Netdev Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Alan Stern <stern@rowland.harvard.edu>
To: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Cc: Felipe Balbi <balbi@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	syzbot <syzbot+abd2e0dafb481b621869@syzkaller.appspotmail.com>,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	Pavel Skripkin <paskripkin@gmail.com>,
	Thierry Escande <thierry.escande@collabora.com>,
	Andrey Konovalov <andreyknvl@gmail.com>
Subject: Re: [syzbot] INFO: task hung in port100_probe
Date: Mon, 25 Oct 2021 14:54:26 -0400	[thread overview]
Message-ID: <20211025185426.GF1258186@rowland.harvard.edu> (raw)
In-Reply-To: <1927ec9b-d1d0-9c70-992b-925ddfbba79a@canonical.com>

On Mon, Oct 25, 2021 at 07:13:59PM +0200, Krzysztof Kozlowski wrote:
> On 25/10/2021 18:22, Alan Stern wrote:
> > On Mon, Oct 25, 2021 at 04:57:23PM +0200, Krzysztof Kozlowski wrote:
> >> The URB which causes crazy loop is the port100 driver second URB, the
> >> one called ack or in_urb.
> >>
> >> The flow is:
> >> 1. probe()
> >> 2. port100_get_command_type_mask()
> >> 3. port100_send_cmd_async()
> >> 4. port100_send_frame_async()
> >> 5. usb_submit_urb(dev->out_urb)
> >>    The call succeeds, the dummy_hcd picks it up and immediately ends the
> >> timer-loop with -EPROTO
> > 
> > So that URB completes immediately.
> > 
> >> The completion here does not resubmit another/same URB. I checked this
> >> carefully and I hope I did not miss anything.
> > 
> > Yeah, I see the same thing.
> > 
> >> 6. port100_submit_urb_for_ack() which sends the in_urb:
> >>    usb_submit_urb(dev->in_urb)
> >> ... wait for completion
> >> ... dummy_hcd loops on this URB around line 2000:
> >> if (status == -EINPROGRESS)
> >>   continue
> > 
> > Do I understand this correctly?  You're saying that dummy-hcd executes 
> > the following jump at line 1975:
> > 
> > 		/* incomplete transfer? */
> > 		if (status == -EINPROGRESS)
> > 			continue;
> > 
> > which goes back up to the loop head on line 1831:
> > 
> > 	list_for_each_entry_safe(urbp, tmp, &dum_hcd->urbp_list, urbp_list) {
> > 
> > Is that right?
> 
> Yes, exactly. The loop continues, iterating over list finishes thus the
> loops and dummy timer function exits. Then immediately it is being
> rescheduled by something (I don't know by what yet).

There's a timer (dum_hcd->timer) which fires every millisecond.  If 
syzbot creates a lot of dummy-hcd instances then each instance will have 
its own timer, which could use up a large part of the available CPU 
time.  But you say this isn't the real problem...

> To remind - the syzbot reproducer must run at least two threads
> (spawning USB gadgets so creating separate dummy devices) at the same
> time. However only one of dummy HCD devices seems to timer-loop
> endlessly... but this might not be important, e.g. maybe it's how syzbot
> reproducer works.
> 
> >  I don't see why this should cause any problem.  It won't 
> > loop back to the same URB; it will make its way through the list.  
> > (Unless the list has somehow gotten corrupted...)  dum_hcd->urbp_list 
> > should be short (perhaps 32 entries at most), so the loop should reach 
> > the end of the list fairly quickly.
> 
> The list has actually only one element - only this one URB coming from
> port100 device (which I was always calling second URB/ack, in_urb).

Okay, good.

> > Now, doing all this 1000 times per second could use up a significant 
> > portion of the available time.  Do you think that's the reason for the 
> > problem?  It seems pretty unlikely.
> 
> No, this timer-looping itself is not a problem. Problem is that this URB
> never reaches some final state, e.g. -EPROTO.

The -EPROTO completion should happen very quickly once the gadget driver 
unregisters or disconnects itself.  This is because the call to 
find_endpoint at line 1856 should return NULL:

		ep = find_endpoint(dum, address);
		if (!ep) {
			/* set_configuration() disagreement */
			dev_dbg(dummy_dev(dum_hcd),
				"no ep configured for urb %p\n",
				urb);
			status = -EPROTO;
			goto return_urb;
		}

The NULL return should be caused by the !is_active test at the 
beginning of find_endpoint:

static struct dummy_ep *find_endpoint(struct dummy *dum, u8 address)
{
	int		i;

	if (!is_active((dum->gadget.speed == USB_SPEED_SUPER ?
			dum->ss_hcd : dum->hs_hcd)))
		return NULL;

is_active is defined as a macro:

#define is_active(dum_hcd)	((dum_hcd->port_status & \
		(USB_PORT_STAT_CONNECTION | USB_PORT_STAT_ENABLE | \
			USB_PORT_STAT_SUSPEND)) \
		== (USB_PORT_STAT_CONNECTION | USB_PORT_STAT_ENABLE))

and a disconnection should turn off the USB_PORT_STAT_CONNECTION bit, as 
follows:

	usb_gadget_unregister_driver calls usb_gadget_remove_driver
		(in drivers/usb/gadget/udc/core.c),

	which calls usb_gadget_disconnect,

	which calls dummy_pullup with value = 0,

	which sets dum->pullup to 0 and calls set_link_state,

	which calls set_link_state_by_speed,

	which turns off the USB_PORT_STATE_CONNECTION bit in 
		dum_hcd->port_status because dum->pullup is 0.

You can try tracing through this sequence of events to see if they're 
not taking place as intended.

> In normal operation, e.g. when reproducer did not hit the issue, both
> URBs from port100 (the first out_urb and second in_urb) complete with
> -EPROTO. In the case leading to hang ("task kworker/0:0:5 blocked for
> more than 143 seconds"), the in_urb does not complete therefore the
> port100 driver waits.

Those "... blocked for more than 143 seconds" errors occur when some 
task or interrupt loop is using up all the CPU time, preventing normal 
processes from running.  In this case the culprit has got to be the 
timer routine and loop in dummy_hcd.  However, the loop should terminate 
once the gadget driver unregisters itself, as described above.

> Whether this intensive timer-loop is important (processing the same URB
> and continuing), I don't know.

Yes, that's how dummy_hcd gets its work done.

Alan Stern

  reply	other threads:[~2021-10-25 18:54 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-22 15:43 syzbot
2021-06-22 16:07 ` Pavel Skripkin
2021-06-22 16:21   ` syzbot
2021-07-22 14:20 ` Krzysztof Kozlowski
2021-07-22 14:23   ` Krzysztof Kozlowski
2021-07-22 14:47   ` Alan Stern
2021-07-23  9:05     ` Krzysztof Kozlowski
2021-07-23 13:07       ` Alan Stern
2021-10-20 20:56     ` Krzysztof Kozlowski
2021-10-20 22:05       ` Alan Stern
2021-10-25 14:57         ` Krzysztof Kozlowski
2021-10-25 16:22           ` Alan Stern
2021-10-25 17:13             ` Krzysztof Kozlowski
2021-10-25 18:54               ` Alan Stern [this message]
2022-03-09 19:33 ` Pavel Skripkin
2022-03-09 19:56   ` syzbot
     [not found] <20220310084247.1148-1-hdanton@sina.com>
2022-03-10 14:22 ` syzbot
     [not found] ` <20220311053751.1226-1-hdanton@sina.com>
2022-03-11 19:17   ` Pavel Skripkin
2022-03-11 19:18     ` syzbot
2022-03-11 19:19       ` Pavel Skripkin
2022-03-11 19:32         ` syzbot
     [not found]   ` <20220312005624.1310-1-hdanton@sina.com>
2022-03-12 10:36     ` Pavel Skripkin
     [not found]     ` <20220312115854.1399-1-hdanton@sina.com>
2022-03-12 12:44       ` Pavel Skripkin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211025185426.GF1258186@rowland.harvard.edu \
    --to=stern@rowland.harvard.edu \
    --cc=andreyknvl@gmail.com \
    --cc=balbi@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=krzysztof.kozlowski@canonical.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=paskripkin@gmail.com \
    --cc=syzbot+abd2e0dafb481b621869@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=thierry.escande@collabora.com \
    --subject='Re: [syzbot] INFO: task hung in port100_probe' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).