Observer chrisjrh
Observer
327 Views
Registered: ‎06-05-2017

USB2 UAS NULL pointer dereference

I can mount an external drive using USB2 and the uas driver with no issues. After a few seconds of copying a 1GB file I get a null pointer dereference.

Steps to reproduce:

  • Attach a uas capable drive with a USB2 cable
  • Mount the disk
  • Copy a 1GB file to the disk
  • Observe the following over serial after a few seconds of transfer
Unable to handle kernel NULL pointer dereference at virtual address 00000098
[  172.373906] Mem abort info:
[  172.376688]   Exception class = DABT (current EL), IL = 32 bits
[  172.382591]   SET = 0, FnV = 0
[  172.385636]   EA = 0, S1PTW = 0
[  172.388760] Data abort info:
[  172.391625]   ISV = 0, ISS = 0x00000006
[  172.395445]   CM = 0, WnR = 0
[  172.398398] user pgtable: 4k pages, 39-bit VAs, pgd = ffffffc879dcb000
[  172.404917] [0000000000000098] *pgd=0000000879f65003, *pud=0000000879f65003, *pmd=0000000000000000
[  172.413870] Internal error: Oops: 96000006 [#1] SMP
[  172.418735] Modules linked in: nfsd lsm303d uio_pdrv_genirq xt_conntrack xt_nat iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
[  172.435880] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.14.0 #1
[  172.442137] Hardware name: ZynqMP (DT)
[  172.446746] task: ffffff8008b21480 task.stack: ffffff8008b10000
[  172.452663] PC is at uas_stat_cmplt+0x2c/0x3a8
[  172.457097] LR is at __usb_hcd_giveback_urb+0x74/0xe8
[  172.462136] pc : [<ffffff8008622a8c>] lr : [<ffffff80085f5174>] pstate: 600001c5
[  172.469526] sp : ffffff8008003c10
[  172.472829] x29: ffffff8008003c10 x28: 0000000000000006 
[  172.478133] x27: ffffff8008e8d0a0 x26: ffffffc87ab0c000 
[  172.483437] x25: ffffff8008003e6c x24: 0000000000000000 
[  172.488740] x23: ffffffc87ae0ec80 x22: ffffffc87a910274 
[  172.494044] x21: ffffffc87b1a2810 x20: 00000000000001c0 
[  172.499347] x19: ffffffc879d2e300 x18: ffffff800c0bb710 
[  172.504651] x17: 6db6db6db6db6db7 x16: ffffffbf00000000 
[  172.509955] x15: 0000000000004c61 x14: 0000000000000001 
[  172.515258] x13: 0000000000000024 x12: 0000000000000070 
[  172.520561] x11: ffffffc879d2e300 x10: ffffffc87ae0eb08 
[  172.525865] x9 : ffffffc87b400358 x8 : 0000000000000000 
[  172.531169] x7 : 0000000078416f80 x6 : 0000000073fff000 
[  172.536472] x5 : dead000000000100 x4 : dead000000000200 
[  172.541775] x3 : ffffffc879d2ba30 x2 : 00000000000007f1 
[  172.547079] x1 : ffffff8008622a60 x0 : 0000000000000000 
[  172.552384] Process swapper/0 (pid: 0, stack limit = 0xffffff8008b10000)
[  172.559076] Call trace:
[  172.561515] Exception stack(0xffffff8008003ad0 to 0xffffff8008003c10)
[  172.567949] 3ac0:                                   0000000000000000 ffffff8008622a60
[  172.575772] 3ae0: 00000000000007f1 ffffffc879d2ba30 dead000000000200 dead000000000100
[  172.583592] 3b00: 0000000073fff000 0000000078416f80 0000000000000000 ffffffc87b400358
[  172.591413] 3b20: ffffffc87ae0eb08 ffffffc879d2e300 0000000000000070 0000000000000024
[  172.599233] 3b40: 0000000000000001 0000000000004c61 ffffffbf00000000 6db6db6db6db6db7
[  172.607054] 3b60: ffffff800c0bb710 ffffffc879d2e300 00000000000001c0 ffffffc87b1a2810
[  172.614875] 3b80: ffffffc87a910274 ffffffc87ae0ec80 0000000000000000 ffffff8008003e6c
[  172.622696] 3ba0: ffffffc87ab0c000 ffffff8008e8d0a0 0000000000000006 ffffff8008003c10
[  172.630517] 3bc0: ffffff80085f5174 ffffff8008003c10 ffffff8008622a8c 00000000600001c5
[  172.638337] 3be0: ffffff8008003c20 ffffff80085f4ff8 0000008000000000 ffffffc87a910000
[  172.646157] 3c00: ffffff8008003c10 ffffff8008622a8c
[  172.651029] [<ffffff8008622a8c>] uas_stat_cmplt+0x2c/0x3a8
[  172.656507] [<ffffff80085f5174>] __usb_hcd_giveback_urb+0x74/0xe8
[  172.662589] [<ffffff80085f5310>] usb_hcd_giveback_urb+0x40/0xe8
[  172.668505] [<ffffff8008617ee4>] xhci_giveback_urb_in_irq.isra.26+0x8c/0xb8
[  172.675464] [<ffffff80086180d8>] xhci_td_cleanup+0xc8/0x110
[  172.681024] [<ffffff800861b954>] finish_td.isra.45+0xec/0x128
[  172.686763] [<ffffff800861c288>] xhci_irq+0x8f8/0x12c8
[  172.691895] [<ffffff80085f4e6c>] usb_hcd_irq+0x2c/0x48
[  172.697026] [<ffffff80080e5a8c>] __handle_irq_event_percpu+0x9c/0x128
[  172.703456] [<ffffff80080e5b34>] handle_irq_event_percpu+0x1c/0x58
[  172.709629] [<ffffff80080e5bb4>] handle_irq_event+0x44/0x78
[  172.715192] [<ffffff80080e981c>] handle_fasteoi_irq+0x9c/0x190
[  172.721015] [<ffffff80080e4b8c>] generic_handle_irq+0x24/0x38
[  172.726754] [<ffffff80080e520c>] __handle_domain_irq+0x5c/0xb8
[  172.732577] [<ffffff80080814c0>] gic_handle_irq+0x68/0xc8
[  172.737964] Exception stack(0xffffff8008b13d80 to 0xffffff8008b13ec0)
[  172.744398] 3d80: 0000000000000000 ffffffc87ff7ce80 0000004877474000 00000000000179ee
[  172.752220] 3da0: 0000000000000016 00ffffffffffffff 000000000a612cc7 00000000000032a0
[  172.760041] 3dc0: 000000000000143c ffffffc87ff7be84 ffffffc87ff7be64 0000000000000cfd
[  172.767861] 3de0: 071c71c71c71c71c 0000000000000024 0000000000000001 0000000000004c61
[  172.775682] 3e00: ffffffbf00000000 6db6db6db6db6db7 ffffff800c0bb710 0000002821cc74e8
[  172.783503] 3e20: ffffffc87af5ae00 0000000000000000 ffffffc87b30d000 ffffffc87b30d000
[  172.791324] 3e40: 0000002820f4fbf7 ffffff8008b21480 000000007feddaec 0000000000000400
[  172.799145] 3e60: 0000000000aa0018 ffffff8008b13ec0 ffffff8008660f58 ffffff8008b13ec0
[  172.806965] 3e80: ffffff8008660f5c 0000000060000145 ffffffc87b30d018 ffffffc87af5ae00
[  172.814786] 3ea0: ffffffffffffffff ffffffc87b30d000 ffffff8008b13ec0 ffffff8008660f5c
[  172.822608] [<ffffff80080830f0>] el1_irq+0xb0/0x140
[  172.827479] [<ffffff8008660f5c>] cpuidle_enter_state+0x154/0x200
[  172.833476] [<ffffff8008661040>] cpuidle_enter+0x18/0x20
[  172.838778] [<ffffff80080d9c00>] call_cpuidle+0x18/0x30
[  172.843997] [<ffffff80080d9e3c>] do_idle+0x19c/0x1d8
[  172.848952] [<ffffff80080d9fe0>] cpu_startup_entry+0x20/0x28
[  172.854603] [<ffffff80088335a4>] rest_init+0xac/0xb8
[  172.859557] [<ffffff8008aa0b88>] start_kernel+0x39c/0x3b0
[  172.864950] Code: b9406018 f9405800 f9403677 f9401c00 (f9404c14) 
[  172.871033] ---[ end trace b27cd50f161de741 ]---
[  172.875639] Kernel panic - not syncing: Fatal exception in interrupt
[  172.881987] SMP: stopping secondary CPUs
[  172.885957] Kernel Offset: disabled
[  172.889432] CPU features: 0x002004
[  172.892823] Memory Limit: none
[  172.895864] ---[ end Kernel panic - not syncing: Fatal exception in interrupt

This happens within the uas_stat_cmplt function inside uas.c. After a few seconds of copy it gets into a state where this function is called and cmd->device is equal to NULL, causing the above error when it executes the line:

struct uas_dev_info *devinfo = (struct uas_dev_info *)cmnd->device->hostdata;

At present I am not too sure where the device pointer becomes NULL. I have observed this on the 2018.2 and 2018.3 releases. USB3 seems to work fine, as does USB2 when using a device that uses the usb-storage driver instead of uas.

After a power cycle, I will get the following from the kernel:

usb 1-1: device descriptor read/64, error -110 (Connection timed out)
usb 1-1: device descriptor read/64, error -110
usb 1-1 new high-speed USB device number 3 using xhci-hcd
usb 1-1: device descriptor read/64, error -110
usb 1-1: device descriptor read/64, error -110
usb 1-1 new high-speed USB device number 4 using xhci-hcd
xhci-hcd xhci-hcd.0.auto: Timeout while waiting for setup device command
xhci-hcd xhci-hcd.0.auto: Timeout while waiting for setup device command
usb 1-1: device not accepting address 4, error -62 (Timer expired)
usb 1-1 new high-speed USB device number 5 using xhci-hcd
xhci-hcd xhci-hcd.0.auto: Timeout while waiting for setup device command
xhci-hcd xhci-hcd.0.auto: Timeout while waiting for setup device command
usb 1-1: device not accepting address 5, error -62
usb usb1-port1: unable to enumerate USB device

The previous null pointer exception leaves the drive in a bad state that is only recoverable by unplugging the drive. Subsequent reboots will give the above errors; only when I remove the USB cable and plug it back in will the drive appear as a storage device without these errors.

Comparing the Xilinx Linux fork against the mainline repo I came across the following commit which suggests a hardware issue that causes issues with dwc3 and uas compatible devices:

https://github.com/Xilinx/linux-xlnx/commit/ef875d2e98b626659f7e02cdedbbb20d5865b636

Could this be linked to the above?

I would appreciate some help / advice on debugging this further.

Many thanks!

0 Kudos
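
A triage check for the oops in the post above, as an added example (not part of the original post, and not Xilinx or kernel code): it decodes the words on the Code: line as AArch64 unsigned-offset loads and checks that the faulting word, combined with the dumped base register, reproduces the reported fault address. The function names are hypothetical, and only this one instruction form is decoded.

```python
import re

# Lines copied from the oops in the post above (timestamps dropped).
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000098
PC is at uas_stat_cmplt+0x2c/0x3a8
x1 : ffffff8008622a60 x0 : 0000000000000000
Code: b9406018 f9405800 f9403677 f9401c00 (f9404c14)
"""

def decode_ldr_uimm(word):
    """Decode an A64 load with unsigned immediate offset; None for anything else."""
    if (word >> 22) & 0xFF != 0b11100101:    # bits 29:22 = 111 0 01 01
        return None
    size = word >> 30                        # log2 of the access width in bytes
    return {"rt": word & 0x1F, "rn": (word >> 5) & 0x1F,
            "offset": ((word >> 10) & 0xFFF) << size, "size": size}

def fmt(insn):
    """Render a decoded load as assembly text (base register 31 is SP)."""
    op = ("ldrb", "ldrh", "ldr", "ldr")[insn["size"]]
    rt = ("x" if insn["size"] == 3 else "w") + \
         ("zr" if insn["rt"] == 31 else str(insn["rt"]))
    rn = "sp" if insn["rn"] == 31 else "x%d" % insn["rn"]
    return "%s %s, [%s, #0x%x]" % (op, rt, rn, insn["offset"])

def triage(oops):
    """Tie the faulting instruction (the word in parentheses) to the fault address."""
    fault = int(re.search(r"virtual address ([0-9a-f]+)", oops).group(1), 16)
    regs = {int(n): int(v, 16)
            for n, v in re.findall(r"\bx(\d+)\s*: ([0-9a-f]{16})", oops)}
    result = {"fault": fault, "listing": []}
    for w in re.search(r"Code: (.*)", oops).group(1).split():
        insn = decode_ldr_uimm(int(w.strip("()"), 16))
        text = fmt(insn) if insn else "(not decoded)"
        result["listing"].append(text)
        if w.startswith("(") and insn and insn["rn"] in regs:
            base = regs[insn["rn"]]
            result.update(faulting=text, base=base,
                          matches_fault=(base + insn["offset"] == fault))
    return result

if __name__ == "__main__":
    r = triage(OOPS)
    print("\n".join(r["listing"]))
    print("faulting:", r.get("faulting"), "| base:", r.get("base"),
          "| explains fault address:", r.get("matches_fault"))
```

On this oops the faulting word is a 64-bit load at offset 0x98 from x0, and x0 is zero in the register dump, so the fault address 0x98 is a structure-field read through a NULL pointer that the preceding load had just fetched.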
1 Reply
Observer chrisjrh
Observer
251 Views
Registered: ‎06-05-2017

Re: USB2 UAS NULL pointer dereference

To add to the above I have observed the same on a ZCU102 board running the 2018.2 Petalinux release.

The device I'm using is a Delock 42488 2.5” enclosure:

https://www.delock.com/produkte/S_42488/merkmale.html

I have used a USB2 device that uses the usb-storage driver with no issues. Using the Delock with USB 3.0 and the UAS driver is fine; it is only when using a USB 2.0 cable that the UAS driver encounters the NULL pointer dereference.

Has anyone successfully used a USB 2.0 device that uses the UAS driver, instead of the usb-storage (BOT) driver?

 

0 Kudos