Bug 25962 - cdc_acm oopses when probing a KryoFlux USB floppy controller
Status: RESOLVED INVALID
Product: Drivers
Classification: Unclassified
Component: USB
Hardware: All Linux
Importance: P1 normal
Assignee: Greg Kroah-Hartman
Reported: 2010-12-30 18:56 UTC by Stephen Kitt
Modified: 2012-02-22 21:54 UTC
Kernel Version: 2.6.36
Regression: No

Attachments
lsusb info for the KryoFlux device once it's been initialised (and crashes cdc_acm) (2.56 KB, text/plain)
2010-12-30 18:56 UTC, Stephen Kitt
lsusb info before firmware upload (cdc_acm probes this without crashing) (2.89 KB, text/plain)
2010-12-30 18:57 UTC, Stephen Kitt

Description Stephen Kitt 2010-12-30 18:56:34 UTC
Created attachment 41962
lsusb info for the KryoFlux device once it's been initialised (and crashes cdc_acm)

Hi,

The following oops occurs when cdc_acm probes a KryoFlux (http://www.kryoflux.com):

Dec 28 15:19:29 heffalump kernel: [459009.996083] usb 4-1: new full speed USB device using uhci_hcd and address 2
Dec 28 15:19:29 heffalump kernel: [459010.155018] usb 4-1: New USB device found, idVendor=03eb, idProduct=6124
Dec 28 15:19:29 heffalump kernel: [459010.155023] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
Dec 28 15:19:30 heffalump kernel: [459010.559345] cdc_acm 4-1:1.0: This device cannot do calls on its own. It is not a modem.
Dec 28 15:19:30 heffalump kernel: [459010.559482] cdc_acm 4-1:1.0: ttyACM0: USB ACM device
Dec 28 15:19:30 heffalump kernel: [459010.562123] usbcore: registered new interface driver cdc_acm
Dec 28 15:19:30 heffalump kernel: [459010.562129] cdc_acm: v0.26:USB Abstract Control Model driver for USB modems and ISDN adapters
Dec 28 15:20:37 heffalump kernel: [459078.152085] usb 4-1: USB disconnect, address 2
Dec 28 15:20:38 heffalump kernel: [459078.392423] usb 4-1: new full speed USB device using uhci_hcd and address 3
Dec 28 15:20:38 heffalump kernel: [459078.583628] usb 4-1: New USB device found, idVendor=03eb, idProduct=6124
Dec 28 15:20:38 heffalump kernel: [459078.583633] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Dec 28 15:20:38 heffalump kernel: [459078.583637] usb 4-1: Product: C2 DiskSystem
Dec 28 15:20:38 heffalump kernel: [459078.583640] usb 4-1: Manufacturer: www.softpres.org
Dec 28 15:20:38 heffalump kernel: [459078.583642] usb 4-1: SerialNumber: 00000000
Dec 28 15:20:38 heffalump kernel: [459078.586768] cdc_acm 4-1:1.0: This device cannot do calls on its own. It is not a modem.
Dec 28 15:20:38 heffalump kernel: [459078.586862] BUG: unable to handle kernel NULL pointer dereference at 00000004
Dec 28 15:20:38 heffalump kernel: [459078.587150] IP: [<f83c5b85>] acm_probe+0x381/0xa2c [cdc_acm]
Dec 28 15:20:38 heffalump kernel: [459078.587368] *pdpt = 00000000113a7001 *pde = 0000000000000000 
Dec 28 15:20:38 heffalump kernel: [459078.587593] Oops: 0000 [#1] SMP 
Dec 28 15:20:38 heffalump kernel: [459078.587723] last sysfs file: /sys/devices/pci0000:00/0000:00:1d.2/usb4/4-1/manufacturer
Dec 28 15:20:38 heffalump kernel: [459078.588019] Modules linked in: cdc_acm nls_utf8 nls_cp437 vfat fat usb_storage isofs vboxnetadp vboxnetflt vboxdrv sco bridge stp bnep rfcomm l2cap binfmt_misc microcode fuse ext4 jbd2 crc16 sha256_generic aes_i586 aes_generic cbc iTCO_wdt iTCO_vendor_support tcp_diag inet_diag autofs4 loop grip w83627hf hwmon_vid dm_crypt snd_hda_codec_atihdmi cx22702 usblp cx88_dvb cx88_vp3054_i2c videobuf_dvb dvb_core snd_intel8x0 rc_hauppauge_new snd_cs4236 snd_hda_intel snd_wavefront snd_ac97_codec snd_wss_lib tuner_simple tuner_types snd_hda_codec snd_opl3_lib tda9887 snd_mpu401 snd_mpu401_uart cx8800 ir_lirc_codec lirc_dev tda8290 ir_sony_decoder ac97_bus ir_jvc_decoder cx8802 tuner snd_usb_audio ir_rc6_decoder snd_hwdep snd_usbmidi_lib ir_rc5_decoder cx88_alsa snd_pcm cx88xx snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_timer btusb ir_nec_decoder snd_seq_device bluetooth v4l2_common pwc ir_common ir_core videobuf_dma_sg tveeprom videodev rfkill btcx_risc videobuf_core v4l1_com
Dec 28 15:20:38 heffalump kernel: pat snd joydev parport_pc ns558 gameport soundcore tpm_tis serio_raw rng_core parport snd_page_alloc psmouse pcspkr evdev i2c_i801 tpm tpm_bios shpchp processor pci_hotplug ext3 jbd mbcache dm_mod raid1 raid0 md_mod osst st hid_logitech ff_memless usbhid hid sg radeon sd_mod sr_mod cdrom crc_t10dif ata_generic aic79xx ttm aic7xxx 3w_xxxx drm_kms_helper uhci_hcd ata_piix drm libata ehci_hcd scsi_transport_spi firewire_ohci scsi_mod i2c_algo_bit usbcore firewire_core i2c_core thermal skge crc_itu_t thermal_sys button nls_base [last unloaded: scsi_wait_scan]
Dec 28 15:20:38 heffalump kernel: [459078.590607] 
Dec 28 15:20:38 heffalump kernel: [459078.590607] Pid: 208, comm: khubd Not tainted 2.6.36-trunk-686-bigmem #1 P4P800/To Be Filled By O.E.M.
Dec 28 15:20:38 heffalump kernel: [459078.590607] EIP: 0060:[<f83c5b85>] EFLAGS: 00010286 CPU: 0
Dec 28 15:20:38 heffalump kernel: [459078.590607] EIP is at acm_probe+0x381/0xa2c [cdc_acm]
Dec 28 15:20:38 heffalump kernel: [459078.590607] EAX: 00000000 EBX: c45f2800 ECX: 000005d4 EDX: 00000040
Dec 28 15:20:38 heffalump kernel: [459078.590607] ESI: c5bc4c00 EDI: c9f4b14c EBP: c9f4b120 ESP: f6efbd58
Dec 28 15:20:38 heffalump kernel: [459078.590607]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Dec 28 15:20:38 heffalump kernel: [459078.590607] Process khubd (pid: 208, ti=f6efa000 task=f6ec14a0 task.ti=f6efa000)
Dec 28 15:20:38 heffalump kernel: [459078.590607] Stack:
Dec 28 15:20:38 heffalump kernel: [459078.590607]  c11d47ef c5bc4c00 00000000 c5bc4800 c4585c00 00000000 00000000 00000000
Dec 28 15:20:38 heffalump kernel: [459078.590607] <0> 00004421 00000000 00000200 00000010 c4585c64 f83c7800 00000202 c5bc4cec
Dec 28 15:20:38 heffalump kernel: [459078.590607] <0> c5bc4c00 c5bc4c1c 00000000 f83c77cc f848c50c c4585c00 f83c772c c5bc4c1c
Dec 28 15:20:38 heffalump kernel: [459078.590607] Call Trace:
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11d47ef>] ? __pm_runtime_resume+0x52/0x358
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<f848c50c>] ? usb_probe_interface+0xd9/0x13f [usbcore]
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11d0254>] ? driver_probe_device+0x8c/0x110
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11cf8b0>] ? bus_for_each_drv+0x37/0x5f
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11d03bf>] ? device_attach+0x49/0x65
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11d0333>] ? __device_attach+0x0/0x28
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11cf75c>] ? bus_probe_device+0x15/0x29
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11ce93f>] ? device_add+0x313/0x491
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11436a6>] ? kobject_set_name_vargs+0x43/0x48
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11cdbb3>] ? dev_set_name+0x14/0x15
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<f848b403>] ? usb_set_configuration+0x411/0x4a6 [usbcore]
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<f848b454>] ? usb_set_configuration+0x462/0x4a6 [usbcore]
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<f8491241>] ? generic_probe+0x3e/0x61 [usbcore]
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<f848bf94>] ? usb_probe_device+0x21/0x24 [usbcore]
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11d0254>] ? driver_probe_device+0x8c/0x110
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11cf8b0>] ? bus_for_each_drv+0x37/0x5f
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11d03bf>] ? device_attach+0x49/0x65
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11d0333>] ? __device_attach+0x0/0x28
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11cf75c>] ? bus_probe_device+0x15/0x29
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c11ce93f>] ? device_add+0x313/0x491
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<f8485f18>] ? usb_new_device+0x114/0x160 [usbcore]
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<f848733c>] ? hub_thread+0x7d8/0xbde [usbcore]
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c104a442>] ? autoremove_wake_function+0x0/0x29
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<f8486b64>] ? hub_thread+0x0/0xbde [usbcore]
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c104a0ee>] ? kthread+0x63/0x68
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c104a08b>] ? kthread+0x0/0x68
Dec 28 15:20:38 heffalump kernel: [459078.590607]  [<c100897e>] ? kernel_thread_helper+0x6/0x10
Dec 28 15:20:38 heffalump kernel: [459078.590607] Code: 89 c2 ff 35 a0 41 3c c1 89 c3 b8 3d 5b 3c f8 e8 21 fb ff ff 85 db 58 b8 f4 ff ff ff 5a 0f 84 82 06 00 00 8b 44 24 24 66 8b 57 04 <66> 8b 48 04 66 89 54 24 20 8a 83 cc 05 00 00 31 d2 83 7c 24 08 
Dec 28 15:20:38 heffalump kernel: [459078.590607] EIP: [<f83c5b85>] acm_probe+0x381/0xa2c [cdc_acm] SS:ESP 0068:f6efbd58
Dec 28 15:20:38 heffalump kernel: [459078.590607] CR2: 0000000000000004
Dec 28 15:20:38 heffalump kernel: [459078.721231] ---[ end trace c6e38c9fcc79fe0c ]---

This decodes as:
 f8412b36:	59                   	pop    %ecx 
 f8412b37:	5b                   	pop    %ebx 
 f8412b38:	e9 c2 06 00 00       	jmp    f84131ff <acm_probe+0x9fb> 
 f8412b3d:	89 44 24 18          	mov    %eax,0x18(%esp)     |  %esp = f6e83d58 
 f8412b41:	ba d0 80 00 00       	mov    $0x80d0,%edx 
 f8412b46:	b8 d8 05 00 00       	mov    $0x5d8,%eax 
 f8412b4b:	e8 fc ff ff ff       	call   f8412b4c <acm_probe+0x348> 
 f8412b50:	b9 d4 05 00 00       	mov    $0x5d4,%ecx         |  %ecx => 5d4 
 f8412b55:	68 d0 80 00 00       	push   $0x80d0 
 f8412b5a:	89 c2                	mov    %eax,%edx 
 f8412b5c:	ff 35 e0 05 00 00    	pushl  0x5e0 
 f8412b62:	89 c3                	mov    %eax,%ebx 
 f8412b64:	b8 3d 0b 00 00       	mov    $0xb3d,%eax 
 f8412b69:	e8 21 fb ff ff       	call   f841268f <trace_kmalloc> 
 f8412b6e:	85 db                	test   %ebx,%ebx           |  %ebx => f5535800 
 f8412b70:	58                   	pop    %eax 
 f8412b71:	b8 f4 ff ff ff       	mov    $0xfffffff4,%eax 
 f8412b76:	5a                   	pop    %edx                |  %edx => 40 
 f8412b77:	0f 84 82 06 00 00    	je     f84131ff <acm_probe+0x9fb> 
 f8412b7d:	8b 44 24 24          	mov    0x24(%esp),%eax     |  %esp = f6e83d58  %eax => 0 
 f8412b81:	66 8b 57 04          	mov    0x4(%edi),%dx       |  %edi = f1b0098c 
*f8412b85:	66 8b 48 04          	mov    0x4(%eax),%cx       |  %eax = 0 <--- faulting instruction
 f8412b89:	66 89 54 24 20       	mov    %dx,0x20(%esp) 
 f8412b8e:	8a 83 cc 05 00 00    	mov    0x5cc(%ebx),%al 
 f8412b94:	31 d2                	xor    %edx,%edx 
 f8412b96:	83 7c 24 08 02       	cmpl   $0x2,0x8(%esp) 
 f8412b9b:	0f 95 c2             	setne  %dl 
 f8412b9e:	83 e0 fe             	and    $0xfffffffe,%eax 
 f8412ba1:	0b 44 24 1c          	or     0x1c(%esp),%eax 
 f8412ba5:	42                   	inc    %edx 
 f8412ba6:	88 83 cc 05 00 00    	mov    %al,0x5cc(%ebx) 
 f8412bac:	0f b7 45 04          	movzwl 0x4(%ebp),%eax 
 f8412bb0:	6b c0 14             	imul   $0x14,%eax,%eax 
 f8412bb3:	89 83 b0 05 00 00    	mov    %eax,0x5b0(%ebx) 
 f8412bb9:	8b 44 24 04          	mov    0x4(%esp),%eax 
 f8412bbd:	89 43 04             	mov    %eax,0x4(%ebx) 
 f8412bc0:	8b 44 24 0c          	mov    0xc(%esp),%eax 
 f8412bc4:	89 43 08             	mov    %eax,0x8(%ebx) 
 f8412bc7:	8b 44 24 18          	mov    0x18(%esp),%eax 
 f8412bcb:	89 83 bc 05 00 00    	mov    %eax,0x5bc(%ebx) 
 f8412bd1:	8b 44 24 10          	mov    0x10(%esp),%eax 
 f8412bd5:	89 03                	mov    %eax,(%ebx) 

which corresponds to line 1145 in drivers/usb/class/cdc-acm.c:
        ctrlsize = le16_to_cpu(epctrl->wMaxPacketSize);

I take it this means epctrl is NULL, but beyond that I don't know what the problem is...

I'm attaching the lsusb info for the device in its oops-causing state; I'll attach its initial state (which doesn't cause an oops) separately.

I don't have the USB device's firmware's source but can probably get bugs there fixed if that's what's appropriate!

Thanks in advance,

Stephen
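
Added example, not part of the original report and not the cdc_acm driver's code: the fault address 00000004 in the oops equals the byte offset of wMaxPacketSize in a standard USB endpoint descriptor, which is the address a read through a NULL endpoint pointer touches. The sketch shows a probe-style routine that rejects a device whose descriptors lack an expected endpoint instead of dereferencing; `acm_eps`, `collect_eps`, `probe_ctrlsize` and both sample descriptor sets are constructed assumptions, not the KryoFlux's real descriptors.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Byte offsets in the standard 7-byte USB endpoint descriptor. */
enum { EP_TYPE = 1, EP_ADDR = 2, EP_ATTR = 3, EP_MAXPKT = 4, EP_LEN = 7 };

/* Hypothetical holder for the endpoints a probe routine collects. */
struct acm_eps { const uint8_t *ctrl, *in, *out; };

/* Walk a descriptor blob and record the first endpoint of each kind. */
static void collect_eps(const uint8_t *d, size_t len, struct acm_eps *e)
{
    size_t off = 0;

    e->ctrl = e->in = e->out = NULL;
    while (off + 2 <= len && d[off] >= 2 && off + d[off] <= len) {
        const uint8_t *p = d + off;
        if (p[EP_TYPE] == 0x05 && p[0] >= EP_LEN) {    /* endpoint descriptor */
            int xfer = p[EP_ATTR] & 0x03;              /* 2 = bulk, 3 = interrupt */
            int dir_in = p[EP_ADDR] & 0x80;
            if (xfer == 3 && !e->ctrl)
                e->ctrl = p;
            else if (xfer == 2 && dir_in && !e->in)
                e->in = p;
            else if (xfer == 2 && !dir_in && !e->out)
                e->out = p;
        }
        off += p[0];
    }
}

/* Control endpoint's wMaxPacketSize, or -EINVAL if an endpoint is missing. */
int probe_ctrlsize(const uint8_t *d, size_t len)
{
    struct acm_eps e;

    collect_eps(d, len, &e);
    if (!e.ctrl || !e.in || !e.out)
        return -EINVAL;      /* reject rather than read offset 4 of NULL */
    return e.ctrl[EP_MAXPKT] | (e.ctrl[EP_MAXPKT + 1] << 8);   /* le16 */
}

/* Constructed samples: interface with bulk endpoints only, then a full set. */
const uint8_t SAMPLE_NO_INT[] = { 9, 0x04, 0, 0, 2, 0x0a, 0, 0, 0,
    7, 0x05, 0x81, 0x02, 0x40, 0, 0,   7, 0x05, 0x02, 0x02, 0x40, 0, 0 };
const uint8_t SAMPLE_FULL[] = { 7, 0x05, 0x83, 0x03, 0x08, 0, 0xff,
    7, 0x05, 0x81, 0x02, 0x40, 0, 0,   7, 0x05, 0x02, 0x02, 0x40, 0, 0 };
```

The length checks in the walk also stop at a truncated or zero-length descriptor, so a malformed blob ends in -EINVAL rather than an out-of-bounds read.
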
Comment 1 Stephen Kitt 2010-12-30 18:57:42 UTC
Created attachment 41972
lsusb info before firmware upload (cdc_acm probes this without crashing)
Comment 2 Greg Kroah-Hartman 2012-02-22 21:54:37 UTC
All USB bugs should be sent to the linux-usb@vger.kernel.org mailing 
list, and not entered into bugzilla.  Please bring this issue up there,
if it is still a problem in the latest kernel release.