480.687570]  ? __slab_alloc.isra.18.constprop.23+0x1c/0x25
[  480.687574]  kmem_cache_alloc_trace+0x78/0x141
[  480.687578]  ? drm_atomic_helper_setup_commit+0x60/0x2f4
[  480.687582]  drm_atomic_helper_setup_commit+0x60/0x2f4
[  480.687586]  ? intel_atomic_commit_tail+0xa84/0xa84
[  480.687590]  intel_atomic_commit+0x21/0x1b2
[  480.687594]  ? intel_atomic_commit_tail+0xa84/0xa84
[  480.687599]  drm_atomic_nonblocking_commit+0x42/0x4c
[  480.687604]  drm_mode_atomic_ioctl+0x680/0x75e
[  480.687610]  ? drm_atomic_set_property+0x442/0x442
[  480.687614]  drm_ioctl_kernel+0x52/0x88
[  480.687618]  drm_ioctl+0x1fc/0x2c1
[  480.687622]  ? drm_atomic_set_property+0x442/0x442
[  480.687627]  ? probe_sched_wakeup+0x2e/0x30
[  480.687632]  ? ttwu_do_wakeup.isra.19+0x157/0x167
[  480.687636]  ? ttwu_do_activate+0x65/0x6e
[  480.687639]  ? __fget+0x5f/0x67
[  480.687642]  ? drm_getstats+0x17/0x17
[  480.687646]  vfs_ioctl+0x1f/0x29
[  480.687650]  do_vfs_ioctl+0x4f3/0x562
[  480.687654]  ? smk_curacc+0x24/0x29
[  480.687659]  ? smack_file_ioctl+0x4d/0x52
[  480.687663]  ? smack_file_lock+0x29/0x29
[  480.687666]  ? security_file_ioctl+0x34/0x45
[  480.687669]  SyS_ioctl+0x42/0x5b
[  480.687674]  do_fast_syscall_32+0xd3/0x171
[  480.687678]  entry_SYSENTER_32+0x47/0x71
[  480.687681] EIP: 0xb7f1aab1
[  480.687683] EFLAGS: 00200282 CPU: 2
[  480.687686] EAX: ffffffda EBX: 0000000f ECX: c03864bb EDX: bfa84438
[  480.687688] ESI: bfa84438 EDI: c03864bb EBP: bfa843d8 ESP: bfa84398
[  480.687691]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
[  480.687696] FIX kmalloc-96: Restoring 0xdd3409f8-0xdd3409ff=0x6b
[  480.687698] FIX kmalloc-96: Marking all objects used
^ permalink raw reply	[flat|nested] 39+ messages in thread
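Added example (not part of the original mail or of any kernel tooling): a small Python parser for the SLUB "Poison overwritten" dump above that finds the bytes which no longer match the free-poison pattern and decodes them as pointers. It assumes 4-byte little-endian pointers, as the 32-bit addresses in this report suggest; all function names are hypothetical.

```python
import re

# Fill bytes SLUB writes into freed objects (include/linux/poison.h).
POISON_FREE = 0x6B   # every byte of a freed object except the last
POISON_END = 0xA5    # last byte of a freed object

# Lines copied from the "Poison overwritten" report above.
REPORT = """\
[  480.687318] INFO: 0xdd3409f8-0xdd3409ff. First byte 0xf8 instead of 0x6b
[  480.687482] INFO: Object 0xdd3409e0 @offset=2528 fp=0xdd340e40
[  480.687486] Redzone dd3409d8: bb bb bb bb bb bb bb bb                          ........
[  480.687489] Object dd3409e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  480.687491] Object dd3409f0: 6b 6b 6b 6b 6b 6b 6b 6b f8 09 34 dd f8 09 34 dd  kkkkkkkk..4...4.
[  480.687494] Object dd340a00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  480.687496] Object dd340a10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  480.687498] Object dd340a20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  480.687501] Object dd340a30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[  480.687503] Redzone dd340a40: bb bb bb bb                                      ....
"""

# One dump row: timestamp, region name, start address, hex bytes, ASCII column.
ROW = re.compile(r"^\[\s*[\d.]+\]\s+(Redzone|Object|Padding) ([0-9a-f]+): "
                 r"((?:[0-9a-f]{2} )*[0-9a-f]{2})(?:\s{2,}|$)")
RANGE = re.compile(r"INFO: 0x([0-9a-f]+)-0x([0-9a-f]+)\. First byte")


def object_bytes(report):
    """Return (base_address, bytes) assembled from the 'Object' rows."""
    rows = []
    for line in report.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "Object":
            rows.append((int(m.group(2), 16), bytes.fromhex(m.group(3))))
    if not rows:
        raise ValueError("no Object rows in report")
    rows.sort()
    base, data = rows[0][0], bytearray()
    for addr, chunk in rows:
        if addr != base + len(data):      # rows must be contiguous
            raise ValueError("gap in object dump at %#x" % addr)
        data += chunk
    return base, bytes(data)


def overwritten_runs(base, data):
    """Find inclusive address ranges that differ from the free-poison pattern."""
    runs, start = [], None
    for i, b in enumerate(data):
        expected = POISON_END if i == len(data) - 1 else POISON_FREE
        if b != expected and start is None:
            start = i
        elif b == expected and start is not None:
            runs.append((base + start, base + i - 1))
            start = None
    if start is not None:
        runs.append((base + start, base + len(data) - 1))
    return runs


def words_at(base, data, first, last, width=4):
    """Decode a run as little-endian words (width is an assumption: 32-bit)."""
    out = []
    for addr in range(first, last + 1, width):
        raw = data[addr - base:addr - base + width]
        out.append((addr, int.from_bytes(raw, "little")))
    return out


def looks_like_empty_list_head(words):
    """Two adjacent words that both hold the address of the first word:
    the shape of an empty struct list_head (next == prev == &head).
    This is a hint for triage, not proof of who wrote the bytes."""
    return (len(words) == 2 and words[0][1] == words[0][0]
            and words[1][1] == words[0][0])


def reported_range(report):
    """Range SLUB itself printed in the 'First byte ... instead of' line."""
    m = RANGE.search(report)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def analyse(report, width=4):
    base, data = object_bytes(report)
    findings = []
    for first, last in overwritten_runs(base, data):
        words = words_at(base, data, first, last, width)
        findings.append({"range": (first, last), "offset": first - base,
                         "words": [v for _, v in words],
                         "empty_list_head": looks_like_empty_list_head(words)})
    return findings


if __name__ == "__main__":
    for f in analyse(REPORT):
        print("overwrite %#x-%#x at object offset %d" % (*f["range"], f["offset"]))
        print("  words:", ", ".join("%#x" % w for w in f["words"]))
        print("  empty list_head pattern:", f["empty_list_head"])
```

On this report both overwritten words hold 0xdd3409f8, the address of the first word itself, so the write into the freed kmalloc-96 object at offset 24 has the shape of an empty list head being stored after the free.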
* usb HC busted?
@ 2018-07-17 11:41 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-07-17 11:41 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Andy Shevchenko, Andy Shevchenko, Mathias Nyman, linux-usb,
	lukaszx.szulc, Christoph Hellwig, Marek Szyprowski, iommu
Hi Mathias,
On Sat, Jun 30, 2018 at 10:07:04PM +0100, Sudip Mukherjee wrote:
> Hi Mathias,
> 
> On Fri, Jun 29, 2018 at 02:41:13PM +0300, Mathias Nyman wrote:
> > On 27.06.2018 14:59, Sudip Mukherjee wrote:
> > > > > Can you share a bit more details on the platform you are using, and what types of test you are running.
> > > > 
<snip>
> Then to track what is going on, I added the slub debugging and :(
> I have attached part of dmesg for you to check.
> Will appreciate your help in finding out the problem.
I did some more debugging. Tested with a KASAN enabled kernel and that
shows the problem. The report is attached.
To my understanding:
btusb_work() is calling usb_set_interface() with alternate = 0, which
again calls usb_hcd_alloc_bandwidth() and that frees the rings by
xhci_free_endpoint_ring(). But then usb_set_interface() continues and
calls usb_disable_interface() -> usb_hcd_flush_endpoint()->unlink1()->
xhci_urb_dequeue() which at the end gives the command to stop endpoint.
In all the cycles I have tested I see that only in the fail case
handle_cmd_completion() gets called, but in the cycles where the error
is not there handle_cmd_completion() is not called with that command.
I am not sure what is happening, and you are the best person to understand
what is happening. :)
But for now (until you are back from holiday and suggest a proper solution),
I made a hacky patch (attached) which is working and I do not get any
corruption after that. Both KASAN and slub debug are also happy.
So, now waiting for you to analyze what is going on and suggest a proper
fix.
Thanks in advance.
---
Regards
Sudip
[  236.814156] ==================================================================
[  236.814187] BUG: KASAN: use-after-free in xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
[  236.814193] Read of size 8 at addr ffff8800789329c8 by task weston/138
[  236.814203] CPU: 0 PID: 138 Comm: weston Tainted: G     U  W  O    4.14.47-20180606+ #7
[  236.814206] Hardware name: xxx, BIOS 2017.01-00087-g43e04de 08/30/2017
[  236.814209] Call Trace:
[  236.814214]  <IRQ>
[  236.814226]  dump_stack+0x46/0x59
[  236.814238]  print_address_description+0x6b/0x23b
[  236.814255]  ? xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
[  236.814262]  kasan_report+0x220/0x246
[  236.814278]  xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
[  236.814294]  trb_in_td+0x3b/0x1cd [xhci_hcd]
[  236.814311]  handle_cmd_completion+0x1181/0x2c9b [xhci_hcd]
[  236.814329]  ? xhci_queue_new_dequeue_state+0x5d9/0x5d9 [xhci_hcd]
[  236.814337]  ? drm_handle_vblank+0x4ec/0x590
[  236.814352]  xhci_irq+0x529/0x3294 [xhci_hcd]
[  236.814362]  ? __accumulate_pelt_segments+0x24/0x33
[  236.814378]  ? finish_td.isra.40+0x223/0x223 [xhci_hcd]
[  236.814384]  ? __accumulate_pelt_segments+0x24/0x33
[  236.814390]  ? __accumulate_pelt_segments+0x24/0x33
[  236.814405]  ? xhci_irq+0x3294/0x3294 [xhci_hcd]
[  236.814412]  __handle_irq_event_percpu+0x149/0x3db
[  236.814421]  handle_irq_event_percpu+0x65/0x109
[  236.814428]  ? __handle_irq_event_percpu+0x3db/0x3db
[  236.814436]  ? ttwu_do_wakeup.isra.18+0x3a2/0x3ce
[  236.814442]  handle_irq_event+0xa8/0x10a
[  236.814449]  handle_edge_irq+0x4b2/0x538
[  236.814458]  handle_irq+0x3e/0x45
[  236.814465]  do_IRQ+0x5c/0x126
[  236.814474]  common_interrupt+0x7a/0x7a
[  236.814478]  </IRQ>
[  236.814483] RIP: 0023:0xf79d3d82
[  236.814486] RSP: 002b:00000000ffc588e8 EFLAGS: 00200282 ORIG_RAX: ffffffffffffffdc
[  236.814493] RAX: 0000000000000000 RBX: 00000000f7bebd5c RCX: 0000000000000000
[  236.814496] RDX: 0000000008d4197c RSI: 0000000000000000 RDI: 00000000f746c020
[  236.814499] RBP: 00000000ffc588e8 R08: 0000000000000000 R09: 0000000000000000
[  236.814503] R10: 0000000000000000 R11: 0000000000200206 R12: 0000000000000000
[  236.814506] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  236.814513] Allocated by task 2082:
[  236.814521]  kasan_kmalloc.part.1+0x51/0xc7
[  236.814526]  kmem_cache_alloc_trace+0x178/0x187
[  236.814540]  xhci_segment_alloc.isra.11+0x9d/0x3bf [xhci_hcd]
[  236.814553]  xhci_alloc_segments_for_ring+0x9e/0x176 [xhci_hcd]
[  236.814566]  xhci_ring_alloc.constprop.16+0x197/0x4ba [xhci_hcd]
[  236.814579]  xhci_endpoint_init+0x77a/0x9ba [xhci_hcd]
[  236.814592]  xhci_add_endpoint+0x3bc/0x43b [xhci_hcd]
[  236.814615]  usb_hcd_alloc_bandwidth+0x7ef/0x857 [usbcore]
[  236.814637]  usb_set_interface+0x294/0x681 [usbcore]
[  236.814645]  btusb_work+0x2e6/0x981 [btusb]
[  236.814651]  process_one_work+0x579/0x9e9
[  236.814656]  worker_thread+0x68f/0x804
[  236.814662]  kthread+0x31c/0x32b
[  236.814668]  ret_from_fork+0x35/0x40
[  236.814672] Freed by task 1533:
[  236.814678]  kasan_slab_free+0xb3/0x15e
[  236.814683]  kfree+0x103/0x1a9
[  236.814696]  xhci_ring_free+0x205/0x286 [xhci_hcd]
[  236.814709]  xhci_free_endpoint_ring+0x4d/0x83 [xhci_hcd]
[  236.814722]  xhci_check_bandwidth+0x57b/0x65a [xhci_hcd]
[  236.814743]  usb_hcd_alloc_bandwidth+0x665/0x857 [usbcore]
[  236.814765]  usb_set_interface+0x294/0x681 [usbcore]
[  236.814772]  btusb_work+0x664/0x981 [btusb]
[  236.814777]  process_one_work+0x579/0x9e9
[  236.814782]  worker_thread+0x68f/0x804
[  236.814788]  kthread+0x31c/0x32b
[  236.814793]  ret_from_fork+0x35/0x40
[  236.814799] The buggy address belongs to the object at ffff8800789329c8
 which belongs to the cache kmalloc-64 of size 64
[  236.814804] The buggy address is located 0 bytes inside of
 64-byte region [ffff8800789329c8, ffff880078932a08)
[  236.814806] The buggy address belongs to the page:
[  236.814812] page:ffffea0001e24c80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  236.825813] flags: 0x4000000000008100(slab|head)
[  236.830981] raw: 4000000000008100 0000000000000000 0000000000000000 0000000100130013
[  236.830988] raw: ffffea0000cfbaa0 ffffea00010ddf20 ffff88013b80f640 0000000000000000
[  236.830990] page dumped because: kasan: bad access detected
[  236.830993] Memory state around the buggy address:
[  236.830999]  ffff880078932880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  236.831004]  ffff880078932900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  236.831008] >ffff880078932980: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
[  236.831011]                                               ^
[  236.831015]  ffff880078932a00: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  236.831019]  ffff880078932a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  236.831021] ==================================================================
[  236.831024] Disabling lock debugging due to kernel taint
From cbbe6dc59ac90a4f2c358de56e58e254320171e0 Mon Sep 17 00:00:00 2001
From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Date: Tue, 10 Jul 2018 09:50:00 +0100
Subject: [PATCH] hacky solution to mem-corruption
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
---
 drivers/usb/core/message.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 7cd4ec33dbf4..7fdf7a27611d 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1398,7 +1398,8 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
 		remove_intf_ep_devs(iface);
 		usb_remove_sysfs_intf_files(iface);
 	}
-	usb_disable_interface(dev, iface, true);
+	if (!(iface->cur_altsetting && alt))
+		usb_disable_interface(dev, iface, true);
 
 	iface->cur_altsetting = alt;
 
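Review bot: The new condition `!(iface->cur_altsetting && alt)` only tests that both pointers are non-NULL; it never compares them. As written, usb_disable_interface() is skipped on every call where the interface already has a current altsetting and alt is non-NULL, including a switch to a different alternate setting, not only a re-select of the setting already in use. If the intent is to skip the disable when the requested setting is already current, the test should be `iface->cur_altsetting != alt`. The commit message also has no body: it should name the corruption being avoided (the KASAN use-after-free in xhci_trb_virt_to_dma reported in this thread) and say why skipping the endpoint flush is safe.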
-- 
2.11.0
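To read the "Memory state around the buggy address" rows of the KASAN report above, here is an added example (not part of the thread or of the kernel tree) that maps the faulting address to its shadow byte and checks every granule of the kmalloc-64 object. It assumes generic KASAN's layout of one shadow byte per 8 bytes of memory; the function names are hypothetical, and the parser also accepts `>`-quoted copies of the report.

```python
import re

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory

# Generic KASAN shadow values for memory that must not be touched.
SHADOW_MEANING = {
    0xFA: "global redzone",
    0xFB: "freed kmalloc object",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
}

# Lines copied from the KASAN report in this thread (stack traces left out).
REPORT = """\
[  236.814187] BUG: KASAN: use-after-free in xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
[  236.814193] Read of size 8 at addr ffff8800789329c8 by task weston/138
[  236.814799] The buggy address belongs to the object at ffff8800789329c8
 which belongs to the cache kmalloc-64 of size 64
[  236.830993] Memory state around the buggy address:
[  236.830999]  ffff880078932880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  236.831004]  ffff880078932900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  236.831008] >ffff880078932980: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
[  236.831011]                                               ^
[  236.831015]  ffff880078932a00: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  236.831019]  ffff880078932a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

QUOTE = re.compile(r"^(?:>\s?)+")            # mail quote markers
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")   # dmesg timestamp
ROW = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s[0-9a-f]{2})+)\s*$")


def parse_report(text):
    """Extract the access, the object bounds and the shadow dump."""
    info = {"shadow": {}}
    for raw in text.splitlines():
        line = STAMP.sub("", QUOTE.sub("", raw))
        if m := re.search(r"BUG: KASAN: (\S+) in (\S+)", line):
            info["bug"], info["site"] = m[1], m[2]
        elif m := re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            info["access"] = (m[1], int(m[2]), int(m[3], 16))
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            info["obj_addr"] = int(m[1], 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            info["cache"], info["obj_size"] = m[1], int(m[2])
        elif m := ROW.match(line):
            base = int(m[1], 16)  # memory address covered by the first shadow byte
            for i, tok in enumerate(m[2].split()):
                info["shadow"][base + i * GRANULE] = int(tok, 16)
    return info


def describe(byte):
    """Translate one shadow byte into the state of its 8-byte granule."""
    if byte is None:
        return "not in dump"
    if byte == 0:
        return "accessible"
    if byte < GRANULE:
        return f"first {byte} bytes accessible"
    return SHADOW_MEANING.get(byte, f"unknown 0x{byte:02x}")


def triage(info):
    """Relate the faulting access to the object and to its neighbours."""
    kind, size, addr = info["access"]
    obj, obj_size, shadow = info["obj_addr"], info["obj_size"], info["shadow"]
    first = obj & ~(GRANULE - 1)
    granules = range(first, obj + obj_size, GRANULE)
    return {
        "access": f"{kind} of {size} bytes at offset {addr - obj} "
                  f"in a {info['cache']} object",
        "access_state": describe(shadow.get(addr & ~(GRANULE - 1))),
        "object_granules": [describe(shadow.get(a)) for a in granules],
        "before": describe(shadow.get(first - GRANULE)),
        "after": describe(shadow.get(granules[-1] + GRANULE)),
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(REPORT)).items():
        print(f"{key}: {value}")
```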
* usb HC busted?
@ 2018-07-17 12:04 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2018-07-17 12:04 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Mathias Nyman, Andy Shevchenko, Andy Shevchenko, Mathias Nyman,
	linux-usb, lukaszx.szulc, Christoph Hellwig, Marek Szyprowski,
	iommu
On Tue, Jul 17, 2018 at 12:41:04PM +0100, Sudip Mukherjee wrote:
> Hi Mathias,
> 
> On Sat, Jun 30, 2018 at 10:07:04PM +0100, Sudip Mukherjee wrote:
> > Hi Mathias,
> > 
> > On Fri, Jun 29, 2018 at 02:41:13PM +0300, Mathias Nyman wrote:
> > > On 27.06.2018 14:59, Sudip Mukherjee wrote:
> > > > > > Can you share a bit more details on the platform you are using, and what types of test you are running.
> > > > > 
> <snip>
> > Then to track what is going on, I added the slub debugging and :(
> > I have attached part of dmesg for you to check.
> > Will appreciate your help in finding out the problem.
> 
> I did some more debugging. Tested with a KASAN enabled kernel and that
> shows the problem. The report is attached.
> 
> To my understanding:
> 
> btusb_work() is calling usb_set_interface() with alternate = 0, which
> again calls usb_hcd_alloc_bandwidth() and that frees the rings by
> xhci_free_endpoint_ring(). But then usb_set_interface() continues and
> calls usb_disable_interface() -> usb_hcd_flush_endpoint()->unlink1()->
> xhci_urb_dequeue() which at the end gives the command to stop endpoint.
> 
> In all the cycles I have tested I see that only in the fail case
> handle_cmd_completion() gets called, but in the cycles where the error
> is not there handle_cmd_completion() is not called with that command.
> 
> I am not sure what is happening, and you are the best person to understand
> what is happening. :)
> 
> But for now (until you are back from holiday and suggest a proper solution),
> I made a hacky patch (attached) which is working and I do not get any
> corruption after that. Both KASAN and slub debug are also happy.
> 
> So, now waiting for you to analyze what is going on and suggest a proper
> fix.
> 
> Thanks in advance.
> 
> --
> Regards
> Sudip
> [  236.814156] ==================================================================
> [  236.814187] BUG: KASAN: use-after-free in xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
> [  236.814193] Read of size 8 at addr ffff8800789329c8 by task weston/138
> 
> [  236.814203] CPU: 0 PID: 138 Comm: weston Tainted: G     U  W  O    4.14.47-20180606+ #7
> [  236.814206] Hardware name: xxx, BIOS 2017.01-00087-g43e04de 08/30/2017
> [  236.814209] Call Trace:
> [  236.814214]  <IRQ>
> [  236.814226]  dump_stack+0x46/0x59
> [  236.814238]  print_address_description+0x6b/0x23b
> [  236.814255]  ? xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
> [  236.814262]  kasan_report+0x220/0x246
> [  236.814278]  xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
> [  236.814294]  trb_in_td+0x3b/0x1cd [xhci_hcd]
> [  236.814311]  handle_cmd_completion+0x1181/0x2c9b [xhci_hcd]
> [  236.814329]  ? xhci_queue_new_dequeue_state+0x5d9/0x5d9 [xhci_hcd]
> [  236.814337]  ? drm_handle_vblank+0x4ec/0x590
> [  236.814352]  xhci_irq+0x529/0x3294 [xhci_hcd]
> [  236.814362]  ? __accumulate_pelt_segments+0x24/0x33
> [  236.814378]  ? finish_td.isra.40+0x223/0x223 [xhci_hcd]
> [  236.814384]  ? __accumulate_pelt_segments+0x24/0x33
> [  236.814390]  ? __accumulate_pelt_segments+0x24/0x33
> [  236.814405]  ? xhci_irq+0x3294/0x3294 [xhci_hcd]
> [  236.814412]  __handle_irq_event_percpu+0x149/0x3db
> [  236.814421]  handle_irq_event_percpu+0x65/0x109
> [  236.814428]  ? __handle_irq_event_percpu+0x3db/0x3db
> [  236.814436]  ? ttwu_do_wakeup.isra.18+0x3a2/0x3ce
> [  236.814442]  handle_irq_event+0xa8/0x10a
> [  236.814449]  handle_edge_irq+0x4b2/0x538
> [  236.814458]  handle_irq+0x3e/0x45
> [  236.814465]  do_IRQ+0x5c/0x126
> [  236.814474]  common_interrupt+0x7a/0x7a
> [  236.814478]  </IRQ>
> [  236.814483] RIP: 0023:0xf79d3d82
> [  236.814486] RSP: 002b:00000000ffc588e8 EFLAGS: 00200282 ORIG_RAX: ffffffffffffffdc
> [  236.814493] RAX: 0000000000000000 RBX: 00000000f7bebd5c RCX: 0000000000000000
> [  236.814496] RDX: 0000000008d4197c RSI: 0000000000000000 RDI: 00000000f746c020
> [  236.814499] RBP: 00000000ffc588e8 R08: 0000000000000000 R09: 0000000000000000
> [  236.814503] R10: 0000000000000000 R11: 0000000000200206 R12: 0000000000000000
> [  236.814506] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> 
> [  236.814513] Allocated by task 2082:
> [  236.814521]  kasan_kmalloc.part.1+0x51/0xc7
> [  236.814526]  kmem_cache_alloc_trace+0x178/0x187
> [  236.814540]  xhci_segment_alloc.isra.11+0x9d/0x3bf [xhci_hcd]
> [  236.814553]  xhci_alloc_segments_for_ring+0x9e/0x176 [xhci_hcd]
> [  236.814566]  xhci_ring_alloc.constprop.16+0x197/0x4ba [xhci_hcd]
> [  236.814579]  xhci_endpoint_init+0x77a/0x9ba [xhci_hcd]
> [  236.814592]  xhci_add_endpoint+0x3bc/0x43b [xhci_hcd]
> [  236.814615]  usb_hcd_alloc_bandwidth+0x7ef/0x857 [usbcore]
> [  236.814637]  usb_set_interface+0x294/0x681 [usbcore]
> [  236.814645]  btusb_work+0x2e6/0x981 [btusb]
> [  236.814651]  process_one_work+0x579/0x9e9
> [  236.814656]  worker_thread+0x68f/0x804
> [  236.814662]  kthread+0x31c/0x32b
> [  236.814668]  ret_from_fork+0x35/0x40
> 
> [  236.814672] Freed by task 1533:
> [  236.814678]  kasan_slab_free+0xb3/0x15e
> [  236.814683]  kfree+0x103/0x1a9
> [  236.814696]  xhci_ring_free+0x205/0x286 [xhci_hcd]
> [  236.814709]  xhci_free_endpoint_ring+0x4d/0x83 [xhci_hcd]
> [  236.814722]  xhci_check_bandwidth+0x57b/0x65a [xhci_hcd]
> [  236.814743]  usb_hcd_alloc_bandwidth+0x665/0x857 [usbcore]
> [  236.814765]  usb_set_interface+0x294/0x681 [usbcore]
> [  236.814772]  btusb_work+0x664/0x981 [btusb]
> [  236.814777]  process_one_work+0x579/0x9e9
> [  236.814782]  worker_thread+0x68f/0x804
> [  236.814788]  kthread+0x31c/0x32b
> [  236.814793]  ret_from_fork+0x35/0x40
> 
> [  236.814799] The buggy address belongs to the object at ffff8800789329c8
>  which belongs to the cache kmalloc-64 of size 64
> [  236.814804] The buggy address is located 0 bytes inside of
>  64-byte region [ffff8800789329c8, ffff880078932a08)
> [  236.814806] The buggy address belongs to the page:
> [  236.814812] page:ffffea0001e24c80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
> [  236.825813] flags: 0x4000000000008100(slab|head)
> [  236.830981] raw: 4000000000008100 0000000000000000 0000000000000000 0000000100130013
> [  236.830988] raw: ffffea0000cfbaa0 ffffea00010ddf20 ffff88013b80f640 0000000000000000
> [  236.830990] page dumped because: kasan: bad access detected
> 
> [  236.830993] Memory state around the buggy address:
> [  236.830999]  ffff880078932880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  236.831004]  ffff880078932900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  236.831008] >ffff880078932980: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
> [  236.831011]                                               ^
> [  236.831015]  ffff880078932a00: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  236.831019]  ffff880078932a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  236.831021] ==================================================================
> [  236.831024] Disabling lock debugging due to kernel taint
> From cbbe6dc59ac90a4f2c358de56e58e254320171e0 Mon Sep 17 00:00:00 2001
> From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> Date: Tue, 10 Jul 2018 09:50:00 +0100
> Subject: [PATCH] hacky solution to mem-corruption
> 
> Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> ---
>  drivers/usb/core/message.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> index 7cd4ec33dbf4..7fdf7a27611d 100644
> --- a/drivers/usb/core/message.c
> +++ b/drivers/usb/core/message.c
> @@ -1398,7 +1398,8 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
>  		remove_intf_ep_devs(iface);
>  		usb_remove_sysfs_intf_files(iface);
>  	}
> -	usb_disable_interface(dev, iface, true);
> +	if (!(iface->cur_altsetting && alt))
> +		usb_disable_interface(dev, iface, true);

This feels like a "correct" patch anyway, why would a driver keep
calling set_interface to an interface that it was already set to?

But can't we check for this higher up in the function?  This hack will
just not disable an interface but it will do all of the other stuff
being asked for.  Does the patch below also solve this for you?  It's
not a good solution of course, but it might work around the problem a
bit better.

thanks,

greg k-h
---
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 1a15392326fc..0f718f1a1ca3 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1376,6 +1376,14 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
 		return -EINVAL;
 	}
 
+	if (iface->cur_altsetting == alt) {
+		/*
+		 * foolish bluetooth stack, don't try to set a setting you are
+		 * already set to...
+		 */
+		return 0;
+	}
+
 	/* Make sure we have enough bandwidth for this alternate interface.
 	 * Remove the current alt setting and add the new alt setting.
 	 */
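Review bot: Returning 0 at `if (iface->cur_altsetting == alt)` skips the whole rest of usb_set_interface(), not just the bandwidth step described in the comment below it, so a caller that re-selects the current setting now gets success with nothing done; that change in behaviour needs to be stated in the function's documentation and in a commit message, which this patch lacks. The comment blames one caller ("foolish bluetooth stack") from core code; describe the condition instead, for example that the requested altsetting is already current. The follow-up in this thread reports that this branch is not taken in the failing case, so the comparison does not cover the reported corruption path.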
* usb HC busted?
@ 2018-07-17 13:20 Sudip Mukherjee
From: Sudip Mukherjee @ 2018-07-17 13:20 UTC (permalink / raw)
  To: Greg KH
  Cc: Mathias Nyman, Andy Shevchenko, Andy Shevchenko, Mathias Nyman,
	linux-usb, lukaszx.szulc, Christoph Hellwig, Marek Szyprowski,
	iommu
Hi Greg,
On Tue, Jul 17, 2018 at 02:04:11PM +0200, Greg KH wrote:
> On Tue, Jul 17, 2018 at 12:41:04PM +0100, Sudip Mukherjee wrote:
> > Hi Mathias,
> > 
> > On Sat, Jun 30, 2018 at 10:07:04PM +0100, Sudip Mukherjee wrote:
> > > Hi Mathias,
> > > 
> > > On Fri, Jun 29, 2018 at 02:41:13PM +0300, Mathias Nyman wrote:
> > > > On 27.06.2018 14:59, Sudip Mukherjee wrote:
> > > > > > > Can you share a bit more details on the platform you are using, and what types of test you are running.
> > > > > > 
> > <snip>
> > > Then to track what is going on, I added the slub debugging and :(
> > > I have attached part of dmesg for you to check.
> > > Will appreciate your help in finding out the problem.
> > 
> > I did some more debugging. Tested with a KASAN enabled kernel and that
> > shows the problem. The report is attached.
> > 
> > To my understanding:
> > 
> > btusb_work() is calling usb_set_interface() with alternate = 0, which
> > again calls usb_hcd_alloc_bandwidth() and that frees the rings by
> > xhci_free_endpoint_ring(). But then usb_set_interface() continues and
> > calls usb_disable_interface() -> usb_hcd_flush_endpoint()->unlink1()->
> > xhci_urb_dequeue() which at the end gives the command to stop endpoint.
> > 
> > In all the cycles I have tested I see that only in the fail case
> > handle_cmd_completion() gets called, but in the cycles where the error
> > is not there handle_cmd_completion() is not called with that command.
> > 
> > I am not sure what is happening, and you are the best person to understand
> > what is happening. :)
> > 
> > But for now (until you are back from holiday and suggest a proper solution),
> > I made a hacky patch (attached) which is working and I do not get any
> > corruption after that. Both KASAN and slub debug are also happy.
> > 
> > So, now waiting for you to analyze what is going on and suggest a proper
> > fix.
> > 
> > Thanks in advance.
> > 
> > --
> > Regards
> > Sudip
> 
> > [  236.814156] ==================================================================
> > [  236.814187] BUG: KASAN: use-after-free in xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
> > [  236.814193] Read of size 8 at addr ffff8800789329c8 by task weston/138
> > 
> > [  236.814203] CPU: 0 PID: 138 Comm: weston Tainted: G     U  W  O    4.14.47-20180606+ #7
> > [  236.814206] Hardware name: xxx, BIOS 2017.01-00087-g43e04de 08/30/2017
> > [  236.814209] Call Trace:
> > [  236.814214]  <IRQ>
> > [  236.814226]  dump_stack+0x46/0x59
> > [  236.814238]  print_address_description+0x6b/0x23b
> > [  236.814255]  ? xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
> > [  236.814262]  kasan_report+0x220/0x246
> > [  236.814278]  xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
> > [  236.814294]  trb_in_td+0x3b/0x1cd [xhci_hcd]
> > [  236.814311]  handle_cmd_completion+0x1181/0x2c9b [xhci_hcd]
> > [  236.814329]  ? xhci_queue_new_dequeue_state+0x5d9/0x5d9 [xhci_hcd]
> > [  236.814337]  ? drm_handle_vblank+0x4ec/0x590
> > [  236.814352]  xhci_irq+0x529/0x3294 [xhci_hcd]
> > [  236.814362]  ? __accumulate_pelt_segments+0x24/0x33
> > [  236.814378]  ? finish_td.isra.40+0x223/0x223 [xhci_hcd]
> > [  236.814384]  ? __accumulate_pelt_segments+0x24/0x33
> > [  236.814390]  ? __accumulate_pelt_segments+0x24/0x33
> > [  236.814405]  ? xhci_irq+0x3294/0x3294 [xhci_hcd]
> > [  236.814412]  __handle_irq_event_percpu+0x149/0x3db
> > [  236.814421]  handle_irq_event_percpu+0x65/0x109
> > [  236.814428]  ? __handle_irq_event_percpu+0x3db/0x3db
> > [  236.814436]  ? ttwu_do_wakeup.isra.18+0x3a2/0x3ce
> > [  236.814442]  handle_irq_event+0xa8/0x10a
> > [  236.814449]  handle_edge_irq+0x4b2/0x538
> > [  236.814458]  handle_irq+0x3e/0x45
> > [  236.814465]  do_IRQ+0x5c/0x126
> > [  236.814474]  common_interrupt+0x7a/0x7a
> > [  236.814478]  </IRQ>
> > [  236.814483] RIP: 0023:0xf79d3d82
> > [  236.814486] RSP: 002b:00000000ffc588e8 EFLAGS: 00200282 ORIG_RAX: ffffffffffffffdc
> > [  236.814493] RAX: 0000000000000000 RBX: 00000000f7bebd5c RCX: 0000000000000000
> > [  236.814496] RDX: 0000000008d4197c RSI: 0000000000000000 RDI: 00000000f746c020
> > [  236.814499] RBP: 00000000ffc588e8 R08: 0000000000000000 R09: 0000000000000000
> > [  236.814503] R10: 0000000000000000 R11: 0000000000200206 R12: 0000000000000000
> > [  236.814506] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> > 
> > [  236.814513] Allocated by task 2082:
> > [  236.814521]  kasan_kmalloc.part.1+0x51/0xc7
> > [  236.814526]  kmem_cache_alloc_trace+0x178/0x187
> > [  236.814540]  xhci_segment_alloc.isra.11+0x9d/0x3bf [xhci_hcd]
> > [  236.814553]  xhci_alloc_segments_for_ring+0x9e/0x176 [xhci_hcd]
> > [  236.814566]  xhci_ring_alloc.constprop.16+0x197/0x4ba [xhci_hcd]
> > [  236.814579]  xhci_endpoint_init+0x77a/0x9ba [xhci_hcd]
> > [  236.814592]  xhci_add_endpoint+0x3bc/0x43b [xhci_hcd]
> > [  236.814615]  usb_hcd_alloc_bandwidth+0x7ef/0x857 [usbcore]
> > [  236.814637]  usb_set_interface+0x294/0x681 [usbcore]
> > [  236.814645]  btusb_work+0x2e6/0x981 [btusb]
> > [  236.814651]  process_one_work+0x579/0x9e9
> > [  236.814656]  worker_thread+0x68f/0x804
> > [  236.814662]  kthread+0x31c/0x32b
> > [  236.814668]  ret_from_fork+0x35/0x40
> > 
> > [  236.814672] Freed by task 1533:
> > [  236.814678]  kasan_slab_free+0xb3/0x15e
> > [  236.814683]  kfree+0x103/0x1a9
> > [  236.814696]  xhci_ring_free+0x205/0x286 [xhci_hcd]
> > [  236.814709]  xhci_free_endpoint_ring+0x4d/0x83 [xhci_hcd]
> > [  236.814722]  xhci_check_bandwidth+0x57b/0x65a [xhci_hcd]
> > [  236.814743]  usb_hcd_alloc_bandwidth+0x665/0x857 [usbcore]
> > [  236.814765]  usb_set_interface+0x294/0x681 [usbcore]
> > [  236.814772]  btusb_work+0x664/0x981 [btusb]
> > [  236.814777]  process_one_work+0x579/0x9e9
> > [  236.814782]  worker_thread+0x68f/0x804
> > [  236.814788]  kthread+0x31c/0x32b
> > [  236.814793]  ret_from_fork+0x35/0x40
> > 
> > [  236.814799] The buggy address belongs to the object at ffff8800789329c8
> >  which belongs to the cache kmalloc-64 of size 64
> > [  236.814804] The buggy address is located 0 bytes inside of
> >  64-byte region [ffff8800789329c8, ffff880078932a08)
> > [  236.814806] The buggy address belongs to the page:
> > [  236.814812] page:ffffea0001e24c80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
> > [  236.825813] flags: 0x4000000000008100(slab|head)
> > [  236.830981] raw: 4000000000008100 0000000000000000 0000000000000000 0000000100130013
> > [  236.830988] raw: ffffea0000cfbaa0 ffffea00010ddf20 ffff88013b80f640 0000000000000000
> > [  236.830990] page dumped because: kasan: bad access detected
> > 
> > [  236.830993] Memory state around the buggy address:
> > [  236.830999]  ffff880078932880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [  236.831004]  ffff880078932900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [  236.831008] >ffff880078932980: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
> > [  236.831011]                                               ^
> > [  236.831015]  ffff880078932a00: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [  236.831019]  ffff880078932a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [  236.831021] ==================================================================
> > [  236.831024] Disabling lock debugging due to kernel taint
> 
> > From cbbe6dc59ac90a4f2c358de56e58e254320171e0 Mon Sep 17 00:00:00 2001
> > From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > Date: Tue, 10 Jul 2018 09:50:00 +0100
> > Subject: [PATCH] hacky solution to mem-corruption
> > 
> > Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > ---
> >  drivers/usb/core/message.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> > index 7cd4ec33dbf4..7fdf7a27611d 100644
> > --- a/drivers/usb/core/message.c
> > +++ b/drivers/usb/core/message.c
> > @@ -1398,7 +1398,8 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
> >  		remove_intf_ep_devs(iface);
> >  		usb_remove_sysfs_intf_files(iface);
> >  	}
> > -	usb_disable_interface(dev, iface, true);
> > +	if (!(iface->cur_altsetting && alt))
> > +		usb_disable_interface(dev, iface, true);
> 
> 
> 
> This feels like a "correct" patch anyway, why would a driver keep
> calling set_interface to an interface that it was already set to?
> 
> But can't we check for this higher up in the function?  This hack will
> just not disable an interface but it will do all of the other stuff
> being asked for.  Does the patch below also solve this for you?  It's
> not a good solution of course, but it might work around the problem a
> bit better.

It did not solve the problem and I can see the xHCI ring segments getting
corrupted. Then I modified your patch a little bit to have some debugging
info. Modified patch is attached. And that dmesg shows that the "if"
condition is not true and it is going to the "else" block.

Attached is the modified patch and the part of dmesg.

---
Regards
Sudip
[  436.809574] BLUETOOTH:  SCO usb pack length 17
[  436.809579] BLUETOOTH:  SCO usb pack length 17
[  436.809594] BLUETOOTH:  SCO usb pack length 17
[  436.809608] BLUETOOTH:  SCO usb pack length 17
[  436.809610] BLUETOOTH:  SCO usb pack length 17
[  436.809614] BLUETOOTH:  SCO usb pack length 17
[  436.809626] BLUETOOTH:  SCO usb pack length 17
[  436.809628] BLUETOOTH:  SCO usb pack length 17
[  436.809632] BLUETOOTH:  SCO usb pack length 17
[  436.809644] BLUETOOTH:  SCO usb pack length 17
[  437.204373] sudip: in else
[  437.205779] Bluetooth: hci0 SCO packet for unknown connection handle 266
[  437.205794] Bluetooth: hci0 SCO packet for unknown connection handle 266
[  469.246674] sudip: in else
[  469.246722] xhci_hcd 0000:00:14.0: dma_pool_alloc xHCI ring segments, ef9d6000 (corrupted)
[  469.247082] 00000960: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247084] 00000970: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247086] 00000980: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247089] 00000990: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247091] 000009a0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247094] 000009b0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247096] 000009c0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247098] 000009d0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247101] 000009e0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247103] 000009f0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247105] 00000a00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247108] 00000a10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247110] 00000a20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247112] 00000a30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247115] 00000a40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247117] 00000a50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247120] 00000a60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247122] 00000a70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247124] 00000a80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247127] 00000a90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247129] 00000aa0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247131] 00000ab0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247134] 00000ac0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247136] 00000ad0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247139] 00000ae0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247141] 00000af0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247143] 00000b00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247146] 00000b10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247148] 00000b20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247150] 00000b30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247153] 00000b40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247155] 00000b50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247158] 00000b60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247160] 00000b70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247162] 00000b80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247165] 00000b90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247167] 00000ba0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247169] 00000bb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247172] 00000bc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247174] 00000bd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247176] 00000be0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247179] 00000bf0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247181] 00000c00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247184] 00000c10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247186] 00000c20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247188] 00000c30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247191] 00000c40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247193] 00000c50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247195] 00000c60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247198] 00000c70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247200] 00000c80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247202] 00000c90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247205] 00000ca0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247207] 00000cb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247209] 00000cc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247212] 00000cd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247214] 00000ce0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247216] 00000cf0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247219] 00000d00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247221] 00000d10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247224] 00000d20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247226] 00000d30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247228] 00000d40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247231] 00000d50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247233] 00000d60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247235] 00000d70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247238] 00000d80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247240] 00000d90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247242] 00000da0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247245] 00000db0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247247] 00000dc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247249] 00000dd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247252] 00000de0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247254] 00000df0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247257] 00000e00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247259] 00000e10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247261] 00000e20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247264] 00000e30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247266] 00000e40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247268] 00000e50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247271] 00000e60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247273] 00000e70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247276] 00000e80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247278] 00000e90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247280] 00000ea0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247283] 00000eb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247285] 00000ec0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247287] 00000ed0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247290] 00000ee0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247292] 00000ef0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247295] 00000f00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247297] 00000f10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247299] 00000f20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247302] 00000f30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247304] 00000f40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247306] 00000f50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247309] 00000f60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247311] 00000f70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247313] 00000f80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247316] 00000f90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247318] 00000fa0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247321] 00000fb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247323] 00000fc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247325] 00000fd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247328] 00000fe0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
[  469.247330] 00000ff0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 7cd4ec33dbf4..6ba32f4d3b8b 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1338,6 +1338,17 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
 		return -EINVAL;
 	}
 
+	if (iface->cur_altsetting == alt) {
+		/*
+		 * foolish bluetooth stack, don't try to set a setting you are
+		 * already set to...
+		 */
+		pr_err("sudip: returning\n");
+		return 0;
+	} else {
+		pr_err("sudip: in else\n");
+	}
+
 	/* Make sure we have enough bandwidth for this alternate interface.
 	 * Remove the current alt setting and add the new alt setting.
 	 */
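Review bot: the early "return 0" added ahead of the bandwidth comment skips the rest of usb_set_interface() for every USB driver, while the comment only names the bluetooth stack. If the check is meant to stay, the comment and commit text should say why skipping the whole function is safe for all callers when iface->cur_altsetting == alt. The pr_err("sudip: ...") lines and the else branch that exists only to print are debug scaffolding; drop them or turn them into dev_dbg() before this goes further. The dmesg quoted in this thread shows "sudip: in else" right before the corruption report, so this condition is not matching on the failing call and the check as written does not cover that path.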
* usb HC busted?
@ 2018-07-17 13:53 Greg Kroah-Hartman
  0 siblings, 0 replies; 39+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-17 13:53 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Mathias Nyman, Andy Shevchenko, Andy Shevchenko, Mathias Nyman,
	linux-usb, lukaszx.szulc, Christoph Hellwig, Marek Szyprowski,
	iommu
On Tue, Jul 17, 2018 at 02:20:00PM +0100, Sudip Mukherjee wrote:
> Hi Greg,
> 
> On Tue, Jul 17, 2018 at 02:04:11PM +0200, Greg KH wrote:
> > On Tue, Jul 17, 2018 at 12:41:04PM +0100, Sudip Mukherjee wrote:
> > > Hi Mathias,
> > > 
> > > On Sat, Jun 30, 2018 at 10:07:04PM +0100, Sudip Mukherjee wrote:
> > > > Hi Mathias,
> > > > 
> > > > On Fri, Jun 29, 2018 at 02:41:13PM +0300, Mathias Nyman wrote:
> > > > > On 27.06.2018 14:59, Sudip Mukherjee wrote:
> > > > > > > > Can you share a bit more details on the platform you are using, and what types of test you are running.
> > > > > > > 
> > > <snip>
> > > > Then to track what is going on, I added the slub debugging and :(
> > > > I have attached part of dmesg for you to check.
> > > > Will appreciate your help in finding out the problem.
> > > 
> > > I did some more debugging. Tested with a KASAN enabled kernel and that
> > > shows the problem. The report is attached.
> > > 
> > > To my understanding:
> > > 
> > > btusb_work() is calling usb_set_interface() with alternate = 0, which
> > > again calls usb_hcd_alloc_bandwidth() and that frees the rings by
> > > xhci_free_endpoint_ring(). But then usb_set_interface() continues and
> > > calls usb_disable_interface() -> usb_hcd_flush_endpoint()->unlink1()->
> > > xhci_urb_dequeue() which at the end gives the command to stop endpoint.
> > > 
> > > In all the cycles I have tested I see that only in the fail case
> > > handle_cmd_completion() gets called, but in the cycles where the error
> > > is not there handle_cmd_completion() is not called with that command.
> > > 
> > > I am not sure what is happening, and you are the best person to understand
> > > what is happening. :)
> > > 
> > > But for now (until you are back from holiday and suggest a proper solution),
> > > I made a hacky patch (attached) which is working and I do not get any
> > > corruption after that. Both KASAN and slub debug are also happy.
> > > 
> > > So, now waiting for you to analyze what is going on and suggest a proper
> > > fix.
> > > 
> > > Thanks in advance.
> > > 
> > > --
> > > Regards
> > > Sudip
> > 
> > > [  236.814156] ==================================================================
> > > [  236.814187] BUG: KASAN: use-after-free in xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
> > > [  236.814193] Read of size 8 at addr ffff8800789329c8 by task weston/138
> > > 
> > > [  236.814203] CPU: 0 PID: 138 Comm: weston Tainted: G     U  W  O    4.14.47-20180606+ #7
> > > [  236.814206] Hardware name: xxx, BIOS 2017.01-00087-g43e04de 08/30/2017
> > > [  236.814209] Call Trace:
> > > [  236.814214]  <IRQ>
> > > [  236.814226]  dump_stack+0x46/0x59
> > > [  236.814238]  print_address_description+0x6b/0x23b
> > > [  236.814255]  ? xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
> > > [  236.814262]  kasan_report+0x220/0x246
> > > [  236.814278]  xhci_trb_virt_to_dma+0x2e/0x74 [xhci_hcd]
> > > [  236.814294]  trb_in_td+0x3b/0x1cd [xhci_hcd]
> > > [  236.814311]  handle_cmd_completion+0x1181/0x2c9b [xhci_hcd]
> > > [  236.814329]  ? xhci_queue_new_dequeue_state+0x5d9/0x5d9 [xhci_hcd]
> > > [  236.814337]  ? drm_handle_vblank+0x4ec/0x590
> > > [  236.814352]  xhci_irq+0x529/0x3294 [xhci_hcd]
> > > [  236.814362]  ? __accumulate_pelt_segments+0x24/0x33
> > > [  236.814378]  ? finish_td.isra.40+0x223/0x223 [xhci_hcd]
> > > [  236.814384]  ? __accumulate_pelt_segments+0x24/0x33
> > > [  236.814390]  ? __accumulate_pelt_segments+0x24/0x33
> > > [  236.814405]  ? xhci_irq+0x3294/0x3294 [xhci_hcd]
> > > [  236.814412]  __handle_irq_event_percpu+0x149/0x3db
> > > [  236.814421]  handle_irq_event_percpu+0x65/0x109
> > > [  236.814428]  ? __handle_irq_event_percpu+0x3db/0x3db
> > > [  236.814436]  ? ttwu_do_wakeup.isra.18+0x3a2/0x3ce
> > > [  236.814442]  handle_irq_event+0xa8/0x10a
> > > [  236.814449]  handle_edge_irq+0x4b2/0x538
> > > [  236.814458]  handle_irq+0x3e/0x45
> > > [  236.814465]  do_IRQ+0x5c/0x126
> > > [  236.814474]  common_interrupt+0x7a/0x7a
> > > [  236.814478]  </IRQ>
> > > [  236.814483] RIP: 0023:0xf79d3d82
> > > [  236.814486] RSP: 002b:00000000ffc588e8 EFLAGS: 00200282 ORIG_RAX: ffffffffffffffdc
> > > [  236.814493] RAX: 0000000000000000 RBX: 00000000f7bebd5c RCX: 0000000000000000
> > > [  236.814496] RDX: 0000000008d4197c RSI: 0000000000000000 RDI: 00000000f746c020
> > > [  236.814499] RBP: 00000000ffc588e8 R08: 0000000000000000 R09: 0000000000000000
> > > [  236.814503] R10: 0000000000000000 R11: 0000000000200206 R12: 0000000000000000
> > > [  236.814506] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> > > 
> > > [  236.814513] Allocated by task 2082:
> > > [  236.814521]  kasan_kmalloc.part.1+0x51/0xc7
> > > [  236.814526]  kmem_cache_alloc_trace+0x178/0x187
> > > [  236.814540]  xhci_segment_alloc.isra.11+0x9d/0x3bf [xhci_hcd]
> > > [  236.814553]  xhci_alloc_segments_for_ring+0x9e/0x176 [xhci_hcd]
> > > [  236.814566]  xhci_ring_alloc.constprop.16+0x197/0x4ba [xhci_hcd]
> > > [  236.814579]  xhci_endpoint_init+0x77a/0x9ba [xhci_hcd]
> > > [  236.814592]  xhci_add_endpoint+0x3bc/0x43b [xhci_hcd]
> > > [  236.814615]  usb_hcd_alloc_bandwidth+0x7ef/0x857 [usbcore]
> > > [  236.814637]  usb_set_interface+0x294/0x681 [usbcore]
> > > [  236.814645]  btusb_work+0x2e6/0x981 [btusb]
> > > [  236.814651]  process_one_work+0x579/0x9e9
> > > [  236.814656]  worker_thread+0x68f/0x804
> > > [  236.814662]  kthread+0x31c/0x32b
> > > [  236.814668]  ret_from_fork+0x35/0x40
> > > 
> > > [  236.814672] Freed by task 1533:
> > > [  236.814678]  kasan_slab_free+0xb3/0x15e
> > > [  236.814683]  kfree+0x103/0x1a9
> > > [  236.814696]  xhci_ring_free+0x205/0x286 [xhci_hcd]
> > > [  236.814709]  xhci_free_endpoint_ring+0x4d/0x83 [xhci_hcd]
> > > [  236.814722]  xhci_check_bandwidth+0x57b/0x65a [xhci_hcd]
> > > [  236.814743]  usb_hcd_alloc_bandwidth+0x665/0x857 [usbcore]
> > > [  236.814765]  usb_set_interface+0x294/0x681 [usbcore]
> > > [  236.814772]  btusb_work+0x664/0x981 [btusb]
> > > [  236.814777]  process_one_work+0x579/0x9e9
> > > [  236.814782]  worker_thread+0x68f/0x804
> > > [  236.814788]  kthread+0x31c/0x32b
> > > [  236.814793]  ret_from_fork+0x35/0x40
> > > 
> > > [  236.814799] The buggy address belongs to the object at ffff8800789329c8
> > >  which belongs to the cache kmalloc-64 of size 64
> > > [  236.814804] The buggy address is located 0 bytes inside of
> > >  64-byte region [ffff8800789329c8, ffff880078932a08)
> > > [  236.814806] The buggy address belongs to the page:
> > > [  236.814812] page:ffffea0001e24c80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
> > > [  236.825813] flags: 0x4000000000008100(slab|head)
> > > [  236.830981] raw: 4000000000008100 0000000000000000 0000000000000000 0000000100130013
> > > [  236.830988] raw: ffffea0000cfbaa0 ffffea00010ddf20 ffff88013b80f640 0000000000000000
> > > [  236.830990] page dumped because: kasan: bad access detected
> > > 
> > > [  236.830993] Memory state around the buggy address:
> > > [  236.830999]  ffff880078932880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > [  236.831004]  ffff880078932900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > [  236.831008] >ffff880078932980: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
> > > [  236.831011]                                               ^
> > > [  236.831015]  ffff880078932a00: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > [  236.831019]  ffff880078932a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > [  236.831021] ==================================================================
> > > [  236.831024] Disabling lock debugging due to kernel taint
> > 
> > > >From cbbe6dc59ac90a4f2c358de56e58e254320171e0 Mon Sep 17 00:00:00 2001
> > > From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > > Date: Tue, 10 Jul 2018 09:50:00 +0100
> > > Subject: [PATCH] hacky solution to mem-corruption
> > > 
> > > Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > > ---
> > >  drivers/usb/core/message.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> > > index 7cd4ec33dbf4..7fdf7a27611d 100644
> > > --- a/drivers/usb/core/message.c
> > > +++ b/drivers/usb/core/message.c
> > > @@ -1398,7 +1398,8 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
> > >  		remove_intf_ep_devs(iface);
> > >  		usb_remove_sysfs_intf_files(iface);
> > >  	}
> > > -	usb_disable_interface(dev, iface, true);
> > > +	if (!(iface->cur_altsetting && alt))
> > > +		usb_disable_interface(dev, iface, true);
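Review bot: the new condition "!(iface->cur_altsetting && alt)" is a logical AND of two pointers, not a comparison, so it is true whenever both are non-NULL and usb_disable_interface() ends up skipped on essentially every call rather than only when the requested setting is already the current one. If the intent is "already at this altsetting", the test should compare them, for example "if (iface->cur_altsetting != alt)", and the commit message needs a description of the corruption being worked around and why skipping the disable is safe for the endpoints of the old setting.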
> > 
> > 
> > 
> > This feels like a "correct" patch anyway, why would a driver keep
> > calling set_interface to an interface that it was already set to?
> > 
> > But can't we check for this higher up in the function?  This hack will
> > just not disable an interface but it will do all of the other stuff
> > being asked for.  Does the patch below also solve this for you?  It's
> > not a good solution of course, but it might work around the problem a
> > bit better.
> 
> It did not solve the problem and I can see the xHCI ring segments getting
> corrupted. Then I modified your patch a little bit to have some debugging
> info. Modified patch is attached. And that dmesg shows that the "if"
> condition is not true and it is going to the "else" block.
> 
> Attached is the modified patch and the part of dmesg.
> 
> --
> Regards
> Sudip
> [  436.809574] BLUETOOTH:  SCO usb pack length 17
> [  436.809579] BLUETOOTH:  SCO usb pack length 17
> [  436.809594] BLUETOOTH:  SCO usb pack length 17
> [  436.809608] BLUETOOTH:  SCO usb pack length 17
> [  436.809610] BLUETOOTH:  SCO usb pack length 17
> [  436.809614] BLUETOOTH:  SCO usb pack length 17
> [  436.809626] BLUETOOTH:  SCO usb pack length 17
> [  436.809628] BLUETOOTH:  SCO usb pack length 17
> [  436.809632] BLUETOOTH:  SCO usb pack length 17
> [  436.809644] BLUETOOTH:  SCO usb pack length 17
> [  437.204373] sudip: in else
> [  437.205779] Bluetooth: hci0 SCO packet for unknown connection handle 266
> [  437.205794] Bluetooth: hci0 SCO packet for unknown connection handle 266
> [  469.246674] sudip: in else
> [  469.246722] xhci_hcd 0000:00:14.0: dma_pool_alloc xHCI ring segments, ef9d6000 (corrupted)
> [  469.247009] 00000770: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247011] 00000780: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247013] 00000790: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247016] 000007a0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247018] 000007b0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247020] 000007c0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247023] 000007d0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247025] 000007e0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247027] 000007f0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247030] 00000800: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247032] 00000810: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247034] 00000820: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247037] 00000830: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247039] 00000840: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247041] 00000850: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247044] 00000860: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247046] 00000870: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247049] 00000880: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247051] 00000890: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247053] 000008a0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247056] 000008b0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247058] 000008c0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247060] 000008d0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247063] 000008e0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247065] 000008f0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247068] 00000900: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247070] 00000910: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247072] 00000920: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247075] 00000930: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247077] 00000940: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247079] 00000950: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247082] 00000960: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247084] 00000970: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247086] 00000980: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247089] 00000990: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247091] 000009a0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247094] 000009b0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247096] 000009c0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247098] 000009d0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247101] 000009e0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247103] 000009f0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247105] 00000a00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247108] 00000a10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247110] 00000a20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247112] 00000a30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247115] 00000a40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247117] 00000a50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247120] 00000a60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247122] 00000a70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247124] 00000a80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247127] 00000a90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247129] 00000aa0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247131] 00000ab0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247134] 00000ac0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247136] 00000ad0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247139] 00000ae0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247141] 00000af0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247143] 00000b00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247146] 00000b10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247148] 00000b20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247150] 00000b30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247153] 00000b40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247155] 00000b50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247158] 00000b60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247160] 00000b70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247162] 00000b80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247165] 00000b90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247167] 00000ba0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247169] 00000bb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247172] 00000bc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247174] 00000bd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247176] 00000be0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247179] 00000bf0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247181] 00000c00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247184] 00000c10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247186] 00000c20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247188] 00000c30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247191] 00000c40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247193] 00000c50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247195] 00000c60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247198] 00000c70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247200] 00000c80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247202] 00000c90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247205] 00000ca0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247207] 00000cb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247209] 00000cc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247212] 00000cd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247214] 00000ce0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247216] 00000cf0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247219] 00000d00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247221] 00000d10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247224] 00000d20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247226] 00000d30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247228] 00000d40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247231] 00000d50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247233] 00000d60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247235] 00000d70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247238] 00000d80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247240] 00000d90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247242] 00000da0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247245] 00000db0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247247] 00000dc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247249] 00000dd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247252] 00000de0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247254] 00000df0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247257] 00000e00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247259] 00000e10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247261] 00000e20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247264] 00000e30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247266] 00000e40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247268] 00000e50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247271] 00000e60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247273] 00000e70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247276] 00000e80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247278] 00000e90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247280] 00000ea0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247283] 00000eb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247285] 00000ec0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247287] 00000ed0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247290] 00000ee0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247292] 00000ef0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247295] 00000f00: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247297] 00000f10: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247299] 00000f20: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247302] 00000f30: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247304] 00000f40: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247306] 00000f50: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247309] 00000f60: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247311] 00000f70: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247313] 00000f80: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247316] 00000f90: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247318] 00000fa0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247321] 00000fb0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247323] 00000fc0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247325] 00000fd0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247328] 00000fe0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> [  469.247330] 00000ff0: a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7 a7  ................
> 
> diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> index 7cd4ec33dbf4..6ba32f4d3b8b 100644
> --- a/drivers/usb/core/message.c
> +++ b/drivers/usb/core/message.c
> @@ -1338,6 +1338,17 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
>  		return -EINVAL;
>  	}
>  
> +	if (iface->cur_altsetting == alt) {
> +		/*
> +		 * foolish bluetooth stack, don't try to set a setting you are
> +		 * already set to...
> +		 */
> +		pr_err("sudip: returning\n");
> +		return 0;
> +	} else {
> +		pr_err("sudip: in else\n");
> +	}
> +
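
Review bot: the two pr_err("sudip: ...") calls, and the else branch that exists only to hold one of them, are debugging scaffolding and should not stay in usb_set_interface(). If a trace is wanted at this point, make it a dev_dbg() that prints the interface and altsetting numbers, and drop the else. The early return 0 also reports success without running anything further in the function, so a caller cannot tell a skipped request from one that was carried out.
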
Ok, never mind, then how does your patch work?  The interface is or is
not being asked to be changed?

confused,

greg k-h
* usb HC busted?
@ 2018-07-17 14:28 Alan Stern
  0 siblings, 0 replies; 39+ messages in thread
From: Alan Stern @ 2018-07-17 14:28 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Mathias Nyman, Andy Shevchenko, Andy Shevchenko, Mathias Nyman,
	linux-usb, lukaszx.szulc, Christoph Hellwig, Marek Szyprowski,
	iommu
On Tue, 17 Jul 2018, Sudip Mukherjee wrote:
> I did some more debugging. Tested with a KASAN enabled kernel and that
> shows the problem. The report is attached.
> 
> To my understanding:
> 
> btusb_work() is calling usb_set_interface() with alternate = 0. which
> again calls usb_hcd_alloc_bandwidth() and that frees the rings by
> xhci_free_endpoint_ring().

That doesn't sound like the right thing to do.  The rings shouldn't be 
freed until xhci_endpoint_disable() is called.  

On the other hand, there doesn't appear to be any 
xhci_endpoint_disable() routine, although a comment refers to it.  
Maybe this is the real problem?

Alan Stern

> But then usb_set_interface() continues and
> calls usb_disable_interface() -> usb_hcd_flush_endpoint()->unlink1()->
> xhci_urb_dequeue() which at the end gives the command to stop endpoint.
> 
> In all the cycles I have tested I see that only in the fail case
> handle_cmd_completion() gets called, but in the cycles where the error
> is not there handle_cmd_completion() is not called with that command.
> 
> I am not sure what is happening, and you are the best person to understand
> what is happening. :)
> 
> But for now (until you are back from holiday and suggest a proper solution),
> I made a hacky patch (attached) which is working and I do not get any
> corruption after that. Both KASAN and slub debug are also happy.
> 
> So, now waiting for you to analyze what is going on and suggest a proper
> fix.
> 
> Thanks in advance.
> 
> --
> Regards
> Sudip
>
* usb HC busted?
@ 2018-07-17 14:31 Alan Stern
  0 siblings, 0 replies; 39+ messages in thread
From: Alan Stern @ 2018-07-17 14:31 UTC (permalink / raw)
  To: Greg KH
  Cc: Sudip Mukherjee, Mathias Nyman, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
On Tue, 17 Jul 2018, Greg KH wrote:
> > From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > Date: Tue, 10 Jul 2018 09:50:00 +0100
> > Subject: [PATCH] hacky solution to mem-corruption
> > 
> > Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > ---
> >  drivers/usb/core/message.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> > index 7cd4ec33dbf4..7fdf7a27611d 100644
> > --- a/drivers/usb/core/message.c
> > +++ b/drivers/usb/core/message.c
> > @@ -1398,7 +1398,8 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
> >  		remove_intf_ep_devs(iface);
> >  		usb_remove_sysfs_intf_files(iface);
> >  	}
> > -	usb_disable_interface(dev, iface, true);
> > +	if (!(iface->cur_altsetting && alt))
> > +		usb_disable_interface(dev, iface, true);
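
Review bot: the new condition guarding usb_disable_interface(), !(iface->cur_altsetting && alt), only tests that both pointers are non-NULL, not that they refer to the same setting, so the disable is skipped for every switch between two valid altsettings rather than just for re-selecting the current one. If the re-select case is what is meant, compare the pointers (iface->cur_altsetting == alt), and add a comment saying why the disable is unsafe there, since neither the hunk nor the changelog explains it.
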
> 
> 
> 
> This feels like a "correct" patch anyway, why would a driver keep
> calling set_interface to an interface that it was already set to?
> 
> But can't we check for this higher up in the function?  This hack will
> just not disable an interface but it will do all of the other stuff
> being asked for.  Does the patch below also solve this for you?  It's
> not a good solution of course, but it might work around the problem a
> bit better.
> 
> thanks,
> 
> greg k-h
> 
> diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> index 1a15392326fc..0f718f1a1ca3 100644
> --- a/drivers/usb/core/message.c
> +++ b/drivers/usb/core/message.c
> @@ -1376,6 +1376,14 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
>  		return -EINVAL;
>  	}
>  
> +	if (iface->cur_altsetting == alt) {
> +		/*
> +		 * foolish bluetooth stack, don't try to set a setting you are
> +		 * already set to...
> +		 */
> +		return 0;
> +	}
> +
>  	/* Make sure we have enough bandwidth for this alternate interface.
>  	 * Remove the current alt setting and add the new alt setting.
>  	 */
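
Review bot: the early return 0 for iface->cur_altsetting == alt sits above the bandwidth step described in the trailing comment, so re-selecting the current altsetting now does nothing at all yet still reports success. A caller that re-selects the current setting on purpose loses that behaviour silently. If the shortcut is kept, it should be limited to the caller that triggers the problem rather than placed in the core function, and the comment should state the failure being avoided instead of naming the bluetooth stack.
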
No, neither of these is right.  It's possible to use 
usb_set_interface() as a kind of "soft" reset.  Even when the new 
altsetting is specified to be the same as the current one, we still 
have to tell the lower-layer drivers and hardware about it.

Alan Stern
* usb HC busted?
@ 2018-07-17 14:40 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-07-17 14:40 UTC (permalink / raw)
  To: Alan Stern
  Cc: Mathias Nyman, Andy Shevchenko, Andy Shevchenko, Mathias Nyman,
	linux-usb, lukaszx.szulc, Christoph Hellwig, Marek Szyprowski,
	iommu
Hi Alan,
On Tue, Jul 17, 2018 at 10:28:14AM -0400, Alan Stern wrote:
> On Tue, 17 Jul 2018, Sudip Mukherjee wrote:
> 
> > I did some more debugging. Tested with a KASAN enabled kernel and that
> > shows the problem. The report is attached.
> > 
> > To my understanding:
> > 
> > btusb_work() is calling usb_set_interface() with alternate = 0. which
> > again calls usb_hcd_alloc_bandwidth() and that frees the rings by
> > xhci_free_endpoint_ring().
> 
> That doesn't sound like the right thing to do.  The rings shouldn't be 
> freed until xhci_endpoint_disable() is called.  
> 
> On the other hand, there doesn't appear to be any 
> xhci_endpoint_disable() routine, although a comment refers to it.  
> Maybe this is the real problem?

One of your old mails might help :)

https://www.spinics.net/lists/linux-usb/msg98123.html

---
Regards
Sudip
* usb HC busted?
@ 2018-07-17 14:49 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-07-17 14:49 UTC (permalink / raw)
  To: Alan Stern
  Cc: Mathias Nyman, Andy Shevchenko, Andy Shevchenko, Mathias Nyman,
	linux-usb, lukaszx.szulc, Christoph Hellwig, Marek Szyprowski,
	iommu
On Tue, Jul 17, 2018 at 03:40:22PM +0100, Sudip Mukherjee wrote:
> Hi Alan,
> 
> On Tue, Jul 17, 2018 at 10:28:14AM -0400, Alan Stern wrote:
> > On Tue, 17 Jul 2018, Sudip Mukherjee wrote:
> > 
> > > I did some more debugging. Tested with a KASAN enabled kernel and that
> > > shows the problem. The report is attached.
> > > 
> > > To my understanding:
> > > 
> > > btusb_work() is calling usb_set_interface() with alternate = 0. which
> > > again calls usb_hcd_alloc_bandwidth() and that frees the rings by
> > > xhci_free_endpoint_ring().
> > 
> > That doesn't sound like the right thing to do.  The rings shouldn't be 
> > freed until xhci_endpoint_disable() is called.  
> > 
> > On the other hand, there doesn't appear to be any 
> > xhci_endpoint_disable() routine, although a comment refers to it.  
> > Maybe this is the real problem?
> 
> one of your old mail might help :)
> 
> https://www.spinics.net/lists/linux-usb/msg98123.html

Wrote too soon.

Is it the one you are looking for -
usb_disable_endpoint() is in drivers/usb/core/message.c

---
Regards
Sudip
* usb HC busted?
@ 2018-07-17 15:08 Alan Stern
  0 siblings, 0 replies; 39+ messages in thread
From: Alan Stern @ 2018-07-17 15:08 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Mathias Nyman, Andy Shevchenko, Andy Shevchenko, Mathias Nyman,
	linux-usb, lukaszx.szulc, Christoph Hellwig, Marek Szyprowski,
	iommu
On Tue, 17 Jul 2018, Sudip Mukherjee wrote:
> On Tue, Jul 17, 2018 at 03:40:22PM +0100, Sudip Mukherjee wrote:
> > Hi Alan,
> > 
> > On Tue, Jul 17, 2018 at 10:28:14AM -0400, Alan Stern wrote:
> > > On Tue, 17 Jul 2018, Sudip Mukherjee wrote:
> > > 
> > > > I did some more debugging. Tested with a KASAN enabled kernel and that
> > > > shows the problem. The report is attached.
> > > > 
> > > > To my understanding:
> > > > 
> > > > btusb_work() is calling usb_set_interface() with alternate = 0. which
> > > > again calls usb_hcd_alloc_bandwidth() and that frees the rings by
> > > > xhci_free_endpoint_ring().
> > > 
> > > That doesn't sound like the right thing to do.  The rings shouldn't be 
> > > freed until xhci_endpoint_disable() is called.  
> > > 
> > > On the other hand, there doesn't appear to be any 
> > > xhci_endpoint_disable() routine, although a comment refers to it.  
> > > Maybe this is the real problem?
> > 
> > one of your old mail might help :)
> > 
> > https://www.spinics.net/lists/linux-usb/msg98123.html

That message seems to say the same thing as what I just wrote, more or 
less.

> Wrote too soon.
> 
> Is it the one you are looking for -
> usb_disable_endpoint() is in drivers/usb/core/message.c

No, I'm talking about xhci_endpoint_disable(), which would be called by 
usb_hcd_disable_endpoint() if it existed.  Of course, 
usb_hcd_disable_endpoint() is called by usb_disable_endpoint().

Alan Stern
* usb HC busted?
@ 2018-07-17 15:10 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-07-17 15:10 UTC (permalink / raw)
  To: Alan Stern, Greg KH
  Cc: Mathias Nyman, Andy Shevchenko, Andy Shevchenko, Mathias Nyman,
	linux-usb, lukaszx.szulc, Christoph Hellwig, Marek Szyprowski,
	iommu
Hi Alan, Greg,
On Tue, Jul 17, 2018 at 03:49:18PM +0100, Sudip Mukherjee wrote:
> On Tue, Jul 17, 2018 at 03:40:22PM +0100, Sudip Mukherjee wrote:
> > Hi Alan,
> > 
> > On Tue, Jul 17, 2018 at 10:28:14AM -0400, Alan Stern wrote:
> > > On Tue, 17 Jul 2018, Sudip Mukherjee wrote:
> > > 
> > > > I did some more debugging. Tested with a KASAN enabled kernel and that
> > > > shows the problem. The report is attached.
> > > > 
> > > > To my understanding:
> > > > 
> > > > btusb_work() is calling usb_set_interface() with alternate = 0. which
> > > > again calls usb_hcd_alloc_bandwidth() and that frees the rings by
> > > > xhci_free_endpoint_ring().
> > > 
> > > That doesn't sound like the right thing to do.  The rings shouldn't be 
> > > freed until xhci_endpoint_disable() is called.  
> > > 
> > > On the other hand, there doesn't appear to be any 
> > > xhci_endpoint_disable() routine, although a comment refers to it.  
> > > Maybe this is the real problem?
> > 
> > one of your old mail might help :)
> > 
> > https://www.spinics.net/lists/linux-usb/msg98123.html
> 
> Wrote too soon.
> 
> Is it the one you are looking for -
> usb_disable_endpoint() is in drivers/usb/core/message.c

I think now I understand what the problem is.

usb_set_interface() calls usb_disable_interface() which again calls
usb_disable_endpoint(). This usb_disable_endpoint() gets the pointer
to 'ep', marks it as NULL and sends the pointer to usb_hcd_flush_endpoint().
After flushing the endpoints usb_disable_endpoint() calls
usb_hcd_disable_endpoint() which tries to do:

	if (hcd->driver->endpoint_disable)
		hcd->driver->endpoint_disable(hcd, ep);

but there is no endpoint_disable() callback in xhci, so the endpoint is
never marked as disabled. So, next time usb_hcd_flush_endpoint() is
called I get this corruption.

And this is exactly where I used to see the problem happening.

And, my hacky patch worked as I prevented it from calling
usb_disable_interface() in this particular case.

Greg - answering your question here. My hacky patch was based on the
fact that usb_hcd_alloc_bandwidth() is calling hcd->driver->drop_endpoint()
and hcd->driver->add_endpoint() if (cur_alt && new_alt). So, I prevented
usb_disable_interface() from being called for that same condition. And that
worked as the call to usb_hcd_flush_endpoint() was not executed.

I know it is not correct and I might be having memory leaks for this, but
I have the system working till we get the actual fix.
---
Regards
Sudip
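
A user-space model of the teardown ordering discussed in the message above, added here as an illustration; it is not kernel code and not from any poster, and every model_* name is hypothetical. It counts pending URBs that still reference a ring freed during the bandwidth step, compared with a driver that defers the free to an optional endpoint_disable callback.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_MAX_URBS 4

/* One transfer ring per endpoint. "generation" changes each time the ring is
 * freed and reallocated, standing in for a fresh allocation. */
struct model_ring {
	unsigned int generation;
	bool allocated;
};

struct model_urb {
	unsigned int ring_generation;	/* ring the URB was queued on */
};

struct model_ep {
	struct model_ring ring;
	struct model_urb pending[MODEL_MAX_URBS];
	size_t nr_pending;
};

struct model_hcd_driver {
	bool free_ring_in_drop;				/* ring freed in bandwidth step */
	void (*endpoint_disable)(struct model_ep *ep);	/* optional, may be NULL */
};

static void model_ring_replace(struct model_ep *ep)
{
	ep->ring.allocated = false;	/* old ring is gone ... */
	ep->ring.generation++;		/* ... and a new one takes its place */
	ep->ring.allocated = true;
}

static bool model_queue_urb(struct model_ep *ep)
{
	if (!ep->ring.allocated || ep->nr_pending == MODEL_MAX_URBS)
		return false;
	ep->pending[ep->nr_pending++].ring_generation = ep->ring.generation;
	return true;
}

/* Stand-in for the bandwidth step: drop the old endpoint, add the new one. */
static void model_alloc_bandwidth(const struct model_hcd_driver *drv,
				  struct model_ep *ep)
{
	if (drv->free_ring_in_drop)
		model_ring_replace(ep);
}

/* Stand-in for the flush: cancel every pending URB. Returns how many of them
 * refer to a ring that no longer exists (a use-after-free in a real driver). */
static size_t model_flush_endpoint(struct model_ep *ep)
{
	size_t stale = 0;

	for (size_t i = 0; i < ep->nr_pending; i++)
		if (ep->pending[i].ring_generation != ep->ring.generation)
			stale++;
	ep->nr_pending = 0;
	return stale;
}

static void model_disable_endpoint(const struct model_hcd_driver *drv,
				   struct model_ep *ep)
{
	/* Same shape as the optional-callback dispatch quoted in the thread. */
	if (drv->endpoint_disable)
		drv->endpoint_disable(ep);
}

/* Re-select the current altsetting with n URBs in flight; returns the number
 * of URBs the flush found attached to an already-freed ring. */
size_t model_set_interface(const struct model_hcd_driver *drv, size_t n)
{
	struct model_ep ep = { .ring = { .generation = 1, .allocated = true } };
	size_t stale;

	for (size_t i = 0; i < n; i++)
		model_queue_urb(&ep);

	model_alloc_bandwidth(drv, &ep);	/* may free the ring early */
	stale = model_flush_endpoint(&ep);	/* walks the pending URBs */
	model_disable_endpoint(drv, &ep);	/* deferred free, if provided */
	return stale;
}

/* Ring freed during the bandwidth step, no endpoint_disable callback. */
const struct model_hcd_driver model_early_free = {
	.free_ring_in_drop = true,
	.endpoint_disable = NULL,
};

/* Ring kept until the endpoint_disable callback runs, after the flush. */
const struct model_hcd_driver model_deferred_free = {
	.free_ring_in_drop = false,
	.endpoint_disable = model_ring_replace,
};

int main(void)
{
	printf("early free:    %zu stale URB(s)\n",
	       model_set_interface(&model_early_free, 3));
	printf("deferred free: %zu stale URB(s)\n",
	       model_set_interface(&model_deferred_free, 3));
	return 0;
}
```
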
* usb HC busted?
@ 2018-07-17 15:52 Greg Kroah-Hartman
  0 siblings, 0 replies; 39+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-17 15:52 UTC (permalink / raw)
  To: Alan Stern
  Cc: Sudip Mukherjee, Mathias Nyman, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
On Tue, Jul 17, 2018 at 10:31:38AM -0400, Alan Stern wrote:
> On Tue, 17 Jul 2018, Greg KH wrote:
> 
> > > From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > > Date: Tue, 10 Jul 2018 09:50:00 +0100
> > > Subject: [PATCH] hacky solution to mem-corruption
> > > 
> > > Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > > ---
> > >  drivers/usb/core/message.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> > > index 7cd4ec33dbf4..7fdf7a27611d 100644
> > > --- a/drivers/usb/core/message.c
> > > +++ b/drivers/usb/core/message.c
> > > @@ -1398,7 +1398,8 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
> > >  		remove_intf_ep_devs(iface);
> > >  		usb_remove_sysfs_intf_files(iface);
> > >  	}
> > > -	usb_disable_interface(dev, iface, true);
> > > +	if (!(iface->cur_altsetting && alt))
> > > +		usb_disable_interface(dev, iface, true);
> > 
> > 
> > 
> > This feels like a "correct" patch anyway, why would a driver keep
> > calling set_interface to an interface that it was already set to?
> > 
> > But can't we check for this higher up in the function?  This hack will
> > just not disable an interface but it will do all of the other stuff
> > being asked for.  Does the patch below also solve this for you?  It's
> > not a good solution of course, but it might work around the problem a
> > bit better.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> > index 1a15392326fc..0f718f1a1ca3 100644
> > --- a/drivers/usb/core/message.c
> > +++ b/drivers/usb/core/message.c
> > @@ -1376,6 +1376,14 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate)
> >  		return -EINVAL;
> >  	}
> >  
> > +	if (iface->cur_altsetting == alt) {
> > +		/*
> > +		 * foolish bluetooth stack, don't try to set a setting you are
> > +		 * already set to...
> > +		 */
> > +		return 0;
> > +	}
> > +
> >  	/* Make sure we have enough bandwidth for this alternate interface.
> >  	 * Remove the current alt setting and add the new alt setting.
> >  	 */
> 
> No, neither of these is right.  It's possible to use 
> usb_set_interface() as a kind of "soft" reset.  Even when the new 
> altsetting is specified to be the same as the current one, we still 
> have to tell the lower-layer drivers and hardware about it.

You are right, it's a hacky soft reset, I was just trying to figure out
what the bluetooth driver was trying to do.  I wouldn't expect it to be
calling that function a lot, but I guess it does :(

thanks,

greg k-h
* usb HC busted?
@ 2018-07-17 15:59 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-07-17 15:59 UTC (permalink / raw)
  To: Greg KH
  Cc: Alan Stern, Mathias Nyman, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
On Tue, Jul 17, 2018 at 05:52:59PM +0200, Greg KH wrote:
> On Tue, Jul 17, 2018 at 10:31:38AM -0400, Alan Stern wrote:
> > On Tue, 17 Jul 2018, Greg KH wrote:
> > 
> > > > From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > > > Date: Tue, 10 Jul 2018 09:50:00 +0100
> > > > Subject: [PATCH] hacky solution to mem-corruption
> > > > 
> > > > Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > > > ---
<snip>
> > 
> > No, neither of these is right.  It's possible to use 
> > usb_set_interface() as a kind of "soft" reset.  Even when the new 
> > altsetting is specified to be the same as the current one, we still 
> > have to tell the lower-layer drivers and hardware about it.
> 
> You are right, it's a hacky soft reset, I was just trying to figure out
> what the bluetooth driver was trying to do.  I wouldn't expect it to be
> calling that function a lot, but I guess it does :(
usb_set_interface() is being called two times from bluetooth event. But
I am now adding more debugs to see why your patch did not work.
---
Regards
Sudip
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-07-17 17:01 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-07-17 17:01 UTC (permalink / raw)
  To: Greg KH
  Cc: Alan Stern, Mathias Nyman, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
On Tue, Jul 17, 2018 at 04:59:01PM +0100, Sudip Mukherjee wrote:
> On Tue, Jul 17, 2018 at 05:52:59PM +0200, Greg KH wrote:
> > On Tue, Jul 17, 2018 at 10:31:38AM -0400, Alan Stern wrote:
> > > On Tue, 17 Jul 2018, Greg KH wrote:
> > > 
> > > > > From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > > > > Date: Tue, 10 Jul 2018 09:50:00 +0100
> > > > > Subject: [PATCH] hacky solution to mem-corruption
> > > > > 
> > > > > Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> > > > > ---
> <snip>
> > > 
> > > No, neither of these is right.  It's possible to use 
> > > usb_set_interface() as a kind of "soft" reset.  Even when the new 
> > > altsetting is specified to be the same as the current one, we still 
> > > have to tell the lower-layer drivers and hardware about it.
> > 
> > You are right, it's a hacky soft reset, I was just trying to figure out
> > what the bluetooth driver was trying to do.  I wouldn't expect it to be
> > calling that function a lot, but I guess it does :(
> 
> usb_set_interface() is being called two times from bluetooth event. But
> I am now adding more debugs to see why your patch did not work.
So, a very simple debug to see the sequence of functions being called.
I have attached the patch I used.
In a good case:
[  124.287991] sudip: xhci_urb_dequeue
[  124.287997] sudip: xhci_queue_stop_endpoint cmd=ee032950
[  124.288016] sudip: handle_cmd_completion cmd=ee032950
[  124.288173] sudip: xhci_urb_dequeue
[  124.288176] sudip: xhci_queue_stop_endpoint cmd=ee032950
[  124.288189] sudip: handle_cmd_completion cmd=ee032950
[  124.290647] sudip: usb_hcd_flush_endpoint
[  124.290652] sudip: usb_hcd_flush_endpoint
But in a bad case:
[  186.786900] sudip: xhci_urb_dequeue
[  186.786905] sudip: xhci_queue_stop_endpoint cmd=ebe47cb0
[  186.786923] sudip: handle_cmd_completion cmd=ebe47cb0
[  186.789040] sudip: xhci_urb_dequeue
[  186.789047] sudip: xhci_queue_stop_endpoint cmd=ebe47cb0
[  186.789069] sudip: handle_cmd_completion cmd=ebe47cb0
[  186.790082] sudip: usb_hcd_flush_endpoint
[  186.790094] sudip: xhci_urb_dequeue
[  186.790097] sudip: xhci_queue_stop_endpoint cmd=ebe47290
[  186.790150] sudip: handle_cmd_completion cmd=ebe47290
[  186.790202] sudip: usb_hcd_flush_endpoint
So, when usb_hcd_flush_endpoint() is called by usb_disable_endpoint() it
finds urbs still on the urb_list of the ep. And in the process of unlinking
them, it again sends the command to stop the endpoint, although that endpoint
has already been stopped.
So Greg's patch did not work as the memory got corrupted on the first call
to usb_set_interface(), whereas that patch was preventing the second call
to usb_set_interface().
---
Regards
Sudip
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index 467bedeb542a..8d28f120ec0a 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -1885,6 +1885,7 @@ void usb_hcd_flush_endpoint(struct usb_device *udev,
 	might_sleep();
 	hcd = bus_to_hcd(udev->bus);
 
+	pr_err("sudip: %s\n", __func__);
 	/* No more submits can occur */
 	spin_lock_irq(&hcd_urb_list_lock);
 rescan:
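Review bot: the pr_err() added to usb_hcd_flush_endpoint() prints only `__func__`, so two flushes in a row cannot be told apart by endpoint in the resulting log. Print the endpoint being flushed next to the function name, and use a device-bound debug print (dev_dbg() on `udev`) instead of pr_err() with a personal prefix.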
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 6996235e34a9..4f80791fdfc5 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1450,6 +1450,7 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
 	case TRB_STOP_RING:
 		WARN_ON(slot_id != TRB_TO_SLOT_ID(
 				le32_to_cpu(cmd_trb->generic.field[3])));
+		pr_err("sudip: %s cmd=%p\n", __func__, cmd);
 		xhci_handle_cmd_stop_ep(xhci, slot_id, cmd_trb, event);
 		break;
 	case TRB_SET_DEQ:
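Review bot: in the TRB_STOP_RING case the trace prints `cmd` but not `slot_id`, which is already in scope for the WARN_ON just above; the command pointer alone does not say which device the completed stop belongs to. Add `slot_id` to the format string.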
@@ -4009,6 +4010,7 @@ int xhci_queue_stop_endpoint(struct xhci_hcd *xhci, struct xhci_command *cmd,
 	u32 type = TRB_TYPE(TRB_STOP_RING);
 	u32 trb_suspend = SUSPEND_PORT_FOR_TRB(suspend);
 
+	pr_err("sudip: %s cmd=%p\n", __func__, cmd);
 	return queue_command(xhci, cmd, 0, 0, 0,
 			trb_slot_id | trb_ep_index | type | trb_suspend, false);
 }
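Review bot: the trace in xhci_queue_stop_endpoint() identifies the request only by the `cmd` pointer, although `trb_slot_id` and `trb_ep_index` are combined into the TRB on the very next statement. Print the slot and endpoint index as well, so a stop command can be matched to the endpoint it targets.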
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index db1de6113db2..3832128107ff 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1516,6 +1516,7 @@ static int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
 		ep->stop_cmd_timer.expires = jiffies +
 			XHCI_STOP_EP_CMD_TIMEOUT * HZ;
 		add_timer(&ep->stop_cmd_timer);
+		pr_err("sudip: %s\n", __func__);
 		xhci_queue_stop_endpoint(xhci, command, urb->dev->slot_id,
 					 ep_index, 0);
 		xhci_ring_cmd_db(xhci);
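Review bot: the trace in xhci_urb_dequeue() sits, judging by the indentation, inside the block that queues the stop-endpoint command, so a dequeue that does not reach that block leaves no line in the log, and the line that is printed names neither `urb` nor `ep_index`. Print both here, or move the trace to the point where the function is entered.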
^ permalink raw reply related	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-07-19 10:59 Mathias Nyman
  0 siblings, 0 replies; 39+ messages in thread
From: Mathias Nyman @ 2018-07-19 10:59 UTC (permalink / raw)
  To: Sudip Mukherjee, Alan Stern, Greg KH
  Cc: Andy Shevchenko, Andy Shevchenko, Mathias Nyman, linux-usb,
	lukaszx.szulc, Christoph Hellwig, Marek Szyprowski, iommu
On 17.07.2018 18:10, Sudip Mukherjee wrote:
> Hi Alan, Greg,
> 
> On Tue, Jul 17, 2018 at 03:49:18PM +0100, Sudip Mukherjee wrote:
>> On Tue, Jul 17, 2018 at 03:40:22PM +0100, Sudip Mukherjee wrote:
>>> Hi Alan,
>>>
>>> On Tue, Jul 17, 2018 at 10:28:14AM -0400, Alan Stern wrote:
>>>> On Tue, 17 Jul 2018, Sudip Mukherjee wrote:
>>>>
>>>>> I did some more debugging. Tested with a KASAN enabled kernel and that
>>>>> shows the problem. The report is attached.
>>>>>
>>>>> To my understanding:
>>>>>
>>>>> btusb_work() is calling usb_set_interface() with alternate = 0. which
>>>>> again calls usb_hcd_alloc_bandwidth() and that frees the rings by
>>>>> xhci_free_endpoint_ring().
>>>>
>>>> That doesn't sound like the right thing to do.  The rings shouldn't be
>>>> freed until xhci_endpoint_disable() is called.
>>>>
>>>> On the other hand, there doesn't appear to be any
>>>> xhci_endpoint_disable() routine, although a comment refers to it.
>>>> Maybe this is the real problem?
>>>
>>> one of your old mail might help :)
>>>
>>> https://www.spinics.net/lists/linux-usb/msg98123.html
>>
>> Wrote too soon.
>>
>> Is it the one you are looking for -
>> usb_disable_endpoint() is in drivers/usb/core/message.c
> 
> I think now I understand what the problem is.
> usb_set_interface() calls usb_disable_interface() which again calls
> usb_disable_endpoint(). This usb_disable_endpoint() gets the pointer
> to 'ep', marks it as NULL and sends the pointer to usb_hcd_flush_endpoint().
> After flushing the endpoints usb_disable_endpoint() calls
> usb_hcd_disable_endpoint() which tries to do:
> 	if (hcd->driver->endpoint_disable)
> 		hcd->driver->endpoint_disable(hcd, ep);
> but there is no endpoint_disable() callback in xhci, so the endpoint is
> never marked as disabled. So, next time usb_hcd_flush_endpoint() is
> called I get this corruption.
> And this is exactly where I used to see the problem happening.
> 
> And, my hacky patch worked as I prevented it from calling
> usb_disable_interface() in this particular case.
> 
Back for a few days, looking at this
xhci driver will set up all the endpoints for the new altsetting already in
usb_hcd_alloc_bandwidth().
New endpoints will be ready and rings running after this. I don't know the exact
history behind this, but I assume it is because xhci does all of the steps to
drop/add, disable/enable endpoints and check bandwidth in a single configure
endpoint command, that will return errors if there is not enough bandwidth.
This command is issued in hcd->driver->check_bandwidth()
This means that xhci doesn't really do much in hcd->driver->endpoint_disable or
hcd->driver->endpoint_enable
It also means that xhci driver assumes rings are empty when
hcd->driver->check_bandwidth is called. It will bluntly free dropped rings.
If there are URBs left on an endpoint ring that was dropped+added
(freed+reallocated) then those URBs will contain pointers to freed ring,
causing issues when usb_hcd_flush_endpoint() cancels those URBs.
usb_set_interface()
   usb_hcd_alloc_bandwidth()
     hcd->driver->drop_endpoint()
     hcd->driver->add_endpoint() // allocates new rings
     hcd->driver->check_bandwidth() // issues configure endpoint command, free rings.
   usb_disable_interface(iface, true)
     usb_disable_endpoint()
       usb_hcd_flush_endpoint() // will access freed ring if URBs found!!
       usb_hcd_disable_endpoint()
         hcd->driver->endpoint_disable()  // xhci does nothing
   usb_enable_interface(iface, true)
     usb_enable_endpoint(ep_addrss, true) // not really doing much on xhci side.
As first aid I could try to implement checks that make sure the flushed URBs
trb pointers really are on the current endpoint ring, and also add some warning
if we are dropping endpoints with URBs still queued.
But we need to fix this properly as well.
xhci needs to be more in sync with usb core in usb_set_interface(), currently xhci
has the altsetting up and running when usb core hasn't even started flushing endpoints.
-Mathias
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-07-19 11:34 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-07-19 11:34 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Alan Stern, Greg KH, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
Hi Mathias,
On Thu, Jul 19, 2018 at 01:59:01PM +0300, Mathias Nyman wrote:
> On 17.07.2018 18:10, Sudip Mukherjee wrote:
> > Hi Alan, Greg,
> > 
> > On Tue, Jul 17, 2018 at 03:49:18PM +0100, Sudip Mukherjee wrote:
> > > On Tue, Jul 17, 2018 at 03:40:22PM +0100, Sudip Mukherjee wrote:
> > > > Hi Alan,
> > > > 
> > > > On Tue, Jul 17, 2018 at 10:28:14AM -0400, Alan Stern wrote:
> > > > > On Tue, 17 Jul 2018, Sudip Mukherjee wrote:
> > > > > 
> > > > > > I did some more debugging. Tested with a KASAN enabled kernel and that
> > > > > > shows the problem. The report is attached.
> > > > > > 
<snip>
> > 
> > And, my hacky patch worked as I prevented it from calling
> > usb_disable_interface() in this particular case.
> > 
> 
> Back for a few days, looking at this
I hope you had a good holiday. :)
> 
> xhci driver will set up all the endpoints for the new altsetting already in
> usb_hcd_alloc_bandwidth().
> 
<snip>
> 
> As first aid I could try to implement checks that make sure the flushed URBs
> trb pointers really are on the current endpoint ring, and also add some warning
> if we are dropping endpoints with URBs still queued.
Yes, please. I think your first-aid will be a much better option than
the hacky patch I am using atm.
> 
> But we need to fix this properly as well.
> xhci needs to be more in sync with usb core in usb_set_interface(), currently xhci
> has the altsetting up and running when usb core hasn't even started flushing endpoints.
I am able to reproduce this on almost all cycles, so I can always test
the fix for you after you are fully back from your holiday.
---
Regards
Sudip
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-07-19 14:57 Alan Stern
  0 siblings, 0 replies; 39+ messages in thread
From: Alan Stern @ 2018-07-19 14:57 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Sudip Mukherjee, Greg KH, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
On Thu, 19 Jul 2018, Mathias Nyman wrote:
> xhci driver will set up all the endpoints for the new altsetting already in
> usb_hcd_alloc_bandwidth().
> 
> New endpoints will be ready and rings running after this. I don't know the exact
> history behind this, but I assume it is because xhci does all of the steps to
> drop/add, disable/enable endpoints and check bandwidth in a single configure
> endpoint command, that will return errors if there is not enough bandwidth.
That's right; Sarah and I spent some time going over this while she was 
working on it.  But it looks like the approach isn't adequate.
> This command is issued in hcd->driver->check_bandwidth()
> This means that xhci doesn't really do much in hcd->driver->endpoint_disable or
> hcd->driver->endpoint_enable
> 
> It also means that xhci driver assumes rings are empty when
> hcd->driver->check_bandwidth is called. It will bluntly free dropped rings.
> If there are URBs left on an endpoint ring that was dropped+added
> (freed+reallocated) then those URBs will contain pointers to freed ring,
> causing issues when usb_hcd_flush_endpoint() cancels those URBs.
> 
> usb_set_interface()
>    usb_hcd_alloc_bandwidth()
>      hcd->driver->drop_endpoint()
>      hcd->driver->add_endpoint() // allocates new rings
>      hcd->driver->check_bandwidth() // issues configure endpoint command, free rings.
>    usb_disable_interface(iface, true)
>      usb_disable_endpoint()
>        usb_hcd_flush_endpoint() // will access freed ring if URBs found!!
>        usb_hcd_disable_endpoint()
>          hcd->driver->endpoint_disable()  // xhci does nothing
>    usb_enable_interface(iface, true)
>      usb_enable_endpoint(ep_addrss, true) // not really doing much on xhci side.
> 
> As first aid I could try to implement checks that make sure the flushed URBs
> trb pointers really are on the current endpoint ring, and also add some warning
> if we are dropping endpoints with URBs still queued.
> 
> But we need to fix this properly as well.
> xhci needs to be more in sync with usb core in usb_set_interface(), currently xhci
> has the altsetting up and running when usb core hasn't even started flushing endpoints.
Absolutely.  The core tries to be compatible with host controller
drivers that either allocate bandwidth as it is requested or else
allocate bandwidth all at once when an altsetting is installed.  
xhci-hcd falls into the second category.  However, this approach
requires the bandwidth verification for the new altsetting to be
performed before the old altsetting has been disabled, and the xHCI
hardware can't do this.
We may need to change the core so that the old endpoints are disabled 
before the bandwidth check is done, instead of after.  Of course, this 
leads to an awkward situation if the check fails -- we'd probably have 
to go back and re-install the old altsetting.
Alan Stern
^ permalink raw reply	[flat|nested] 39+ messages in thread
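A userspace model of the call order Mathias lists and of the reordering Alan suggests above, added here as an example and not taken from the kernel. `struct ring`, `struct td`, `replay_set_interface()` and the other names are stand-ins, and treating the stale access as a list unlink against a poisoned static buffer is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POISON 0x6b                 /* byte SLUB writes over freed objects */

struct list_head { struct list_head *next, *prev; };
struct ring { struct list_head td_list; };      /* stand-in for xhci_ring */
struct td {                                     /* stand-in for xhci_td */
    struct list_head td_list;
    struct ring *ring;                          /* ring it was queued on */
};
enum order { XHCI_ORDER, XHCI_ORDER_CHECKED, FLUSH_FIRST };

/* Static storage: "freeing" only poisons it, so the model itself is safe. */
static struct ring ring_pool[2];

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev;
    n->next = h;
    h->prev->next = n;
    h->prev = n;
}

/* Same stores as the kernel's list_del_init(): both neighbours are written. */
static void list_del_init(struct list_head *n)
{
    n->next->prev = n->prev;
    n->prev->next = n->next;
    list_init(n);
}

static struct ring *ring_alloc(int slot)
{
    list_init(&ring_pool[slot].td_list);
    return &ring_pool[slot];
}

static void ring_free(struct ring *r) { memset(r, POISON, sizeof(*r)); }

static size_t poison_overwritten(const struct ring *r)
{
    const unsigned char *p = (const unsigned char *)r;
    size_t i, n = 0;

    for (i = 0; i < sizeof(*r); i++)
        n += (p[i] != POISON);
    return n;
}

/* Cancel one TD. With 'checked' set, a TD that is not on the current ring is
 * handed back without its ring linkage being touched. Returns true if stale. */
static bool cancel_td(struct td *td, const struct ring *cur, bool checked)
{
    bool stale = (td->ring != cur);

    if (!(checked && stale))
        list_del_init(&td->td_list);
    return stale;
}

/* Replay one altsetting change with one TD still queued on the endpoint.
 * Returns how many poison bytes of the old ring were overwritten. */
size_t replay_set_interface(enum order order, bool *stale_seen)
{
    struct ring *old_ring = ring_alloc(0), *cur = old_ring;
    struct td td = { .ring = old_ring };

    list_add_tail(&td.td_list, &old_ring->td_list);    /* URB enqueued */
    *stale_seen = false;
    if (order == FLUSH_FIRST)                 /* flush before the drop */
        *stale_seen = cancel_td(&td, cur, false);

    cur = ring_alloc(1);                      /* add_endpoint(): new ring */
    ring_free(old_ring);                      /* check_bandwidth(): old freed */

    if (order != FLUSH_FIRST)                 /* usb_hcd_flush_endpoint() */
        *stale_seen = cancel_td(&td, cur, order == XHCI_ORDER_CHECKED);
    return poison_overwritten(old_ring);
}

/* True when the freed ring's list head now points at itself (next and prev). */
bool old_ring_self_linked(void)
{
    struct list_head *h = &ring_pool[0].td_list;
    struct list_head self = { h, h };

    return memcmp(h, &self, sizeof(self)) == 0;
}

int main(void)
{
    static const char *const name[] = { "xhci order", "xhci order + check", "flush first" };
    bool stale;

    for (int o = XHCI_ORDER; o <= FLUSH_FIRST; o++) {
        size_t n = replay_set_interface((enum order)o, &stale);
        printf("%-18s stale=%d overwritten=%zu self_linked=%d\n",
               name[o], stale, n, old_ring_self_linked());
    }
    return 0;
}
```

Only the unchecked flush after the drop disturbs the poison, and it leaves the freed list head pointing at itself.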
* usb HC busted?
@ 2018-07-19 15:42 Mathias Nyman
  0 siblings, 0 replies; 39+ messages in thread
From: Mathias Nyman @ 2018-07-19 15:42 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Alan Stern, Greg KH, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
>> As first aid I could try to implement checks that make sure the flushed URBs
>> trb pointers really are on the current endpoint ring, and also add some warning
>> if we are dropping endpoints with URBs still queued.
> 
> Yes, please. I think your first-aid will be a much better option than
> the hacky patch I am using atm.
> 
Attached a patch that checks canceled URB td/trb pointers.
I haven't tested it at all (well compiles and boots, but new code never exercised)
Does it work for you?
>>
>> But we need to fix this properly as well.
>> xhci needs to be more in sync with usb core in usb_set_interface(), currently xhci
>> has the altsetting up and running when usb core hasn't even started flushing endpoints.
> 
> I am able to reproduce this on almost all cycles, so I can always test
> the fix for you after you are fully back from your holiday.
Nice, thanks
-Mathias
From a7d4af3129a91811c95ea642f6c916b1c1ca6d46 Mon Sep 17 00:00:00 2001
From: Mathias Nyman <mathias.nyman@linux.intel.com>
Date: Thu, 19 Jul 2018 18:06:18 +0300
Subject: [PATCH] xhci: when dequeuing a URB make sure it exists on the current
 endpoint ring.
If the endpoint ring has been reallocated since the URB was enqueued,
then URB may contain TD and TRB pointers to an already freed ring.
If this is the case then manually return the URB, and don't try to stop
the ring. It would be useless.
This can happen if endpoint is not flushed before it is dropped and
re-added, which is the case in usb_set_interface() as xhci does
things in an odd order.
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
---
 drivers/usb/host/xhci.c | 43 ++++++++++++++++++++++++++++++++-----------
 1 file changed, 32 insertions(+), 11 deletions(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 711da33..5bedab7 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -37,6 +37,21 @@ static unsigned int quirks;
 module_param(quirks, uint, S_IRUGO);
 MODULE_PARM_DESC(quirks, "Bit flags for quirks to be enabled as default");
 
+static bool td_on_ring(struct xhci_td *td, struct xhci_ring *ring)
+{
+	struct xhci_segment *seg = ring->first_seg;
+
+	if (!td || !td->start_seg)
+		return false;
+	do {
+		if (seg == td->start_seg)
+			return true;
+		seg = seg->next;
+	} while (seg && seg != ring->first_seg);
+
+	return false;
+}
+
 /* TODO: copied from ehci-hcd.c - can this be refactored? */
 /*
  * xhci_handshake - spin reading hc until handshake completes or fails
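Review bot: td_on_ring() reads `ring->first_seg` before any check, so a NULL `ring` is dereferenced even though `td` is tested; and because the test is a pointer comparison on `td->start_seg`, a segment that was freed and later handed out again at the same address would make a stale TD look valid. Check `ring` first and state the address-reuse limitation in a comment above the helper.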
@@ -1467,19 +1482,16 @@ static int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
 		goto done;
 	}
 
+	/* check ring is not re-allocated since URB was enqueued */
+	if (!td_on_ring(&urb_priv->td[0], ep_ring)) {
+		xhci_err(xhci, "Canceled URB td not found on endpoint ring");
+		goto err_unlink_giveback;
+	}
+
 	if (xhci->xhc_state & XHCI_STATE_HALTED) {
 		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
-				"HC halted, freeing TD manually.");
-		for (i = urb_priv->num_tds_done;
-		     i < urb_priv->num_tds;
-		     i++) {
-			td = &urb_priv->td[i];
-			if (!list_empty(&td->td_list))
-				list_del_init(&td->td_list);
-			if (!list_empty(&td->cancelled_td_list))
-				list_del_init(&td->cancelled_td_list);
-		}
-		goto err_giveback;
+			       "HC halted, freeing TD manually.");
+		goto err_unlink_giveback;
 	}
 
 	i = urb_priv->num_tds_done;
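Review bot: the new check passes `&urb_priv->td[0]`, while the unlink loop it replaces, and the one added at err_unlink_giveback, start at `urb_priv->num_tds_done`; for a URB with some TDs already completed the TD being tested is not one of those about to be handled. Consider testing `&urb_priv->td[urb_priv->num_tds_done]` so the check and the loop look at the same TDs.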
@@ -1519,6 +1531,15 @@ static int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
 	spin_unlock_irqrestore(&xhci->lock, flags);
 	return ret;
 
+err_unlink_giveback:
+	for (i = urb_priv->num_tds_done; i < urb_priv->num_tds; i++) {
+		td = &urb_priv->td[i];
+		if (!list_empty(&td->td_list))
+			list_del_init(&td->td_list);
+		if (!list_empty(&td->cancelled_td_list))
+			list_del_init(&td->cancelled_td_list);
+	}
+
 err_giveback:
 	if (urb_priv)
 		xhci_urb_free_priv(urb_priv);
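Review bot: err_unlink_giveback is now also reached when the TD was not found on the endpoint ring, and it still runs `list_del_init(&td->td_list)`, which stores into the neighbouring list entries; if those neighbours belong to the ring that was freed, this path writes to freed memory. Keep the `td_list` unlink for the halted case and limit the not-on-ring path to `cancelled_td_list`.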
-- 
2.7.4
^ permalink raw reply related	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-07-19 17:32 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-07-19 17:32 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Alan Stern, Greg KH, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
Hi Mathias,
On Thu, Jul 19, 2018 at 06:42:19PM +0300, Mathias Nyman wrote:
> > > As first aid I could try to implement checks that make sure the flushed URBs
> > > trb pointers really are on the current endpoint ring, and also add some warning
> > > if we are dropping endpoints with URBs still queued.
> > 
> > Yes, please. I think your first-aid will be a much better option than
> > the hacky patch I am using atm.
> > 
> 
> Attached a patch that checks canceled URB td/trb pointers.
> I haven't tested it at all (well compiles and boots, but new code never exercised)
> 
> Does it work for you?
No, not exactly. :(
I can see your message getting printed.
[  249.518394] xhci_hcd 0000:00:14.0: Canceled URB td not found on endpoint ring
[  249.518431] xhci_hcd 0000:00:14.0: Canceled URB td not found on endpoint ring
But I can see the message from slub debug again:
[  348.279986] =============================================================================
[  348.279993] BUG kmalloc-96 (Tainted: G     U     O   ): Poison overwritten
[  348.279995] -----------------------------------------------------------------------------
[  348.279997] Disabling lock debugging due to kernel taint
[  348.280000] INFO: 0xe5acda60-0xe5acda67. First byte 0x60 instead of 0x6b
[  348.280012] INFO: Allocated in xhci_ring_alloc.constprop.14+0x31/0x125 [xhci_hcd] age=129264 cpu=0 pid=33
[  348.280019] 	___slab_alloc.constprop.24+0x1fc/0x292
[  348.280023] 	__slab_alloc.isra.18.constprop.23+0x1c/0x25
[  348.280026] 	kmem_cache_alloc_trace+0x78/0x141
[  348.280032] 	xhci_ring_alloc.constprop.14+0x31/0x125 [xhci_hcd]
[  348.280038] 	xhci_endpoint_init+0x25f/0x30a [xhci_hcd]
[  348.280044] 	xhci_add_endpoint+0x126/0x149 [xhci_hcd]
[  348.280057] 	usb_hcd_alloc_bandwidth+0x26a/0x2a0 [usbcore]
[  348.280067] 	usb_set_interface+0xeb/0x25d [usbcore]
[  348.280071] 	btusb_work+0xeb/0x324 [btusb]
[  348.280076] 	process_one_work+0x163/0x2b2
[  348.280080] 	worker_thread+0x1a9/0x25c
[  348.280083] 	kthread+0xf8/0xfd
[  348.280087] 	ret_from_fork+0x2e/0x38
[  348.280095] INFO: Freed in xhci_ring_free+0xa7/0xc6 [xhci_hcd] age=98722 cpu=0 pid=33
[  348.280098] 	__slab_free+0x4b/0x27a
[  348.280100] 	kfree+0x12e/0x155
[  348.280106] 	xhci_ring_free+0xa7/0xc6 [xhci_hcd]
[  348.280112] 	xhci_free_endpoint_ring+0x16/0x20 [xhci_hcd]
[  348.280118] 	xhci_check_bandwidth+0x1c2/0x211 [xhci_hcd]
[  348.280129] 	usb_hcd_alloc_bandwidth+0x205/0x2a0 [usbcore]
[  348.280139] 	usb_set_interface+0xeb/0x25d [usbcore]
[  348.280142] 	btusb_work+0x228/0x324 [btusb]
[  348.280145] 	process_one_work+0x163/0x2b2
[  348.280148] 	worker_thread+0x1a9/0x25c
[  348.280151] 	kthread+0xf8/0xfd
[  348.280154] 	ret_from_fork+0x2e/0x38
[  348.280158] INFO: Slab 0xf46e0fe0 objects=29 used=29 fp=0x  (null) flags=0x40008100
[  348.280160] INFO: Object 0xe5acda48 @offset=6728 fp=0xe5acd700
[  348.280164] Redzone e5acda40: bb bb bb bb bb bb bb bb                          ........
[  348.280167] Object e5acda48: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  348.280169] Object e5acda58: 6b 6b 6b 6b 6b 6b 6b 6b 60 da ac e5 60 da ac e5  kkkkkkkk`...`...
[  348.280171] Object e5acda68: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  348.280174] Object e5acda78: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  348.280176] Object e5acda88: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[  348.280179] Object e5acda98: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[  348.280181] Redzone e5acdaa8: bb bb bb bb                                      ....
[  348.280183] Padding e5acdb50: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
[  348.280188] CPU: 0 PID: 133 Comm: weston Tainted: G    BU     O    4.14.55-20180712+ #2
[  348.280190] Hardware name: xxx, BIOS 2017.01-00087-g43e04de 08/30/2017
[  348.280192] Call Trace:
[  348.280199]  dump_stack+0x47/0x5b
[  348.280202]  print_trailer+0x12b/0x133
[  348.280206]  check_bytes_and_report+0x6c/0xae
[  348.280210]  check_object+0x10a/0x1db
[  348.280214]  alloc_debug_processing+0x79/0x123
[  348.280218]  ___slab_alloc.constprop.24+0x1fc/0x292
[  348.280224]  ? drm_mode_atomic_ioctl+0x374/0x75e
[  348.280227]  ? drm_mode_atomic_ioctl+0x374/0x75e
[  348.280231]  ? drm_mode_object_get+0x28/0x3a
[  348.280235]  ? __radix_tree_lookup+0x27/0x7e
[  348.280238]  ? drm_mode_object_get+0x28/0x3a
[  348.280242]  ? drm_mode_object_put+0x28/0x4c
[  348.280246]  __slab_alloc.isra.18.constprop.23+0x1c/0x25
[  348.280249]  ? __slab_alloc.isra.18.constprop.23+0x1c/0x25
[  348.280253]  kmem_cache_alloc_trace+0x78/0x141
[  348.280257]  ? drm_mode_atomic_ioctl+0x374/0x75e
[  348.280261]  drm_mode_atomic_ioctl+0x374/0x75e
[  348.280267]  ? drm_atomic_set_property+0x442/0x442
[  348.280272]  drm_ioctl_kernel+0x52/0x88
[  348.280275]  drm_ioctl+0x1fc/0x2c1
[  348.280279]  ? drm_atomic_set_property+0x442/0x442
[  348.280288]  ? xhci_irq+0x109f/0x10a9 [xhci_hcd]
[  348.280293]  ? __fget+0x5f/0x67
[  348.280297]  ? drm_getstats+0x17/0x17
[  348.280301]  vfs_ioctl+0x1f/0x29
[  348.280304]  do_vfs_ioctl+0x4f3/0x562
[  348.280309]  ? smk_curacc+0x24/0x29
[  348.280314]  ? smack_file_ioctl+0x4d/0x52
[  348.280317]  ? smack_file_lock+0x29/0x29
[  348.280321]  ? security_file_ioctl+0x34/0x45
[  348.280324]  SyS_ioctl+0x42/0x5b
[  348.280328]  do_fast_syscall_32+0xd3/0x171
[  348.280333]  entry_SYSENTER_32+0x47/0x71
[  348.280336] EIP: 0xb7eedab1
[  348.280338] EFLAGS: 00200286 CPU: 0
[  348.280340] EAX: ffffffda EBX: 0000000f ECX: c03864bb EDX: bfeb2228
[  348.280342] ESI: bfeb2228 EDI: c03864bb EBP: bfeb21c8 ESP: bfeb2188
[  348.280345]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
[  348.280350] FIX kmalloc-96: Restoring 0xe5acda60-0xe5acda67=0x6b
---
Regards
Sudip
^ permalink raw reply	[flat|nested] 39+ messages in thread
* usb HC busted?
@ 2018-07-20 11:10 Mathias Nyman
  0 siblings, 0 replies; 39+ messages in thread
From: Mathias Nyman @ 2018-07-20 11:10 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Alan Stern, Greg KH, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
On 19.07.2018 20:32, Sudip Mukherjee wrote:
> Hi Mathias,
> 
> On Thu, Jul 19, 2018 at 06:42:19PM +0300, Mathias Nyman wrote:
>>>> As first aid I could try to implement checks that make sure the flushed URBs
>>>> trb pointers really are on the current endpoint ring, and also add some warning
>>>> if we are dropping endpoints with URBs still queued.
>>>
>>> Yes, please. I think your first-aid will be a much better option than
>>> the hacky patch I am using atm.
>>>
>>
>> Attached a patch that checks canceled URB td/trb pointers.
>> I haven't tested it at all (well compiles and boots, but new code never exercised)
>>
>> Does it work for you?
> 
> No, not exactly. :(
> 
> I can see your message getting printed.
> [  249.518394] xhci_hcd 0000:00:14.0: Canceled URB td not found on endpoint ring
> [  249.518431] xhci_hcd 0000:00:14.0: Canceled URB td not found on endpoint ring
> 
> But I can see the message from slub debug again:
> 
> [  348.279986] =============================================================================
> [  348.279993] BUG kmalloc-96 (Tainted: G     U     O   ): Poison overwritten
> [  348.279995] -----------------------------------------------------------------------------
> 
> [  348.279997] Disabling lock debugging due to kernel taint
> [  348.280000] INFO: 0xe5acda60-0xe5acda67. First byte 0x60 instead of 0x6b
> [  348.280012] INFO: Allocated in xhci_ring_alloc.constprop.14+0x31/0x125 [xhci_hcd] age=129264 cpu=0 pid=33
...
> [  348.280095] INFO: Freed in xhci_ring_free+0xa7/0xc6 [xhci_hcd] age=98722 cpu=0 pid=33
...
> [  348.280158] INFO: Slab 0xf46e0fe0 objects=29 used=29 fp=0x  (null) flags=0x40008100
> [  348.280160] INFO: Object 0xe5acda48 @offset=6728 fp=0xe5acd700
> 
> [  348.280164] Redzone e5acda40: bb bb bb bb bb bb bb bb                          ........
> [  348.280167] Object e5acda48: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [  348.280169] Object e5acda58: 6b 6b 6b 6b 6b 6b 6b 6b 60 da ac e5 60 da ac e5  kkkkkkkk`...`...
So poison is overwritten at e5acda58 with almost its own address, (reading backwards) e5 ac da 60, twice.
Looks like something (32bit?) is pointing to itself twice, maybe a linked list node's next and prev pointers
being set to point to itself as the last item was removed from the list.
The cancelled_td_list is part of struct xhci_virt_ep, so that should be fine.
But td_list is part of struct xhci_ring, which was freed, and we removed the URB's tds from the td_list when
flushing the ring after the ring was freed.
I changed the patch (attached) to make sure it doesn't touch the td_list when canceling a URB after
ring is freed.
How about this one, any improvements?
-Mathias
From ee48d9f9c2d82058489dcdc38faa34a3cbdb08d1 Mon Sep 17 00:00:00 2001
From: Mathias Nyman <mathias.nyman@linux.intel.com>
Date: Thu, 19 Jul 2018 18:06:18 +0300
Subject: [PATCH v2] xhci: when dequeuing a URB make sure it exists on the
 current endpoint ring.
If the endpoint ring has been reallocated since the URB was enqueued,
then URB may contain TD and TRB pointers to an already freed ring.
If this is the case then manually return the URB without touching any of the
freed ring structure data.
Don't try to stop the ring. It would be useless.
This can happen if endpoint is not flushed before it is dropped and
re-added, which is the case in usb_set_interface() as xhci does
things in an odd order.
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
---
 drivers/usb/host/xhci.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 711da33..7093341 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -37,6 +37,21 @@ static unsigned int quirks;
 module_param(quirks, uint, S_IRUGO);
 MODULE_PARM_DESC(quirks, "Bit flags for quirks to be enabled as default");
 
+static bool td_on_ring(struct xhci_td *td, struct xhci_ring *ring)
+{
+	struct xhci_segment *seg = ring->first_seg;
+
+	if (!td || !td->start_seg)
+		return false;
+	do {
+		if (seg == td->start_seg)
+			return true;
+		seg = seg->next;
+	} while (seg && seg != ring->first_seg);
+
+	return false;
+}
+
 /* TODO: copied from ehci-hcd.c - can this be refactored? */
 /*
  * xhci_handshake - spin reading hc until handshake completes or fails
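Review bot: td_on_ring() carries no comment on what it guarantees: it walks the segments from `ring->first_seg` and matches only `td->start_seg`, so a TD is judged by its first segment alone. A short comment above the helper stating that, and what the caller must ensure about `ring`, would document the contract the dequeue path relies on.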
@@ -1467,6 +1482,21 @@ static int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
 		goto done;
 	}
 
+	/*
+	 * check ring is not re-allocated since URB was enqueued. If it is, then
+	 * make sure none of the ring related pointers in this URB private data
+	 * are touched, such as td_list, otherwise we overwrite freed data
+	 */
+	if (!td_on_ring(&urb_priv->td[0], ep_ring)) {
+		xhci_err(xhci, "Canceled URB td not found on endpoint ring");
+		for (i = urb_priv->num_tds_done; i < urb_priv->num_tds; i++) {
+			td = &urb_priv->td[i];
+			if (!list_empty(&td->cancelled_td_list))
+				list_del_init(&td->cancelled_td_list);
+		}
+		goto err_giveback;
+	}
+
 	if (xhci->xhc_state & XHCI_STATE_HALTED) {
 		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
 				"HC halted, freeing TD manually.");
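Review bot: the xhci_err() string in the added block, "Canceled URB td not found on endpoint ring", has no trailing "\n", so the message can run into the next log line. Since the commit message says this path is reached through usb_set_interface(), an error-level print per cancelled URB may also be noisy; xhci_warn() or a rate-limited print could fit better. The block tests only td[0] but cleans up from num_tds_done onwards, so a one-line comment saying that all TDs of a URB sit on the same ring would make that choice explicit.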
-- 
2.7.4
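Added example, not part of the original message or of the xhci driver: a userspace C model of the store into freed ring memory that the message describes, and of how a td_on_ring() style guard avoids it. The struct layouts, the 0x6b fill standing in for slab poison, and cancel_after_realloc() are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Userspace model (assumption): only the fields the thread mentions. */
struct list_head { struct list_head *next, *prev; };
struct seg  { struct seg *next; };
struct ring { struct seg *first_seg; struct list_head td_list; };
struct td   { struct seg *start_seg; struct list_head td_list; };

static void list_del_init(struct list_head *n)
{
	n->next->prev = n->prev;	/* stores into the neighbouring nodes */
	n->prev->next = n->next;
	n->next = n->prev = n;
}

/* Same segment walk as the patch's td_on_ring(), on the model types. */
static bool td_on_ring(const struct td *td, const struct ring *ring)
{
	const struct seg *seg = ring->first_seg;
	if (!td->start_seg)
		return false;
	do {
		if (seg == td->start_seg)
			return true;
		seg = seg->next;
	} while (seg && seg != ring->first_seg);
	return false;
}

/*
 * One TD is queued on old_ring, then old_ring is "freed": filled with 0x6b,
 * storage kept so the demo stays well defined. The TD is then cancelled
 * against new_ring. Returns true if the poison in old_ring is still intact.
 */
static bool cancel_after_realloc(bool guarded)
{
	struct seg old_seg = { .next = &old_seg }, new_seg = { .next = &new_seg };
	struct ring old_ring = { .first_seg = &old_seg }, new_ring = { .first_seg = &new_seg };
	struct td td = { .start_seg = &old_seg };
	const unsigned char *p = (const unsigned char *)&old_ring;
	td.td_list.next = td.td_list.prev = &old_ring.td_list;	/* sole TD */
	memset(&old_ring, 0x6b, sizeof(old_ring));
	if (!guarded || td_on_ring(&td, &new_ring))
		list_del_init(&td.td_list);	/* old_ring.td_list now points at itself */
	for (size_t i = 0; i < sizeof(old_ring); i++)
		if (p[i] != 0x6b)
			return false;
	return true;
}
```

Without the guard, unlinking the last TD writes the list head's own address into both of its pointers, which is the pattern of a poisoned region overwritten twice with nearly its own address.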
* usb HC busted?
@ 2018-07-20 11:46 Mathias Nyman
  0 siblings, 0 replies; 39+ messages in thread
From: Mathias Nyman @ 2018-07-20 11:46 UTC (permalink / raw)
  To: Alan Stern
  Cc: Sudip Mukherjee, Greg KH, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
On 19.07.2018 17:57, Alan Stern wrote:
> On Thu, 19 Jul 2018, Mathias Nyman wrote:
> 
>> xhci driver will set up all the endpoints for the new altsetting already in
>> usb_hcd_alloc_bandwidth().
>>
>> New endpoints will be ready and rings running after this. I don't know the exact
>> history behind this, but I assume it is because xhci does all of the steps to
>> drop/add, disable/enable endpoints and check bandwidth in a single configure
>> endpoint command, that will return errors if there is not enough bandwidth.
> 
> That's right; Sarah and I spent some time going over this while she was
> working on it.  But it looks like the approach isn't adequate.
> 
>> This command is issued in hcd->driver->check_bandwidth()
>> This means that xhci doesn't really do much in hcd->driver->endpoint_disable or
>> hcd->driver->endpoint_enable
>>
>> It also means that xhci driver assumes rings are empty when
>> hcd->driver->check_bandwidth is called. It will bluntly free dropped rings.
>> If there are URBs left on an endpoint ring that was dropped+added
>> (freed+reallocated) then those URBs will contain pointers to freed ring,
>> causing issues when usb_hcd_flush_endpoint() cancels those URBs.
>>
>> usb_set_interface()
>>     usb_hcd_alloc_bandwidth()
>>       hcd->driver->drop_endpoint()
>>       hcd->driver->add_endpoint() // allocates new rings
>>       hcd->driver->check_bandwidth() // issues configure endpoint command, free rings.
>>     usb_disable_interface(iface, true)
>>       usb_disable_endpoint()
>>         usb_hcd_flush_endpoint() // will access freed ring if URBs found!!
>>         usb_hcd_disable_endpoint()
>>           hcd->driver->endpoint_disable()  // xhci does nothing
>>     usb_enable_interface(iface, true)
>>       usb_enable_endpoint(ep_addrss, true) // not really doing much on xhci side.
>>
>> As first aid I could try to implement checks that make sure the flushed URBs
>> trb pointers really are on the current endpoint ring, and also add some warning
>> if we are dropping endpoints with URBs still queued.
>>
>> But we need to fix this properly as well.
>> xhci needs to be more in sync with usb core in usb_set_interface(), currently xhci
>> has the altsetting up and running when usb core hasn't even started flushing endpoints.
> 
> Absolutely.  The core tries to be compatible with host controller
> drivers that either allocate bandwidth as it is requested or else
> allocate bandwidth all at once when an altsetting is installed.
> 
> xhci-hcd falls into the second category.  However, this approach
> requires the bandwidth verification for the new altsetting to be
> performed before the old altsetting has been disabled, and the xHCI
> hardware can't do this.
> 
> We may need to change the core so that the old endpoints are disabled
> before the bandwidth check is done, instead of after.  Of course, this
> leads to an awkward situation if the check fails -- we'd probably have
> to go back and re-install the old altsetting.
That would help xhci a lot.
If we want to avoid the awkward altsetting re-install after bandwidth failure
then adding an extra endpoint flush before checking the bandwidth would already help a lot.
The endpoint disabling can then remain after bandwidth checking.
Does that work for other host controllers?
-Mathias
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
* usb HC busted?
@ 2018-07-20 12:54 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-07-20 12:54 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Alan Stern, Greg KH, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
Hi Mathias,
On Fri, Jul 20, 2018 at 02:10:58PM +0300, Mathias Nyman wrote:
> On 19.07.2018 20:32, Sudip Mukherjee wrote:
> > Hi Mathias,
> > 
> > On Thu, Jul 19, 2018 at 06:42:19PM +0300, Mathias Nyman wrote:
> > > > > As first aid I could try to implement checks that make sure the flushed URBs
> > > > > trb pointers really are on the current endpoint ring, and also add some warning
> > > > > if we are dropping endpoints with URBs still queued.
> > > > 
> > > > Yes, please. I think your first-aid will be a much better option than
> > > > the hacky patch I am using atm.
> > > > 
> > > 
<snip>
> So poison is overwritten at e5acda58 with almost its own address, (reading backwards) e5 ac da 60, twice.
> looks like something (32bit?) is pointing to itself twice, maybe a linked list node next and prev pointer
> being set to point to itself as last item was removed from list.
> 
> The cancelled_td_list is part of struct xhci_virt_ep, so that should be fine.
> But td_list is part of struct xhci_ring, which was freed, and we removed the URB's TDs from the td_list when
> flushing the ring after the ring was freed.
> 
> I changed the patch (attached) to make sure it doesn't touch the td_list when canceling a URB after
> ring is freed.
> 
> How about this one, any improvements?
Yes, it worked. :D
So, cycle-1 = no change, just to make sure I can still reproduce the error.
cycle-2 and cycle-3 with your patch, and there was no problem,
slub debug was also happy.
I am starting an autotest with this patch now, and I will have almost
50 cycles tested by tomorrow morning.
---
Regards
Sudip
* usb HC busted?
@ 2018-07-20 14:09 Alan Stern
  0 siblings, 0 replies; 39+ messages in thread
From: Alan Stern @ 2018-07-20 14:09 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Sudip Mukherjee, Greg KH, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
On Fri, 20 Jul 2018, Mathias Nyman wrote:
> >> But we need to fix this properly as well.
> >> xhci needs to be more in sync with usb core in usb_set_interface(), currently xhci
> >> has the altsetting up and running when usb core hasn't even started flushing endpoints.
> > 
> > Absolutely.  The core tries to be compatible with host controller
> > drivers that either allocate bandwidth as it is requested or else
> > allocate bandwidth all at once when an altsetting is installed.
> > 
> > xhci-hcd falls into the second category.  However, this approach
> > requires the bandwidth verification for the new altsetting to be
> > performed before the old altsetting has been disabled, and the xHCI
> > hardware can't do this.
> > 
> > We may need to change the core so that the old endpoints are disabled
> > before the bandwidth check is done, instead of after.  Of course, this
> > leads to an awkward situation if the check fails -- we'd probably have
> > to go back and re-install the old altsetting.
> 
> That would help xhci a lot.
> 
> If we want to avoid the awkward altsetting re-install after bandwidth failure
> then adding an extra endpoint flush before checking the bandwidth would already help a lot.
> 
> The endpoint disabling can then remain after bandwidth checking.
> Does that work for other host controllers?
As far as I know, the other host controller drivers don't really care 
how this is done.  xHCI is the only technology where the hardware has 
to verify the bandwidth requirements.  (Maybe some other SuperSpeed 
controller design also cares, but if so then this change is unlikely to 
hurt.)
Alan Stern
* usb HC busted?
@ 2018-07-21 10:55 Sudip Mukherjee
  0 siblings, 0 replies; 39+ messages in thread
From: Sudip Mukherjee @ 2018-07-21 10:55 UTC (permalink / raw)
  To: Mathias Nyman
  Cc: Alan Stern, Greg KH, Andy Shevchenko, Andy Shevchenko,
	Mathias Nyman, linux-usb, lukaszx.szulc, Christoph Hellwig,
	Marek Szyprowski, iommu
Hi Mathias,
On Fri, Jul 20, 2018 at 01:54:21PM +0100, Sudip Mukherjee wrote:
> Hi Mathias,
> 
> On Fri, Jul 20, 2018 at 02:10:58PM +0300, Mathias Nyman wrote:
> > On 19.07.2018 20:32, Sudip Mukherjee wrote:
> > > Hi Mathias,
> > > 
> > > On Thu, Jul 19, 2018 at 06:42:19PM +0300, Mathias Nyman wrote:
> > > > > > As first aid I could try to implement checks that make sure the flushed URBs
> > > > > > trb pointers really are on the current endpoint ring, and also add some warning
> > > > > > if we are dropping endpoints with URBs still queued.
> > > > > 
> > > > > Yes, please. I think your first-aid will be a much better option than
> > > > > the hacky patch I am using atm.
> > > > > 
> > > > 
> <snip>
> > So poison is overwritten at e5acda58 with almost its own address, (reading backwards) e5 ac da 60, twice.
> > looks like something (32bit?) is pointing to itself twice, maybe a linked list node next and prev pointer
> > being set to point to itself as last item was removed from list.
> > 
> > The cancelled_td_list is part of struct xhci_virt_ep, so that should be fine.
> > But td_list is part of struct xhci_ring, which was freed, and we removed the URB's TDs from the td_list when
> > flushing the ring after the ring was freed.
> > 
> > I changed the patch (attached) to make sure it doesn't touch the td_list when canceling a URB after
> > ring is freed.
> > 
> > How about this one, any improvements?
> 
> Yes, it worked. :D
> 
> So, cycle-1 = no change, just to make sure I can still reproduce the error.
> cycle-2 and cycle-3 with your patch, and there was no problem,
> slub debug was also happy.
> I am starting an autotest with this patch now, and I will have almost
> 50 cycles tested by tomorrow morning.
I can confirm that your bandaid patch has worked. Total of 67 cycles
tested till now and there was no error. It's continuing to test over the
weekend.
Thank you very much for this one. :)
I guess you will start with the proper fix, that you and Alan had been
discussing, after you are fully back to work.
---
Regards
Sudip