Netdev Archive on lore.kernel.org
From: Alan Stern <stern@rowland.harvard.edu>
To: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Cc: Felipe Balbi <balbi@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	syzbot <syzbot+abd2e0dafb481b621869@syzkaller.appspotmail.com>,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	Pavel Skripkin <paskripkin@gmail.com>,
	Thierry Escande <thierry.escande@collabora.com>,
	Andrey Konovalov <andreyknvl@gmail.com>
Subject: Re: [syzbot] INFO: task hung in port100_probe
Date: Wed, 20 Oct 2021 18:05:03 -0400
Message-ID: <20211020220503.GB1140001@rowland.harvard.edu>
In-Reply-To: <b9695fc8-51b5-c61e-0a2f-fec9c2f0bae0@canonical.com>

On Wed, Oct 20, 2021 at 10:56:42PM +0200, Krzysztof Kozlowski wrote:
> Hi Alan, Felipe, Greg and others,
> 
> This is an old issue reported by syzkaller for NFC port100 driver [1].
> There is something similar for pn533 [2].
> 
> I was looking at it some time ago, took a break and now I am trying to
> fix it again. Without success.
> 
> The issue is reproducible via USB gadget on QEMU, not on real HW. I
> looked and debugged the code and I think previously mentioned
> double-URB-submit is not the reason here. Or I miss how the USB works
> (which is quite probable...).
> 
> 1. The port100 driver calls port100_send_cmd_sync() which eventually
> goes to port100_send_frame_async(). After it, it waits for "sync"
> completion.
> 
> 2. In port100_send_frame_async(), driver indeed first submits "out_urb"
> which quite fast is being processed by dummy_hcd with "no ep configured"
> and -EPROTO.
> 
> 3. Then (or sometimes before -EPROTO response from (2) above) the
> port100_send_frame_async() submits "in_urb" via
> port100_submit_urb_for_ack() and waits for its completion. Completion of
> "in_urb" (or the "ack") in port100_recv_ack() would schedule work to
> complete the (1) above - the sync completion.
> 
> 4. Usually, when reproducer works fine (does not trigger issue), the
> dummy_timer() from gadget responds with the same "no ep configured for
> urb" for this "in_urb" (3). This completes "in_urb", which eventually
> completes (1) and probe finishes with error. Error is expected, because
> it's random junk-gadget...
> 
> The syzkaller reproducer fails if >1 of threads are running these usb
> gadgets.  When this happens, no "in_urb" completion happens. No this
> "ack" port100_recv_ack().
> 
> I added some debugs and simply dummy_hcd dummy_timer() is woken up on
> enqueuing in_urb and then is looping crazy on a previous URB (some older
> URB, coming from before port100 driver probe started). The dummy_timer()
> loop never reaches the second "in_urb" to process it, I think.

Is there any way you can track down what's happening in that crazy loop?  
That is, what driver was responsible for the previous URB?

We have seen this sort of thing before, where a driver submits an URB 
for a gadget which has disconnected.  The URB fails with -EPROTO status 
but the URB's completion handler does an automatic resubmit.  That can 
lead to a very tight loop with dummy-hcd, and it could easily prevent 
some other important processing from occurring.  The simple solution is 
to prevent the driver from resubmitting when the completion status is 
-EPROTO.

Alan Stern

> The pn533 NFC driver has similar design, but I have now really doubts it
> is a NFC driver issue. Instead an issue in dummy gadget HCD is somehow
> triggered by the reproducer.
> 
> Reproduction - just follow [1] or [2]. Eventually I slightly tweaked the
> code and put here:
> https://github.com/krzk/tools/tree/master/tests-var/nfc/port100_probe
> $ make
> $ sudo ./port100_probe
> 
> 
> [1] https://syzkaller.appspot.com/bug?extid=abd2e0dafb481b621869
> [2] https://syzkaller.appspot.com/bug?extid=1dc8b460d6d48d7ef9ca
> 
> 
> Best regards,
> Krzysztof
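
The resubmit-on-error loop that Alan Stern describes, as an added example that is not part of the original message and is not kernel or dummy-hcd code: a userspace C model comparing a completion handler that always resubmits with one that stops when the status is -EPROTO. All names (`model_urb`, `model_submit`, `model_hcd_pass`, `PASS_LIMIT`) and the behaviour of the modelled host-controller pass are assumptions made for the illustration.

```c
/* Userspace model built for illustration; not kernel or dummy-hcd code. */
#include <errno.h>
#include <stdbool.h>
#define PASS_LIMIT 100000      /* cap standing in for "the loop never ends" */

struct model_urb {
    bool queued;               /* pending on the model host controller */
    int status;                /* status passed to the completion handler */
    int completions;           /* number of times the handler ran */
};

/* Stand-in for usb_submit_urb(): marks the URB pending again. */
static void model_submit(struct model_urb *urb) { urb->queued = true; }

/* Handler that resubmits automatically, whatever the status. */
static void complete_always_resubmit(struct model_urb *urb)
{
    urb->completions++;
    model_submit(urb);
}

/* Handler with the fix: no resubmit when the status is -EPROTO. */
static void complete_stop_on_eproto(struct model_urb *urb)
{
    urb->completions++;
    if (urb->status != -EPROTO)
        model_submit(urb);
}

/* Assumed host side after a disconnect: each pending URB fails at once with
 * -EPROTO; the pass ends only when nothing is pending (true) or at the cap. */
static bool model_hcd_pass(struct model_urb *urb, void (*complete)(struct model_urb *))
{
    model_submit(urb);                 /* the driver's initial submit */
    for (int i = 0; i < PASS_LIMIT; i++) {
        if (!urb->queued)
            return true;               /* drained: other work can run */
        urb->queued = false;
        urb->status = -EPROTO;
        complete(urb);
    }
    return false;                      /* still spinning: other work starved */
}

int main(void)
{
    struct model_urb a = {0}, b = {0};
    return (!model_hcd_pass(&a, complete_always_resubmit) &&
            model_hcd_pass(&b, complete_stop_on_eproto)) ? 0 : 1;
}
```

In the model the unconditional handler is still being called when the cap is reached, while the handler that checks for -EPROTO runs once and lets the pass finish.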
