System hang when plug/pull USB 3.1 key via thunderbolt port over 5 times

Bug #1616318 reported by AceLan Kao on 2016-08-24
This bug affects 1 person
Affects Status Importance Assigned to Milestone
HWE Next
linux (Ubuntu)
AceLan Kao

Bug Description

1) Install Ubuntu 16.04
2) Enter the desktop.
3) Insert the USB 3.1 key in the thunderbolt port.
4) Remove the USB 3.1 key from the thunderbolt port.
5) Insert the USB 3.1 key in the thunderbolt port.

Expected results: Can detect the USB 3.1 key and system will not hang.

Actual results: System Hang

AceLan Kao (acelankao) wrote :

This commit can fix this issue

commit ab2a4bf83902c170d29ba130a8abb5f9d90559e1
Author: Alan Stern <email address hidden>
Date: Mon Jun 27 10:23:10 2016 -0400

    USB: don't free bandwidth_mutex too early

    The USB core contains a bug that can show up when a USB-3 host
    controller is removed. If the primary (USB-2) hcd structure is
    released before the shared (USB-3) hcd, the core will try to do a
    double-free of the common bandwidth_mutex.

    The problem was described in graphical form by Chung-Geol Kim, who
    first reported it:

         At *remove USB(3.0) Storage
         sequence <1> --> <5> ((Problem Case))
                               |<1>                |
                               |dwc3_otg_sm_work   |
                               |usb_put_hcd        |
                               |<2>                |
                               |New USB BUS #2     |
                               |                   |
                               |peer_hcd(kref=1)   |
                               |                   |
                             | |___________________|
        ___________________  |
       |<3>                | |
       |dwc3_otg_sm_work   | |
       |usb_put_hcd        | |
       |primary_hcd(kref=1)| |
       |___________________| |
        _________|_________  |
       |<4>                | |
       |New USB BUS #1     | |
       |hcd_release        | |
       |primary_hcd(kref=0)| |
       |                   | |
       |bandXX_mutex(free) |<-
                                   (( VOLD ))
                               |<5>                |
                               | SCSI              |
                               |usb_put_hcd        |
                               |peer_hcd(kref=0)   |
                               |*hcd_release       |
                               |bandXX_mutex(free*)|<- double free


    This happens because hcd_release() frees the bandwidth_mutex whenever
    it sees a primary hcd being released (which is not a very good idea
    in any case), but in the course of releasing the primary hcd, it
    changes the pointers in the shared hcd in such a way that the shared
    hcd will appear to be primary when it gets released.

    This patch fixes the problem by changing hcd_release() so that it
    deallocates the bandwidth_mutex only when the _last_ hcd structure
    referencing it is released. The patch also removes an unnecessary


AceLan Kao (acelankao) on 2016-08-24
description: updated
tags: added: patch
Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
AceLan Kao (acelankao) on 2016-08-25
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
tags: added: cherry-pick
Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
Tim Gardner (timg-tpi) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
AceLan Kao (acelankao) wrote :

With kernel 4.4.0-38.57, I can't reproduce this issue.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-38.57

linux (4.4.0-38.57) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1620658

  * CIFS client: access problems after updating to kernel 4.4.0-29-generic
    (LP: #1612135)
    - Revert "UBUNTU: SAUCE: (namespace) Bypass sget() capability check for nfs"
    - fs: Call d_automount with the filesystems creds

  * apt-key add fails in overlayfs (LP: #1618572)
    - SAUCE: overlayfs: fix regression in whiteout detection

linux (4.4.0-37.56) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1618040

  * [Feature] Instruction decoder support for new SKX instructions- AVX512
    (LP: #1591655)
    - x86/insn: perf tools: Fix vcvtph2ps instruction decoding
    - x86/insn: Add AVX-512 support to the instruction decoder
    - perf tools: Add AVX-512 support to the instruction decoder used by Intel PT
    - perf tools: Add AVX-512 instructions to the new instructions test

  * [Ubuntu 16.04] FCoE Lun not visible in OS with inbox driver - Issue with
    ioremap() call on 32bit kernel (LP: #1608652)
    - lpfc: Correct issue with ioremap() call on 32bit kernel

  * [Feature] turbostat support for Skylake-SP server (LP: #1591802)
    - tools/power turbostat: decode more CPUID fields
    - tools/power turbostat: CPUID(0x16) leaf shows base, max, and bus frequency
    - tools/power turbostat: decode HWP registers
    - tools/power turbostat: Decode MSR_MISC_PWR_MGMT
    - tools/power turbostat: allow sub-sec intervals
    - tools/power turbostat: Intel Xeon x200: fix erroneous bclk value
    - tools/power turbostat: Intel Xeon x200: fix turbo-ratio decoding
    - tools/power turbostat: re-name "%Busy" field to "Busy%"
    - tools/power turbostat: add --out option for saving output in a file
    - tools/power turbostat: fix compiler warnings
    - tools/power turbostat: make fewer systems calls
    - tools/power turbostat: show IRQs per CPU
    - tools/power turbostat: show GFXMHz
    - tools/power turbostat: show GFX%rc6
    - tools/power turbostat: detect and work around syscall jitter
    - tools/power turbostat: indicate SMX and SGX support
    - tools/power turbostat: call __cpuid() instead of __get_cpuid()
    - tools/power turbostat: correct output for MSR_NHM_SNB_PKG_CST_CFG_CTL dump
    - tools/power turbostat: bugfix: TDP MSRs print bits fixing
    - tools/power turbostat: SGX state should print only if --debug
    - tools/power turbostat: print IRTL MSRs
    - tools/power turbostat: initial BXT support
    - tools/power turbostat: decode BXT TSC frequency via CPUID
    - tools/power turbostat: initial SKX support

  * [BYT] display hotplug doesn't work on console (LP: #1616894)
    - drm/i915/vlv: Make intel_crt_reset() per-encoder
    - drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init()
    - drm/i915/vlv: Disable HPD in valleyview_crt_detect_hotplug()
    - drm/i915: Enable polling when we don't have hpd

  * [Feature]intel_idle enabling on Broxton-P (LP: #1520446)
    - intel_idle: add BXT support

  * [Feature] EDAC: Update driver for SKX-SP (LP: #1591815)
    - [Config] CONFIG_EDAC_SKX=m
    - EDAC, skx_edac: Ad...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in hwe-next:
status: New → Fix Released