From: Vegard Nossum
Subject: gadgetfs WARNING at drivers/usb/gadget/udc/dummy_hcd.c:674
To: Marek Szyprowski
Cc: "linux-usb@vger.kernel.org", LKML, ruslan.bilovol@gmail.com, b.zolnierkie@samsung.com, maxime.ripard@free-electrons.com, peter.chen@freescale.com, Felipe Balbi
Message-ID: <56B9B360.9090202@oracle.com>
Date: Tue, 9 Feb 2016 10:37:36 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

Hi again Marek,

With your two patches on top of latest mainline I've run into this warning:

gadgetfs: connected
gadgetfs: disconnected
------------[ cut here ]------------
WARNING: CPU: 0 PID: 35 at drivers/usb/gadget/udc/dummy_hcd.c:674 dummy_free_request+0x92/0xa0()
CPU: 0 PID: 35 Comm: afl-fuzz Not tainted 4.5.0-rc2 #1
 ffff8800003b6900 ffff88000c847d00 ffffffff8133f0e2 ffff88000c847d40
 ffffffff8108d4bf ffffffff8152b062 ffff88000032d430 ffff88000032d420
 ffff88000032d430 ffffffff8185fc80 ffff8800001caf08 ffff88000c847d50
Call Trace:
 [] dump_stack+0x19/0x27
 [] warn_slowpath_common+0xaf/0x110
 [] ? dummy_free_request+0x92/0xa0
 [] warn_slowpath_null+0x15/0x20
 [] dummy_free_request+0x92/0xa0
 [] gadgetfs_unbind+0x194/0x210
 [] ? destroy_ep_files+0x560/0x560
 [] usb_gadget_remove_driver+0x1dc/0x460
 [] usb_gadget_unregister_driver+0x151/0x240
 [] dev_release+0x7a/0x160
 [] __fput+0x11b/0x490
 [] ____fput+0x9/0x10
 [] task_work_run+0xf1/0x190
 [] ? filp_close+0x8a/0xe0
 [] exit_to_usermode_loop+0xec/0x100
 [] syscall_return_slowpath+0x91/0xc0
 [] int_ret_from_sys_call+0x25/0x8f
---[ end trace e6edc2c9995ff81b ]---

To be specific, it's the

    WARN_ON(!list_empty(&req->queue));

that is triggering. I think it's probably not related to your patches, but rather more bugs which were hidden until now :-)

Some time later it also shows:

usb 1-1: new high-speed USB device number 7 using dummy_hcd
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [< (null)>] (null)
PGD c830067 PUD c854067 PMD 0
Oops: 0010 [#1] DEBUG_PAGEALLOC KASAN
CPU: 0 PID: 0 Comm: swapper Tainted: G W 4.5.0-rc2 #1
task: ffffffff8192d680 ti: ffffffff81910000 task.ti: ffffffff81910000
RIP: 0010:[<0000000000000000>] [< (null)>] (null)
RSP: 0018:ffffffff81946c08 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: ffff88000032d2d0 RCX: ffff88000032d2c0
RDX: 1ffff10000065a60 RSI: ffff88000032d2d0 RDI: ffff8800001ca070
RBP: ffffffff81946c20 R08: ffff88000032d2c0 R09: 000000000000319e
R10: ffffffff81946e80 R11: 0000000000000001 R12: ffff8800001ca070
R13: 0000000000000000 R14: ffff8800001ca030 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffffffff8193f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000c850000 CR4: 00000000001406b0
Stack:
 ffffffff81522226 ffff88000032d2c0 0000000000000080 ffffffff81946e00
 ffffffff8152d09b ffff88000027a448 0000000000000246 ffff8800001caf20
 1ffffffff0328daf 0000000000000001 ffff8800003b6900 0000000000000086
Call Trace:
 [] ? usb_gadget_giveback_request+0x36/0x50
 [] dummy_timer+0x202b/0x2980
 [] ? enqueue_task_fair+0x1f6/0x580
 [] ? sched_clock_cpu+0x45/0x60
 [] ? dummy_free_request+0xa0/0xa0
 [] ? process_cpu_nsleep+0x10/0x10
 [] ? detach_if_pending+0x350/0x350
 [] ? dummy_free_request+0xa0/0xa0
 [] call_timer_fn.isra.5+0x16/0x70
 [] ? dummy_free_request+0xa0/0xa0
 [] run_timer_softirq+0x365/0x590
 [] ? kvm_clock_get_cycles+0x16/0x20
 [] ? cascade.constprop.6+0x160/0x160
 [] ? kvm_clock_read+0x16/0x20
 [] ? sched_clock_local.constprop.4+0xc/0x80
 [] __do_softirq+0x199/0x400
 [] irq_exit+0xa0/0xc0
 [] smp_trace_apic_timer_interrupt+0x95/0xd0
 [] smp_apic_timer_interrupt+0x9/0x10
 [] apic_timer_interrupt+0x7d/0x90
 [] ? native_safe_halt+0x6/0x10
 [] default_idle+0x9/0x10
 [] arch_cpu_idle+0xa/0x10
 [] default_idle_call+0x46/0x60
 [] cpu_startup_entry+0x22d/0x310
 [] ? finish_task_switch+0x135/0x450
 [] ? default_idle_call+0x60/0x60
 [] ? __schedule+0x451/0xd50
 [] ? schedule+0xc6/0x180
 [] rest_init+0x9a/0xa0
 [] start_kernel+0x3fa/0x422
 [] ? thread_info_cache_init+0x6/0x6
 [] ? memblock_reserve+0x4a/0x4f
 [] ? early_idt_handler_array+0x120/0x120
 [] x86_64_start_reservations+0x2a/0x2c
 [] x86_64_start_kernel+0xea/0xf7
Code: Bad RIP value.
RIP [< (null)>] (null)
 RSP
CR2: 0000000000000000
---[ end trace f62ab933aa78d176 ]---
Kernel panic - not syncing: Fatal exception in interrupt

This one I did see before and I think it's just req->complete which is NULL (but I have no idea why).

Vegard