Commit d328df9085b05f4f3ccdbe2ca1f980d72844641f (USB: devio: Don't corrupt user memory) causes the XHCI Host Controller to die on passthrough of audio devices. I've tried 2 different physical devices, both exhibiting the same behaviour: - 0d8c:0012 (C-Media Electronics, Inc.) - 0d8c:000c (C-Media Electronics, Inc. Audio Adapter) So far it seems limited to audio devices (maybe even C-Media devices?) as I've also tried forwarding a keyboard and mouse, as well as a bluetooth module, none of which caused the host controller to die. The devices are assigned to a VM using 'virsh attach-device' and have the following definitions: <hostdev mode='subsystem' type='usb'> <source> <vendor id='0x0d8c'/> <product id='0x0012'/> </source> </hostdev> <hostdev mode='subsystem' type='usb'> <source> <vendor id='0x0d8c'/> <product id='0x000c'/> </source> </hostdev> At this point the XHCI Host Controller dies with the following trace and messages, starting with the warning message introduced in the above mentioned commit: okt 14 02:47:00 Omar-PC kernel: uurb->buffer_length is too short 6144 vs 0 okt 14 02:47:00 Omar-PC kernel: ------------[ cut here ]------------ okt 14 02:47:00 Omar-PC kernel: WARNING: CPU: 6 PID: 708 at drivers/usb/core/devio.c:1583 proc_do_submiturb+0x993/0xd60 [usbcore] okt 14 02:47:00 Omar-PC kernel: Modules linked in: vhost_net vhost tap tun ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter devlink nct6775 hwmon_vid mousedev input_leds joydev hid_gen okt 14 02:47:00 Omar-PC kernel: snd_hda_codec snd_hda_core led_class mxm_wmi snd_hwdep video i2c_algo_bit snd_pcm ttm e1000e snd_timer tpm_tis snd ptp mei_me tpm_tis_core raid6_pq intel_rapl_perf pcsp okt 14 02:47:00 Omar-PC kernel: CPU: 6 PID: 708 Comm: qemu-system-x86 Tainted: P O 4.13.6-1-ARCH #1 okt 14 02:47:00 Omar-PC kernel: Hardware name: ASUS All Series/X99-A, BIOS 3701 03/31/2017 okt 14 02:47:00 Omar-PC kernel: task: ffff91e315f44b00 task.stack: ffff9e6904e48000 okt 14 02:47:00 Omar-PC kernel: RIP: 0010:proc_do_submiturb+0x993/0xd60 [usbcore] okt 14 02:47:00 Omar-PC kernel: RSP: 0018:ffff9e6904e4bd38 EFLAGS: 00010282 okt 14 02:47:00 Omar-PC kernel: RAX: 000000000000002a RBX: ffff91e3025a69c0 RCX: ffffffffa5a55328 okt 14 02:47:00 Omar-PC kernel: RDX: 0000000000000000 RSI: 0000000000000096 RDI: 0000000000000283 okt 14 02:47:00 Omar-PC kernel: RBP: ffff9e6904e4bdc0 R08: 00000000000004cd R09: ffffffffa5ca68e0 okt 14 02:47:00 Omar-PC kernel: R10: 0000000000000200 R11: 0000000000000000 R12: 0000000000000001 okt 14 02:47:00 Omar-PC kernel: R13: ffff91e3174a9240 R14: 00007f335e711fb8 R15: ffff9e6904e4be00 okt 14 02:47:00 Omar-PC kernel: FS: 00007f337013a340(0000) GS:ffff91e31f380000(0000) knlGS:0000000000000000 okt 14 02:47:00 Omar-PC kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 okt 14 02:47:00 Omar-PC kernel: CR2: 0000561451d69fe0 CR3: 0000000802458000 CR4: 00000000001426e0 okt 14 02:47:00 Omar-PC kernel: Call Trace: okt 14 02:47:00 Omar-PC kernel: ? compat_poll_select_copy_remaining+0x120/0x120 okt 14 02:47:00 Omar-PC kernel: usbdev_do_ioctl+0xa34/0x1170 [usbcore] okt 14 02:47:00 Omar-PC kernel: ? compat_poll_select_copy_remaining+0x120/0x120 okt 14 02:47:00 Omar-PC kernel: usbdev_ioctl+0xe/0x20 [usbcore] okt 14 02:47:00 Omar-PC kernel: do_vfs_ioctl+0xa5/0x600 okt 14 02:47:00 Omar-PC kernel: ? __fget+0x6e/0x90 okt 14 02:47:00 Omar-PC kernel: SyS_ioctl+0x79/0x90 okt 14 02:47:00 Omar-PC kernel: entry_SYSCALL_64_fastpath+0x1a/0xa5 okt 14 02:47:00 Omar-PC kernel: RIP: 0033:0x7f3368f4c157 okt 14 02:47:00 Omar-PC kernel: RSP: 002b:00007ffcbea032e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 okt 14 02:47:00 Omar-PC kernel: RAX: ffffffffffffffda RBX: 00007ffcbea03570 RCX: 00007f3368f4c157 okt 14 02:47:00 Omar-PC kernel: RDX: 00007f335e711f80 RSI: 000000008038550a RDI: 000000000000004b okt 14 02:47:00 Omar-PC kernel: RBP: 00007f335e6acc40 R08: 0000000000000008 R09: fffffffffffffff8 okt 14 02:47:00 Omar-PC kernel: R10: 00007f335e7a4400 R11: 0000000000000246 R12: 00007ffcbea035d4 okt 14 02:47:00 Omar-PC kernel: R13: 00007f335e6acc40 R14: 0000557de855dd78 R15: 0000557de897d200 okt 14 02:47:00 Omar-PC kernel: Code: 00 c7 45 a8 00 00 00 00 48 c7 45 b8 00 00 00 00 0f 85 5e f8 ff ff 89 c2 48 c7 c7 40 8f 0d c1 c6 05 37 2b 01 00 01 e8 8e 0c 01 e4 <0f> ff 49 63 47 18 e9 3e f8 ff ff okt 14 02:47:00 Omar-PC kernel: ---[ end trace 9d1e179a0ff04407 ]--- okt 14 02:47:00 Omar-PC kernel: DMAR: DRHD: handling fault status reg 2 okt 14 02:47:00 Omar-PC kernel: DMAR: [DMA Read] Request device [00:14.0] fault addr 0 [fault reason 06] PTE Read access is not set okt 14 02:47:06 Omar-PC kernel: xhci_hcd 0000:00:14.0: xHCI host not responding to stop endpoint command. okt 14 02:47:06 Omar-PC kernel: xhci_hcd 0000:00:14.0: xHCI host controller not responding, assume dead okt 14 02:47:06 Omar-PC kernel: xhci_hcd 0000:00:14.0: HC died; cleaning up This is not reproducible in 4.13.5 and the passthrough works fine. By the nature of the commit it'd seem the commit itself may not be the root cause (I'd expect the buffer to be >0 in the first place) but it does cause the whole XHCI Host Controller to die now that it doesn't just overwrites the size.
On Sat, Oct 14, 2017 at 02:21:06AM +0000, bugzilla-daemon@bugzilla.kernel.org wrote: > https://bugzilla.kernel.org/show_bug.cgi?id=197275 > > Bug ID: 197275 > Summary: Commit d328df9 causes the XHCI host controller to die > on passthrough of audio device > Product: Drivers > Version: 2.5 > Kernel Version: 4.13.6 All USB bugs should be sent to the linux-usb@vger.kernel.org mailing list, and not entered into bugzilla. Please bring this issue up there, if it is still a problem in the latest kernel release.