Bug 6672

Summary: __device_release_driver oops
Product: Drivers
Reporter: xeb
Component: USB
Assignee: David Brownell (dbrownell)
Status: RESOLVED CODE_FIX
Severity: normal
CC: greg, stern
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.16
Subsystem:
Regression: ---
Bisected commit-id:
Bug Depends on:
Bug Blocks: 5089

Description xeb 2006-06-10 08:12:18 UTC
Most recent kernel where this bug did not occur:
Distribution: gentoo
Hardware Environment: i386
Software Environment: 

Problem Description: 
dummy_hcd dummy_hcd: USB Host+Gadget Emulator, driver 02 May 2005
dummy_hcd dummy_hcd: Dummy host controller
dummy_hcd dummy_hcd: new USB bus registered, assigned bus number 4
usb usb4: configuration #1 chosen from 1 choice
hub 4-0:1.0: USB hub found
hub 4-0:1.0: 1 port detected
dummy_udc dummy_udc: binding gadget driver 'zero'
zero gadget: Gadget Zero, version: St Patrick's Day 2004
zero gadget: using dummy_udc, OUT ep-b IN ep-a
dummy_hcd dummy_hcd: port status 0x00010101 has changes
dummy_hcd dummy_hcd: port status 0x00010101 has changes
zero gadget: resume
dummy_hcd dummy_hcd: port status 0x00100503 has changes
usb 4-1: new high speed USB device using dummy_hcd and address 2
zero gadget: resume
dummy_hcd dummy_hcd: port status 0x00100503 has changes
dummy_udc dummy_udc: set_address = 2
usb 4-1: configuration #3 chosen from 2 choices
dummy_udc dummy_udc: enabled ep-a (ep1in-bulk) maxpacket 512
dummy_udc dummy_udc: enabled ep-b (ep2out-bulk) maxpacket 512
zero gadget: buflen 4096
zero gadget: high speed config #3: source and sink data
dummy_udc dummy_udc: unregister gadget driver 'zero'
zero gadget: reset config
dummy_udc dummy_udc: disabled ep-a
dummy_udc dummy_udc: disabled ep-b
zero gadget: unbind
Unable to handle kernel NULL pointer dereference at virtual address 00000120
 printing eip:
c028b74d
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: g_zero dummy_hcd nvnet snd_intel8x0 snd_ac97_codec snd_ac97_bus
CPU:    0
EIP:    0060:[<c028b74d>]    Tainted: P      VLI
EFLAGS: 00010286   (2.6.16 #4)
EIP is at __device_release_driver+0x4d/0xc0
eax: 00000000   ebx: dd1515d8   ecx: 00000001   edx: 00000001
esi: dd151570   edi: e0c29fa0   ebp: d7cce000   esp: d7ccff2c
ds: 007b   es: 007b   ss: 0068
Process rmmod (pid: 5998, threadinfo=d7cce000 task=d7c60050)
Stack: <0>dd151570 e0c29f80 00000292 c028b7d6 dd1510d0 e0c21f8d e0c23fc4 e0c23aa3
       e0c25524 e0c28a4c e0c2a040 00000000 bfdce760 d7cce000 c01347a4 00000000
       657a5f67 d9006f72 df725ac0 c014e1bb ffffffff b7fbd000 b7fbc000 c014e548
Call Trace:
 [<c028b7d6>] device_release_driver+0x16/0x30
 [<e0c21f8d>] usb_gadget_unregister_driver+0xcd/0x130 [dummy_hcd]
 [<c01347a4>] sys_delete_module+0x144/0x170
 [<c014e1bb>] remove_vma_list+0x4b/0x60
 [<c014e548>] do_munmap+0xe8/0x150
 [<c014e5f7>] sys_munmap+0x47/0x70
 [<c0102fbb>] sysenter_past_esp+0x54/0x75
Code: 68 e8 c8 03 00 00 8b 56 68 8d 47 14 e8 0d ac f0 ff ba f2 a7 3b c0 89 d8 e8 01 ac f0 ff 8d 46 2c e8 a9 94 0f 00 8b 86 d4 00 00 00 <8b> 90 20 01 00 00 85 d2 75 29 8b 57 7c 85 d2 75 22 c7 86 d8 00


Steps to reproduce:

insmod dummy_hcd
insmod g_zero
rmmod g_zero
Comment 1 Nishanth Aravamudan 2006-06-10 09:53:58 UTC
*** Bug 6673 has been marked as a duplicate of this bug. ***
Comment 2 Nishanth Aravamudan 2006-06-10 09:54:04 UTC
*** Bug 6674 has been marked as a duplicate of this bug. ***
Comment 3 Nishanth Aravamudan 2006-06-10 09:55:15 UTC
Can you reproduce this with an untainted kernel?

Thanks,
Nish

P.S. Please don't submit the same bug three times.
Comment 4 xeb 2006-06-10 10:27:46 UTC
Maybe this is the fix:
*** dummy_hcd.c.bak     2006-06-10 21:33:18.000000000 +0400
--- dummy_hcd.c 2006-06-10 21:13:05.000000000 +0400
*************** usb_gadget_register_driver (struct usb_g
*** 823,828 ****
--- 823,829 ----
        }

        driver->driver.bus = dum->gadget.dev.parent->bus;
+       dum->gadget.dev.bus = dum->gadget.dev.parent->bus;
        driver_register (&driver->driver);
        device_bind_driver (&dum->gadget.dev);
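Review bot: the added assignment `dum->gadget.dev.bus = dum->gadget.dev.parent->bus;` (new line 826) comes with no description of how an unset bus pointer on the gadget device leads to the reported NULL dereference in __device_release_driver, and the patch touches only usb_gadget_register_driver, so it is not visible here whether the unregister side needs a matching change. Please add a changelog that explains the link, and consider setting the bus once where dum->gadget.dev is initialized rather than on every gadget driver registration. Separately, the context shows `driver_register (&driver->driver);` with its return value ignored before `device_bind_driver` is called; a failure there should be handled. The file headers (`dummy_hcd.c.bak` / `dummy_hcd.c`) also carry no path relative to the kernel tree, so the patch will not apply with -p1 as posted.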
Comment 5 David Brownell 2006-08-14 22:04:39 UTC
This patch can't possibly be correct, in the general case, but it's 
barely possible that it's right for dummy-hcd ... which Alan is now 
handling. 
Comment 6 Alan Stern 2006-08-15 11:14:22 UTC
This is a known bug in 2.6.16.  It has been fixed in 2.6.17.  If you're
interested, the patch that fixed the problem is here:

   http://marc.theaimsgroup.com/?l=linux-usb-devel&m=114382399230085&w=2
Comment 7 David Brownell 2006-09-10 08:09:28 UTC
This has been fixed for some time now, as I understand 
things ... so unless this gets updated with "still broken 
in 2.6.18-rc6" (or later) I'll mark it as closed/fixed 
the week of 18-sept-2006.