Re: [Bugme-new] [Bug 15376] New: regression (oops) with usb in 2.6.33-rc8

On Wed, Feb 24, 2010 at 02:05:53PM -0800, Andrew Morton wrote:
> 
> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
> 
> Recent regression, bisected to
> 
> commit 3f0479e00a3fca9590ae8d9edc4e9c47b7fa0610
> Author:     Sarah Sharp <sarah.a.sharp@xxxxxxxxxxxxxxx>
> AuthorDate: Thu Dec 3 09:44:36 2009 -0800
> Commit:     Greg Kroah-Hartman <gregkh@xxxxxxx>
> CommitDate: Fri Dec 11 11:55:27 2009 -0800
> 
>     USB: Check bandwidth when switching alt settings.
> 
> 
> On Tue, 23 Feb 2010 10:58:09 GMT bugzilla-daemon@xxxxxxxxxxxxxxxxxxx wrote:
> 
> > http://bugzilla.kernel.org/show_bug.cgi?id=15376
> > 
> >            Summary: regression (oops) with usb in 2.6.33-rc8
> >            Product: Drivers
> >            Version: 2.5
> >     Kernel Version: 2.6.33-rc8 bee415ce427d1eab6cfb30221461c7d20cbf1903
> >           Platform: All
> >         OS/Version: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: USB
> >         AssignedTo: greg@xxxxxxxxx
> >         ReportedBy: cfergeau@xxxxxxxxxxxx
> >         Regression: No
> > 
> > 
> > Created an attachment (id=25172)
> >  --> (http://bugzilla.kernel.org/attachment.cgi?id=25172)
> > lsusb -v before running the program that triggers the oops
> > 
> > While "playing" (ie sending it random stuff with libusb) with an iPod nano with
> > a recent kernel (tested with 2.6.33-rc8 and git master from a few hours ago),
> > I'm getting a kernel oops :
> > 
> > 
> > BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> > IP: [<ffffffffa00e7079>] usb_altnum_to_altsetting+0x9/0x60 [usbcore]
> > PGD 6b802067 PUD 6b9ad067 PMD 0 
> > Oops: 0000 [#1] SMP 
> > last sysfs file: /sys/devices/pci0000:00/0000:00:1a.7/usb1/1-2/devnum
> > CPU 1 
> > Pid: 4349, comm: python Not tainted 2.6.33-desktop-0.rc8.1mnb #1
> > Mac-F22788A9/MacBook4,1
> > RIP: 0010:[<ffffffffa00e7079>]  [<ffffffffa00e7079>]
> > usb_altnum_to_altsetting+0x9/0x60 [usbcore]
> > RSP: 0018:ffff880068011d18  EFLAGS: 00010246
> > RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffff88006f8905f0
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> > RBP: ffff880068011d18 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: ffff88007c573800
> > R13: ffff880068042c00 R14: 0000000000000000 R15: 00000000ffffffb5
> > FS:  00007f224c9f0700(0000) GS:ffff880001b00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> > CR2: 0000000000000010 CR3: 000000006b815000 CR4: 00000000000006e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> > Process python (pid: 4349, threadinfo ffff880068010000, task ffff88006b8c4350)
> > Stack:
> >  ffff880068011d88 ffffffffa00f4213 0000000000000000 ffff880000000000
> > <0> ffff880000001388 ffffffff810df769 ffff88006da3e400 ffff88007c377d50
> > <0> ffff880068011d88 0000000000000000 ffff88007c9a3240 00007fff620c8c8c
> > Call Trace:
> >  [<ffffffffa00f4213>] usb_reset_configuration+0x123/0x250 [usbcore]
> >  [<ffffffff810df769>] ? filemap_fault+0xb9/0x450
> >  [<ffffffffa00ff34d>] usbdev_do_ioctl+0xcdd/0x12c0 [usbcore]
> >  [<ffffffff810f9a59>] ? __do_fault+0x3b9/0x4b0
> >  [<ffffffff813b8e07>] ? _lock_kernel+0x47/0xad
> >  [<ffffffffa00ff9f8>] usbdev_ioctl+0x48/0x80 [usbcore]
> >  [<ffffffff81137ffd>] vfs_ioctl+0x3d/0xd0
> >  [<ffffffff8113858a>] do_vfs_ioctl+0x8a/0x5a0
> >  [<ffffffff811f4166>] ? __up_read+0xa6/0xd0
> >  [<ffffffff8107bcde>] ? up_read+0xe/0x10
> >  [<ffffffff81138b21>] sys_ioctl+0x81/0xa0
> >  [<ffffffff8100a002>] system_call_fastpath+0x16/0x1b
> > Code: 0f b6 7f 02 39 f7 74 c1 83 c2 01 44 39 c2 7c e2 31 c0 eb b5 66 66 66 66
> > 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00 <44> 8b 47 10 45 85 c0
> > 74 35 48 8b 07 31 d2 0f b6 48 03 39 f1 75 
> > RIP  [<ffffffffa00e7079>] usb_altnum_to_altsetting+0x9/0x60 [usbcore]
> >  RSP <ffff880068011d18>
> > CR2: 0000000000000010
> > ---[ end trace ded3cae37b595f91 ]---
> > 
> > I bisected it to
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3f0479e0
> > With this commit, the oops happens, right before this commit, my test program
> > just fails with 
> > 
> > Traceback (most recent call last):
> >   File "./ipoddfu.py", line 32, in <module>
> >     dev = libipoddfu.ipoddfu()
> >   File "/home/teuf/hack/ipoddfu/snapshot-201002150047/tools/libipoddfu.py",
> > line 76, in __init__
> >     self.handle.setConfiguration(1)
> > usb.USBError: Numerical result out of range
> > 
> > (which is an acceptable result to me since the iPod is in a pretty bad state at
> > that point).

Random stuff, hmmm?  Maybe you asked it to change alternate settings to
one that the device doesn't provide?  Can you post your python script?

The only way you would get a null pointer dereference when
usb_altnum_to_altsetting() is called in usb_reset_configuration() is if
usb_host_config->interface[i] is null.  I think that's only true if the
configuration is not active, meaning the device was in the addressed
state.

Alan, does this sound correct?

I think the fix is to dig the interfaces out of the interface cache
instead.  I'll post a patch in a bit.

Sarah
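
The failure condition described above, as an added example that is not part of the original message or the kernel source: a simplified userspace model of the usbcore structures, showing why a NULL `interface[i]` faults at address 0x10 (the CR2 value in the oops) and what a defensive lookup returns instead. It assumes a 64-bit (LP64) build; `altnum_lookup_checked`, `null_intf_fault_offset`, `MAXINTF` and the sample data are hypothetical names, and the guard shown is not the interface-cache fix proposed in the message.

```c
/* Added example: simplified userspace model of the usbcore structures.
 * Field order follows the kernel's; everything else is trimmed. Assumes LP64. */
#include <stddef.h>
#include <stdio.h>

struct usb_interface_descriptor {
	unsigned char bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting;
};
struct usb_host_interface { struct usb_interface_descriptor desc; };
struct usb_interface {
	struct usb_host_interface *altsetting;     /* offset 0x00 */
	struct usb_host_interface *cur_altsetting; /* offset 0x08 */
	unsigned num_altsetting;                   /* offset 0x10 */
};
#define MAXINTF 4 /* hypothetical bound for this model */
struct usb_host_config { struct usb_interface *interface[MAXINTF]; };

/* Address read first when an unguarded lookup is handed intf == NULL. */
size_t null_intf_fault_offset(void)
{
	return offsetof(struct usb_interface, num_altsetting);
}

/* Hypothetical guarded lookup: NULL for an unpopulated interface slot. */
struct usb_host_interface *altnum_lookup_checked(const struct usb_host_config *cfg,
						 unsigned idx, unsigned altnum)
{
	const struct usb_interface *intf;
	unsigned i;

	if (!cfg || idx >= MAXINTF)
		return NULL;
	intf = cfg->interface[idx];
	if (!intf)	/* the case that oopsed: slot never populated */
		return NULL;
	for (i = 0; i < intf->num_altsetting; i++)
		if (intf->altsetting[i].desc.bAlternateSetting == altnum)
			return &intf->altsetting[i];
	return NULL;
}

/* Constructed sample data: slot 0 populated, slot 1 NULL (config not active). */
static struct usb_host_interface alts[2] = { { { 9, 4, 0, 0 } }, { { 9, 4, 0, 1 } } };
static struct usb_interface intf0 = { alts, &alts[0], 2 };
struct usb_host_config sample_cfg = { { &intf0, NULL } };

int main(void)
{
	printf("fault offset: 0x%zx\n", null_intf_fault_offset());
	printf("slot 1: %p\n", (void *)altnum_lookup_checked(&sample_cfg, 1, 0));
	return 0;
}
```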