Re: [stable] patch fix-oops-on-close-of-hot-unplugged-ftdi-serial-converter.patch added to 2.6.29-stable tree

On Mon, Jun 01, 2009 at 11:29:51AM -0400, Alan Stern wrote:
> > On Thu, 2009-05-28 at 09:39 +0100, David Woodhouse wrote:
> > > Really? To me it looks like pl2303_shutdown() gets called on disconnect
> > > and calls usb_set_serial_port_data(..., NULL) -- and then pl2303_close()
> > > happily dereferences that NULL pointer. Just like FTDI was doing.
> > > 
> > > This seems to be a common error. The next two drivers I looked at
> > > (visor, whiteheat) seem to share it. Although maybe with whiteheat it's
> > > a use-after-free instead of simple NULL dereference, just for variety.
> > > 
> > > Do we really want to make each driver do refcounting for itself? Perhaps
> > > we should remove the 'shutdown' method and split it into 'disconnect'
> > > and 'free' -- the latter of which is only called from destroy_serial()?
> 
> Refcounting isn't the issue; the problem is that subdrivers don't 
> distinguish properly between disconnect and release.  Splitting up the 
> shutdown method is the right thing to do.  But let's call the pieces 
> "disconnect" and "release".

I got this Oops today, which seems related, on 2.6.30-rc5.

[459643.041822] usb 1-4.3: USB disconnect, address 27
[459643.041826] usb 1-4.3: unregistering device
[459643.041829] usb 1-4.3: usb_disable_device nuking all URBs
[459643.041839] usb 1-4.3: unlink qh1-0601/f72e2580 start 0 [1/2 us]
[459643.041847] ehci_hcd 0000:00:02.1: shutdown urb f0ea65c0 ep1in-intr
[459643.041853] usb 1-4.3: unregistering interface 1-4.3:1.0
[459643.042218] pl2303 ttyUSB1: pl2303 converter now disconnected from ttyUSB1
[459643.042236] pl2303 1-4.3:1.0: device disconnected
[459643.042244] usb 1-4.3:1.0: uevent
[459643.042470] usb 1-4.3: uevent
[459643.172319] hub 1-4:1.0: debounce: port 3: total 100ms stable 100ms status 0x100
[459715.351270] BUG: unable to handle kernel NULL pointer dereference at 00000004
[459715.351279] IP: [<c037ec80>] _raw_spin_lock+0xb/0x11a
[459715.351288] *pde = 00000000 
[459715.351292] Oops: 0000 [#1] PREEMPT SMP 
[459715.351297] last sysfs file: /sys/class/usb_device/usbdev1.27/dev
[459715.351300] Modules linked in: pl2303 snd_usb_caiaq ftdi_sio usbserial cbc snd_rawmidi snd_pcm snd_timer snd_page_alloc nvidia(P) ppdev lp cpufreq_userspace cpufreq_conservative cpufreq_powersave cpufreq_stats cpufreq_ondemand freq_table nfsd exportfs nfs lockd nfs_acl auth_rpcgss sunrpc dm_crypt dm_mod aes_generic cryptoloop loop via_rhine mii forcedeth psmouse pcspkr i2c_nforce2 parport_pc thermal processor button [last unloaded: snd_usb_caiaq]
[459715.351345] 
[459715.351349] Pid: 19388, comm: datalogger Tainted: P        W  (2.6.30-rc5 #3) MS-7260
[459715.351353] EIP: 0060:[<c037ec80>] EFLAGS: 00010096 CPU: 1
[459715.351356] EIP is at _raw_spin_lock+0xb/0x11a
[459715.351359] EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000002
[459715.351362] ESI: 00000246 EDI: 00000000 EBP: f0fb5ccc ESP: f0fb5cb8
[459715.351365]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[459715.351368] Process datalogger (pid: 19388, ti=f0fb4000 task=f0cbc370 task.ti=f0fb4000)
[459715.351371] Stack:
[459715.351373]  f893f42c 00000010 00000000 00000246 f6608400 f0fb5cec c051f63e 00000000
[459715.351381]  00000002 00000000 f893f42c 00000000 00001d4c f0fb5d28 f893f42c f66084e4
[459715.351391]  f0fb5d28 c843a800 f66084e8 f0cbc370 f6608504 22222222 22222222 22222222
[459715.351401] Call Trace:
[459715.351403]  [<f893f42c>] ? pl2303_close+0x48/0x1af [pl2303]
[459715.351412]  [<c051f63e>] ? _spin_lock_irqsave+0x35/0x3e
[459715.351417]  [<f893f42c>] ? pl2303_close+0x48/0x1af [pl2303]
[459715.351424]  [<f893f42c>] ? pl2303_close+0x48/0x1af [pl2303]
[459715.351431]  [<f8203a00>] ? serial_close+0x86/0x12d [usbserial]
[459715.351441]  [<c03cb028>] ? tty_release_dev+0x176/0x3fa
[459715.351447]  [<c02936b1>] ? generic_delete_inode+0x135/0x142
[459715.351454]  [<c02459a8>] ? trace_hardirqs_on+0xb/0xd
[459715.351459]  [<c03cb2be>] ? tty_release+0x12/0x1c
[459715.351464]  [<c0284097>] ? __fput+0xca/0x175
[459715.351469]  [<c028415b>] ? fput+0x19/0x1b
[459715.351473]  [<c0281805>] ? filp_close+0x51/0x5b
[459715.351478]  [<c022885c>] ? put_files_struct+0x68/0xaa
[459715.351484]  [<c02288d5>] ? exit_files+0x37/0x3c
[459715.351488]  [<c0229ca3>] ? do_exit+0x1b4/0x5a8
[459715.351493]  [<c022a0f5>] ? do_group_exit+0x5e/0x85
[459715.351497]  [<c023278d>] ? get_signal_to_deliver+0x384/0x39b
[459715.351503]  [<c0201e2f>] ? do_notify_resume+0x69/0x6cc
[459715.351508]  [<c051f45d>] ? _spin_unlock_irqrestore+0x42/0x58
[459715.351513]  [<c023aeb5>] ? hrtimer_try_to_cancel+0x63/0x6d
[459715.351519]  [<c023b1e2>] ? hrtimer_nanosleep+0xbd/0x11d
[459715.351524]  [<c023a9dc>] ? hrtimer_wakeup+0x0/0x1c
[459715.351529]  [<c023b284>] ? sys_nanosleep+0x42/0x53
[459715.351534]  [<c0202b12>] ? work_notifysig+0x13/0x19
[459715.351539] Code: 0c ba 87 ab 63 c0 89 d8 e8 1b ff ff ff c7 43 0c ff ff ff ff c7 43 08 ff ff ff ff fe 03 5b c9 c3 55 89 e5 57 89 c7 56 53 83 ec 08 <81> 78 04 ad 4e ad de 74 0a ba 71 ab 63 c0 e8 ea fe ff ff 64 a1 
[459715.351592] EIP: [<c037ec80>] _raw_spin_lock+0xb/0x11a SS:ESP 0068:f0fb5cb8
[459715.351597] CR2: 0000000000000004
[459715.351601] ---[ end trace aa925af8dd9274f3 ]---
[459715.351603] Fixing recursive fault but reboot is needed!
[459715.351607] BUG: scheduling while atomic: datalogger/19388/0x00000002
[459715.351609] INFO: lockdep is turned off.
[459715.351611] Modules linked in: pl2303 snd_usb_caiaq ftdi_sio usbserial cbc snd_rawmidi snd_pcm snd_timer snd_page_alloc nvidia(P) ppdev lp cpufreq_userspace cpufreq_conservative cpufreq_powersave cpufreq_stats cpufreq_ondemand freq_table nfsd exportfs nfs lockd nfs_acl auth_rpcgss sunrpc dm_crypt dm_mod aes_generic cryptoloop loop via_rhine mii forcedeth psmouse pcspkr i2c_nforce2 parport_pc thermal processor button [last unloaded: snd_usb_caiaq]
[459715.351655] irq event stamp: 0
[459715.351657] hardirqs last  enabled at (0): [<(null)>] (null)
[459715.351661] hardirqs last disabled at (0): [<c0225b03>] copy_process+0x331/0x10b9
[459715.351666] softirqs last  enabled at (0): [<c0225b03>] copy_process+0x331/0x10b9
[459715.351671] softirqs last disabled at (0): [<(null)>] (null)
[459715.351676] Pid: 19388, comm: datalogger Tainted: P      D W  2.6.30-rc5 #3
[459715.351678] Call Trace:
[459715.351684]  [<c0220956>] __schedule_bug+0x5e/0x65
[459715.351689]  [<c051cb9a>] __schedule+0x89/0x877
[459715.351693]  [<c0227bcc>] ? vprintk+0x2d9/0x30e
[459715.351698]  [<c051d39a>] schedule+0x12/0x2b
[459715.351702]  [<c0229b8d>] do_exit+0x9e/0x5a8
[459715.351706]  [<c051c836>] ? printk+0xf/0x11
[459715.351710]  [<c02270c2>] ? oops_exit+0x23/0x28
[459715.351715]  [<c0205954>] oops_end+0x92/0x9a
[459715.351720]  [<c0216ae9>] no_context+0x10c/0x116
[459715.351725]  [<c0216c0f>] __bad_area_nosemaphore+0x11c/0x124
[459715.351731]  [<c0216c24>] bad_area_nosemaphore+0xd/0x10
[459715.351735]  [<c0216e71>] do_page_fault+0xff/0x20a
[459715.351739]  [<c0216d72>] ? do_page_fault+0x0/0x20a
[459715.351743]  [<c051fa82>] error_code+0x72/0x78
[459715.351748]  [<c0216d72>] ? do_page_fault+0x0/0x20a
[459715.351751]  [<c037ec80>] ? _raw_spin_lock+0xb/0x11a
[459715.351757]  [<f893f42c>] ? pl2303_close+0x48/0x1af [pl2303]
[459715.351761]  [<c051f63e>] _spin_lock_irqsave+0x35/0x3e
[459715.351767]  [<f893f42c>] ? pl2303_close+0x48/0x1af [pl2303]
[459715.351773]  [<f893f42c>] pl2303_close+0x48/0x1af [pl2303]
[459715.351782]  [<f8203a00>] serial_close+0x86/0x12d [usbserial]
[459715.351786]  [<c03cb028>] tty_release_dev+0x176/0x3fa
[459715.351791]  [<c02936b1>] ? generic_delete_inode+0x135/0x142
[459715.351795]  [<c02459a8>] ? trace_hardirqs_on+0xb/0xd
[459715.351800]  [<c03cb2be>] tty_release+0x12/0x1c
[459715.351804]  [<c0284097>] __fput+0xca/0x175
[459715.351808]  [<c028415b>] fput+0x19/0x1b
[459715.351812]  [<c0281805>] filp_close+0x51/0x5b
[459715.351816]  [<c022885c>] put_files_struct+0x68/0xaa
[459715.351820]  [<c02288d5>] exit_files+0x37/0x3c
[459715.351824]  [<c0229ca3>] do_exit+0x1b4/0x5a8
[459715.351828]  [<c022a0f5>] do_group_exit+0x5e/0x85
[459715.351832]  [<c023278d>] get_signal_to_deliver+0x384/0x39b
[459715.351837]  [<c0201e2f>] do_notify_resume+0x69/0x6cc
[459715.351840]  [<c051f45d>] ? _spin_unlock_irqrestore+0x42/0x58
[459715.351845]  [<c023aeb5>] ? hrtimer_try_to_cancel+0x63/0x6d
[459715.351850]  [<c023b1e2>] ? hrtimer_nanosleep+0xbd/0x11d
[459715.351855]  [<c023a9dc>] ? hrtimer_wakeup+0x0/0x1c
[459715.351859]  [<c023b284>] ? sys_nanosleep+0x42/0x53
[459715.351863]  [<c0202b12>] work_notifysig+0x13/0x19
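
The lifecycle problem discussed in this thread, as an added example that is not part of the original messages and is not kernel code: a userspace C model in which every name (`struct port`, `legacy_shutdown`, `split_disconnect`, `split_release`, `port_close`, `unplug_then_close`) is hypothetical. It shows close() after an unplug finding NULL private data under a single shutdown callback, and finding the data intact when freeing is deferred to a release step that runs only when the last reference is dropped.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only; all names are hypothetical, none are kernel APIs. */
struct port_priv { int lock; int line_state; };
struct port {
    struct port_priv *priv; /* models the per-port driver data pointer */
    int refs;               /* core-side count: USB binding + open file */
    int disconnected;
};

/* Single 'shutdown' callback: runs at unplug, frees and clears the data. */
static void legacy_shutdown(struct port *p) { free(p->priv); p->priv = NULL; }

/* Split callbacks: disconnect only marks the device as gone ... */
static void split_disconnect(struct port *p) { p->disconnected = 1; }
/* ... and release frees, called only once the last reference is dropped. */
static void split_release(struct port *p) { free(p->priv); p->priv = NULL; }

static void port_put(struct port *p, int split) {
    if (--p->refs == 0 && split) split_release(p);
}

/* Returns 0 on success, -1 where a driver without the check would oops. */
static int port_close(struct port *p, int split) {
    int rc = -1;
    if (p->priv) {                /* guard exists only so the model survives */
        p->priv->lock = 1;        /* stands in for taking priv->lock */
        if (!p->disconnected)
            p->priv->line_state = 0; /* no hardware I/O once unplugged */
        p->priv->lock = 0;
        rc = 0;
    }
    port_put(p, split);           /* the open file drops its reference */
    return rc;
}

/* Sequence from the log: port held open, device unplugged, then close(). */
static int unplug_then_close(int split) {
    struct port p = { calloc(1, sizeof(struct port_priv)), 2, 0 };
    if (!p.priv) return -2;
    if (split) split_disconnect(&p); else legacy_shutdown(&p);
    port_put(&p, split);          /* USB side drops its reference at unplug */
    return port_close(&p, split);
}

int main(void) {
    printf("single shutdown:    close -> %d\n", unplug_then_close(0));
    printf("disconnect/release: close -> %d\n", unplug_then_close(1));
    return 0;
}
```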

