Bug 95241

Summary: null pointer assignment in dwc2 driver
Product: Drivers    Reporter: Joerg Schueler-Maroldt (joerg)
Component: USB    Assignee: Greg Kroah-Hartman (greg)
Status: NEW
Severity: normal    CC: howl.nsp
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 3.10.49 and later    Subsystem:
Regression: No    Bisected commit-id:

Description Joerg Schueler-Maroldt 2015-03-22 22:59:22 UTC
Hi,

In "root/drivers/usb/dwc2/hcd.c" line 399:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/drivers/usb/dwc2/hcd.c?id=refs/tags/v3.19.2

399:
	if (qtd->qh->ep_type == USB_ENDPOINT_XFER_BULK &&
	    !(qtd->urb->flags & URB_GIVEBACK_ASAP))
		/*
		 * Do not schedule SG transactions until qtd has
		 * URB_GIVEBACK_ASAP set
		 */
		return 0;

"qtd->urb" may be NULL, and I get a kernel paging request.

The right code to use is:

            !(urb->flags & URB_GIVEBACK_ASAP)

This is the kernel dump from my MIPS RALINK RT3052 machine with OpenWrt.

The "virtual address 0000002c" is the offset of "urb->flags" (44 bytes).
I think this error may be in all kernels with this driver (Raspberry Pi ...).

[   68.986000] CPU 0 Unable to handle kernel paging request at virtual address 0000002c, epc == 80c24aec, ra == 80c24a94
[   68.997000] Oops[#1]:
[   68.997000] Cpu 0
[   68.997000] $ 0   : 00000000 7f806759 00000000 00000002
[   68.997000] $ 4   : 80f5469c 80f7cb00 00000002 00000002
[   68.997000] $ 8   : 00000000 8010f470 00000001 fffffff8
[   68.997000] $12   : 76e7ae38 77280030 00000000 00410000
[   68.997000] $16   : 80f54680 80f24a00 80f54d80 81b45010
[   68.997000] $20   : 81b9e200 00000000 81b627ac 00000000
[   68.997000] $24   : 004141e8 772d6d48
[   68.997000] $28   : 80f38000 80f39d10 00008020 80c24a94
[   68.997000] Hi    : 00000010
[   68.997000] Lo    : 0fd39040
[   68.997000] epc   : 80c24aec dwc2_hcd_select_transactions+0x534/0x690 [dwc2]
[   68.997000]     Tainted: G           O
[   68.997000] ra    : 80c24a94 dwc2_hcd_select_transactions+0x4dc/0x690 [dwc2]
[   68.997000] Status: 1100a403    KERNEL EXL IE
[   68.997000] Cause : 00800008
[   68.997000] BadVA : 0000002c
[   68.997000] PrId  : 0001964c (MIPS 24KEc)
[   68.997000] Modules linked in: spi_ramips(O) mmc_spi option ftdi_sio usb_wwan usbserial usblp cdc_acm ip6t_REJECT ip6t_LOG ip6t_rt ip6t_hbh ip6t_mh ip6t_ipv6header ip6t_frag ip6t_eui64 ip6t_ah ip6table_raw ip6_queue ip6table_mangle ip6table_filter ip6_tables nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_irc nf_conntrack_irc nf_nat_ftp nf_conntrack_ftp xt_policy xt_esp ipt_ah xt_HL xt_hl xt_ecn ipt_ECN xt_CLASSIFY xt_time xt_tcpmss xt_statistic xt_mark xt_length xt_DSCP xt_dscp ipt_MASQUERADE iptable_nat nf_nat xt_recent xt_helper xt_connmark xt_connbytes pppoe xt_conntrack xt_CT xt_NOTRACK iptable_raw xt_state nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack pppox ipt_REJECT xt_TCPMSS ipt_LOG xt_comment xt_multiport xt_mac xt_limit iptable_mangle iptable_filter ip_tables xt_tcpudp x_tables sit ipcomp6 xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_beet esp6 ah6 ipcomp xfrm4_tunnel xfrm4_mode_tunnel xfrm4_mode_transport xfrm4_mode_beet esp4 ah4 ip6_tunnel tunnel6 tunnel4 tun ppp_async ppp_generic slhc xfrm_user xfrm_ipcomp af_key rt2800soc(O) rt2x00soc(O) rt2800mmio(O) rt2800lib(O) rt2x00mmio(O) rt2x00lib(O) mac80211(O) crc7 crc_itu_t crc_ccitt ipv6 eeprom_93cx6 cfg80211(O) compat(O) chainiv eseqiv crypto_wq sha1_generic krng rng md5 hmac des_generic deflate cbc authenc arc4 aes_generic crypto_blkcipher cryptomgr aead mmc_block mmc_core usb_storage dwc2_platform(O) dwc2(O) sd_mod usbcore usb_common scsi_mod crypto_hash crypto_algapi
[   68.997000] Process chat (pid: 1198, threadinfo=80f38000, task=80f8a990, tls=77333440)
[   68.997000] Stack : 80f39d10 80f39d10 802d0008 00000001 00000000 00000000 80f24a00 81b9e200
[   68.997000]         80f24a08 00000000 00000020 80f070d4 00000001 80f070d4 80f07108 80c07030
[   68.997000]         00000000 3b9aca00 00000020 80f2892c 00000001 00000000 0000005c 00000000
[   68.997000]         3b9aca00 80f07000 80f07000 00000001 80f070e0 00000001 80f24a00 80f070d4
[   68.997000]         00000001 80f1b050 00000000 3b9aca00 00000001 80f070b0 00000001 00000001
[   68.997000]         ...
[   68.997000] Call Trace:
[   68.997000] [<80c24aec>] dwc2_hcd_select_transactions+0x534/0x690 [dwc2]
[   68.997000]
[   68.997000]
[   68.997000] Code: 14620006  00000000  8e020014 <8c42002c> 30420001  10400050  00000000  41706000  32100001
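A small triage helper, added here as an example and not part of the bug report or of the dwc2 driver: it parses the Oops fields quoted above (the fault address, the register dump and the faulting word marked <...> on the Code: line), decodes the MIPS load/store that faulted, and checks that base register plus displacement equals the reported BadVA. On the RT3052 dump it confirms that 0000002c is the 44-byte displacement of a load through a register holding zero, which is what the report concludes about urb->flags; on the ARV7519 dump from comment 6 it shows that the 00000004 address comes from the base register itself with a zero displacement. The sample strings are lines excerpted from this bug's dumps; the opcode table covers only the common MIPS32 loads and stores, and the 4096-byte zero-page threshold is an assumption about the target's page size.

```python
"""Triage helper for MIPS kernel Oops dumps (added example; not part of the bug report).

It reads the fault address, the register dump and the 'Code:' line, then
(1) flags a fault inside the first page as a NULL or near-NULL dereference and
(2) decodes the faulting MIPS load/store (the word marked <...>) to check
that base register + displacement really equals the reported BadVA.
"""
import re

# MIPS32 I-type load/store opcodes (instruction bits 31..26).
MIPS_LOADSTORE = {
    0x20: "lb", 0x21: "lh", 0x23: "lw", 0x24: "lbu", 0x25: "lhu",
    0x28: "sb", 0x29: "sh", 0x2B: "sw",
}
REG_NAMES = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
             "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
             "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
             "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]


def decode_loadstore(word):
    """Decode a MIPS32 I-type load/store: op(6) base(5) rt(5) imm(16)."""
    op = word >> 26
    if op not in MIPS_LOADSTORE:
        return None                  # not a load/store; caller decides what to do
    imm = word & 0xFFFF
    if imm & 0x8000:                 # the 16-bit displacement is sign-extended
        imm -= 0x10000
    return {"mnemonic": MIPS_LOADSTORE[op],
            "rt": REG_NAMES[(word >> 16) & 0x1F],
            "base": (word >> 21) & 0x1F,
            "offset": imm}


def parse_registers(oops):
    """Collect the '$ N : v v v v' lines into a 32-entry register file."""
    regs = [None] * 32
    for m in re.finditer(r"\$\s*(\d+)\s*:((?:\s+[0-9a-f]{8})+)", oops):
        first = int(m.group(1))
        for i, val in enumerate(m.group(2).split()):
            regs[first + i] = int(val, 16)
    return regs


def parse_bad_va(oops):
    m = re.search(r"virtual address ([0-9a-f]+)", oops)
    return int(m.group(1), 16) if m else None


def parse_faulting_word(oops):
    m = re.search(r"Code:.*?<([0-9a-f]{8})>", oops)
    return int(m.group(1), 16) if m else None


def triage(oops, page_size=4096):
    """Summarise one Oops: is it a zero-page fault, and which load caused it?"""
    bad_va = parse_bad_va(oops)
    regs = parse_registers(oops)
    word = parse_faulting_word(oops)
    insn = decode_loadstore(word) if word is not None else None
    result = {
        "bad_va": bad_va,
        # A fault inside the zero page means a NULL or near-NULL pointer was used.
        "null_deref": bad_va is not None and bad_va < page_size,
        "insn": None,
        "base_value": None,
        "consistent": None,
    }
    if insn is not None:
        result["insn"] = "%s %s, %d(%s)" % (insn["mnemonic"], insn["rt"],
                                            insn["offset"], REG_NAMES[insn["base"]])
        base_val = regs[insn["base"]]
        if base_val is not None:
            result["base_value"] = base_val
            # BadVA must equal the address the faulting load actually formed.
            result["consistent"] = ((base_val + insn["offset"]) & 0xFFFFFFFF) == bad_va
    return result


# Sample input: lines excerpted from the two dumps attached to this bug.
OOPS_RT3052 = """\
[   68.986000] CPU 0 Unable to handle kernel paging request at virtual address 0000002c, epc == 80c24aec, ra == 80c24a94
[   68.997000] $ 0   : 00000000 7f806759 00000000 00000002
[   68.997000] $ 4   : 80f5469c 80f7cb00 00000002 00000002
[   68.997000] Code: 14620006  00000000  8e020014 <8c42002c> 30420001  10400050  00000000  41706000  32100001
"""
OOPS_ARV7519 = """\
[ 2472.540000] CPU 0 Unable to handle kernel paging request at virtual address 00000004, epc == 87b95284, ra == 87b9523c
[ 2472.548000] $ 0   : 00000000 00000001 00000004 868935b0
[ 2472.548000] $ 4   : 868c4b9c 86893580 868935b0 87b5f47c
Code: 14400055  8fa20010  8e820018 <90430000> 24020002  14620005  00000000  8e22002c  30420001
"""

if __name__ == "__main__":
    for name, dump in (("RT3052", OOPS_RT3052), ("ARV7519", OOPS_ARV7519)):
        print(name, triage(dump))
```

The word just before the faulting one in the first dump, 8e020014, decodes as `lw v0, 20(s0)`: the NULL in v0 was itself loaded from a structure field 20 bytes into whatever s0 points at, and the next load then added the 44-byte displacement to that NULL. Decoding both words this way is usually enough to tell a NULL-plus-offset fault from a corrupted pointer without needing the module's symbols.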
Comment 1 Greg Kroah-Hartman 2015-03-23 07:35:41 UTC
On Sun, Mar 22, 2015 at 10:59:22PM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=95241
> 
>             Bug ID: 95241
>            Summary: null pointer assignment in dwc2 driver

Please send to the linux-usb@vger.kernel.org mailing list
Comment 2 David Santamaría Rogado 2015-11-03 22:16:10 UTC
I'm having the exact same problem with another router. Don't know if it has already been reported in linux-usb, so I'm going to report it now.
Comment 3 Joerg Schueler-Maroldt 2015-11-04 10:09:32 UTC
I have not reported it to linux-usb, because I am lazy and I don't know exactly how to do it without spam.
I have patched a second problem:
With my hardware I switched off power to reset the USB device completely.
Before this patch, sometimes the driver never worked again until reboot.

I think the Raspberry Pi must work with this driver; what is your hardware?



--- C:/Users/joerg/AppData/Local/Temp/TortoiseGit/hcd75B6.tmp/hcd-de44f65-left.c	Wed Nov 04 11:00:56 2015
+++ D:/cc/M2M/Linux/jsmDriver/dwc2/src/hcd.c	Wed Apr 22 11:16:28 2015
@@ -1479,6 +1479,9 @@
 }
 
 /* Handles hub class-specific requests */
+// jsm
+//#define dev_dbg dev_warn
+
 static int dwc2_hcd_hub_control(struct dwc2_hsotg *hsotg, u16 typereq,
 				u16 wvalue, u16 windex, char *buf, u16 wlength)
 {
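Review bot: the two added lines `// jsm` and `//#define dev_dbg dev_warn` are leftover debugging scaffolding and should not ship in this patch; a commented-out macro redefinition that would turn every dev_dbg in the file into a warning has nothing to do with the hub-control change, and the kernel uses /* */ comments rather than //. Drop this hunk so the diff contains only the SetPortFeature change.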
@@ -1699,8 +1702,12 @@
 		dev_dbg(hsotg->dev, "SetPortFeature\n");
 		if (wvalue != USB_PORT_FEAT_TEST && (!windex || windex > 1))
 			goto error;
-
-		if (!hsotg->flags.b.port_connect_status) {
+        // jsm: 
+        // Allways do power
+        // Example: 
+        //      if "overcurrent change" before any device connected 
+        //      we will never get new devices until reboot or unload of driver
+        if (wvalue != USB_PORT_FEAT_POWER && !hsotg->flags.b.port_connect_status) {
 			/*
 			 * The port is disconnected, which means the core is
 			 * either in device mode or it soon will be. Just
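Review bot: the new condition lets a USB_PORT_FEAT_POWER request fall through the `port_connect_status` guard, yet the existing comment directly below it still states that the port is disconnected and the core is or soon will be in device mode, so the hunk needs to say why powering the port is safe in that state (or handle the power request before this block instead of weakening the guard). The rationale in the added comment, an overcurrent change before any device connects leaving the port dead until reboot or driver unload, belongs in the commit message; the added lines also use spaces and // where the surrounding code uses tabs and /* */, and "Allways" should read "Always". As Greg asked in comment 1, this should go to linux-usb@vger.kernel.org rather than stay a local diff.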
Comment 4 David Santamaría Rogado 2015-11-04 11:03:19 UTC
I have forwarded it to the mailing list (I have an email address just for public mailing lists): http://www.spinics.net/lists/linux-usb/msg132062.html

I have an Astoria Networks ARV7519RW22 (http://wiki.openwrt.org/toh/arcadyan/arv7519) with U-Boot modified to allow OpenWrt, and the image I'm using is not the official one but a modified one with small patches.

This is the dump I get:
[  157.324000] CPU 0 Unable to handle kernel paging request at virtual address 0000002c, epc == 87b95298, ra == 87b9523c
[  157.332000] Oops[#1]:
[  157.332000] CPU: 0 PID: 1096 Comm: dnsmasq Not tainted 3.18.20 #1
[  157.332000] task: 87385a18 ti: 8732e000 task.ti: 8732e000
[  157.332000] $ 0   : 00000000 00000001 00000000 00000002
[  157.332000] $ 4   : 8719da9c 87363780 873637b0 87b8147c
[  157.332000] $ 8   : 00000000 8000ab50 007f0000 86c91c00
[  157.332000] $12   : 00800000 00400000 878ad43e 87198340
[  157.332000] $16   : 86c8d100 87322380 87b81200 00000000
[  157.332000] $20   : 8719da80 87a8a090 00000020 87b81410
[  157.332000] $24   : 00000002 800283c4                  
[  157.332000] $28   : 8732e000 8732f878 00008020 87b9523c
[  157.332000] Hi    : 00000007
[  157.332000] Lo    : 55555559
[  157.332000] epc   : 87b95298 0x87b95298 [dwc2@87b90000+0xbf30]
[  157.332000]     Not tainted
[  157.332000] ra    : 87b9523c 0x87b9523c [dwc2@87b90000+0xbf30]
[  157.332000] Status: 1100fc03 KERNEL EXL IE 
[  157.332000] Cause : 00800008
[  157.332000] BadVA : 0000002c
[  157.332000] PrId  : 00019556 (MIPS 34Kc)
[  157.332000] Modules linked in: ltq_ptm_vr9 rt2800usb rt2800lib iptable_nat rt2x00usb rt2x00lib pppoe nf_nat_ipv4 nf_conntrack_ipv6 nf_conntrack_ipd
[  157.332000] Process dnsmasq (pid: 1096, threadinfo=8732e000, task=87385a18, tls=775d5440)
[  157.332000] Stack : 8750e840 80006430 8044880c 80059b88 00000000 87381cfc 86c8d100 87b81200
          8043cc60 86c8d108 00000000 00000020 8700eb60 871a65d0 0000005d 80270300
          00000007 80016790 00000002 00000013 872e49b8 00000001 00000000 80010f48
          00080000 8728828c 87198aa0 872f9ec0 87be3720 00000000 872f2ac0 80006430
          804402f0 872a6ccc ffffffff 00000000 00000020 8732fa18 871d3180 8732f958
          ...
[  157.332000] Call Trace:[<80006430>] 0x80006430
[  157.332000] [<80059b88>] 0x80059b88
[  157.332000] [<80270300>] 0x80270300
[  157.332000] [<80016790>] 0x80016790
[  157.332000] [<80010f48>] 0x80010f48
[  157.332000] [<8728828c>] 0x8728828c [mac80211@87280000+0x5ff80]
[  157.332000] [<80006430>] 0x80006430
[  157.332000] [<872a6ccc>] 0x872a6ccc [mac80211@87280000+0x5ff80]
[  157.332000] [<870d14e8>] 0x870d14e8 [nf_conntrack@870d0000+0xbca0]
[  157.332000] [<870c8a6c>] 0x870c8a6c [nf_nat@870c8000+0x2620]
[  157.332000] [<87238d64>] 0x87238d64 [rt2x00usb@87238000+0x1d90]
[  157.332000] [<87238bd4>] 0x87238bd4 [rt2x00usb@87238000+0x1d90]
[  157.332000] [<871c3ac8>] 0x871c3ac8 [rt2x00lib@871c0000+0x83c0]
[  157.332000] [<870c92a4>] 0x870c92a4 [nf_nat@870c8000+0x2620]
[  157.332000] [<870d14e8>] 0x870d14e8 [nf_conntrack@870d0000+0xbca0]
[  157.332000] [<872397b4>] 0x872397b4 [rt2x00usb@87238000+0x1d90]
[  157.332000] [<87238bd4>] 0x87238bd4 [rt2x00usb@87238000+0x1d90]
[  157.332000] [<871c519c>] 0x871c519c [rt2x00lib@871c0000+0x83c0]
[  157.332000] [<872d0244>] 0x872d0244 [mac80211@87280000+0x5ff80]
[  157.332000] [<8728828c>] 0x8728828c [mac80211@87280000+0x5ff80]
[  157.332000] [<871c240c>] 0x871c240c [rt2x00lib@871c0000+0x83c0]
[  157.332000] [<872a6ccc>] 0x872a6ccc [mac80211@87280000+0x5ff80]
[  157.332000] [<872a7680>] 0x872a7680 [mac80211@87280000+0x5ff80]
[  157.332000] [<871a7068>] 0x871a7068 [ipt_MASQUERADE@871a7000+0x220]
[  157.332000] [<872a8270>] 0x872a8270 [mac80211@87280000+0x5ff80]
[  157.332000] [<872a9fc4>] 0x872a9fc4 [mac80211@87280000+0x5ff80]
[  157.332000] [<802b06a4>] 0x802b06a4
[  157.332000] [<872a9fe8>] 0x872a9fe8 [mac80211@87280000+0x5ff80]
[  157.332000] [<802b0758>] 0x802b0758
[  157.332000] [<802b0ce8>] 0x802b0ce8
[  157.332000] [<870cfa10>] 0x870cfa10 [nf_nat_ipv4@870cf000+0xfe0]
[  157.332000] [<802cc534>] 0x802cc534
[  157.332000] [<802a95f8>] 0x802a95f8
[  157.332000] [<802e7c5c>] 0x802e7c5c
[  157.332000] [<802b108c>] 0x802b108c
[  157.332000] [<802e6b3c>] 0x802e6b3c
[  157.332000] [<802e8624>] 0x802e8624
[  157.332000] [<802e9e3c>] 0x802e9e3c
[  157.332000] [<802e94cc>] 0x802e94cc
[  157.332000] [<802ea9f0>] 0x802ea9f0
[  157.332000] [<80460000>] 0x80460000
[  157.332000] [<8030ffa8>] 0x8030ffa8
[  157.332000] [<803127a0>] 0x803127a0
[  157.332000] [<8005f4d8>] 0x8005f4d8
[  157.332000] [<8004028c>] 0x8004028c
[  157.332000] [<802e88b0>] 0x802e88b0
[  157.332000] [<802944f8>] 0x802944f8
[  157.332000] [<8030f644>] 0x8030f644
[  157.332000] [<80311b90>] 0x80311b90
[  157.332000] [<8030f644>] 0x8030f644
[  157.332000] [<80296dac>] 0x80296dac
[  157.332000] [<8031db38>] 0x8031db38
[  157.332000] [<8029687c>] 0x8029687c
[  157.332000] [<800bc63c>] 0x800bc63c
[  157.332000] [<800bc7a0>] 0x800bc7a0
[  157.332000] [<800cf4c0>] 0x800cf4c0
[  157.332000] [<80294a40>] 0x80294a40
[  157.332000] [<8000875c>] 0x8000875c
[  157.332000] 
[  157.332000] 
Code: 14620006  00000000  8e820014 <8c42002c> 30420001  1040004c  8fa20010  41716000  32310001 
[  157.808000] ---[ end trace 1fae8cce81bc19bc ]---
[  157.816000] Kernel panic - not syncing: Fatal exception in interrupt
[  157.816000] Rebooting in 3 seconds..

I'm waiting for the one who made the OpenWrt image to respond whether he could compile a new one, at least with the qtd->urb->flags to urb->flags change.

I haven't seen the second issue but I haven't messed too much with the device.
Comment 5 David Santamaría Rogado 2015-11-04 11:05:49 UTC
Forgot to say that it is OpenWrt Chaos Calmer 15.05; it comes with the 3.18 kernel.
Comment 6 David Santamaría Rogado 2015-11-06 22:28:06 UTC
With the patch applied it takes longer for a kernel panic to appear, but it's still there, and the address shown is 00000004 instead of 0000002c.

[ 2472.540000] CPU 0 Unable to handle kernel paging request at virtual address 00000004, epc == 87b95284, ra == 87b9523c
[ 2472.548000] Oops[#1]:
[ 2472.548000] CPU: 0 PID: 6 Comm: kworker/u2:0 Not tainted 3.18.23 #1
[ 2472.548000] Workqueue: phy0 rt2x00usb_watchdog [rt2x00usb]
[ 2472.548000] task: 87827028 ti: 8783e000 task.ti: 8783e000
[ 2472.548000] $ 0   : 00000000 00000001 00000004 868935b0
[ 2472.548000] $ 4   : 868c4b9c 86893580 868935b0 87b5f47c
[ 2472.548000] $ 8   : 00000000 8000ab50 007f0000 86893100
[ 2472.548000] $12   : 00800000 00400000 869a806a 87b7f100
[ 2472.548000] $16   : 871da980 871f0b00 87b5f200 00000000
[ 2472.548000] $20   : 868c4b80 87b7ac90 00000020 87b5f410
[ 2472.548000] $24   : 00000002 800287bc                  
[ 2472.548000] $28   : 8783e000 8783f748 00008020 87b9523c
[ 2472.548000] Hi    : 00000006
[ 2472.548000] Lo    : 00000003
[ 2472.548000] epc   : 87b95284 dwc2_hcd_queue_transactions+0x748/0x8cc [dwc2]
[ 2472.548000]     Not tainted
[ 2472.548000] ra    : 87b9523c dwc2_hcd_queue_transactions+0x700/0x8cc [dwc2]
[ 2472.548000] Status: 1100fc03 KERNEL EXL IE 
[ 2472.548000] Cause : 00800008
[ 2472.548000] BadVA : 00000004
[ 2472.548000] PrId  : 00019556 (MIPS 34Kc)
[ 2472.548000] Modules linked in: ltq_ptm_vr9 rt2800usb rt2800lib iptable_nat rt2x00usb rt2x00lib pppoe nf_nat_ipv4 nf_conntrack_ipv6 nf_conntrack_ipd
[ 2472.548000] Process kworker/u2:0 (pid: 6, threadinfo=8783e000, task=87827028, tls=00000000)
[ 2472.548000] Stack : 00000002 00000088 00000005 871b7d80 00000000 8798e8bc 871da980 87b5f200
          8042ec60 871da988 00000000 00000020 87349b60 86a03dd0 00000056 8025e300
          87b5f410 8025c640 87b5f410 878b2480 878b24b8 87b5f410 87b5f484 87b94da0
          87245180 00000005 000005a8 87b96394 00000001 87b5f410 87245180 8697d500
          878b2480 00000005 00000002 87b97400 80988a00 00000002 878b2480 00000000
          ...
[ 2472.548000] Call Trace:
[ 2472.548000] [<87b95284>] dwc2_hcd_queue_transactions+0x748/0x8cc [dwc2]
[ 2472.548000] 
[ 2472.548000] 
Code: 14400055  8fa20010  8e820018 <90430000> 24020002  14620005  00000000  8e22002c  30420001 
[ 2472.784000] ---[ end trace efb00c260ee11fba ]---
[ 2472.792000] Kernel panic - not syncing: Fatal exception in interrupt
[ 2472.792000] Rebooting in 3 seconds..
Comment 7 David Santamaría Rogado 2015-11-07 14:47:48 UTC
A lot of patches for different aspects of the dwc2 driver are entering the kernel-usb mailing list; if I can, I will try to see what happens in OpenWrt trunk, as it comes with kernel 4.3 but uses 4.1.11 for the target of the router I have.
Comment 8 David Santamaría Rogado 2015-11-22 22:22:49 UTC
I have flashed a new unofficial OpenWrt image with the latest OpenWrt patches created by medber, and the bug is resolved.

I think this is the patch that solves it: https://dev.openwrt.org/changeset/47563, so the problem is with the parameters for ltq not yet included in the mainstream kernel.

Joerg, check if you use the same parameter definition for your router and apply the patch. If not, check the parameters that are defined for your board and try to improve them to see if that makes the dwc2 module stable for you.
Comment 9 David Santamaría Rogado 2015-11-23 23:33:11 UTC
I commented too early: with the ltq parameters tuned with the blogic patch, the kernel panic only happens on some boots. Sometimes the system doesn't autoreboot with the panic, but the USB gets locked and then works, then locked again, then works... no reboot but no stable USB transfer.
Comment 10 David Santamaría Rogado 2016-01-31 13:23:07 UTC
It's solved within the 4.4 kernel dwc2 module changes.