On Sun, 2 May 2010, Michael Buesch wrote:

> On Sunday 02 May 2010 17:02:22 Alan Stern wrote:
> > Can you figure out what statement corresponds to the faulting
> > instruction address, and which pointer is NULL?
>
> Let's simply look at the code:
> The very first dereference made in usb_altnum_to_altsetting() is
> intf->num_altsetting
> Which is offset 0x8 (on 32bit). That matches the OOPS.
>
> That function is called by usb_reset_configuration, according to the backtrace.
> There we have a loop which loops through the configs. For each config
> it retrieves the usb_interface pointer and calls usb_altnum_to_altsetting() on it.

No -- it loops through the interfaces, and for each interface it gets the usb_interface pointer etc.

> So I am pretty certain that the struct usb_interface *intf pointer is NULL here.

Okay. It would help to have some debugging information. You could add a test just before the call to usb_altnum_to_altsetting(): if intf is NULL then print out i, config->desc.bNumInterfaces, and config->desc.bConfigurationValue.

> So why is it NULL? I can't really tell, because I don't know the details of that code.

Of course you don't -- that's what I'm here for. :-)

> All I can tell is that the device sends _really_ fucked up device and config descriptors
> to the kernel. So my guess is that some sanity checks on the config and/or device
> descriptors are missing/needed.

I doubt it, but it's possible.

> The loop uses the hardware descriptor's (untrusted?) bNumInterfaces in the loop termination statement.

No it doesn't. Look at line 602 of config.c in 2.6.34-r6; the desc.bNumInterfaces value is not necessarily what the device sent.

> That rings a bell for me.
>
> Note that the kernel also throws this message:
> [ 245.449456] usb 4-1: too many configurations: 25, using maximum allowed: 8
>
> Is that related? It smells like that to me. What if we only allocated 8 configs earlier
> but try to loop 25 configs now?

FYI, the config->interface[i] values are set in usb_set_configuration(). That function contains a similar loop and call to usb_altnum_to_altsetting(), but apparently it worked without any problem.

Alan Stern
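Two points from the exchange above, shown together in one added example that is not kernel code and not part of this thread: the sanitized interface count (the parser stores the number of interface descriptors it actually found and populated, not the device's raw bNumInterfaces), and the diagnostic Alan suggests (test intf for NULL before dereferencing it and report i, bNumInterfaces and bConfigurationValue instead of oopsing). The structures, the MAX_INTERFACES cap, the function names and the descriptor blob are constructed stand-ins for the real usb_host_config/usb_interface code, not the kernel's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_INTERFACES 8      /* assumed cap for this example only */
#define DT_CONFIG      0x02
#define DT_INTERFACE   0x04

/* Hypothetical, simplified stand-ins for usb_interface / usb_host_config. */
struct iface {
    unsigned char number;
    int num_altsetting;
};

struct config {
    unsigned char bConfigurationValue;
    unsigned char claimed_interfaces;   /* raw bNumInterfaces the device sent */
    unsigned char bNumInterfaces;       /* sanitized: slots actually filled */
    struct iface *interface[MAX_INTERFACES];
    struct iface storage[MAX_INTERFACES];
};

/* Parse a raw configuration descriptor blob from an untrusted device.
 * Returns the sanitized interface count, or -1 for a malformed header.
 * Every length field comes from the device, so each is bounds-checked. */
int parse_config(struct config *cfg, const unsigned char *buf, size_t len)
{
    size_t off, total;
    int n = 0;

    memset(cfg, 0, sizeof(*cfg));
    if (len < 9 || buf[0] < 9 || buf[1] != DT_CONFIG)
        return -1;
    total = buf[2] | (buf[3] << 8);
    if (total > len)
        total = len;                    /* never trust wTotalLength blindly */
    cfg->claimed_interfaces = buf[4];
    cfg->bConfigurationValue = buf[5];

    for (off = buf[0]; off + 2 <= total; off += buf[off]) {
        unsigned char dlen = buf[off], type = buf[off + 1];
        if (dlen < 2 || off + dlen > total)
            break;                      /* truncated or zero-length: stop */
        if (type != DT_INTERFACE || dlen < 9)
            continue;
        unsigned char num = buf[off + 2];
        int slot;
        for (slot = 0; slot < n; slot++)
            if (cfg->storage[slot].number == num)
                break;
        if (slot == n) {
            if (n == MAX_INTERFACES)
                continue;               /* over the cap: ignore the rest */
            cfg->storage[n].number = num;
            cfg->interface[n] = &cfg->storage[n];
            n++;
        }
        cfg->storage[slot].num_altsetting++;
    }
    if (n != cfg->claimed_interfaces)
        printf("config %u: descriptor claims %u interfaces, found %d\n",
               cfg->bConfigurationValue, cfg->claimed_interfaces, n);
    cfg->bNumInterfaces = (unsigned char)n;
    return n;
}

/* The suggested check: before touching intf->num_altsetting make sure intf
 * is non-NULL; otherwise report i, bNumInterfaces and bConfigurationValue.
 * Returns how many NULL slots were seen within `bound`. */
int count_missing_interfaces(const struct config *cfg, unsigned bound)
{
    int missing = 0;
    if (bound > MAX_INTERFACES)
        bound = MAX_INTERFACES;         /* stay inside the array */
    for (unsigned i = 0; i < bound; i++) {
        const struct iface *intf = cfg->interface[i];
        if (!intf) {
            printf("interface[%u] is NULL (bNumInterfaces=%u, bConfigurationValue=%u)\n",
                   i, cfg->bNumInterfaces, cfg->bConfigurationValue);
            missing++;
            continue;
        }
        (void)intf->num_altsetting;     /* safe to dereference here */
    }
    return missing;
}

/* Constructed descriptor: the header claims 4 interfaces, but only two
 * follow (interface 0 with two alt settings, interface 1 with one). */
static const unsigned char sample_config[] = {
    9, DT_CONFIG, 36, 0, 4, 1, 0, 0x80, 50,
    9, DT_INTERFACE, 0, 0, 0, 0xff, 0, 0, 0,
    9, DT_INTERFACE, 0, 1, 0, 0xff, 0, 0, 0,
    9, DT_INTERFACE, 1, 0, 0, 0xff, 0, 0, 0,
};

int demo_parsed_count(void)
{
    struct config cfg;
    return parse_config(&cfg, sample_config, sizeof sample_config);
}

/* Looping to the device's raw claim finds NULL slots at i == 2 and 3 ... */
int demo_missing_raw_count(void)
{
    struct config cfg;
    parse_config(&cfg, sample_config, sizeof sample_config);
    return count_missing_interfaces(&cfg, cfg.claimed_interfaces);
}

/* ... while looping to the sanitized bNumInterfaces finds none. */
int demo_missing_sanitized_count(void)
{
    struct config cfg;
    parse_config(&cfg, sample_config, sizeof sample_config);
    return count_missing_interfaces(&cfg, cfg.bNumInterfaces);
}

int main(void)
{
    printf("parsed=%d raw=%d sanitized=%d\n", demo_parsed_count(),
           demo_missing_raw_count(), demo_missing_sanitized_count());
    return 0;
}
```

The bound passed to the loop is the whole point: once the parser has stored the number of slots it actually filled, any later loop that uses that stored count cannot reach an unset pointer, and the NULL check turns a remaining mismatch into a log line naming the index and configuration rather than an oops.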