[PATCH][Xenial] System hang when plug/pull USB 3.1 key

AceLan Kao acelan.kao at canonical.com
Wed Aug 24 06:30:52 UTC 2016


BugLink: http://bugs.launchpad.net/bugs/1616318

Impact:
Plugging/unplugging a USB 3.1 key sometimes leads to a double free and a hang.

BUG: unable to handle kernel paging request at 00007f2d64d7e000
IP: [<ffffffff811eb987>] kmem_cache_alloc+0x77/0x1f0
PGD 17780e067 PUD 177fa8067 PMD 1744ed067 PTE 8000000172d53865
Oops: 0001 [#1] SMP
Modules linked in: uas usb_storage rfcomm arc4 nvram msr bnep uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core v4l2_common videodev media btusb btrtl hid_multitouch nls_iso8859_1 snd_hda_codec_hdmi(OE) dell_led ath10k_pci ath10k_core x86_pkg_temp_thermal coretemp kvm_intel i2c_designware_platform dell_laptop ath i2c_designware_core dcdbas kvm dell_wmi snd_hda_codec_realtek(OE) snd_hda_codec_generic(OE) mac80211 irqbypass snd_hda_intel(OE) crct10dif_pclmul snd_hda_codec(OE) crc32_pclmul snd_hda_core(OE) snd_hwdep aesni_intel cfg80211 snd_pcm aes_x86_64 lrw gf128mul snd_seq_midi glue_helper snd_seq_midi_event ablk_helper rtsx_pci_ms snd_rawmidi cryptd memstick snd_seq snd_seq_device snd_timer joydev snd input_leds serio_raw soundcore idma64 mei_me virt_dma shpchp
 mei processor_thermal_device intel_lpss_pci intel_soc_dts_iosf hci_uart btbcm btqca btintel bluetooth int3403_thermal soc_button_array acpi_als intel_vbtn(OE) intel_lpss_acpi int340x_thermal_zone int3400_thermal intel_lpss kfifo_buf intel_hid(OE) acpi_thermal_rel tpm_crb mac_hid industrialio acpi_pad sparse_keymap parport_pc ppdev lp parport autofs4 btrfs xor raid6_pq dm_mirror dm_region_hash dm_log rtsx_pci_sdmmc i915_bpo intel_ips i2c_algo_bit drm_kms_helper psmouse syscopyarea sysfillrect sysimgblt fb_sys_fops drm ahci rtsx_pci libahci wmi i2c_hid hid pinctrl_sunrisepoint video pinctrl_intel fjes
CPU: 0 PID: 348 Comm: systemd-udevd Tainted: G           OE   4.4.0-31-generic #50 
Hardware name: Dell Inc. XPS 13 9xxx/      , BIOS 0.1.9 07/08/2016 
task: ffff8801744ae740 ti: ffff880176fc4000 task.ti: ffff880176fc4000
RIP: 0010:[<ffffffff811eb987>]  [<ffffffff811eb987>] kmem_cache_alloc+0x77/0x1f0
RSP: 0018:ffff880176fc7d18  EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000002000200 RCX: 0000000000016b24
RDX: 0000000000016b23 RSI: 0000000002000200 RDI: 0000000000019f80
RBP: ffff880176fc7d48 R08: ffff88017e419f80 R09: 00007f2d64d7e000
R10: ffff88017e7f9000 R11: 0000000000000000 R12: 0000000002000200
R13: ffffffff811cc1cc R14: ffff880179801b00 R15: ffff880179801b00
FS:  00007f2d655b48c0(0000) GS:ffff88017e400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2d64d7e000 CR3: 000000017519e000 CR4: 00000000003406f0
Stack:
 00007f2d64f87000 ffff880176ed2258 0000000000000000 ffff880174a46400
 0000000000000001 ffff880178201740 ffff880176fc7da0 ffffffff811cc1cc
 ffff880177fa8940 ffff880174952e10 ffff880176ed22d0 ffff880174952e88
Call Trace:
 [<ffffffff811cc1cc>] anon_vma_clone+0x6c/0x200
 [<ffffffff811cc392>] anon_vma_fork+0x32/0x140
 [<ffffffff8107fbf1>] copy_process+0x1491/0x1ae0
 [<ffffffff810803d0>] _do_fork+0x80/0x360
 [<ffffffff81080759>] SyS_clone+0x19/0x20
 [<ffffffff8182dc72>] entry_SYSCALL_64_fastpath+0x16/0x71
Code: 08 65 4c 03 05 23 e8 e1 7e 49 83 78 10 00 4d 8b 08 0f 84 29 01 00 00 4d 85 c9 0f 84 20 01 00 00 49 63 47 20 48 8d 4a 01 49 8b 3f <49> 8b 1c 01 4c 89 c8 65 48 0f c7 0f 0f 94 c0 84 c0 74 bb 49 63
RIP  [<ffffffff811eb987>] kmem_cache_alloc+0x77/0x1f0
 RSP <ffff880176fc7d18>
CR2: 00007f2d64d7e000
---[ end trace b9e09010f7e6a2c6 ]---

Fix:
This patch fixes the problem by changing hcd_release() so that it
deallocates the bandwidth_mutex only when the _last_ hcd structure
referencing it is released.
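
The release pattern described above, as an added user-space model that is not the kernel's code or this patch: two HCD structures (primary and its USB 3.x peer) share one bandwidth mutex; the early-release variant frees it from both, the fixed variant detaches from the peer and frees only when no peer remains. Struct names mirror struct usb_hcd fields but are constructed stand-ins, and the locking the kernel uses around peer detach is omitted.

```c
#include <stddef.h>

/* Constructed stand-in for the kernel's struct mutex; tracks release attempts
 * so a double free can be observed instead of crashing the process. */
struct bw_mutex {
    int live;   /* 1 while allocated, 0 once released */
    int frees;  /* number of release attempts; 2 for one object == double free */
};

/* Constructed stand-in for the relevant struct usb_hcd fields. */
struct hcd {
    struct hcd *shared_hcd;           /* the peer HCD, or NULL once it is gone */
    struct bw_mutex *bandwidth_mutex; /* jointly owned by primary and peer */
};

static void bw_mutex_put(struct bw_mutex *m)
{
    m->frees++;
    m->live = 0;
}

/* Early release: every HCD frees the mutex it points to, so the peer
 * ends up holding a dangling pointer and frees it again. */
static void hcd_release_early(struct hcd *h)
{
    bw_mutex_put(h->bandwidth_mutex);
}

/* Last-owner release: detach from the peer first; only an HCD with no
 * remaining peer actually frees the shared mutex. */
static void hcd_release_last(struct hcd *h)
{
    if (h->shared_hcd) {
        h->shared_hcd->shared_hcd = NULL; /* peer now knows it is alone */
        h->shared_hcd = NULL;
    } else {
        bw_mutex_put(h->bandwidth_mutex);
    }
}

/* Tear down a primary/peer pair with the given release function and return
 * how many times the shared mutex was freed (exactly 1 is correct). */
static int teardown_pair(void (*release)(struct hcd *))
{
    struct bw_mutex m = { 1, 0 };
    struct hcd primary = { NULL, &m }, peer = { NULL, &m };

    primary.shared_hcd = &peer;
    peer.shared_hcd = &primary;

    release(&primary); /* unplug: primary HCD released first */
    release(&peer);    /* then its USB 3.x peer */
    return m.frees;
}
```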

Tested:
Tested on Dell Dino2 and Dino2 MLK

Alan Stern (1):
  USB: don't free bandwidth_mutex too early

 drivers/usb/core/hcd.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
