Bug 5537

Summary: cdc-acm oopses when device is unplugged
Product: Drivers
Reporter: Thomas Nilsson (thomas)
Component: USB
Assignee: Greg Kroah-Hartman (greg)
Status: REJECTED UNREPRODUCIBLE
Severity: normal
CC: bunk
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.14
Subsystem:
Regression: ---
Bisected commit-id:
Bug Depends on:
Bug Blocks: 5089
Attachments: Fixes oops when removing cdc_acm module

Description Thomas Nilsson 2005-11-02 04:04:07 UTC
The cdc_acm module oopses if I disconnect my Nokia phone's USB cable while I have
an active connection open. More or less the same as bug 4407, however that
bug report has been marked as fixed, and the patches are in the 2.6.14 release.
But the driver seems to still exhibit a similar bug.

usb 3-1: USB disconnect, address 4
Unable to handle kernel NULL pointer dereference at virtual address 0000000c
 printing eip:
c018e9fe
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: cdc_acm nfs lockd sunrpc vfat fat processor tdfx drm usbhid
ehci_hcd 3c59x i2c_viapro mii i2c_core uhci_hcd usbcore via_agp agpgart evdev
CPU:    0
EIP:    0060:[<c018e9fe>]    Not tainted VLI
EFLAGS: 00010246   (2.6.14) 
EIP is at sysfs_hash_and_remove+0x1e/0x107
eax: d7dd01a0   ebx: d76a6a68   ecx: c01bfa10   edx: c81fb188
esi: 00000000   edi: d532df80   ebp: d7fd0bc0   esp: c51c9e1c
ds: 007b   es: 007b   ss: 0068
Process picocom (pid: 8063, threadinfo=c51c8000 task=c4bb3540)
Stack: d7fe6d40 d2df290c d2df28c8 d76a6a68 d76a6a60 d532df80 d7fd0bc0 c02064c1 
       d7dd01a0 d532df80 d7fd0c2c d76a6a60 00000000 00000000 c02c32d2 c0206530 
       d76a6a60 d23229a0 d883b5ff d76a6a60 0a600000 d23229a0 d883b6f8 d23229a0 
Call Trace:
 [<c02064c1>] class_device_del+0xb1/0x110
 [<c0206530>] class_device_unregister+0x10/0x20
 [<d883b5ff>] acm_tty_unregister+0x1f/0x70 [cdc_acm]
 [<d883b6f8>] acm_tty_close+0xa8/0xb0 [cdc_acm]
 [<c01ef283>] release_dev+0x163/0x720
 [<c024b1ae>] netif_receive_skb+0x15e/0x1d0
 [<c024b29c>] process_backlog+0x7c/0x100
 [<c024b394>] net_rx_action+0x74/0x110
 [<c01efcff>] tty_release+0xf/0x20
 [<c0158e01>] __fput+0xa1/0x170
 [<c0157372>] filp_close+0x52/0x90
 [<c011c45b>] put_files_struct+0x7b/0xd0
 [<c011d107>] do_exit+0xe7/0x380
 [<c011d414>] do_group_exit+0x34/0x70
 [<c01030c5>] syscall_call+0x7/0xb
Code: 10 83 c4 0c e9 34 b6 fe ff 8d 74 26 00 55 57 56 53 83 ec 0c 8b 44 24 20 8b
50 08 8b 70 50 85 d2 74 7b ff 4a 70 0f 88 e9 00 00 00 <8b> 46 0c 8d 68 fc 8b 4d
04 0f 18 01 90 83 c6 0c 89 c3 39 f0 89 
 <1>Fixing recursive fault but reboot is needed!
Comment 1 Thomas Nilsson 2005-11-06 07:59:57 UTC
After recompiling with CONFIG_DEBUG_INFO and CONFIG_FRAME_POINTER I was unable
to reproduce the above crash; another crash, however, occurred when rmmod cdc_acm.

A friend pointed me to a possible fix which seemed to fix my problems.
Comment 2 Thomas Nilsson 2005-11-06 08:01:14 UTC
Created attachment 6483
Fixes oops when removing cdc_acm module
Comment 3 Thomas Nilsson 2005-11-06 08:03:13 UTC
(Note: patch from andersg@0x63.nu)
Comment 4 Greg Kroah-Hartman 2005-11-14 21:32:51 UTC
I do not see how that patch fixes anything, as it does the same thing
the original code does.

What are you doing with this active connection?  Are you running ppp or some other
line discipline over it?
Comment 5 Thomas Nilsson 2005-11-27 10:44:04 UTC
Try as I might, I just can't reproduce the crash. I'm slowly starting to believe
that the problem never occurred and I dreamt it all. I've tried numerous ways of
reproducing the error (the error did occur on every reboot on that machine when
I reported the issue (and did so as well on the laptop)) but I give up. I'll give
it one more go without the extra debugging enabled and see if I start getting
crashes again. But I doubt I'll get anything useful out of it.
Comment 6 Adrian Bunk 2005-12-30 05:11:41 UTC
Please reopen this bug if you are able to reproduce it.
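
The oops in the bug description can be cross-checked from the register dump and the Code: line alone, without a debug build. The following is an added example, not part of the original report or the kernel tree: it parses an excerpt of that oops, decodes the instruction marked <8b>, and checks that a load through the zero %esi at offset 0xc yields the reported fault address. The function names are hypothetical, and the decoder handles only the 8b /r base-plus-displacement form.

```python
import re

# Excerpt copied from the oops in the bug description on this page.
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 0000000c
eax: d7dd01a0   ebx: d76a6a68   ecx: c01bfa10   edx: c81fb188
esi: 00000000   edi: d532df80   ebp: d7fd0bc0   esp: c51c9e1c
Code: 10 83 c4 0c e9 34 b6 fe ff 8d 74 26 00 55 57 56 53 83 ec 0c 8b 44 24 20 8b
50 08 8b 70 50 85 d2 74 7b ff 4a 70 0f 88 e9 00 00 00 <8b> 46 0c 8d 68 fc 8b 4d
04 0f 18 01 90 83 c6 0c 89 c3 39 f0 89
"""
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM order

def parse_oops(text):
    """Return (fault address, register dict, code bytes, index of the <xx> byte)."""
    fault = int(re.search(r"virtual address ([0-9a-f]{8})", text).group(1), 16)
    regs = {n: int(v, 16) for n, v in
            re.findall(r"\b(e(?:ax|bx|cx|dx|si|di|bp|sp)): ([0-9a-f]{8})", text)}
    tokens = text.split("Code:", 1)[1].split()
    at = next(i for i, t in enumerate(tokens) if t.startswith("<"))
    return fault, regs, bytes(int(t.strip("<>"), 16) for t in tokens), at

def decode_mov_load(code, at):
    """Decode 8b /r (MOV r32, r/m32), base register plus displacement form only."""
    if code[at] != 0x8B:
        raise ValueError("only opcode 8b is handled")
    modrm = code[at + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        raise ValueError("register, SIB and absolute forms are not handled")
    size = (0, 1, 4)[mod]  # displacement width in bytes
    disp = int.from_bytes(code[at + 2:at + 2 + size], "little", signed=True)
    return REGS32[reg], REGS32[rm], disp

def triage(text):
    """Check that the faulting load explains the reported fault address."""
    fault, regs, code, at = parse_oops(text)
    dst, base, disp = decode_mov_load(code, at)
    ea = (regs[base] + disp) & 0xFFFFFFFF
    return {"insn": f"mov {disp:#x}(%{base}),%{dst}", "base_value": regs[base],
            "effective_address": ea, "matches_fault": ea == fault}

if __name__ == "__main__":
    print(triage(OOPS))
```

A zero base register with a small displacement is the usual signature of a structure member read through a NULL pointer, which is consistent with the "NULL pointer dereference" line in the oops.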