XHCI NULL pointer with device reset

Hi Mathias,

I managed to reliably reproduce a NULL pointer deref by issuing a series
of Device Resets and killing off my application (using libusb) midway
through the test.

Attached you can find a tarball with serial console capture. Note that I
only managed to trigger the fault after running my msc test which does a
series of different reads and writes to a mass storage device. Then the
device-reset application just has a loop calling libusb_reset_device()
multiple times. Both applications you can find at [1].

Here's an excerpt of the logs:

[  692.500312] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[  692.508822] pgd = ee574000
[  692.511678] [00000000] *pgd=ad779831, *pte=00000000, *ppte=00000000
[  692.518261] Internal error: Oops: 17 [#1] SMP ARM
[  692.523187] Modules linked in: usb_storage xhci_plat_hcd xhci_hcd usbcore snd_soc_davinci_mcasp snd_soc_edma snd_soc_tlv320aic3x snd_soc_evm snd_soc_omap joydev dwc3 snd_soc_core omapfb udc_core usb_common cfbfillrect evdev cfbimgblt panel_dpi cfbcopyarea snd_compress omapdss snd_pcm_dmaengine snd_pcm snd_timer leds_gpio matrix_keypad led_class pwm_bl matrix_keymap snd dwc3_omap lis3lv02d_i2c extcon_class lis3lv02d pwm_tiecap soundcore input_polldev tps65218_pwrbutton spi_ti_qspi phy_omap_usb2 rtc_omap omap_wdt phy_omap_control ipv6 autofs4
[  692.573565] CPU: 0 PID: 331 Comm: device-reset Not tainted 3.19.0-rc6-00188-gc9453dd4fe92 #1118
[  692.582667] Hardware name: Generic AM43 (Flattened Device Tree)
[  692.588857] task: ee424400 ti: ee3f8000 task.ti: ee3f8000
[  692.594555] PC is at xhci_endpoint_init+0x170/0x4a4 [xhci_hcd]
[  692.600664] LR is at lock_classes+0x0/0x21fef0
[  692.605314] pc : [<bf213a7c>]    lr : [<c0a1a5f8>]    psr: 200f0013
[  692.605314] sp : ee3f9d48  ip : 00000000  fp : ed724800
[  692.617310] r10: 00000000  r9 : ed720000  r8 : ee5aa000
[  692.622778] r7 : f0c57100  r6 : 00000002  r5 : ee69a0c0  r4 : f0c57000
[  692.629606] r3 : ed720148  r2 : 0000001d  r1 : ee69a340  r0 : 00000000
[  692.636428] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  692.643896] Control: 10c5387d  Table: ae574059  DAC: 00000015
[  692.649895] Process device-reset (pid: 331, stack limit = 0xee3f8240)
[  692.656635] Stack: (0xee3f9d48 to 0xee3fa000)
[  692.849209] [<bf213a7c>] (xhci_endpoint_init [xhci_hcd]) from [<bf20f570>] (xhci_add_endpoint+0xdc/0x184 [xhci_hcd])
[  692.860326] [<bf20f570>] (xhci_add_endpoint [xhci_hcd]) from [<bf172e28>] (usb_hcd_alloc_bandwidth+0x130/0x304 [usbcore])
[  692.871852] [<bf172e28>] (usb_hcd_alloc_bandwidth [usbcore]) from [<bf16c4b8>] (usb_reset_and_verify_device+0x34c/0x5a4 [usbcore])
[  692.884170] [<bf16c4b8>] (usb_reset_and_verify_device [usbcore]) from [<bf16c830>] (usb_reset_device+0x120/0x218 [usbcore])
[  692.895883] [<bf16c830>] (usb_reset_device [usbcore]) from [<bf17d788>] (usbdev_ioctl+0x4cc/0x20cc [usbcore])
[  692.906299] [<bf17d788>] (usbdev_ioctl [usbcore]) from [<c015f22c>] (do_vfs_ioctl+0x408/0x670)
[  692.915300] [<c015f22c>] (do_vfs_ioctl) from [<c015f500>] (SyS_ioctl+0x6c/0x7c)
[  692.922960] [<c015f500>] (SyS_ioctl) from [<c000e6c0>] (ret_fast_syscall+0x0/0x4c)
[  692.930879] Code: e5992010 e2422001 e5892010 e593a004 (e59a4000) 
[  692.940670] ---[ end trace b16fb589950a6de6 ]---

[1] https://gitorious.org/usb/usb-tools

-- 
balbi

Attachment: minicom-am437x-sk-xhci-bug.tar.gz
Description: application/gzip

Attachment: signature.asc
Description: Digital signature
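As a triage aid added here (it is not part of balbi's mail or of the usb-tools repository), the following Python parses the kind of ARM oops quoted above into the fault address, the crashing task, the faulting symbol and the call chain, then flags whether the fault was reached from userspace through a syscall. The printk regexes and the `triage` helper are my own assumptions about the log format; the embedded sample is a trimmed copy of the oops lines above.

```python
import re

# Constructed excerpt of the oops quoted in the mail above (only the lines this parser consumes).
OOPS = """\
[  692.500312] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[  692.573565] CPU: 0 PID: 331 Comm: device-reset Not tainted 3.19.0-rc6-00188-gc9453dd4fe92 #1118
[  692.594555] PC is at xhci_endpoint_init+0x170/0x4a4 [xhci_hcd]
[  692.849209] [<bf213a7c>] (xhci_endpoint_init [xhci_hcd]) from [<bf20f570>] (xhci_add_endpoint+0xdc/0x184 [xhci_hcd])
[  692.860326] [<bf20f570>] (xhci_add_endpoint [xhci_hcd]) from [<bf172e28>] (usb_hcd_alloc_bandwidth+0x130/0x304 [usbcore])
[  692.871852] [<bf172e28>] (usb_hcd_alloc_bandwidth [usbcore]) from [<bf16c4b8>] (usb_reset_and_verify_device+0x34c/0x5a4 [usbcore])
[  692.884170] [<bf16c4b8>] (usb_reset_and_verify_device [usbcore]) from [<bf16c830>] (usb_reset_device+0x120/0x218 [usbcore])
[  692.895883] [<bf16c830>] (usb_reset_device [usbcore]) from [<bf17d788>] (usbdev_ioctl+0x4cc/0x20cc [usbcore])
[  692.906299] [<bf17d788>] (usbdev_ioctl [usbcore]) from [<c015f22c>] (do_vfs_ioctl+0x408/0x670)
[  692.915300] [<c015f22c>] (do_vfs_ioctl) from [<c015f500>] (SyS_ioctl+0x6c/0x7c)
[  692.922960] [<c015f500>] (SyS_ioctl) from [<c000e6c0>] (ret_fast_syscall+0x0/0x4c)
"""

TS = r"^\[\s*[\d.]+\]\s+"                                        # printk timestamp prefix
SYM = r"([\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: \[(\w+)\])?"  # symbol[+off/size][ [module]]
RE_FAULT = re.compile(TS + r"Unable to handle kernel (.+?) at virtual address ([0-9a-f]+)")
RE_TASK = re.compile(TS + r"CPU: \d+ PID: (\d+) Comm: (\S+) (?:Not tainted|Tainted:.*?) (\S+) #\d+$")
RE_PC = re.compile(TS + r"PC is at " + SYM + r"$")
RE_FRAME = re.compile(TS + r"\[<[0-9a-f]+>\] \(" + SYM + r"\) from \[<[0-9a-f]+>\] \(" + SYM + r"\)")

def parse_oops(text):
    """Summarise one ARM oops: fault kind/address, task, faulting symbol, call chain (innermost first)."""
    info = {"chain": []}
    for line in text.splitlines():
        if m := RE_FAULT.match(line):
            info["kind"], info["addr"] = m.group(1), int(m.group(2), 16)
        elif m := RE_TASK.match(line):
            info["pid"], info["comm"], info["kernel"] = int(m.group(1)), m.group(2), m.group(3)
        elif m := RE_PC.match(line):
            info["pc_sym"], info["pc_mod"] = m.group(1), m.group(2)
        elif m := RE_FRAME.match(line):
            if not info["chain"]:                # the first frame line also names the innermost function
                info["chain"].append((m.group(1), m.group(2)))
            info["chain"].append((m.group(3), m.group(4)))
    return info

def triage(info):
    """Reviewer flags: a small-address (NULL-ish) deref, and whether userspace reached it via a syscall."""
    syms = [s for s, _ in info["chain"]]
    return {
        "null_deref": 0 <= info.get("addr", -1) < 4096,
        "user_reachable": any(s.startswith(("SyS_", "sys_", "__se_sys_", "ret_fast_syscall")) for s in syms),
        "syscall_entry": next((s for s in syms if s.startswith("SyS_")), None),
        "modules": sorted({m for _, m in info["chain"] if m}),
    }
```

Feed it the whole serial capture rather than the trimmed sample and it still picks out only the lines it understands, so the register and stack-word dumps are ignored.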

