Hi,

I think I have a bug in the OHCI driver.

Kernel version: 4.4.11 (some old 3.14 seems fine, didn't try others)
Hardware: AMD SB850, Eagle III USB ADSL modem

Steps to reproduce:
1. boot with a USB keyboard
2. connect the modem
3. wait for the firmware, re-enumeration, etc
4. disconnect the modem when ueagle-atm says 'waiting for synchronization' - instant panic

or

1. disconnect the keyboard
2. connect the modem
3. connect the keyboard on 'waiting for synchronization'
4. disconnect the modem - nothing yet
5. disconnect the keyboard - boom

Nothing bad happens without the keyboard.

Nothing bad happens on another machine with PS/2 keyboard and USB mouse, until I start X. Then it crashes too.

I'm including two logs. One shows NULL dereference which can be produced with the above steps, the other shows LIST_POISON dereference which I can't reproduce (came from random monkeying).

Offending code is from ohci-q.c, function finish_unlinks, line 1086:

1082         if (list_empty(&ed->td_list)) {
1083                 *last = ed->ed_next;
1084                 ed->ed_next = NULL;
1085                 ed->state = ED_IDLE;
1086                 list_del(&ed->in_use_list);
1087         } else if (ohci->rh_state == OHCI_RH_RUNNING) {
1088                 *last = ed->ed_next;
1089                 ed->ed_next = NULL;
1090                 ed_schedule(ohci, ed);

list_del fails because in_use_list's ->next and ->prev are NULL or LIST_POISON (see registers RAX, RDX).

Not sure what's so special about ueagle-atm, but other USB 1.0 devices (keyboards, mice, audio) work fine.

Log 1:

[ 58.787543] usb 5-5: new full-speed USB device number 3 using ohci-pci
[ 59.006343] usb 5-5: New USB device found, idVendor=1110, idProduct=9032
[ 59.086567] usb 5-5: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 59.177810] NET: Registered protocol family 8
[ 59.230009] NET: Registered protocol family 20
[ 59.285627] usb 5-5: [ueagle-atm] ADSL device founded vid (0X1110) pid (0X9032) Rev (0X2000): Eagle III
[ 59.520541] usb 5-5: reset full-speed USB device number 3 using ohci-pci
[ 59.741335] usb 5-5: [ueagle-atm] pre-firmware device, uploading firmware
[ 59.822563] usb 5-5: [ueagle-atm] loading firmware ueagle-atm/eagleIII.fw
[ 59.903836] usbcore: registered new interface driver ueagle-atm
[ 61.169321] usb 5-5: [ueagle-atm] firmware uploaded
[ 61.191987] usb 5-5: USB disconnect, device number 3
[ 63.551534] usb 5-5: new full-speed USB device number 4 using ohci-pci
[ 63.776306] usb 5-5: New USB device found, idVendor=1110, idProduct=9031
[ 63.856494] usb 5-5: New USB device strings: Mfr=0, Product=2, SerialNumber=3
[ 63.941882] usb 5-5: Product: ADSL-USB Modem
[ 63.992947] usb 5-5: SerialNumber: 00604C8D86AA
[ 64.098336] usb 5-5: [ueagle-atm] ADSL device founded vid (0X1110) pid (0X9031) Rev (0X200B): Eagle III
[ 64.333538] usb 5-5: reset full-speed USB device number 4 using ohci-pci
[ 64.612298] usb 5-5: [ueagle-atm] using iso mode
[ 64.668301] ATM dev 0: usbatm_submit_urb: urb 0xffff8807f1568b00 submission failed (-28)!
[ 64.766206] usb 5-5: [ueagle-atm] (re)booting started
[ 66.518285] usb 5-5: [ueagle-atm] ATU-R firmware version : 44e2ea17
[ 66.593362] usb 5-5: Direct firmware load for ueagle-atm/CMVep.bin.v2 failed with error -2
[ 66.692352] usb 5-5: [Ueagle-atm] requesting firmware ueagle-atm/CMVep.bin.v2 failed, try to get older cmvs
[ 66.809162] usb 5-5: [Ueagle-atm] use deprecated cmvs version, please update your firmware
[ 66.948277] usb 5-5: [ueagle-atm] modem started, waiting synchronization...
[ 81.713955] usb 5-5: USB disconnect, device number 4
[ 81.717161] usb 5-5: [UEAGLE-ATM] uea_intr() failed with -62
[ 81.841145] ATM dev 0: usbatm_complete: urb 0xffff8807f1568b00 failed (-2)!
[ 81.925151] ATM dev 0: usbatm_complete: urb 0xffff8807f1568000 failed (-2)!
[ 82.009150] ATM dev 0: usbatm_complete: urb 0xffff8807f1568500 failed (-2)!
[ 82.092484] usb 5-5: [UEAGLE-ATM] usb_control_msg error -19
[ 82.159210] usb 5-5: [UEAGLE-ATM] reading cmv failed with error -19
[ 82.160190] ATM dev 0: usbatm_complete: urb 0xffff8807f1568900 failed (-2)!
[ 82.160197] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[ 82.160202] IP: [<ffffffff816c8c07>] ohci_work.part.6+0x2a7/0x5a0
[ 82.160202] PGD 0
[ 82.160204] Oops: 0002 [#1] PREEMPT SMP
[ 82.160207] Modules linked in: ueagle_atm usbatm atm 8021q ext2 atkbd snd_pcsp serio_raw asus_atk0110
[ 82.160209] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.4.11+ #44
[ 82.160210] Hardware name: System manufacturer System Product Name/M4A88TD-M EVO, BIOS 1801 08/09/2012
[ 82.160210] task: ffff8807fc2e0a00 ti: ffff8807fc2f0000 task.ti: ffff8807fc2f0000
[ 82.160212] RIP: 0010:[<ffffffff816c8c07>] [<ffffffff816c8c07>] ohci_work.part.6+0x2a7/0x5a0
[ 82.160213] RSP: 0018:ffff88081fd03e18 EFLAGS: 00010046
[ 82.160214] RAX: 0000000000000000 RBX: ffff8800df8411f0 RCX: ffffffff81edd6f8
[ 82.160214] RDX: 0000000000000000 RSI: ffff8800df8411f0 RDI: ffff8807faa29a40
[ 82.160215] RBP: ffff88081fd03e78 R08: 0000000000000000 R09: 000000000000003f
[ 82.160215] R10: 0000000000000001 R11: 0000000000080000 R12: ffff8807f1568900
[ 82.160216] R13: ffff8800df8411f0 R14: ffff8800df8411c0 R15: ffff8800df8411c8
[ 82.160216] FS: 00007f65a9174940(0000) GS:ffff88081fd00000(0000) knlGS:0000000000000000
[ 82.160217] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 82.160218] CR2: 0000000000000008 CR3: 0000000001e0a000 CR4: 00000000000006e0
[ 82.160218] Stack:
[ 82.160219] ffff8807faa29a60 ffff8800df8411c8 d71bffff810e3600 ffff8807faa29a40
[ 82.160220] ffff8807faa29a60 0000000100000001 ffff8800df8411c0 ffff8807faa29800
[ 82.160221] 0000000000000004 ffffc90000076000 ffff8807faa29a40 0000000000000000
[ 82.160221] Call Trace:
[ 82.160224] <IRQ>
[ 82.160224] [<ffffffff816cc6ad>] ohci_irq+0x1ed/0x270
[ 82.160226] [<ffffffff816a6bd5>] usb_hcd_irq+0x25/0x40
[ 82.160228] [<ffffffff810d243c>] handle_irq_event_percpu+0x4c/0x1f0
[ 82.160230] [<ffffffff810d2620>] handle_irq_event+0x40/0x70
[ 82.160232] [<ffffffff810d57e8>] handle_fasteoi_irq+0x98/0x150
[ 82.160233] [<ffffffff8104eeca>] handle_irq+0x1a/0x30
[ 82.160235] [<ffffffff818ade1a>] do_IRQ+0x5a/0xf0
[ 82.160236] [<ffffffff818ac43c>] common_interrupt+0x7c/0x7c
[ 82.160239] <EOI>
[ 82.160239] [<ffffffff8172ecda>] ? cpuidle_enter_state+0x11a/0x2b0
[ 82.160240] [<ffffffff8172eea7>] cpuidle_enter+0x17/0x20
[ 82.160242] [<ffffffff810c1da2>] call_cpuidle+0x32/0x60
[ 82.160242] [<ffffffff8172ee83>] ? cpuidle_select+0x13/0x20
[ 82.160244] [<ffffffff810c2046>] cpu_startup_entry+0x276/0x360
[ 82.160245] [<ffffffff8106c9e3>] start_secondary+0xf3/0x100
[ 82.160255] Code: 39 de 0f 85 2d ff ff ff 49 89 c6 49 8b 46 20 48 8b 55 c0 48 89 02 49 8b 46 48 49 8b 56 40 49 c7 46 20 00 00 00 00 41 c6 46 50 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 49 89 46 40
[ 82.160257] RIP [<ffffffff816c8c07>] ohci_work.part.6+0x2a7/0x5a0
[ 82.160257] RSP <ffff88081fd03e18>
[ 82.160257] CR2: 0000000000000008
[ 82.170281] ---[ end trace 3535fcd0a1cd21cc ]---
[ 82.170282] Kernel panic - not syncing: Fatal exception in interrupt
[ 82.234180] Kernel Offset: disabled
[ 85.642960] ---[ end Kernel panic - not syncing: Fatal exception in interrupt

Log 2:

[ 143.404546] usb 5-5: [ueagle-atm] modem started, waiting synchronization...
[ 171.401500] usb 5-5: USB disconnect, device number 6
[ 171.404305] usbatm_submit_urb: 1 callbacks suppressed
[ 171.404307] ATM dev 0: usbatm_submit_urb: urb 0xffff8807fa037600 submission failed (-19)!
[ 171.405294] usb 5-5: [UEAGLE-ATM] uea_intr() failed with -62
[ 171.407303] ATM dev 0: usbatm_submit_urb: urb 0xffff8807fa037600 submission failed (-19)!
[ 171.410303] ATM dev 0: usbatm_submit_urb: urb 0xffff8807fa037600 submission failed (-19)!
[ 171.413342] ATM dev 0: usbatm_submit_urb: urb 0xffff8807fa037600 submission failed (-19)!
[ 171.517262] usb 5-5: [UEAGLE-ATM] usb_control_msg error -19
[ 171.517263] usb 5-5: [UEAGLE-ATM] reading cmv failed with error -19
[ 171.521387] ATM dev 0: usbatm_submit_urb: urb 0xffff8807fa037600 submission failed (-19)!
[ 171.686955] ATM dev 0: usbatm_submit_urb: urb 0xffff8807fa037600 submission failed (-19)!
[ 171.882699] ATM dev 0: usbatm_submit_urb: urb 0xffff8807fa037600 submission failed (-19)!
[ 172.122229] ATM dev 0: usbatm_submit_urb: urb 0xffff8807fa037600 submission failed (-19)!
[ 172.415834] ATM dev 0: usbatm_submit_urb: urb 0xffff8807fa037600 submission failed (-19)!
[ 172.516829] usb 5-5: [ueagle-atm] (re)booting started
[ 172.516831] usb 5-5: [UEAGLE-ATM] usb_control_msg error -19
[ 172.516832] usb 5-5: [UEAGLE-ATM] usb_control_msg error -19
[ 172.516833] usb 5-5: [UEAGLE-ATM] usb_control_msg error -19
[ 172.616778] usb 5-5: [UEAGLE-ATM] usb_control_msg error -19
[ 172.616780] usb 5-5: [UEAGLE-ATM] usb_control_msg error -19
[ 172.616781] usb 5-5: [UEAGLE-ATM] usb_control_msg error -19
[ 172.616781] usb 5-5: [UEAGLE-ATM] usb_control_msg error -19
[ 172.672003] ATM dev 0: usbatm_submit_urb: urb 0xffff8807fa037600 submission failed (-19)!
[ 173.236610] usb 5-5: [UEAGLE-ATM] usb_control_msg error -19
[ 173.303374] usb 5-5: [ueagle-atm] ADSL device removed
[ 215.107044] general protection fault: 0000 [#1] PREEMPT SMP
[ 215.175100] Modules linked in: ueagle_atm usbatm atm 8021q ext2 atkbd snd_pcsp serio_raw asus_atk0110
[ 215.286491] CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.4.11+ #44
[ 215.359399] Hardware name: System manufacturer System Product Name/M4A88TD-M EVO, BIOS 1801 08/09/2012
[ 215.473910] task: ffff8807fc2e1400 ti: ffff8807fc2f4000 task.ti: ffff8807fc2f4000
[ 215.563460] RIP: 0010:[<ffffffff816c8c07>] [<ffffffff816c8c07>] ohci_work.part.6+0x2a7/0x5a0
[ 215.665594] RSP: 0018:ffff88081fd43e18 EFLAGS: 00010046
[ 215.729142] RAX: dead000000000200 RBX: ffff8800df82d0a0 RCX: ffffffff81edd6f8
[ 215.814532] RDX: dead000000000100 RSI: ffff8800df82d0a0 RDI: ffff8807faa1c240
[ 215.899921] RBP: ffff88081fd43e78 R08: 0000000000000000 R09: 0000000000000010
[ 215.985310] R10: ffff8807fa0cd800 R11: 0000000000000004 R12: ffff8807fabd16c0
[ 216.070700] R13: ffff8800df82d0a0 R14: ffff8800df82d070 R15: ffff8800df82d078
[ 216.156090] FS: 00007facce5e1700(0000) GS:ffff88081fd40000(0000) knlGS:0000000000000000
[ 216.252918] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 216.321668] CR2: 00007fba4be16b40 CR3: 00000007f7a29000 CR4: 00000000000006e0
[ 216.407055] Stack:
[ 216.431082] ffff8807faa1c260 ffff8800df82d078 3d5b88081fd43e50 ffff8807faa1c240
[ 216.520007] ffff8807faa1c260 0000000100000001 ffff8800df82d070 ffff8807faa1c000
[ 216.608933] 0000000000000004 ffffc90000064000 ffff8807faa1c240 0000000000000000
[ 216.697859] Call Trace:
[ 216.727086] <IRQ>
[ 216.750072] [<ffffffff816cc6ad>] ohci_irq+0x1ed/0x270
[ 216.813725] [<ffffffff816a6bd5>] usb_hcd_irq+0x25/0x40
[ 216.813728] [<ffffffff810d243c>] handle_irq_event_percpu+0x4c/0x1f0
[ 216.813729] [<ffffffff810d2620>] handle_irq_event+0x40/0x70
[ 216.813731] [<ffffffff810d57e8>] handle_fasteoi_irq+0x98/0x150
[ 216.813734] [<ffffffff8104eeca>] handle_irq+0x1a/0x30
[ 216.813736] [<ffffffff818ade1a>] do_IRQ+0x5a/0xf0
[ 216.813738] [<ffffffff818ac43c>] common_interrupt+0x7c/0x7c
[ 216.813740] <EOI>
[ 216.813740] [<ffffffff8172ecda>] ? cpuidle_enter_state+0x11a/0x2b0
[ 216.813741] [<ffffffff8172eea7>] cpuidle_enter+0x17/0x20
[ 216.813743] [<ffffffff810c1da2>] call_cpuidle+0x32/0x60
[ 216.813743] [<ffffffff8172ee83>] ? cpuidle_select+0x13/0x20
[ 216.813744] [<ffffffff810c2046>] cpu_startup_entry+0x276/0x360
[ 216.813746] [<ffffffff8106c9e3>] start_secondary+0xf3/0x100
[ 216.813756] Code: 39 de 0f 85 2d ff ff ff 49 89 c6 49 8b 46 20 48 8b 55 c0 48 89 02 49 8b 46 48 49 8b 56 40 49 c7 46 20 00 00 00 00 41 c6 46 50 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 49 89 46 40
[ 216.813758] RIP [<ffffffff816c8c07>] ohci_work.part.6+0x2a7/0x5a0
[ 216.813758] RSP <ffff88081fd43e18>
[ 216.823769] ---[ end trace 97aa62091fdf89db ]---
[ 216.823770] Kernel panic - not syncing: Fatal exception in interrupt
[ 216.876231] Kernel Offset: disabled
[ 218.226129] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
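
The two register patterns in the logs above can be reproduced in a userspace model of list_del. This is an added example, not part of the original message and not kernel code; it validates the entry before unlinking, in the spirit of the kernel's CONFIG_DEBUG_LIST checks. The names checked_list_del, store_addr, double_del and zeroed_del are hypothetical, and a 64-bit build is assumed.

```c
/* Userspace model of struct list_head; added example, 64-bit build assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
/* x86-64 poison values; they match RDX and RAX in Log 2. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000200ULL)
enum unlink_status { UNLINK_OK, UNLINK_NULL, UNLINK_POISONED, UNLINK_CORRUPT };

static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* Validate the entry before touching its neighbours (hypothetical helper). */
static enum unlink_status checked_list_del(struct list_head *e) {
    if (!e->next || !e->prev)
        return UNLINK_NULL;       /* zeroed or never linked: Log 1 pattern */
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return UNLINK_POISONED;   /* already unlinked once: Log 2 pattern */
    if (e->next->prev != e || e->prev->next != e)
        return UNLINK_CORRUPT;    /* neighbours do not point back at e */
    e->next->prev = e->prev;      /* the store that faulted in both logs */
    e->prev->next = e->next;
    e->next = LIST_POISON1;       /* poison so a second unlink is detectable */
    e->prev = LIST_POISON2;
    return UNLINK_OK;
}

/* Address an unchecked "next->prev = prev" would write to. */
static uintptr_t store_addr(const struct list_head *next) {
    return (uintptr_t)next + offsetof(struct list_head, prev);
}

static enum unlink_status double_del(void) {  /* unlink the same entry twice */
    struct list_head head = { &head, &head }, ed;
    list_add(&ed, &head);
    return checked_list_del(&ed) == UNLINK_OK ? checked_list_del(&ed)
                                              : UNLINK_CORRUPT;
}

static enum unlink_status zeroed_del(void) {  /* unlink a zero-filled entry */
    struct list_head ed = { NULL, NULL };
    return checked_list_del(&ed);
}

int main(void) {
    printf("double=%d zeroed=%d null-next store=%#lx\n", double_del(),
           zeroed_del(), (unsigned long)store_addr(NULL));
    return 0;
}
```

With next == NULL the store lands at offset 8, which matches CR2 in Log 1; with next == LIST_POISON1 the target is a non-canonical address, which matches the general protection fault in Log 2.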