Kernel panic on xhci_trb_show (3.10.0-1160.45.1.el7.x86_64)

Latest response

Kernel version

Linux version 3.10.0-1160.45.1.el7.x86_64 (mockbuild@x86-vm-37.build.eng.bos.redhat.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Fri Sep 24 10:17:16 UTC 2021

I am working on the security company. our customer use redhat linux.
I got a dump from our customer and analyze it.
I think it might be kernel bug.

the below is what I analyze.
I think xhci-debugfs.c file creation must check parent alive.

  1. A lot of usb error
...
[1994159.974407] usb 1-2: device descriptor read/64, error -71
[1994160.187902] usb 1-2: new low-speed USB device number 36 using xhci_hcd
[1994160.302634] usb 1-2: device descriptor read/64, error -71
[1994160.562027] usb 1-2: device descriptor read/64, error -71
[1994160.663789] usb usb1-port2: unable to enumerate USB device
[1994162.256029] usb 1-2: new low-speed USB device number 37 using xhci_hcd
[1994162.370764] usb 1-2: device descriptor read/64, error -71
[1994162.585258] usb 1-2: device descriptor read/64, error -71
[1994162.797751] usb 1-2: new low-speed USB device number 38 using xhci_hcd
[1994162.912484] usb 1-2: device descriptor read/64, error -71
[1994163.141944] usb 1-2: device descriptor read/64, error -71
[1994163.243712] usb usb1-port2: attempt power cycle.
...
  1. After that panic happend and I got a dump.
    The cause of panic reading /sys/kernel/debug/trbs which is abnormal.
    (which have bad xhci_ring private data)
    the file must be on the /sys/kernel/debug/usb/~~~.
sh> bt
PID: 91416  TASK: ffff8d68fcc54200  CPU: 1   COMMAND: "v3fbmond"
 #0 [ffff8d679a6cbad0] machine_kexec at ffffffff9e2662c4
 #1 [ffff8d679a6cbb30] __crash_kexec at ffffffff9e322a32
 #2 [ffff8d679a6cbc00] crash_kexec at ffffffff9e322b20
 #3 [ffff8d679a6cbc18] oops_end at ffffffff9e98d798
 #4 [ffff8d679a6cbc40] no_context at ffffffff9e275d14
 #5 [ffff8d679a6cbc90] __bad_area_nosemaphore at ffffffff9e275fe2
 #6 [ffff8d679a6cbce0] bad_area_nosemaphore at ffffffff9e276104
 #7 [ffff8d679a6cbcf0] __do_page_fault at ffffffff9e990750
 #8 [ffff8d679a6cbd60] do_page_fault at ffffffff9e990975
 #9 [ffff8d679a6cbd90] page_fault at ffffffff9e98c778
    [exception RIP: xhci_ring_trb_show+29]
    RIP: ffffffff9e76005d  RSP: ffff8d679a6cbe40  RFLAGS: 00010246
    RAX: ffff8d497b0fe018  RBX: 0000000000000000  RCX: 0000001309207f9b
    RDX: fffffffffffffff4  RSI: 0000000000000001  RDI: ffff8d6939b8fd40
    RBP: ffff8d679a6cbe60   R8: ffff8d49ffa5f1a0   R9: ffff8d3b3fc07300
    R10: ffff8d3b3fc07300  R11: ffffffff9e3de9fd  R12: 0000000000000000
    R13: 0000000000000000  R14: ffff8d6939b8fd40  R15: ffff8d6939b8fd40
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
#10 [ffff8d679a6cbe68] seq_read at ffffffff9e476d10
#11 [ffff8d679a6cbed8] vfs_read at ffffffff9e44e3ff
#12 [ffff8d679a6cbf08] sys_read at ffffffff9e44f27f
#13 [ffff8d679a6cbf50] system_call_fastpath at ffffffff9e995f92
    RIP: 00007f5f9749f6fd  RSP: 00007f5f84c73700  RFLAGS: 00000293
    RAX: 0000000000000000  RBX: 00007f5f7066a390  RCX: ffffffffffffffff
    RDX: 0000000000000400  RSI: 00007f5f706d2270  RDI: 0000000000000016
    RBP: 00007f5f706d2270   R8: 00007f5f953e73a0   R9: 00007f5f953e7388
    R10: 0000000000000040  R11: 0000000000000293  R12: 0000000000000400
    R13: 00007f5f84c7354c  R14: 0000000022100004  R15: 00007f5f866c5368
    ORIG_RAX: 0000000000000000  CS: 0033  SS: 002b
  1. I found a another abnormal xhci debugfs file ep_context in dump.
    Check xhci_slot_priv is alive and find the root is NULL.
crash> files -d 0xffff8d68fe8f0000
     DENTRY           INODE           SUPERBLK     TYPE PATH
ffff8d68fe8f0000 ffff8d489e979e10 ffff8d3b19169800 REG  /sys/kernel/debug/ep-context

crash > struct xchi_slot_priv 0xffff8d4812492c0
struct xhci_slot_priv {
...
  root = 0x0,
...
  dev = 0xffff8d497b0fe000
}
  1. Looking into the kernel code, I finally concluded that
    /sys/fs/debug/"interface file" could be made.
drivers/usb/host/xhci-debugfs.c
xhci_debugfs_create_slot function
...
priv->root = debugfs_create_dir(priv->name, xhci->debugfs_slots); // root can be NULL
...
 xhci_debugfs_create_ring_dir(xhci, &dev->eps[0].ring,
                                     "ep00", priv->root); // make a file
...

fs/debugfs/inode.c
__create_file
...
static struct dentry *__create_file(const char *name, umode_t mode,
                                    struct dentry *parent, void *data,
                                    const struct file_operations *fops)
{

        /* If the parent is not specified, we create it in the root.
         * We need the root dentry to do this, which is in the super
         * block. A pointer to that is in the struct vfsmount that we
         * have around.
         */
        if (!parent)
                parent = debugfs_mount->mnt_root; // parent will be "/sys/kernel/debug
if (!parent)
        parent = debugfs_mount->mnt_root; // make a file on /sys/kernel/debug
yp

Responses