From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.cybernetics.com ([173.71.130.66]:64899 "EHLO
	mail.cybernetics.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S965109AbcBSOj6 (ORCPT
	<rfc822;stable@vger.kernel.org>); Fri, 19 Feb 2016 09:39:58 -0500
To: linux-usb@vger.kernel.org, "Du, Changbin" <changbin.du@intel.com>,
	stable <stable@vger.kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
From: Tony Battersby <tonyb@cybernetics.com>
Subject: USB oops regression caused by -stable patch
Message-ID: <56C7293D.2040105@cybernetics.com>
Date: Fri, 19 Feb 2016 09:39:57 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

This upstream commit is causing an oops:
d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device")

This patch has already been included in several -stable kernels.  Here
are the affected kernels:
4.5.0-rc4 (current git)
4.4.2
4.3.6 (currently in review)
4.1.18
3.18.27
3.14.61

How to reproduce the problem:
Boot kernel with slub debugging enabled (otherwise memory corruption
will cause random oopses later instead of immediately)
Plug in USB 3.0 disk to xhci USB 3.0 port
dd if=/dev/sdc of=/dev/null bs=65536
(where /dev/sdc is the USB 3.0 disk)
Unplug USB cable while dd is still going
Oops is immediate:

blk_update_request: I/O error, dev sdc, sector 864768
blk_update_request: I/O error, dev sdc, sector 865008
blk_update_request: I/O error, dev sdc, sector 865024
blk_update_request: I/O error, dev sdc, sector 865264
blk_update_request: I/O error, dev sdc, sector 864768
Buffer I/O error on dev sdc, logical block 108096, async page read
general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC 
Modules linked in: netconsole igb i2c_algo_bit ptp pps_core sg eeprom i2c_i801
CPU: 3 PID: 24 Comm: kworker/3:0 Not tainted 4.5.0-rc4-00095-g2850713 #14
Hardware name: Supermicro X8DTH-i/6/iF/6F/X8DTH, BIOS 2.1b       05/04/12  
Workqueue: usb_hub_wq hub_event
task: ffff88042b09f080 ti: ffff88042b0a4000 task.ti: ffff88042b0a4000
RIP: 0010:[<ffffffff8030bcd9>]  [<ffffffff8030bcd9>] kfree+0x49/0x110
RSP: 0018:ffff88042b0a7988  EFLAGS: 00010207
RAX: ffffea0000000000 RBX: 6b6b6b6b00000100 RCX: 0000000000000018
RDX: 0000000000000018 RSI: 0000000000000000 RDI: 01ad998dac000000
RBP: ffff88042b0a79c8 R08: ffffea0010a72210 R09: ffffea0010a72218
R10: ffff880429c88548 R11: 0000000000000001 R12: ffff8800bb1b8000
R13: ffff880429a21ce0 R14: ffff8800bb1a0690 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff88043dc60000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f3a6186b990 CR3: 0000000000a0a000 CR4: 00000000000006e0
Stack:
 ffffea0002ea2220 0000000000000000 ffff880429c88548 0000000000000001
 ffff88042b0a79e8 ffffffff804f56cb ffff880401002801 ffff880429c80948
 ffff88042b0a79e8 ffffffff804f3df0 ffff8800bb1a0690 ffff880429c80948
Call Trace:
 [<ffffffff804f56cb>] ? usb_destroy_configuration+0x11b/0x140
 [<ffffffff804f3df0>] usb_release_bos_descriptor+0x20/0x40
 [<ffffffff804e6b2c>] usb_release_dev+0x2c/0x70
 [<ffffffff804a5433>] device_release+0x33/0xa0
 [<ffffffff80402a57>] kobject_release+0x47/0x90
 [<ffffffff80402acc>] kobject_put+0x2c/0x60
 [<ffffffff804a4d12>] put_device+0x12/0x20
 [<ffffffff804eac4b>] usb_disconnect+0x1cb/0x220
 [<ffffffff804ebcca>] hub_event+0x46a/0x1070
 [<ffffffff80287eca>] ? dequeue_task_fair+0x73a/0x820
 [<ffffffff802e6c15>] ? next_zone+0x25/0x30
 [<ffffffff8028a9d9>] ? pick_next_task_fair+0xa9/0x850
 [<ffffffff80274471>] process_one_work+0x151/0x3c0
 [<ffffffff802a4909>] ? mod_timer+0xe9/0x160
 [<ffffffff802a4715>] ? lock_timer_base+0x55/0x70
 [<ffffffff806088bb>] ? schedule+0x3b/0xa0
 [<ffffffff80274838>] worker_thread+0x158/0x6b0
 [<ffffffff8060830a>] ? __schedule+0x27a/0x6e0
 [<ffffffff80282fbd>] ? default_wake_function+0xd/0x10
 [<ffffffff8028fb31>] ? __wake_up_common+0x51/0x80
 [<ffffffff806088bb>] ? schedule+0x3b/0xa0
 [<ffffffff802746e0>] ? process_one_work+0x3c0/0x3c0
 [<ffffffff80279817>] kthread+0xc7/0xf0
 [<ffffffff80279750>] ? kthread_parkme+0x20/0x20
 [<ffffffff8060bd9f>] ret_from_fork+0x3f/0x70
 [<ffffffff80279750>] ? kthread_parkme+0x20/0x20
Code: 00 00 80 ff 77 00 00 48 01 df 48 0f 42 05 50 33 70 00 48 8d 3c 38 48 b8 00 00 00 00 00 ea ff ff 48 c1 ef 0c 48 c1 e7 06 48 01 c7 <48> 8b 47 20 48 89 45 e0 a8 01 75 64 48 8b 47 20 48 8d 57 20 48 
RIP  [<ffffffff8030bcd9>] kfree+0x49/0x110
 RSP <ffff88042b0a7988>
---[ end trace a3bcfa253dbef567 ]---
BUG: unable to handle kernel paging request at ffffffffffffffd8
IP: [<ffffffff8027923b>] kthread_data+0xb/0x20
PGD a0b067 PUD a0d067 PMD 0 
Oops: 0000 [#2] SMP DEBUG_PAGEALLOC 
Modules linked in: netconsole igb i2c_algo_bit ptp pps_core sg eeprom i2c_i801
CPU: 3 PID: 24 Comm: kworker/3:0 Tainted: G      D         4.5.0-rc4-00095-g2850713 #14
Hardware name: Supermicro X8DTH-i/6/iF/6F/X8DTH, BIOS 2.1b       05/04/12  
task: ffff88042b09f080 ti: ffff88042b0a4000 task.ti: ffff88042b0a4000
RIP: 0010:[<ffffffff8027923b>]  [<ffffffff8027923b>] kthread_data+0xb/0x20
RSP: 0018:ffff88042b0a7608  EFLAGS: 00010096
RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffff88043dc73840
RDX: ffff88042b09f080 RSI: 0000000000000003 RDI: ffff88042b09f080
RBP: ffff88042b0a7608 R08: ffff88043dc738a8 R09: 0000000000016800
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000013840
R13: ffff88042b09f4c8 R14: 0000000000000003 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88043dc60000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000028 CR3: 0000000000a0a000 CR4: 00000000000006e0
Stack:
 ffff88042b0a7648 ffffffff802731c0 ffff88042b0a7648 ffffffff8027d642
 ffff88042b09f448 ffff88043dc73840 0000000000013840 ffff88043dc73840
 ffff88042b0a76f8 ffffffff80608438 ffff88042b09f3e0 ffff88042b09f080
Call Trace:
 [<ffffffff802731c0>] wq_worker_sleeping+0x10/0xa0
 [<ffffffff8027d642>] ? deactivate_task+0x52/0x60
 [<ffffffff80608438>] __schedule+0x3a8/0x6e0
 [<ffffffff8026215d>] ? exit_notify+0xed/0x1e0
 [<ffffffff806088bb>] schedule+0x3b/0xa0
 [<ffffffff802625ea>] do_exit+0x39a/0x580
 [<ffffffff80296cba>] ? vprintk_default+0x1a/0x20
 [<ffffffff802cf886>] ? printk+0x41/0x43
 [<ffffffff80205bd2>] oops_end+0x72/0xa0
 [<ffffffff80205cf6>] die+0x56/0x80
 [<ffffffff8020415e>] do_general_protection+0xce/0x150
 [<ffffffff8060d11f>] general_protection+0x1f/0x30
 [<ffffffff8030bcd9>] ? kfree+0x49/0x110
 [<ffffffff804f3e5a>] ? usb_release_interface_cache+0x4a/0x60
 [<ffffffff804f56cb>] ? usb_destroy_configuration+0x11b/0x140
 [<ffffffff804f3df0>] usb_release_bos_descriptor+0x20/0x40
 [<ffffffff804e6b2c>] usb_release_dev+0x2c/0x70
 [<ffffffff804a5433>] device_release+0x33/0xa0
 [<ffffffff80402a57>] kobject_release+0x47/0x90
 [<ffffffff80402acc>] kobject_put+0x2c/0x60
 [<ffffffff804a4d12>] put_device+0x12/0x20
 [<ffffffff804eac4b>] usb_disconnect+0x1cb/0x220
 [<ffffffff804ebcca>] hub_event+0x46a/0x1070
 [<ffffffff80287eca>] ? dequeue_task_fair+0x73a/0x820
 [<ffffffff802e6c15>] ? next_zone+0x25/0x30
 [<ffffffff8028a9d9>] ? pick_next_task_fair+0xa9/0x850
 [<ffffffff80274471>] process_one_work+0x151/0x3c0
 [<ffffffff802a4909>] ? mod_timer+0xe9/0x160
 [<ffffffff802a4715>] ? lock_timer_base+0x55/0x70
 [<ffffffff806088bb>] ? schedule+0x3b/0xa0
 [<ffffffff80274838>] worker_thread+0x158/0x6b0
 [<ffffffff8060830a>] ? __schedule+0x27a/0x6e0
 [<ffffffff80282fbd>] ? default_wake_function+0xd/0x10
 [<ffffffff8028fb31>] ? __wake_up_common+0x51/0x80
 [<ffffffff806088bb>] ? schedule+0x3b/0xa0
 [<ffffffff802746e0>] ? process_one_work+0x3c0/0x3c0
 [<ffffffff80279817>] kthread+0xc7/0xf0
 [<ffffffff80279750>] ? kthread_parkme+0x20/0x20
 [<ffffffff8060bd9f>] ret_from_fork+0x3f/0x70
 [<ffffffff80279750>] ? kthread_parkme+0x20/0x20
Code: 25 00 ac 00 00 48 8b 80 e8 03 00 00 48 8b 40 c8 c9 48 d1 e8 83 e0 01 c3 0f 1f 84 00 00 00 00 00 55 48 8b 87 e8 03 00 00 48 89 e5 <48> 8b 40 d8 c9 c3 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 
RIP  [<ffffffff8027923b>] kthread_data+0xb/0x20
 RSP <ffff88042b0a7608>
CR2: ffffffffffffffd8
---[ end trace a3bcfa253dbef568 ]---
Fixing recursive fault but reboot is needed!

With the patch reverted, everything works fine.

So far I have been unable to reproduce the problem using EHCI (USB 2.0).

Tony Battersby
Cybernetics