crash by cdc_acm driver in kernels 4.8-rc1/5

crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

L.S.

up to vanilla kernel 4.7.3 I've seen no problems.
On two different dekstops running vanilla kernel-4.8 I can force a crash by
inserting an USB-modem that requires module cdc_acm.ko .
(Strangely enough that doesn't happen on my laptop.)

The moment that cdc_acm loads (manually or automatically - the hardware needs
to be present) a kernel oops occurs.
The system remains responsive for a while, but a reboot is necessairy.
If you try a neat shutdown, the system will hang forever after 'remounting fs
read-only'. You'll need a power-down.

The oops tells things that I didn't all write down, but it says
null pointer dereference at 00000246
...
failed while handling devices/pci0000:00/0000:00:1d.3/usb7/7-1/7-1:1d  etc.
...
udevd .. is taking too long..

Could someone please explain and repair the magic that is happening here?

Thanks in advance, Wim Osterholt.


----- wim@djo.tudelft.nl -----

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

On Thu, 2016-09-08 at 13:58 +0200, Wim Osterholt wrote:
> L.S.
> 
> up to vanilla kernel 4.7.3 I've seen no problems.
> On two different dekstops running vanilla kernel-4.8 I can force a
> crash by
> inserting an USB-modem that requires module cdc_acm.ko .
> (Strangely enough that doesn't happen on my laptop.)
> 
> The moment that cdc_acm loads (manually or automatically - the
> hardware needs
> to be present) a kernel oops occurs.
> The system remains responsive for a while, but a reboot is necessairy.
> If you try a neat shutdown, the system will hang forever after
> 'remounting fs
> read-only'. You'll need a power-down.
> 
> The oops tells things that I didn't all write down, but it says
> null pointer dereference at 00000246

That is the important part. I am sorry, but without the oops
nobody can help you. Please capture it

dmesg > /root/oops.txt

and report it.

	Regards
		Oliver

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Thu, Sep 08, 2016 at 02:20:38PM +0200, Oliver Neukum wrote:
> > 
> > The oops tells things that I didn't all write down, but it says
> > null pointer dereference at 00000246
> 
> That is the important part. I am sorry, but without the oops
> nobody can help you. Please capture it

Sep  6 19:12:37 localhost kernel: usb 7-1: new full-speed USB device number 2 using uhci_hcd
Sep  6 19:12:37 localhost kernel: usb 7-1: New USB device found, idVendor=0572, idProduct=1340
Sep  6 19:12:37 localhost kernel: usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Sep  6 19:12:37 localhost kernel: usb 7-1: Product: USB Modem
Sep  6 19:12:37 localhost kernel: usb 7-1: Manufacturer: Conexant
Sep  6 19:12:37 localhost kernel: usb 7-1: SerialNumber: 12345678
Sep  6 19:12:38 localhost mtp-probe[13126]: checking bus 7, device 2: "/sys/devices/pci0000:00/0000:00:1d.3/usb7/7-1"
Sep  6 19:12:38 localhost mtp-probe[13126]: bus: 7, device: 2 was not an MTP device
Sep  6 19:12:38 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at 00000246
Sep  6 19:12:38 localhost kernel: IP: [<e0a81a35>] 0xe0a81a35
Sep  6 19:12:38 localhost kernel: *pde = 00000000 
Sep  6 19:12:38 localhost kernel: Oops: 0000 [#1] SMP
Sep  6 19:12:38 localhost kernel: Modules linked in: cdc_acm(+) nouveau video drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit lirc_serial(C) lirc_dev(O) cfg80211 rfkill binfmt_misc svgalib_helper(O) snd_pcm_oss snd_mixer_oss fbcon bitblit softcursor font tileblit sr9700 dm9601 usbnet usb_storage mii snd_hda_codec_generic tg3 snd_hda_intel snd_hda_codec ptp snd_hwdep pps_core gpio_ich snd_hda_core libphy ppdev firmware_class uhci_hcd pcspkr snd_pcm ohci_pci ohci_hcd lpc_ich ehci_pci snd_timer ehci_hcd mfd_core snd usbcore floppy soundcore wmi parport_pc usb_common parport acpi_cpufreq processor button
Sep  6 19:12:38 localhost kernel: CPU: 0 PID: 13127 Comm: udevd Tainted: G         C O    4.8.0-rc5 #1
Sep  6 19:12:38 localhost kernel: Hardware name: Hewlett-Packard HP xw4300 Workstation/0A00h, BIOS 786D3 v01.08 03/10/2006
Sep  6 19:12:38 localhost kernel: task: df639c00 task.stack: df4d6000
Sep  6 19:12:38 localhost kernel: EIP: 0060:[<e0a81a35>] EFLAGS: 00010202 CPU: 0
Sep  6 19:12:38 localhost kernel: EAX: 00000000 EBX: def22000 ECX: 00000000 EDX: 00000124
Sep  6 19:12:38 localhost kernel: ESI: def2227c EDI: dee04000 EBP: 00000246 ESP: df4d7ce8
Sep  6 19:12:38 localhost kernel:  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Sep  6 19:12:38 localhost kernel: CR0: 80050033 CR2: 00000246 CR3: 19b4d000 CR4: 00000690
Sep  6 19:12:38 localhost kernel: Stack:
Sep  6 19:12:38 localhost kernel:  dee8ba00 dee8ba00 dee8b400 dee04000 df4b6380 df4b63b8 00000001 dee04070
Sep  6 19:12:38 localhost kernel:  daca2ec0 dee8ba1c 00000040 00000010 00000000 def2200c def2227c 00000000
Sep  6 19:12:38 localhost kernel:  dee20800 00000000 df639c00 dcdc37e0 c01f4347 00000246 00000246 dcdc37e0
Sep  6 19:12:38 localhost kernel: Call Trace:
Sep  6 19:12:38 localhost kernel:  [<c01f4347>] ? 0xc01f4347
Sep  6 19:12:38 localhost kernel:  [<c04357ca>] ? 0xc04357ca
Sep  6 19:12:38 localhost kernel:  [<e0ac422f>] ? 0xe0ac422f
Sep  6 19:12:38 localhost kernel:  [<c030276f>] ? 0xc030276f
Sep  6 19:12:38 localhost kernel:  [<c03028ce>] ? 0xc03028ce
Sep  6 19:12:38 localhost kernel:  [<c030140b>] ? 0xc030140b
Sep  6 19:12:38 localhost kernel:  [<c030238a>] ? 0xc030238a
Sep  6 19:12:38 localhost kernel:  [<c0302879>] ? 0xc0302879
Sep  6 19:12:38 localhost kernel:  [<c030205e>] ? 0xc030205e
Sep  6 19:12:38 localhost kernel:  [<c0302e85>] ? 0xc0302e85
Sep  6 19:12:38 localhost kernel:  [<e0ac3525>] ? 0xe0ac3525
Sep  6 19:12:38 localhost kernel:  [<e08620a9>] ? 0xe08620a9
Sep  6 19:12:38 localhost kernel:  [<e0862000>] ? 0xe0862000
Sep  6 19:12:38 localhost kernel:  [<c01003eb>] ? 0xc01003eb
Sep  6 19:12:38 localhost kernel:  [<c04357ca>] ? 0xc04357ca
Sep  6 19:12:38 localhost kernel:  [<c027c45c>] ? 0xc027c45c
Sep  6 19:12:38 localhost kernel:  [<c01ae14a>] ? 0xc01ae14a
Sep  6 19:12:38 localhost kernel:  [<c0183bf5>] ? 0xc0183bf5
Sep  6 19:12:38 localhost kernel:  [<c0183c24>] ? 0xc0183c24
Sep  6 19:12:38 localhost kernel:  [<c0174deb>] ? 0xc0174deb
Sep  6 19:12:38 localhost kernel:  [<c0175043>] ? 0xc0175043
Sep  6 19:12:38 localhost kernel:  [<c0100ed1>] ? 0xc0100ed1
Sep  6 19:12:38 localhost kernel:  [<c0436e65>] ? 0xc0436e65
Sep  6 19:12:38 localhost kernel: Code: 44 24 04 ba 20 2c a8 e0 89 58 74 83 c0 1c 89 44 24 24 e8 0f de 87 df 85 c0 0f 88 ed fe ff ff 8b 6c 24 54 85 ed 0f 84 91 00 00 00 <0f> b6 45 00 ba c0 00 40 02 83 e8 04 e8 eb c5 72 df 85 c0 89 83
Sep  6 19:12:38 localhost kernel: EIP: [<e0a81a35>]  SS:ESP 0068:df4d7ce8
Sep  6 19:12:38 localhost kernel: CR2: 0000000000000246
Sep  6 19:12:38 localhost kernel: ---[ end trace 64919c4014c0aa1d ]---
Sep  6 19:12:38 localhost kernel: udevd[919]: worker [13127] terminated by signal 9 (Killed)
Sep  6 19:12:38 localhost kernel: udevd[919]: worker [13127] failed while handling '/devices/pci0000:00/0000:00:1d.3/usb7/7-1/7-1:1.1'
Sep  6 19:12:38 localhost kernel: clocksource: timekeeping watchdog on CPU1: Marking clocksource 'tsc' as unstable because the skew is too large:
Sep  6 19:12:38 localhost kernel: clocksource:                       'refined-jiffies' wd_now: 11d65e0 wd_last: 11d6560 mask: ffffffff
Sep  6 19:12:38 localhost kernel: clocksource:                       'tsc' cs_now: dad6eef733f0 cs_last: dad67427eed0 mask: ffffffffffffffff
Sep  6 19:12:38 localhost kernel: clocksource: Switched to clocksource refined-jiffies
Sep  6 19:13:38 localhost kernel: udevd[919]: worker [13125] /devices/pci0000:00/0000:00:1d.3/usb7/7-1/7-1:1.0 is taking a long time
Sep  6 19:15:38 localhost kernel: udevd[919]: worker [13125] /devices/pci0000:00/0000:00:1d.3/usb7/7-1/7-1:1.0 timeout; kill it
Sep  6 19:15:38 localhost kernel: udevd[919]: seq 1356 '/devices/pci0000:00/0000:00:1d.3/usb7/7-1/7-1:1.0' killed
Sep  6 19:15:38 localhost kernel: udevd[919]: worker [13125] terminated by signal 9 (Killed)
Sep  6 19:15:38 localhost kernel: udevd[919]: worker [13125] failed while handling '/devices/pci0000:00/0000:00:1d.3/usb7/7-1/7-1:1.0'
Sep  6 19:15:44 localhost shutdown[13136]: shutting down for system reboot


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

On Thu, 2016-09-08 at 14:58 +0200, Wim Osterholt wrote:
> On Thu, Sep 08, 2016 at 02:20:38PM +0200, Oliver Neukum wrote:
> > > 
> > > The oops tells things that I didn't all write down, but it says
> > > null pointer dereference at 00000246
> > 
> > That is the important part. I am sorry, but without the oops
> > nobody can help you. Please capture it
> 
> Sep  6 19:12:37 localhost kernel: usb 7-1: new full-speed USB device number 2 using uhci_hcd
> Sep  6 19:12:37 localhost kernel: usb 7-1: New USB device found, idVendor=0572, idProduct=1340
> Sep  6 19:12:37 localhost kernel: usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
> Sep  6 19:12:37 localhost kernel: usb 7-1: Product: USB Modem
> Sep  6 19:12:37 localhost kernel: usb 7-1: Manufacturer: Conexant
> Sep  6 19:12:37 localhost kernel: usb 7-1: SerialNumber: 12345678
> Sep  6 19:12:38 localhost mtp-probe[13126]: checking bus 7, device 2: "/sys/devices/pci0000:00/0000:00:1d.3/usb7/7-1"
> Sep  6 19:12:38 localhost mtp-probe[13126]: bus: 7, device: 2 was not an MTP device
> Sep  6 19:12:38 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at 00000246
> Sep  6 19:12:38 localhost kernel: IP: [<e0a81a35>] 0xe0a81a35
> Sep  6 19:12:38 localhost kernel: *pde = 00000000 
> Sep  6 19:12:38 localhost kernel: Oops: 0000 [#1] SMP
> Sep  6 19:12:38 localhost kernel: Modules linked in: cdc_acm(+) nouveau video drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit lirc_serial(C) lirc_dev(O) cfg80211 rfkill binfmt_misc svgalib_helper(O) snd_pcm_oss snd_mixer_oss fbcon bitblit softcursor font tileblit sr9700 dm9601 usbnet usb_storage mii snd_hda_codec_generic tg3 snd_hda_intel snd_hda_codec ptp snd_hwdep pps_core gpio_ich snd_hda_core libphy ppdev firmware_class uhci_hcd pcspkr snd_pcm ohci_pci ohci_hcd lpc_ich ehci_pci snd_timer ehci_hcd mfd_core snd usbcore floppy soundcore wmi parport_pc usb_common parport acpi_cpufreq processor button
> Sep  6 19:12:38 localhost kernel: CPU: 0 PID: 13127 Comm: udevd Tainted: G         C O    4.8.0-rc5 #1
> Sep  6 19:12:38 localhost kernel: Hardware name: Hewlett-Packard HP xw4300 Workstation/0A00h, BIOS 786D3 v01.08 03/10/2006
> Sep  6 19:12:38 localhost kernel: task: df639c00 task.stack: df4d6000
> Sep  6 19:12:38 localhost kernel: EIP: 0060:[<e0a81a35>] EFLAGS: 00010202 CPU: 0
> Sep  6 19:12:38 localhost kernel: EAX: 00000000 EBX: def22000 ECX: 00000000 EDX: 00000124
> Sep  6 19:12:38 localhost kernel: ESI: def2227c EDI: dee04000 EBP: 00000246 ESP: df4d7ce8
> Sep  6 19:12:38 localhost kernel:  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
> Sep  6 19:12:38 localhost kernel: CR0: 80050033 CR2: 00000246 CR3: 19b4d000 CR4: 00000690
> Sep  6 19:12:38 localhost kernel: Stack:
> Sep  6 19:12:38 localhost kernel:  dee8ba00 dee8ba00 dee8b400 dee04000 df4b6380 df4b63b8 00000001 dee04070
> Sep  6 19:12:38 localhost kernel:  daca2ec0 dee8ba1c 00000040 00000010 00000000 def2200c def2227c 00000000
> Sep  6 19:12:38 localhost kernel:  dee20800 00000000 df639c00 dcdc37e0 c01f4347 00000246 00000246 dcdc37e0
> Sep  6 19:12:38 localhost kernel: Call Trace:
> Sep  6 19:12:38 localhost kernel:  [<c01f4347>] ? 0xc01f4347

Hi,

your stack trace is broken. Did you fail to install the System.map file?

	Regards
		Oliver

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Thu, Sep 08, 2016 at 03:05:15PM +0200, Oliver Neukum wrote:
> > Sep  6 19:12:38 localhost kernel: Call Trace:
> > Sep  6 19:12:38 localhost kernel:  [<c01f4347>] ? 0xc01f4347
> 
> Hi,
> 
> your stack trace is broken. Did you fail to install the System.map file?

Never needed that for anything the last 20 years or so.
I don't have the device at hand here, so new logs will be available
tomorrow.

Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Thu, Sep 08, 2016 at 03:05:15PM +0200, Oliver Neukum wrote:
> > Sep  6 19:12:38 localhost kernel: Call Trace:
> > Sep  6 19:12:38 localhost kernel:  [<c01f4347>] ? 0xc01f4347
> 
> Hi,
> 
> your stack trace is broken. Did you fail to install the System.map file?

Source is available under /usr/src/linux --> /usr/src/linux-4.8-rc5
System.map is available there, also as System.map-4.8-rc5.
System.map and System.map-4.8-rc5 is also available in /boot.
But the call trace still shows no symbols.
>From reading I understood that symbols from modules will not be available in
System.map. So what else  should I do?



[   46.133212] usb 4-1: new full-speed USB device number 2 using uhci_hcd
[   46.334136] usb 4-1: New USB device found, idVendor=0572, idProduct=1340
[   46.334140] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   46.334142] usb 4-1: Product: USB Modem
[   46.334145] usb 4-1: Manufacturer: Conexant
[   46.334147] usb 4-1: SerialNumber: 12345678
[   46.388110] BUG: unable to handle kernel NULL pointer dereference at 00000246
[   46.391243] IP: [<e12d0a35>] 0xe12d0a35
[   46.391243] *pde = 00000000 
[   46.391243] Oops: 0000 [#1] SMP
[   46.391243] Modules linked in: cdc_acm(+) radeon drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit fbcon bitblit softcursor font tileblit lirc_serial(C) lirc_dev(O) binfmt_misc svgalib_helper(O) snd_pcm_oss snd_mixer_oss usbhid usb_storage ipw2200 snd_intel8x0 snd_ac97_codec libipw lib80211 ac97_bus cfg80211 snd_pcm snd_timer rfkill firmware_class snd via_rhine ppdev soundcore pcspkr uhci_hcd mii ehci_pci ehci_hcd usbcore floppy parport_pc lpc_ich usb_common fan parport acpi_cpufreq thermal mfd_core processor button
[   46.391243] CPU: 1 PID: 1868 Comm: udevd Tainted: G         C O    4.8.0-rc5 #1
[   46.391243] Hardware name: MEDIONPC MS-7048/MS-7048, BIOS 6.00 PG 02/12/2004
[   46.391243] task: df6adb00 task.stack: dc740000
[   46.391243] EIP: 0060:[<e12d0a35>] EFLAGS: 00010202 CPU: 1
[   46.391243] EAX: 00000000 EBX: dec6f000 ECX: 00000000 EDX: 00000124
[   46.391243] ESI: dec6f27c EDI: dc7a5800 EBP: 00000246 ESP: dc741ce8
[   46.391243]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[   46.391243] CR0: 80050033 CR2: 00000246 CR3: 1c714000 CR4: 00000690
[   46.391243] Stack:
[   46.391243]  df788000 df788000 df788400 dc7a5800 df4b5780 df4b57b8 00000001 dc7a5870
[   46.391243]  dc4409c0 df78801c 00000040 00000010 00000000 dec6f00c dec6f27c 00000000
[   46.391243]  dc79e800 00000000 df6adb00 da4a5f30 c01f5243 00000246 00000246 da4a5f30
[   46.391243] Call Trace:
[   46.391243]  [<c01f5243>] ? 0xc01f5243
[   46.391243]  [<c043c68a>] ? 0xc043c68a
[   46.391243]  [<e09fc22f>] ? 0xe09fc22f
[   46.391243]  [<c03087a8>] ? 0xc03087a8
[   46.391243]  [<c0308907>] ? 0xc0308907
[   46.391243]  [<c0307444>] ? 0xc0307444
[   46.391243]  [<c03083c3>] ? 0xc03083c3
[   46.391243]  [<c03088b2>] ? 0xc03088b2
[   46.391243]  [<c0308097>] ? 0xc0308097
[   46.391243]  [<c0308ebe>] ? 0xc0308ebe
[   46.391243]  [<e09fb525>] ? 0xe09fb525
[   46.391243]  [<e12d30a9>] ? 0xe12d30a9
[   46.391243]  [<e12d3000>] ? 0xe12d3000
[   46.391243]  [<c01003eb>] ? 0xc01003eb
[   46.391243]  [<c043c68a>] ? 0xc043c68a
[   46.391243]  [<c027d355>] ? 0xc027d355
[   46.391243]  [<c01af013>] ? 0xc01af013
[   46.391243]  [<c0184275>] ? 0xc0184275
[   46.391243]  [<c01842a4>] ? 0xc01842a4
[   46.391243]  [<c017546b>] ? 0xc017546b
[   46.391243]  [<c01756c3>] ? 0xc01756c3
[   46.391243]  [<c0100ed1>] ? 0xc0100ed1
[   46.391243]  [<c043dd25>] ? 0xc043dd25
[   46.391243] Code: 44 24 04 ba 20 1c 2d e1 89 58 74 83 c0 1c 89 44 24 24 e8 35 4e 03 df 85 c0 0f 88 ed fe ff ff 8b 6c 24 54 85 ed 0f 84 91 00 00 00 <0f> b6 45 00 ba c0 00 40 02 83 e8 04 e8 b4 e4 ed de 85 c0 89 83
[   46.391243] EIP: [<e12d0a35>]  SS:ESP 0068:dc741ce8
[   46.391243] CR2: 0000000000000246
[   46.802809] ---[ end trace 3cd7f784cc67fa66 ]---
[   46.811156] udevd[884]: worker [1868] terminated by signal 9 (Killed)
[   46.811164] udevd[884]: worker [1868] failed while handling '/devices/pci0000:00/0000:00:1d.2/usb4/4-1/4-1:1.1'


Regards, Wim.
y

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

> your stack trace is broken. Did you fail to install the System.map file?
> 
> 	Regards
> 		Oliver

>Finally found something.
>CONFIG_DEBUG_INFO was not set.

Doesn't make any difference either.
Compiled cdc_acm in the kernel, not as a module. Doesn't make any
difference, except for that it says 'a reboot is necessairy' en then it
freezes. Still no symbols.

Google didn't tell me anything useful, nor did you.
This took me days already.
I told you all you need: plug in a modem that needs cdc_acm.


Wim.


----- wim@djo.tudelft.nl -----

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Thu, Sep 08, 2016 at 03:05:15PM +0200, Oliver Neukum wrote:
> 
> your stack trace is broken. Did you fail to install the System.map file?
> 
> 	Regards
> 		Oliver

A laptop, more broken than the rest, does not output anything after
inserting. Later on it crashes. No system.map file in /boot.
After booting with the dongle inserted it spits out:

[   17.204261] fbcon: radeondrmfb (fb0) is primary device
[   17.276234] BUG: unable to handle kernel NULL pointer dereference at 00000007
[   17.276266] IP: [<d080d2e0>] acm_probe+0x450/0xed0 [cdc_acm]
[   17.276272] *pde = 00000000 
[   17.276278] Oops: 0000 [#1] PREEMPT SMP
[   17.276362] Modules linked in: cdc_acm(+) radeon(+) fbcon i2c_algo_bit bitblit softcursor font drm_kms_helper cfbfillrect syscopyarea cfbimgblt sysfillrect sysimgblt fb_sys_fops cfbcopyarea ttm snd_intel8x0m snd_intel8x0 pcmcia snd_ac97_codec drm dell_smm_hwmon hwmon ipw2200 fb uhci_hcd fbdev ehci_pci yenta_socket ehci_hcd ac97_bus snd_pcm dcdbas libipw usbcore pcmcia_rsrc pcmcia_core snd_timer lib80211 cfg80211 3c59x snd serio_raw intel_agp soundcore usb_common 8250_pci mii video intel_gtt agpgart 8250 8250_base parport_pc parport serial_core
[   17.276371] CPU: 0 PID: 1311 Comm: udevd Not tainted 4.8.0-rc5 #1
[   17.276375] Hardware name: Dell Computer Corporation Inspiron 4100                   /Inspiron 4100            , BIOS A13 05/16/2003
[   17.276379] task: cf9667c0 task.stack: cf10a000
[   17.276385] EIP: 0060:[<d080d2e0>] EFLAGS: 00010202 CPU: 0
[   17.276400] EIP is at acm_probe+0x450/0xed0 [cdc_acm]
[   17.276404] EAX: 00000004 EBX: cbb62800 ECX: 00000040 EDX: 00000040
[   17.276409] ESI: 00000000 EDI: 00000000 EBP: cf10bd00 ESP: cf10bc60
[   17.276413]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[   17.276418] CR0: 80050033 CR2: 00000007 CR3: 0f07f000 CR4: 000006d0
[   17.276420] Stack:
[   17.276435]  00000000 00000082 00000012 00000000 000046dd cf29ac80 cf9e6238 cf90cb84
[   17.276448]  cf801c08 00000012 000045c0 00000080 cf9e6200 cf88d960 00000010 cc884470
[   17.276462]  cc884400 00000001 cf194a00 cf193000 cf194a00 c14f00ff cc8844f8 cf9667c0
[   17.276464] Call Trace:
[   17.276486]  [<c14f00ff>] ? _raw_spin_unlock_irqrestore+0xf/0x30
[   17.276498]  [<c106d139>] ? preempt_count_add+0x89/0x90
[   17.276505]  [<c106d139>] ? preempt_count_add+0x89/0x90
[   17.276512]  [<c14f02f1>] ? _raw_spin_lock_irqsave+0x11/0x40
[   17.276611]  [<d0b144cc>] ? usb_probe_interface+0xfc/0x2d0 [usbcore]
[   17.276657]  [<d0b144cc>] ? usb_probe_interface+0xfc/0x2d0 [usbcore]
[   17.276675]  [<c1317aef>] ? driver_probe_device+0x1ff/0x400
[   17.276682]  [<c1317aef>] ? driver_probe_device+0x1ff/0x400
[   17.276691]  [<c1317dc9>] ? __driver_attach+0xd9/0x100
[   17.276698]  [<c1317dc9>] ? __driver_attach+0xd9/0x100
[   17.276706]  [<c14f02bd>] ? _raw_spin_lock+0xd/0x30
[   17.276712]  [<c14f00cd>] ? _raw_spin_unlock+0xd/0x30
[   17.276720]  [<c1317cf0>] ? driver_probe_device+0x400/0x400
[   17.276728]  [<c1315ca7>] ? bus_for_each_dev+0x47/0x80
[   17.276735]  [<c1315ca7>] ? bus_for_each_dev+0x47/0x80
[   17.276743]  [<c1317441>] ? driver_attach+0x11/0x20
[   17.276750]  [<c1317cf0>] ? driver_probe_device+0x400/0x400
[   17.276757]  [<c1316f9f>] ? bus_add_driver+0x1df/0x270
[   17.276764]  [<c14f00cd>] ? _raw_spin_unlock+0xd/0x30
[   17.276777]  [<c126c714>] ? kset_find_obj+0x44/0x90
[   17.276785]  [<c131874e>] ? driver_register+0x4e/0xc0
[   17.276791]  [<c131874e>] ? driver_register+0x4e/0xc0
[   17.276837]  [<d0b1330a>] ? usb_register_driver+0x5a/0x110 [usbcore]
[   17.276852]  [<d07f90a7>] ? acm_init+0xa7/0xd6 [cdc_acm]
[   17.276857]  [<d07f9000>] ? 0xd07f9000
[   17.276864]  [<c100048d>] ? do_one_initcall+0x2d/0x130
[   17.276880]  [<c10f56c9>] ? do_init_module+0x19/0x1a0
[   17.276889]  [<c10f56f8>] ? do_init_module+0x48/0x1a0
[   17.276900]  [<c10b7cc7>] ? load_module+0x19c7/0x2150
[   17.276913]  [<c113ef33>] ? kernel_read_file+0x103/0x200
[   17.276922]  [<c10b85f0>] ? SyS_finit_module+0x90/0xd0
[   17.276929]  [<c10b85f0>] ? SyS_finit_module+0x90/0xd0
[   17.276940]  [<c10016c8>] ? do_int80_syscall_32+0x38/0x90
[   17.276946]  [<c10016c8>] ? do_int80_syscall_32+0x38/0x90
[   17.276954]  [<c14f07da>] ? entry_INT80_32+0x2a/0x2a
[   17.277046] Code: 04 89 b3 c0 04 00 00 8d 04 80 c1 e0 02 89 83 b4 04 00 00 8b 45 a8 89 43 04 8b 45 ac 89 43 08 8b 45 a0 89 03 8b 45 c0 85 c0 74 0a <0f> b6 40 03 89 83 c8 04 00 00 f6 45 a4 04 74 07 83 a3 c8 04 00
[   17.277065] EIP: [<d080d2e0>] acm_probe+0x450/0xed0 [cdc_acm] SS:ESP 0068:cf10bc60
[   17.277068] CR2: 0000000000000007
[   17.277360] ---[ end trace 5847748dfb454f14 ]---
[   17.280317] udevd[1295]: worker [1311] terminated by signal 9 (Killed)
[   17.280333] udevd[1295]: worker [1311] failed while handling '/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1:1.0'

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

On Mon, 2016-09-12 at 04:43 +0200, Wim Osterholt wrote:
> 
> A laptop, more broken than the rest, does not output anything after
> inserting. Later on it crashes. No system.map file in /boot.
> After booting with the dongle inserted it spits out:

I cannot replicate it. Could you please provide "lsusb -v"?

	Regards
		Oliver

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Tue, Sep 20, 2016 at 03:05:14PM +0200, Oliver Neukum wrote:
> 
> I cannot replicate it. Could you please provide "lsusb -v"?
> 
> 	Regards
> 		Oliver

It concerns these type of modems:
http://www.ebay.nl/itm/191933738340
http://www.ebay.nl/itm/121590899044

lsusb:
Bus 002 Device 002: ID 0bda:0111 Realtek Semiconductor Corp. RTS5111 Card Reader Controller
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 002: ID 0572:1340 Conexant Systems (Rockwell), Inc. 
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 002: ID 0fe6:9700 Kontron (Industrial Computer Source / ICS Advent) DM9601 Fast Ethernet Adapter
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Since the output is quite lengthy, I've cut out everything but Bus 007 Device 002
lsusb -v:

Bus 007 Device 002: ID 0572:1340 Conexant Systems (Rockwell), Inc. 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            2 Communications
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x0572 Conexant Systems (Rockwell), Inc.
  idProduct          0x1340 
  bcdDevice            1.00
  iManufacturer           1 Conexant
  iProduct                2 USB Modem
  iSerial                 3 12345678
  bNumConfigurations      2
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           73
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval             128
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      CDC Header:
        bcdCDC               1.10
      CDC Call Management:
        bmCapabilities       0x03
          call management
          use DataInterface
        bDataInterface          1
      CDC ACM:
        bmCapabilities       0x07
          sends break
          line coding and serial state
          get/set/clear comm features
      CDC Union:
        bMasterInterface        0
        bSlaveInterface         1 
      Country Selection:
        iCountryCodeRelDate        4 04052004
        wCountryCode          0x4803
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           96
    bNumInterfaces          3
    bConfigurationValue     2
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval             128
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval              10
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval              10
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x03  EP 3 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      CDC Header:
        bcdCDC               1.10
      CDC Call Management:
        bmCapabilities       0x03
          call management
          use DataInterface
        bDataInterface          1
      CDC ACM:
        bmCapabilities       0x07
          sends break
          line coding and serial state
          get/set/clear comm features
      CDC Union:
        bMasterInterface        0
        bSlaveInterface         1 
      Country Selection:
        iCountryCodeRelDate        4 04052004
        wCountryCode          0x4803
Device Status:     0x0000
  (Bus Powered)


Regards Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

On Tue, 2016-09-20 at 17:45 +0200, Wim Osterholt wrote:
> On Tue, Sep 20, 2016 at 03:05:14PM +0200, Oliver Neukum wrote:
> > 
> > I cannot replicate it. Could you please provide "lsusb -v"?
> > 
> > 	Regards
> > 		Oliver
> 
> It concerns these type of modems:
> http://www.ebay.nl/itm/191933738340
> http://www.ebay.nl/itm/121590899044

OK. These devices are unusual in having two outputs.
I've ordered a device, but it will take weeks to ship.
It is definitely valuable for testing.

Anyway, which of its configurations is used?
Please look up the bConfigurationValue for your device
in sysfs.

	Regards
		Oliver

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Wed, Sep 21, 2016 at 02:21:17PM +0200, Oliver Neukum wrote:
> On Tue, 2016-09-20 at 17:45 +0200, Wim Osterholt wrote:
> 
> Anyway, which of its configurations is used?
> Please look up the bConfigurationValue for your device
> in sysfs.

And what might that be?
'locate sysfs' gives one hit at /etc/init.d/sysfs
When I say 'sysfs stop' it stops udev.
When I say 'sysfs start' it says nothing.
Again 'sysfs start' says sysfs already started.
That doesn't have changed anything.

There's a /sys/fs/ext4/* with nothing that you seem to mean.

There's a /proc/sys/fs with nothing that you seem to mean.

There's one mention of acm in /proc/tty/drivers and nowhere I see anything
that might be of any interest somehow.


Regards, Wim.


----- wim@djo.tudelft.nl -----

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Wed, Sep 21, 2016 at 02:21:17PM +0200, Oliver Neukum wrote:
> in sysfs.

Google pointed me to /sys/bus/usb/drivers/usb/*
where I find all kinds of 'bConfigurationValue'.
Now is the problem to find which one you could mean.

Under /sys/bus/usb/drivers/usb/7-1  I find
manufacturer  which reads 'Conexant'  and
bConfigurationValue  which reads '1'


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

On Wed, 2016-09-21 at 18:41 +0200, Wim Osterholt wrote:
> On Wed, Sep 21, 2016 at 02:21:17PM +0200, Oliver Neukum wrote:
> > in sysfs.
> 
> Google pointed me to /sys/bus/usb/drivers/usb/*
> where I find all kinds of 'bConfigurationValue'.
> Now is the problem to find which one you could mean.
> 
> Under /sys/bus/usb/drivers/usb/7-1  I find
> manufacturer  which reads 'Conexant'  and
> bConfigurationValue  which reads '1'

OK. Strange. Please do

dmesg -c
echo 9 > /proc/sysrq-trigger
modprobe cdc_acm
echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control

[plug your device in]

and provide the full output of dmesg after that.

	Regards
		Oliver

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

> >Please look up the bConfigurationValue for your device
> >in sysfs.

I didn't explicitly say that this was done under kernel-4.7.4, otherwise
it may have been impossible under 4.8 .

On Thu, Sep 22, 2016 at 04:40:50PM +0200, Oliver Neukum wrote:
> 
> OK. Strange. Please do
> 
> dmesg -c
> echo 9 > /proc/sysrq-trigger
> modprobe cdc_acm
> echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
> 
> [plug your device in]
> 
> and provide the full output of dmesg after that.

You don't state if this must be done in a safe 4.7.4 or a crashable 4.8.
(if I get that far to retrieve dmesg to a file).

Anyway, echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
results in 'No such file or directory' because there is no 'dynamic_debug'.

The kernel option DYNAMIC_DEBUG was not set.
A new kernel is compiling now..



Groeten, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Thu, Sep 22, 2016 at 04:40:50PM +0200, Oliver Neukum wrote:
> OK. Strange. Please do
> 
> dmesg -c
> echo 9 > /proc/sysrq-trigger
> modprobe cdc_acm
> echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
> 
> [plug your device in]
> 
> and provide the full output of dmesg after that.

On kernel-4.7.4 this gives this little output:

[  135.279989] sysrq: SysRq : Changing Loglevel
[  135.280489] sysrq: Loglevel set to 9
[  146.712004] usbcore: registered new interface driver cdc_acm
[  146.712537] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[  173.257346] usb 6-1: new full-speed USB device number 2 using uhci_hcd
[  173.450326] usb 6-1: New USB device found, idVendor=0572, idProduct=1340
[  173.450879] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  173.451374] usb 6-1: Product: USB Modem
[  173.451867] usb 6-1: Manufacturer: Conexant
[  173.452360] usb 6-1: SerialNumber: 12345678
[  173.455415] cdc_acm:acm_probe: cdc_acm 6-1:1.0: interfaces are valid
[  173.455995] cdc_acm 6-1:1.0: ttyACM0: USB ACM device
[  173.562316] cdc_acm:acm_ctrl_msg: cdc_acm 6-1:1.0: acm_ctrl_msg - rq 0x20, val 0x0, len 0x7, result 7


4.8-rc7 is compiling now..


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Thu, Sep 22, 2016 at 04:40:50PM +0200, Oliver Neukum wrote:
> 
> dmesg -c
> echo 9 > /proc/sysrq-trigger
> modprobe cdc_acm
> echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
> 
> [plug your device in]
> 
> and provide the full output of dmesg after that.

That is not possible under a 4.8 kernel.

'Fixing recursive fault but reboot is needed!' and frozen it is.


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Thu, Sep 22, 2016 at 04:40:50PM +0200, Oliver Neukum wrote:
> 
> dmesg -c
> echo 9 > /proc/sysrq-trigger
> modprobe cdc_acm
> echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
> 
> [plug your device in]
> 
> and provide the full output of dmesg after that.

After some experimenting I succeeded in grabbing it over the serial port.
The console was immedately frozen, but the serial port kept working:

[  407.859834] sysrq: SysRq : Changing Loglevel
[  407.908433] sysrq: Loglevel set to 9
[  407.980538] usbcore: registered new interface driver cdc_acm
[  408.044439] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[  410.480711] usb 6-1: new full-speed USB device number 2 using uhci_hcd
[  410.696717] usb 6-1: New USB device found, idVendor=0572, idProduct=1340
[  410.700739] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  410.704738] usb 6-1: Product: USB Modem
[  410.708735] usb 6-1: Manufacturer: Conexant
[  410.708738] usb 6-1: SerialNumber: 12345678
[  410.763492] cdc_acm:acm_probe: cdc_acm 6-1:1.0: interfaces are valid
[  410.763515] BUG: unable to handle kernel NULL pointer dereference at 00000249
[  410.763522] IP: [<e08dfc77>] acm_probe+0x4ee/0xc8c [cdc_acm]
[  410.763524] *pde = 00000000 
[  410.763526] Oops: 0000 [#1] SMP
[  410.763562] Modules linked in: cdc_acm nouveau video drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit cfg80211 rfkill binfmt_misc snd_pcm_oss snd_mixer_oss fbcon bitblit softcursor font tileblit sr9700 dm9601 usb_storage usbnet snd_hda_codec_generic mii snd_hda_intel snd_hda_codec tg3 snd_hwdep ptp snd_hda_core pps_core snd_pcm gpio_ich libphy firmware_class pcspkr ohci_pci lpc_ich ppdev snd_timer mfd_core ohci_hcd snd uhci_hcd wmi parport_pc floppy ehci_pci soundcore parport ehci_hcd acpi_cpufreq button processor
[  410.763565] CPU: 0 PID: 429 Comm: kworker/0:1 Not tainted 4.8.0-rc8 #1
[  410.763567] Hardware name: Hewlett-Packard HP xw4300 Workstation/0A00h, BIOS 786D3 v01.08 03/10/2006
[  410.763572] Workqueue: usb_hub_wq hub_event
[  410.763574] task: df523f00 task.stack: dec30000
[  410.763576] EIP: 0060:[<e08dfc77>] EFLAGS: 00010202 CPU: 0
[  410.763579] EIP is at acm_probe+0x4ee/0xc8c [cdc_acm]
[  410.763581] EAX: 00000246 EBX: decff000 ECX: e08e1854 EDX: 00000000
[  410.763582] ESI: 00000100 EDI: 00000000 EBP: dec31c18 ESP: dec31b80
[  410.763584]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  410.763586] CR0: 80050033 CR2: 00000249 CR3: 13edd000 CR4: 00000690
[  410.763587] Stack:
[  410.763592]  00003a20 00003d01 0000000f df4a9d50 00000000 00000000 00000010 00000040
[  410.763597]  00000080 00000246 df650ec0 dee42800 da86f470 00000001 df7d2e80 df7d2eb8
[  410.763601]  da86f400 dee42600 dee42800 00000000 da95f000 00000004 00000246 dec31c00
[  410.763602] Call Trace:
[  410.763609]  [<c04cee8d>] ? __mutex_unlock_slowpath+0xf4/0xfc
[  410.763614]  [<c03cda6c>] ? usb_probe_interface+0x17b/0x1f6
[  410.763616]  [<c03cda6c>] ? usb_probe_interface+0x17b/0x1f6
[  410.763620]  [<c0361090>] ? driver_probe_device+0x17b/0x30e
[  410.763622]  [<c0361090>] ? driver_probe_device+0x17b/0x30e
[  410.763625]  [<c035f78a>] ? bus_for_each_drv+0x59/0x68
[  410.763627]  [<c035f78a>] ? bus_for_each_drv+0x59/0x68
[  410.763629]  [<c0360e3e>] ? __device_attach+0x91/0x105
[  410.763631]  [<c0361324>] ? driver_allows_async_probing+0x2f/0x2f
[  410.763634]  [<c0360412>] ? bus_probe_device+0x27/0x6b
[  410.763636]  [<c0360412>] ? bus_probe_device+0x27/0x6b
[  410.763638]  [<c035eb98>] ? device_add+0x289/0x4be
[  410.763641]  [<c03cc3d1>] ? usb_set_configuration+0x5a6/0x5e9
[  410.763643]  [<c03cc3d1>] ? usb_set_configuration+0x5a6/0x5e9
[  410.763647]  [<c03d3bc0>] ? generic_probe+0x3b/0x67
[  410.763649]  [<c03d3bc0>] ? generic_probe+0x3b/0x67
[  410.763652]  [<c03cd8d8>] ? usb_probe_device+0x49/0x62
[  410.763654]  [<c03cd88f>] ? usb_suspend+0xcd/0xcd
[  410.763656]  [<c0361090>] ? driver_probe_device+0x17b/0x30e
[  410.763658]  [<c0361090>] ? driver_probe_device+0x17b/0x30e
[  410.763661]  [<c035f78a>] ? bus_for_each_drv+0x59/0x68
[  410.763663]  [<c035f78a>] ? bus_for_each_drv+0x59/0x68
[  410.763665]  [<c0360e3e>] ? __device_attach+0x91/0x105
[  410.763667]  [<c0361324>] ? driver_allows_async_probing+0x2f/0x2f
[  410.763670]  [<c0360412>] ? bus_probe_device+0x27/0x6b
[  410.763672]  [<c0360412>] ? bus_probe_device+0x27/0x6b
[  410.763674]  [<c035eb98>] ? device_add+0x289/0x4be
[  410.763677]  [<c03598a4>] ? add_device_randomness+0x84/0x9c
[  410.763680]  [<c03c477c>] ? usb_new_device+0x29d/0x3b5
[  410.763681]  [<c03c477c>] ? usb_new_device+0x29d/0x3b5
[  410.763684]  [<c03c5eab>] ? hub_event+0xb32/0xed8
[  410.763686]  [<c03c5eab>] ? hub_event+0xb32/0xed8
[  410.763689]  [<c03c5268>] ? usb_remote_wakeup+0x6f/0x7d
[  410.763693]  [<c0148318>] ? process_one_work+0x174/0x2bc
[  410.763695]  [<c0148318>] ? process_one_work+0x174/0x2bc
[  410.763698]  [<c01488f4>] ? worker_thread+0x22c/0x2f6
[  410.763700]  [<c01486c8>] ? rescuer_thread+0x23f/0x23f
[  410.763703]  [<c014bcc9>] ? kthread+0xa4/0xa9
[  410.763706]  [<c04d06a2>] ? ret_from_kernel_thread+0xe/0x24
[  410.763708]  [<c014bc25>] ? kthread_create_on_node+0x101/0x101
[  410.763734] Code: 14 89 83 b4 04 00 00 8b 45 94 89 43 04 8b 45 ac 89 43 08 8b 85 7c ff ff ff 89 83 c0 04 00 00 8b 45 a8 89 03 8b 45 c0 85 c0 74 0a <0f> b6 40 03 89 83 c8 04 00 00 f6 45 9c 04 74 07 83 a3 c8 04 00
[  410.763738] EIP: [<e08dfc77>] acm_probe+0x4ee/0xc8c [cdc_acm] SS:ESP 0068:dec31b80
[  410.763739] CR2: 0000000000000249
[  410.763742] ---[ end trace 6872abde65b2c9e1 ]---
[  410.763838] BUG: unable to handle kernel paging request at ffffffec
[  410.763841] IP: [<c014c16b>] kthread_data+0xf/0x13
[  410.763844] *pde = 00770067 *pte = 00000000 
[  410.763846] Oops: 0000 [#2] SMP
[  410.763875] Modules linked in: cdc_acm nouveau video drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit cfg80211 rfkill binfmt_misc snd_pcm_oss snd_mixer_oss fbcon bitblit softcursor font tileblit sr9700 dm9601 usb_storage usbnet snd_hda_codec_generic mii snd_hda_intel snd_hda_codec tg3 snd_hwdep ptp snd_hda_core pps_core snd_pcm gpio_ich libphy firmware_class pcspkr ohci_pci lpc_ich ppdev snd_timer mfd_core ohci_hcd snd uhci_hcd wmi parport_pc floppy ehci_pci soundcore parport ehci_hcd acpi_cpufreq button processor
[  410.763878] CPU: 0 PID: 429 Comm: kworker/0:1 Tainted: G      D         4.8.0-rc8 #1
[  410.763880] Hardware name: Hewlett-Packard HP xw4300 Workstation/0A00h, BIOS 786D3 v01.08 03/10/2006
[  410.763888] task: df523f00 task.stack: dec30000
[  410.763890] EIP: 0060:[<c014c16b>] EFLAGS: 00010002 CPU: 0
[  410.763892] EIP is at kthread_data+0xf/0x13
[  410.763893] EAX: 00000000 EBX: dec32000 ECX: b3d25f6d EDX: df523f00
[  410.763895] ESI: df5241b4 EDI: dfb94940 EBP: dec31f48 ESP: dec31f44
[  410.763896]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  410.763898] CR0: 80050033 CR2: 00000014 CR3: 1ee16000 CR4: 00000690
[  410.763899] Stack:
[  410.763904]  c0148a1c dec31f6c c04cd2e4 00000000 00000000 df523f00 00000246 dec32000
[  410.763909]  dec31d50 dec31f98 dec31f78 c04cd6a9 df523f00 dec31fac c013967e df524288
[  410.763913]  01000000 df52412c df4e0000 00000001 00000000 dec31f98 dec31f98 00000009
[  410.763914] Call Trace:
[  410.763917]  [<c0148a1c>] ? wq_worker_sleeping+0xd/0x75
[  410.763919]  [<c04cd2e4>] ? __schedule+0xcc/0x424
[  410.763922]  [<c04cd6a9>] ? schedule+0x6d/0x7a
[  410.763925]  [<c013967e>] ? do_exit+0x74d/0x775
[  410.763929]  [<c04d16b9>] ? rewind_stack_do_exit+0x11/0x13
[  410.763931]  [<c014bc25>] ? kthread_create_on_node+0x101/0x101
[  410.763957] Code: 8d 44 b0 4d c0 8d 0c 95 00 00 00 00 29 cb b9 02 00 00 00 89 da 5b 5d e9 f5 fd ff ff 55 89 e5 3e 8d 74 26 00 8b 80 84 02 00 00 5d <8b> 40 ec c3 55 89 e5 52 3e 8d 74 26 00 b9 04 00 00 00 8b 90 84
[  410.763960] EIP: [<c014c16b>] kthread_data+0xf/0x13 SS:ESP 0068:dec31f44
[  410.763961] CR2: 00000000ffffffec
[  410.763964] ---[ end trace 6872abde65b2c9e2 ]---
[  410.763965] Fixing recursive fault but reboot is needed!


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

[-- Attachment #1: Type: text/plain, Size: 962 bytes --]

On Tue, 2016-09-27 at 18:34 +0200, Wim Osterholt wrote:
> On Thu, Sep 22, 2016 at 04:40:50PM +0200, Oliver Neukum wrote:
> > 
> > dmesg -c
> > echo 9 > /proc/sysrq-trigger
> > modprobe cdc_acm
> > echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
> > 
> > [plug your device in]
> > 
> > and provide the full output of dmesg after that.
> 
> After some experimenting I succeeded in grabbing it over the serial port.
> The console was immedately frozen, but the serial port kept working:

Very good. This is a valid oops. We can do two things. When I
decode it, seems to crash in acm_alloc_minor() which does not make
sense. It is likely that our kernels or compilers are a bit different.
Could you please call gdb on your kernel module cdc-acm.ko
and do:

list *(acm_probe+0x4ee)

this should show you where it crashes. In addition I've attached
a patch with paranoid debugging. Could you compile and test a kernel
with it?

	Regards
		Oliver


[-- Attachment #2: 0001-CDC-ACM-more-paranoid-debugging.patch --]
[-- Type: text/x-patch, Size: 1171 bytes --]

From 28bb525ab295bd014768868eafb6a76d0c0d80c2 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Wed, 28 Sep 2016 11:11:04 +0200
Subject: [PATCH] CDC-ACM: more paranoid debugging

---
 drivers/usb/class/cdc-acm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 78f0f85..283e16e 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1324,10 +1324,13 @@ made_compressed_probe:
 	if (minor < 0)
 		goto alloc_fail1;
 
+	WARN_ON(!epctrl);
 	ctrlsize = usb_endpoint_maxp(epctrl);
+	WARN_ON(!epread);
 	readsize = usb_endpoint_maxp(epread) *
 				(quirks == SINGLE_RX_URB ? 1 : 2);
 	acm->combined_interfaces = combined_interfaces;
+	WARN_ON(!epwrite);
 	acm->writesize = usb_endpoint_maxp(epwrite) * 20;
 	acm->control = control_interface;
 	acm->data = data_interface;
@@ -1352,6 +1355,7 @@ made_compressed_probe:
 	acm->port.ops = &acm_port_ops;
 	init_usb_anchor(&acm->delayed);
 	acm->quirks = quirks;
+	dev_dbg(&intf->dev, "control structures set up\n");
 
 	buf = usb_alloc_coherent(usb_dev, ctrlsize, GFP_KERNEL, &acm->ctrl_dma);
 	if (!buf)
-- 
2.6.2

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Wed, Sep 28, 2016 at 11:16:04AM +0200, Oliver Neukum wrote:
> 
> Very good. This is a valid oops. We can do two things. When I
> decode it, seems to crash in acm_alloc_minor() which does not make
> sense. It is likely that our kernels or compilers are a bit different.
> Could you please call gdb on your kernel module cdc-acm.ko
> and do:
> 
> list *(acm_probe+0x4ee)
> 
> this should show you where it crashes.

Currently gcc-4.9.3-rc3.
This is from vanilla kernel 4.8-rc8

# gdb ./cdc-acm.ko
GNU gdb (Gentoo 7.10.1 vanilla) 7.10.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: <https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./cdc-acm.ko...done.
(gdb) list *(acm_probe+0x4ee)
0x1c9b is in acm_probe (drivers/usb/class/cdc-acm.c:1346).
1341            acm->control = control_interface;
1342            acm->data = data_interface;
1343            acm->minor = minor;
1344            acm->dev = usb_dev;
1345            if (h.usb_cdc_acm_descriptor)
1346                    acm->ctrl_caps = h.usb_cdc_acm_descriptor->bmCapabilities;
1347            if (quirks & NO_CAP_LINE)
1348                    acm->ctrl_caps &= ~USB_CDC_CAP_LINE;
1349            acm->ctrlsize = ctrlsize;
1350            acm->readsize = readsize;
(gdb) quit

A new kernel is compiling now.

Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Wed, Sep 28, 2016 at 11:16:04AM +0200, Oliver Neukum wrote:
> this should show you where it crashes. In addition I've attached
> a patch with paranoid debugging. Could you compile and test a kernel
> with it?
> 
> 	Regards
> 		Oliver

If you mean
  echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
etc, then it will take some time because I don't have the cabling not
available now for a serial dump.

Just 4.8-rc8 with the patched modules gave an oops of less than one screen
while the machine stayed responsive long enough to grab it with the mouse
and put it in a file:

HP src # sync
HP src # [ 3744.914184] BUG: unable to handle kernel NULL pointer dereference at 00000249
[ 3744.914538] IP: [<e092fcb6>] acm_probe+0x52d/0xced [cdc_acm]
[ 3744.914850] *pde = 00000000
[ 3744.915133] Oops: 0000 [#1] SMP
[ 3744.915446] Modules linked in: cdc_acm(+) nouveau video drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit cfg80211 rfkill binfmt_misc svgalib_helper(O) snd_pcm_oss snd_mixer_oss fbcon bitblit softcursor font tileblit sr9700 dm9601 snd_hda_codec_generic usb_storage usbnet snd_hda_intel mii snd_hda_codec tg3 snd_hwdep snd_hda_core ptp pps_core snd_pcm libphy gpio_ich firmware_class snd_timer lpc_ich pcspkr ppdev ohci_pci snd ohci_hcd wmi mfd_core uhci_hcd floppy parport_pc soundcore ehci_pci parport acpi_cpufreq ehci_hcd button processor
[ 3744.918142] CPU: 1 PID: 24530 Comm: udevd Tainted: G           O    4.8.0-rc8 #1
[ 3744.918142] Hardware name: Hewlett-Packard HP xw4300 Workstation/0A00h, BIOS 786D3 v01.08 03/10/2006
[ 3744.918142] task: df7b4d00 task.stack: d3d56000
[ 3744.918142] EIP: 0060:[<e092fcb6>] EFLAGS: 00010202 CPU: 1
[ 3744.918142] EIP is at acm_probe+0x52d/0xced [cdc_acm]
[ 3744.918142] EAX: 00000246 EBX: cf9a7800 ECX: e09318d4 EDX: 00000000
[ 3744.918142] ESI: 00000100 EDI: 00000000 EBP: d3d57cc8 ESP: d3d57c30
[ 3744.918142]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 3744.918142] CR0: 80050033 CR2: 00000249 CR3: 1ac9a000 CR4: 00000690
[ 3744.918142] Stack:
[ 3744.918142]  00003a20 00003d7b 0000000f df4a9d50 00000000 00000000 00000010 00000040
[ 3744.918142]  00000080 00000246 dedeb200 dac90740 cfa40870 00000001 ceb37180 cfa40800
[ 3744.918142]  ceb371b8 dedeaa00 dedeb200 00000000 cabfe3f0 00000004 00000246 d3d57cb0
[ 3744.918142] Call Trace:
[ 3744.918142]  [<c04cee8d>] ? __mutex_unlock_slowpath+0xf4/0xfc
[ 3744.918142]  [<c03cda6c>] ? usb_probe_interface+0x17b/0x1f6
[ 3744.918142]  [<c03cda6c>] ? usb_probe_interface+0x17b/0x1f6
[ 3744.918142]  [<c0361090>] ? driver_probe_device+0x17b/0x30e
[ 3744.918142]  [<c0361090>] ? driver_probe_device+0x17b/0x30e
[ 3744.918142]  [<c03612d2>] ? __driver_attach+0xaf/0xd2
[ 3744.918142]  [<c03612d2>] ? __driver_attach+0xaf/0xd2
[ 3744.918142]  [<c04ca8ea>] ? klist_next+0x2a/0xad
[ 3744.918142]  [<c035f6fd>] ? bus_for_each_dev+0x50/0x6c
[ 3744.918142]  [<c035f6fd>] ? bus_for_each_dev+0x50/0x6c
[ 3744.918142]  [<c0360b00>] ? driver_attach+0x19/0x1b
[ 3744.918142]  [<c0361223>] ? driver_probe_device+0x30e/0x30e
[ 3744.918142]  [<c036066c>] ? bus_add_driver+0x10a/0x1ee
[ 3744.918142]  [<c02cbb06>] ? kset_find_obj+0x2b/0x5f
[ 3744.918142]  [<c0361aea>] ? driver_register+0x74/0xa9
[ 3744.918142]  [<c0361aea>] ? driver_register+0x74/0xa9
[ 3744.918142]  [<c03ccb17>] ? usb_register_driver+0x67/0xf8
[ 3744.918142]  [<e09340ac>] ? acm_init+0xac/0xdf [cdc_acm]
[ 3744.918142]  [<e0934000>] ? 0xe0934000
[ 3744.918142]  [<c01004cb>] ? do_one_initcall+0x90/0x113
[ 3744.918142]  [<c04cee8d>] ? __mutex_unlock_slowpath+0xf4/0xfc
[ 3744.918142]  [<c01e1bc6>] ? kmem_cache_alloc_trace+0x72/0xe3
[ 3744.918142]  [<c01b24a1>] ? do_init_module+0x21/0x1a7
[ 3744.918142]  [<c01b24d0>] ? do_init_module+0x50/0x1a7
[ 3744.918142]  [<c0189c32>] ? load_module+0x190e/0x1d33
[ 3744.918142]  [<c018a1d7>] ? SyS_finit_module+0x9c/0xa8
[ 3744.918142]  [<c018a1d7>] ? SyS_finit_module+0x9c/0xa8
[ 3744.918142]  [<c0101363>] ? do_int80_syscall_32+0x47/0x7f
[ 3744.918142]  [<c0101363>] ? do_int80_syscall_32+0x47/0x7f
[ 3744.918142]  [<c04d0785>] ? entry_INT80_32+0x31/0x31
[ 3744.918142] Code: 14 89 83 b4 04 00 00 8b 45 90 89 43 04 8b 45 ac 89 43 08 8b 85 7c ff ff ff 89 83 c0 04 00 00 8b 45 a4 89 03 8b 45 c0 85 c0 74 0a <0f> b6 40 03 89 83 c8 04 00 00 f6 45 9c 04 74 07 83 a3 c8 04 00
[ 3744.918142] EIP: [<e092fcb6>] acm_probe+0x52d/0xced [cdc_acm] SS:ESP 0068:d3d57c30
[ 3744.918142] CR2: 0000000000000249
[ 3745.000049] ---[ end trace e6bc96526d51607e ]---
[ 3745.006322] udevd[945]: worker [24530] terminated by signal 9 (Killed)
[ 3745.008927] udevd[945]: worker [24530] failed while handling '/devices/pci0000:00/0000:00:1d.3/usb6/6-1/6-1:1.0'


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

On Wed, 2016-09-28 at 17:08 +0200, Wim Osterholt wrote:
> On Wed, Sep 28, 2016 at 11:16:04AM +0200, Oliver Neukum wrote:
> > this should show you where it crashes. In addition I've attached
> > a patch with paranoid debugging. Could you compile and test a kernel
> > with it?
> > 
> > 	Regards
> > 		Oliver
> 
> If you mean
>   echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
> etc, then it will take some time because I don't have the cabling not
> available now for a serial dump.
> 
> Just 4.8-rc8 with the patched modules gave an oops of less than one screen
> while the machine stayed responsive long enough to grab it with the mouse
> and put it in a file:
> 
> HP src # sync
> HP src # [ 3744.914184] BUG: unable to handle kernel NULL pointer dereference at 00000249

The last view lines before that please with the debugging level ramped
up to 9 please.

	Regards
		Oliver

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Wed, Sep 28, 2016 at 05:23:30PM +0200, Oliver Neukum wrote:
> > 
> > HP src # sync
> > HP src # [ 3744.914184] BUG: unable to handle kernel NULL pointer dereference at 00000249
> 
> The last view lines before that please with the debugging level ramped
> up to 9 please.

Recompiled again, double checked if it was really the new module.
That doesn't seem to make any difference at all.

[  549.238494] sysrq: SysRq : Changing Loglevel
[  549.265916] sysrq: Loglevel set to 9
[  549.363794] usbcore: registered new interface driver cdc_acm
[  549.429906] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[  550.941964] usb 6-1: new full-speed USB device number 2 using uhci_hcd
[  551.148944] usb 6-1: New USB device found, idVendor=0572, idProduct=1340
[  551.149975] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  551.153974] usb 6-1: Product: USB Modem
[  551.157969] usb 6-1: Manufacturer: Conexant
[  551.161969] usb 6-1: SerialNumber: 12345678
[  551.171006] cdc_acm:acm_probe: cdc_acm 6-1:1.0: interfaces are valid
[  551.173997] BUG: unable to handle kernel NULL pointer dereference at 00000249
[  551.177957] IP: [<e0826cb6>] acm_probe+0x52d/0xced [cdc_acm]
[  551.177957] *pde = 00000000 
[  551.177957] Oops: 0000 [#1] SMP
[  551.177957] Modules linked in: cdc_acm nouveau video drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit cfg80211 rfkill binfmt_misc svgalib_helper(O) snd_pcm_oss snd_mixer_oss fbcon bitblit softcursor font tileblit sr9700 snd_hda_codec_generic dm9601 snd_hda_intel usbnet usb_storage mii snd_hda_codec snd_hwdep tg3 snd_hda_core ptp pps_core snd_pcm gpio_ich libphy snd_timer lpc_ich ppdev firmware_class pcspkr mfd_core snd ohci_pci ohci_hcd uhci_hcd wmi floppy parport_pc soundcore ehci_pci parport acpi_cpufreq ehci_hcd button processor
[  551.177957] CPU: 0 PID: 725 Comm: kworker/0:2 Tainted: G           O    4.8.0-rc8 #1
....

Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

[-- Attachment #1: Type: text/plain, Size: 755 bytes --]

On Thu, 2016-09-29 at 15:26 +0200, Wim Osterholt wrote:
> On Wed, Sep 28, 2016 at 05:23:30PM +0200, Oliver Neukum wrote:
> > > 
> > > HP src # sync
> > > HP src # [ 3744.914184] BUG: unable to handle kernel NULL pointer dereference at 00000249
> > 
> > The last view lines before that please with the debugging level ramped
> > up to 9 please.
> 
> Recompiled again, double checked if it was really the new module.
> That doesn't seem to make any difference at all.

Hi,

sorry for the delay. Your results are strange and we will have to do it
the hard way. Could you retest with the attached patch applied
in addition to the last patch I sent?
I can see no good reason for a crash where you see a crash, so brute
force is called for.

	Regards
		Oliver


[-- Attachment #2: 0001-CDC-ACM-insanely-paranoid-debugging.patch --]
[-- Type: text/x-patch, Size: 1445 bytes --]

From f9344147b6c75aca8f66b728e92ab854452255ed Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 6 Oct 2016 12:47:15 +0200
Subject: [PATCH] CDC-ACM: insanely paranoid debugging

---
 drivers/usb/class/cdc-acm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 283e16e..32625a3 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1319,11 +1319,13 @@ made_compressed_probe:
 	acm = kzalloc(sizeof(struct acm), GFP_KERNEL);
 	if (acm == NULL)
 		goto alloc_fail;
+	dev_dbg(&intf->dev, "descriptor allocated\n");
 
 	minor = acm_alloc_minor(acm);
 	if (minor < 0)
 		goto alloc_fail1;
 
+	dev_dbg(&intf->dev, "minor allocated\n");
 	WARN_ON(!epctrl);
 	ctrlsize = usb_endpoint_maxp(epctrl);
 	WARN_ON(!epread);
@@ -1343,6 +1345,7 @@ made_compressed_probe:
 	acm->ctrlsize = ctrlsize;
 	acm->readsize = readsize;
 	acm->rx_buflimit = num_rx_buf;
+	dev_dbg(&intf->dev, "descriptor initialized\n");
 	INIT_WORK(&acm->work, acm_softint);
 	init_waitqueue_head(&acm->wioctl);
 	spin_lock_init(&acm->write_lock);
@@ -1351,6 +1354,7 @@ made_compressed_probe:
 	acm->is_int_ep = usb_endpoint_xfer_int(epread);
 	if (acm->is_int_ep)
 		acm->bInterval = epread->bInterval;
+	dev_dbg(&intf->dev, "locks and queues initialized\n");
 	tty_port_init(&acm->port);
 	acm->port.ops = &acm_port_ops;
 	init_usb_anchor(&acm->delayed);
-- 
2.6.2

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

On Thu, 2016-09-08 at 14:58 +0200, Wim Osterholt wrote:
> On Thu, Sep 08, 2016 at 02:20:38PM +0200, Oliver Neukum wrote:
> > > 
> > > The oops tells things that I didn't all write down, but it says
> > > null pointer dereference at 00000246
> > 
> > That is the important part. I am sorry, but without the oops
> > nobody can help you. Please capture it

Hi,

I got one of those devices. However, I don't get a crash.
Could you please give me instructions on how you trigger it?

	Regards
		Oliver

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Mon, Oct 17, 2016 at 04:10:45PM +0200, Oliver Neukum wrote:
> Hi,
>    
> I got one of those devices. However, I don't get a crash.
> Could you please give me instructions on how you trigger it?
  
That's not too hard, just plug it in. :-)
  
However you must have set cdc_acm in your kernel, or availabe as a module. 
It happens on all my machines on kernels 4.8 and 4.9.
Now, all my kernel configs will differ a bit, but must have something
peculiar in common. Or you've received a totally different device.
 
Here's one config at http://webserver.djo.tudelft.nl/.config-4.8.1
 
Many options are inherited by 'make oldconfig' from version to version,
without me knowing what it all means. So maybe it's just a weird combination
of options then?


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

On Mon, 2016-10-17 at 17:20 +0200, Wim Osterholt wrote:
> On Mon, Oct 17, 2016 at 04:10:45PM +0200, Oliver Neukum wrote:
> > Hi,
> >    
> > I got one of those devices. However, I don't get a crash.
> > Could you please give me instructions on how you trigger it?
>   
> That's not too hard, just plug it in. :-)
>   
> However you must have set cdc_acm in your kernel, or availabe as a module. 
> It happens on all my machines on kernels 4.8 and 4.9.
> Now, all my kernel configs will differ a bit, but must have something
> peculiar in common. Or you've received a totally different device.
>  
> Here's one config at http://webserver.djo.tudelft.nl/.config-4.8.1
>  
> Many options are inherited by 'make oldconfig' from version to version,
> without me knowing what it all means. So maybe it's just a weird combination
> of options then?

Oct 18 14:05:07 linux-dtbq.site kernel: usb 1-9: new full-speed USB device number 10 using xhci_hcd
Oct 18 14:05:07 linux-dtbq.site mtp-probe[2583]: checking bus 1, device 10: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-9"
Oct 18 14:05:07 linux-dtbq.site mtp-probe[2583]: bus: 1, device: 10 was not an MTP device
Oct 18 14:05:07 linux-dtbq.site kernel: usb 1-9: New USB device found, idVendor=0572, idProduct=1340
Oct 18 14:05:07 linux-dtbq.site kernel: usb 1-9: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Oct 18 14:05:07 linux-dtbq.site kernel: usb 1-9: Product: USB Modem
Oct 18 14:05:07 linux-dtbq.site kernel: usb 1-9: Manufacturer: Conexant
Oct 18 14:05:07 linux-dtbq.site kernel: usb 1-9: SerialNumber: 12345678
Oct 18 14:05:07 linux-dtbq.site kernel: cdc_acm 1-9:1.0: ttyACM0: USB ACM device
Oct 18 14:05:07 linux-dtbq.site kernel: usbcore: registered new interface driver cdc_acm
Oct 18 14:05:07 linux-dtbq.site kernel: cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
Oct 18 14:05:11 linux-dtbq.site ModemManager[901]: <info>  Creating modem with plugin 'Generic' and '1' ports
Oct 18 14:05:11 linux-dtbq.site ModemManager[901]: <info>  Modem for device at '/sys/devices/pci0000:00/0000:00:14.0/usb1/1-9' successfully created
Oct 18 14:05:11 linux-dtbq.site ModemManager[901]: <warn>  Modem couldn't be initialized: couldn't load current capabilities: Failed to determine modem capabilities.
Oct 18 14:05:11 linux-dtbq.site NetworkManager[945]: <warn> (ttyACM0): failed to look up interface index
Oct 18 14:05:11 linux-dtbq.site NetworkManager[945]: <info> (ttyACM0): device state change: unmanaged -> unavailable (reason 'none') [10 20 0]
Oct 18 14:05:11 linux-dtbq.site NetworkManager[945]: <info> (ttyACM0): deactivating device (reason 'none') [0]                                                                                                                    
Oct 18 14:05:11 linux-dtbq.site NetworkManager[945]: <info> (ttyACM0): modem state 'unknown'                                                                                                                                      
Oct 18 14:05:11 linux-dtbq.site NetworkManager[945]: <info> (ttyACM0): new Broadband device (driver: 'cdc_acm' ifindex: 0)                                                                                                        
Oct 18 14:05:11 linux-dtbq.site NetworkManager[945]: <info> (ttyACM0): exported as /org/freedesktop/NetworkManager/Devices/3     

It definitely does not crash and is probed and your .config is not
extremely unusual.
I am afraid unless you test the last patch I sent we will not make
progress. Something odd is going on.

	Regards
		Oliver

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Tue, Oct 18, 2016 at 02:18:43PM +0200, Oliver Neukum wrote:
> Oct 18 14:05:07 linux-dtbq.site kernel: usb 1-9: Manufacturer: Conexant
> Oct 18 14:05:07 linux-dtbq.site kernel: usb 1-9: SerialNumber: 12345678

With that unique serial number it must be that very device. :-)

> It definitely does not crash and is probed and your .config is not
> extremely unusual.
> I am afraid unless you test the last patch I sent we will not make
> progress. Something odd is going on.

Whell, I DID test that patch and it already crashed before it could print
anything. That's why the output I sent you looked the same.

Once again, this time on 4.9-rc1.
Applied your patch 0001-CDC-ACM-more-paranoid-debugging to cdc_acm.c .

Did
> > dmesg -c
> > echo 9 > /proc/sysrq-trigger
> > modprobe cdc_acm
> > echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
> >
> > [plug your device in]
> >
> > and provide the full output of dmesg after that.

Got
[  765.409057] sysrq: SysRq : Changing Loglevel
[  765.416465] sysrq: Loglevel set to 9
[  778.299271] usbcore: registered new interface driver cdc_acm
[  778.301921] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[  833.204100] usb 6-1: new full-speed USB device number 2 using uhci_hcd
[  833.411088] usb 6-1: New USB device found, idVendor=0572, idProduct=1340
[  833.412127] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  833.416129] usb 6-1: Product: USB Modem
[  833.420123] usb 6-1: Manufacturer: Conexant
[  833.420126] usb 6-1: SerialNumber: 12345678
[  833.473854] cdc_acm:acm_probe: cdc_acm 6-1:1.0: interfaces are valid
[  833.473876] BUG: unable to handle kernel NULL pointer dereference at 00000249
[  833.473882] IP: [<e08fca6e>] acm_probe+0x540/0xd00 [cdc_acm]
[  833.473885] *pde = 00000000 
[  833.473887] Oops: 0000 [#1] SMP
[  833.473925] Modules linked in: cdc_acm nouveau video drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit cfg80211 rfkill binfmt_misc svgalib_helper(O) snd_pcm_oss snd_mixer_oss fbcon bitblit softcursor font tileblit sr9700 dm9601 snd_hda_codec_generic usbnet usb_storage snd_hda_intel mii snd_hda_codec tg3 snd_hwdep snd_hda_core ptp pps_core snd_pcm libphy gpio_ich snd_timer firmware_class lpc_ich pcspkr ppdev snd ohci_pci mfd_core ohci_hcd floppy wmi uhci_hcd soundcore parport_pc acpi_cpufreq ehci_pci parport ehci_hcd processor button
[  833.473928] CPU: 0 PID: 4 Comm: kworker/0:0 Tainted: G           O    4.9.0-rc1 #1
[  833.473930] Hardware name: Hewlett-Packard HP xw4300 Workstation/0A00h, BIOS 786D3 v01.08 03/10/2006
[  833.473935] Workqueue: usb_hub_wq hub_event
[  833.473937] task: df4e15c0 task.stack: df4f4000
[  833.473939] EIP: 0060:[<e08fca6e>] EFLAGS: 00010202 CPU: 0
[  833.473942] EIP is at acm_probe+0x540/0xd00 [cdc_acm]
[  833.473944] EAX: 00000246 EBX: dc4b2800 ECX: e08fe594 EDX: 00000000
[  833.473945] ESI: 00000100 EDI: 00000000 EBP: df4f5c18 ESP: df4f5b80
[  833.473947]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  833.473949] CR0: 80050033 CR2: 00000249 CR3: 1c8c4000 CR4: 00000690
[  833.473950] Stack:
[  833.473956]  00003a20 00003de7 0000000f df4a9d50 00000000 00000000 00000010 00000040
[  833.473960]  00000080 00000246 dee5f000 d9614d80 d960e070 00000001 d2aee100 d960e000
[  833.473965]  d2aee138 dee5f400 dee5f000 00000000 c82931b0 00000004 00000246 df4f5c00
[  833.473966] Call Trace:
[  833.473975]  [<c04d43f0>] ? __mutex_unlock_slowpath+0xf4/0xfc
[  833.473978]  [<c03d071c>] ? usb_probe_interface+0x17b/0x1f6
[  833.473980]  [<c03d071c>] ? usb_probe_interface+0x17b/0x1f6
[  833.473984]  [<c036396f>] ? driver_probe_device+0x17b/0x30e
[  833.473986]  [<c036396f>] ? driver_probe_device+0x17b/0x30e
[  833.473989]  [<c03620b4>] ? bus_for_each_drv+0x59/0x68
[  833.473991]  [<c03620b4>] ? bus_for_each_drv+0x59/0x68
[  833.473993]  [<c036371d>] ? __device_attach+0x91/0x105
[  833.473996]  [<c0363c03>] ? driver_allows_async_probing+0x2f/0x2f
[  833.473998]  [<c0362d3c>] ? bus_probe_device+0x27/0x6b
[  833.474000]  [<c0362d3c>] ? bus_probe_device+0x27/0x6b
[  833.474002]  [<c03614c4>] ? device_add+0x28d/0x4c0
[  833.474006]  [<c03cf081>] ? usb_set_configuration+0x594/0x5d7
[  833.474008]  [<c03cf081>] ? usb_set_configuration+0x594/0x5d7
[  833.474012]  [<c03d6878>] ? generic_probe+0x3b/0x67
[  833.474014]  [<c03d6878>] ? generic_probe+0x3b/0x67
[  833.474016]  [<c03d0588>] ? usb_probe_device+0x49/0x62
[  833.474017]  [<c03d053f>] ? usb_suspend+0xcd/0xcd
[  833.474020]  [<c036396f>] ? driver_probe_device+0x17b/0x30e
[  833.474022]  [<c036396f>] ? driver_probe_device+0x17b/0x30e
[  833.474024]  [<c03620b4>] ? bus_for_each_drv+0x59/0x68
[  833.474026]  [<c03620b4>] ? bus_for_each_drv+0x59/0x68
[  833.474028]  [<c036371d>] ? __device_attach+0x91/0x105
[  833.474031]  [<c0363c03>] ? driver_allows_async_probing+0x2f/0x2f
[  833.474033]  [<c0362d3c>] ? bus_probe_device+0x27/0x6b
[  833.474035]  [<c0362d3c>] ? bus_probe_device+0x27/0x6b
[  833.474037]  [<c03614c4>] ? device_add+0x28d/0x4c0
[  833.474041]  [<c035c1f7>] ? add_device_randomness+0x84/0x9c
[  833.474043]  [<c03c7508>] ? usb_new_device+0x29d/0x3b5
[  833.474045]  [<c03c7508>] ? usb_new_device+0x29d/0x3b5
[  833.474048]  [<c03c8c37>] ? hub_event+0xb32/0xed8
[  833.474050]  [<c03c8c37>] ? hub_event+0xb32/0xed8
[  833.474052]  [<c03c7ff4>] ? usb_remote_wakeup+0x6f/0x7d
[  833.474056]  [<c0148b8f>] ? process_one_work+0x174/0x2bc
[  833.474058]  [<c0148b8f>] ? process_one_work+0x174/0x2bc
[  833.474061]  [<c014916e>] ? worker_thread+0x22c/0x2f7
[  833.474063]  [<c0148f42>] ? rescuer_thread+0x242/0x242
[  833.474065]  [<c014c5ea>] ? kthread+0xa5/0xaa
[  833.474067]  [<c014c545>] ? kthread_park+0x4c/0x4c
[  833.474070]  [<c04d5f83>] ? ret_from_fork+0x1b/0x28
[  833.474096] Code: 14 89 83 b4 04 00 00 8b 45 90 89 43 04 8b 45 ac 89 43 08 8b 85 7c ff ff ff 89 83 c0 04 00 00 8b 45 a4 89 03 8b 45 c0 85 c0 74 0a <0f> b6 40 03 89 83 c8 04 00 00 f6 45 9c 04 74 07 83 a3 c8 04 00
[  833.474100] EIP: [<e08fca6e>] 
[  833.474101] acm_probe+0x540/0xd00 [cdc_acm]
[  833.474101]  SS:ESP 0068:df4f5b80
[  833.474102] CR2: 0000000000000249
[  833.474105] ---[ end trace c01a346ab38875ab ]---
[  833.474138] BUG: unable to handle kernel paging request at ffffffec
[  833.474142] IP: [<c014cd62>] kthread_data+0xf/0x13
[  833.474144] *pde = 0077e067 *pte = 00000000 
[  833.474145] 
[  833.474147] Oops: 0000 [#2] SMP
[  833.474177] Modules linked in: cdc_acm nouveau video drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit cfg80211 rfkill binfmt_misc svgalib_helper(O) snd_pcm_oss snd_mixer_oss fbcon bitblit softcursor font tileblit sr9700 dm9601 snd_hda_codec_generic usbnet usb_storage snd_hda_intel mii snd_hda_codec tg3 snd_hwdep snd_hda_core ptp pps_core snd_pcm libphy gpio_ich snd_timer firmware_class lpc_ich pcspkr ppdev snd ohci_pci mfd_core ohci_hcd floppy wmi uhci_hcd soundcore parport_pc acpi_cpufreq ehci_pci parport ehci_hcd processor button
[  833.474180] CPU: 0 PID: 4 Comm: kworker/0:0 Tainted: G      D    O    4.9.0-rc1 #1
[  833.474181] Hardware name: Hewlett-Packard HP xw4300 Workstation/0A00h, BIOS 786D3 v01.08 03/10/2006
[  833.474189] task: df4e15c0 task.stack: df4f4000
[  833.474191] EIP: 0060:[<c014cd62>] EFLAGS: 00010002 CPU: 0
[  833.474193] EIP is at kthread_data+0xf/0x13
[  833.474195] EAX: 00000000 EBX: df4e15c0 ECX: dfb95050 EDX: df4e15c0
[  833.474196] ESI: df4e1874 EDI: df4e15c0 EBP: df4f5f4c ESP: df4f5f48
[  833.474198]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  833.474200] CR0: 80050033 CR2: 00000014 CR3: 1c8c4000 CR4: 00000690
[  833.474201] Stack:
[  833.474206]  c0149297 df4f5f70 c04d289f df401d80 c01e3800 dfb94b80 00000001 df4e15c0
[  833.474211]  df4f5f98 df4e15c0 df4f5f7c c0153935 df4f5d50 df4f5fac c0139f19 01000000
[  833.474215]  df4e17ec df4e0000 00000001 00000000 df4f5f98 df4f5f98 00000009 df4f6000
[  833.474216] Call Trace:
[  833.474219]  [<c0149297>] ? wq_worker_sleeping+0xd/0x75
[  833.474222]  [<c04d289f>] ? __schedule+0xb7/0x3d0
[  833.474225]  [<c01e3800>] ? kmem_cache_free+0x73/0xf3
[  833.474228]  [<c0153935>] ? do_task_dead+0x35/0x37
[  833.474232]  [<c0139f19>] ? do_exit+0x735/0x75b
[  833.474234]  [<c04d6f99>] ? rewind_stack_do_exit+0x11/0x13
[  833.474261] Code: 8d 64 12 4e c0 8d 0c 95 00 00 00 00 29 cb b9 02 00 00 00 89 da 5b 5d e9 db fd ff ff 55 89 e5 3e 8d 74 26 00 8b 80 84 02 00 00 5d <8b> 40 ec c3 55 89 e5 52 3e 8d 74 26 00 b9 04 00 00 00 8b 90 84
[  833.474264] EIP: [<c014cd62>] 
[  833.474265] kthread_data+0xf/0x13
[  833.474265]  SS:ESP 0068:df4f5f48
[  833.474266] CR2: 00000000ffffffec
[  833.474268] ---[ end trace c01a346ab38875ac ]---
[  833.474269] Fixing recursive fault but reboot is needed!

> When I decode it, seems to crash in acm_alloc_minor() which does not make
> sense. It is likely that our kernels or compilers are a bit different.
> Could you please call gdb on your kernel module cdc-acm.ko
>and do:
>
> list *(acm_probe+0x4ee)

I guess you'd want this time  list *(acm_probe+0x540)  because 540 is now
reported at [  833.473882] IP: [<e08fca6e>] acm_probe+0x540/0xd00 [cdc_acm].

# gdb ./cdc-acm.ko
GNU gdb (Gentoo 7.10.1 vanilla) 7.10.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./cdc-acm.ko...done.
(gdb) list *(acm_probe+0x540)
0x1a92 is in acm_probe (drivers/usb/class/cdc-acm.c:1340).
1335            acm->control = control_interface;
1336            acm->data = data_interface;
1337            acm->minor = minor;
1338            acm->dev = usb_dev;
1339            if (h.usb_cdc_acm_descriptor)
1340                    acm->ctrl_caps = h.usb_cdc_acm_descriptor->bmCapabilities;
1341            if (quirks & NO_CAP_LINE)
1342                    acm->ctrl_caps &= ~USB_CDC_CAP_LINE;
1343            acm->ctrlsize = ctrlsize;
1344            acm->readsize = readsize;
(gdb)
quit


Curiously enough, when I do that on 0x4ee, then I seen something that
reminds me of your patches:

(gdb) list *(acm_probe+0x4ee)
0x1a40 is in acm_probe (drivers/usb/class/cdc-acm.c:1332).
1327            WARN_ON(!epctrl);
1328            ctrlsize = usb_endpoint_maxp(epctrl);
1329            WARN_ON(!epread);
1330            readsize = usb_endpoint_maxp(epread) *
1331                                    (quirks == SINGLE_RX_URB ? 1 : 2);
1332            acm->combined_interfaces = combined_interfaces;
1333            WARN_ON(!epwrite);
1334            acm->writesize = usb_endpoint_maxp(epwrite) * 20;
1335            acm->control = control_interface;
1336            acm->data = data_interface;
(gdb)
quit


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Tue, Oct 18, 2016 at 02:18:43PM +0200, Oliver Neukum wrote:
> On Mon, 2016-10-17 at 17:20 +0200, Wim Osterholt wrote:
> > On Mon, Oct 17, 2016 at 04:10:45PM +0200, Oliver Neukum wrote:
> > > Hi,
> > >    
> > > I got one of those devices. However, I don't get a crash.
> > > Could you please give me instructions on how you trigger it?
> >   
> > That's not too hard, just plug it in. :-)

> It definitely does not crash and is probed and your .config is not
> extremely unusual.

Hmmm.

> ... Something odd is going on.

You didn't try it on many machines, did you?
The latest install on a 'new' laptop (Dell latitude D610) did also crash.
For if it matters, they all have Intel chipset here.
Crashes now on five machines.

An worn-out Dell laptop (Inspiron 510m) suddenly got stuck in a reboot loop
for 4.7.10 and 4.9-rc3, but a 4.8-rc4 kept running. Even more miraculously,
it didn't crash on inserting the modem.
I could even compile a 4.9-rc3 that didn't crash on that machine.
The effect was even portable!

I now have a crashing and a non-crashing 4.9-rc3 kernel.
You can find the configs here:
http://webserver.djo.tudelft.nl/.config-4.9-rc3.notOK
http://webserver.djo.tudelft.nl/.config-4.9-rc3.OK

They are very different, so it will take a lot of time to eliminate the
options one by one.
So if you have an idea of which options, or combination of options are evil,
I'd like to hear.


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Tue, Oct 18, 2016 at 02:18:43PM +0200, Oliver Neukum wrote:

> It definitely does not crash and is probed and your .config is not
> extremely unusual.

Hmmm.

> ... Something odd is going on.

Whell, yes.
The only thing that appears you'll have to do is unset 'CONFIG_SMP'.

My machines didn't have the luxury of multicore processors (until recently),
so there never has been any reason to deliberately switch these options on!

In the process of searching, many options may have changed. The crash/OOPS
has now mitigated into just a WARNING with a call trace.
(Or it could be a totally different bug?)
After the call trace the device is working normally and a shutdown
completes to the end now.
That is with the config given here:
http://webserver.djo.tudelft.nl/.config-4.9-rc4.OK (CONFIG_SMP=y)
http://webserver.djo.tudelft.nl/WARNING-4.9-rc4    (call trace for C_S unset)

Tests on other machines with (slightly) different configs all seem to
confirm that the problems are gone when CONFIG_SMP is set.

Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

[-- Attachment #1: Type: text/plain, Size: 1152 bytes --]

On Tue, 2016-11-15 at 01:16 +0100, Wim Osterholt wrote:

Hi,

> Whell, yes.
> The only thing that appears you'll have to do is unset 'CONFIG_SMP'.

OK. I haven't tested that, nor would I ever considered it.
 
> My machines didn't have the luxury of multicore processors (until recently),
> so there never has been any reason to deliberately switch these options on!
> 
> In the process of searching, many options may have changed. The crash/OOPS
> has now mitigated into just a WARNING with a call trace.
> (Or it could be a totally different bug?)
> After the call trace the device is working normally and a shutdown
> completes to the end now.
> That is with the config given here:
> http://webserver.djo.tudelft.nl/.config-4.9-rc4.OK (CONFIG_SMP=y)
> http://webserver.djo.tudelft.nl/WARNING-4.9-rc4    (call trace for C_S unset)
> 
> Tests on other machines with (slightly) different configs all seem to
> confirm that the problems are gone when CONFIG_SMP is set.

OK, something extremely strange is going on. And I think it is time to get
the big hammer out. I made an extremely stupid debugging patch. Could
you test with it?

	Regards
		Oliver


[-- Attachment #2: 0001-acm-insane-debugging.patch --]
[-- Type: text/x-patch, Size: 5444 bytes --]

From d9c67172611257c262a19e9d3d4d9e6b9a69e88c Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.de>
Date: Tue, 8 Nov 2016 16:12:11 +0100
Subject: [PATCH] acm: insane debugging

extremnely stupid debugging patch

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/usb/class/cdc-acm.c | 49 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 43 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 0f3f62e..a460e46 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1329,68 +1329,103 @@ made_compressed_probe:
 	if (acm == NULL)
 		goto alloc_fail;
 
+printk(KERN_ERR"Check point  1\n");
 	minor = acm_alloc_minor(acm);
 	if (minor < 0)
 		goto alloc_fail1;
-
+printk(KERN_ERR"Check point  2\n");
 	ctrlsize = usb_endpoint_maxp(epctrl);
+printk(KERN_ERR"Check point  3\n");
 	readsize = usb_endpoint_maxp(epread) *
 				(quirks == SINGLE_RX_URB ? 1 : 2);
+printk(KERN_ERR"Check point  4\n");
 	acm->combined_interfaces = combined_interfaces;
+printk(KERN_ERR"Check point  5\n");
 	acm->writesize = usb_endpoint_maxp(epwrite) * 20;
+printk(KERN_ERR"Check point  6\n");
 	acm->control = control_interface;
+printk(KERN_ERR"Check point  7\n");
 	acm->data = data_interface;
+printk(KERN_ERR"Check point  8\n");
 	acm->minor = minor;
+printk(KERN_ERR"Check point  9\n");
 	acm->dev = usb_dev;
+printk(KERN_ERR"Check point  10\n");
 	if (h.usb_cdc_acm_descriptor)
 		acm->ctrl_caps = h.usb_cdc_acm_descriptor->bmCapabilities;
+printk(KERN_ERR"Check point  11\n");
 	if (quirks & NO_CAP_LINE)
 		acm->ctrl_caps &= ~USB_CDC_CAP_LINE;
+printk(KERN_ERR"Check point  12\n");
 	acm->ctrlsize = ctrlsize;
+printk(KERN_ERR"Check point  13\n");
 	acm->readsize = readsize;
+printk(KERN_ERR"Check point  14\n");
 	acm->rx_buflimit = num_rx_buf;
+printk(KERN_ERR"Check point  15\n");
 	INIT_WORK(&acm->work, acm_softint);
+printk(KERN_ERR"Check point  16\n");
 	init_waitqueue_head(&acm->wioctl);
+printk(KERN_ERR"Check point  17\n");
 	spin_lock_init(&acm->write_lock);
+printk(KERN_ERR"Check point  18\n");
 	spin_lock_init(&acm->read_lock);
+printk(KERN_ERR"Check point  19\n");
 	mutex_init(&acm->mutex);
+printk(KERN_ERR"Check point  20\n");
 	acm->is_int_ep = usb_endpoint_xfer_int(epread);
+printk(KERN_ERR"Check point  21\n");
 	if (acm->is_int_ep)
 		acm->bInterval = epread->bInterval;
+printk(KERN_ERR"Check point  22\n");
 	tty_port_init(&acm->port);
+printk(KERN_ERR"Check point  23\n");
 	acm->port.ops = &acm_port_ops;
+printk(KERN_ERR"Check point  24\n");
 	init_usb_anchor(&acm->delayed);
+printk(KERN_ERR"Check point  25\n");
 	acm->quirks = quirks;
+printk(KERN_ERR"Check point  26\n");
 
 	buf = usb_alloc_coherent(usb_dev, ctrlsize, GFP_KERNEL, &acm->ctrl_dma);
 	if (!buf)
 		goto alloc_fail2;
 	acm->ctrl_buffer = buf;
+printk(KERN_ERR"Check point  27\n");
 
 	if (acm_write_buffers_alloc(acm) < 0)
 		goto alloc_fail4;
+printk(KERN_ERR"Check point  28\n");
 
 	acm->ctrlurb = usb_alloc_urb(0, GFP_KERNEL);
 	if (!acm->ctrlurb)
 		goto alloc_fail5;
+printk(KERN_ERR"Check point  29\n");
 
 	for (i = 0; i < num_rx_buf; i++) {
 		struct acm_rb *rb = &(acm->read_buffers[i]);
 		struct urb *urb;
+printk(KERN_ERR"Check point  30, buffer %d\n", i);
 
 		rb->base = usb_alloc_coherent(acm->dev, readsize, GFP_KERNEL,
 								&rb->dma);
 		if (!rb->base)
 			goto alloc_fail6;
+printk(KERN_ERR"Check point  31, buffer %d\n", i);
 		rb->index = i;
+printk(KERN_ERR"Check point  32, buffer %d\n", i);
 		rb->instance = acm;
+printk(KERN_ERR"Check point  33, buffer %d\n", i);
 
 		urb = usb_alloc_urb(0, GFP_KERNEL);
 		if (!urb)
 			goto alloc_fail6;
+printk(KERN_ERR"Check point  34, buffer %d\n", i);
 
 		urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+printk(KERN_ERR"Check point  35, buffer %d\n", i);
 		urb->transfer_dma = rb->dma;
+printk(KERN_ERR"Check point  36, buffer %d\n", i);
 		if (acm->is_int_ep) {
 			usb_fill_int_urb(urb, acm->dev,
 					 usb_rcvintpipe(usb_dev, epread->bEndpointAddress),
@@ -1405,9 +1440,11 @@ made_compressed_probe:
 					  acm->readsize,
 					  acm_read_bulk_callback, rb);
 		}
-
+printk(KERN_ERR"Check point  37, buffer %d\n", i);
 		acm->read_urbs[i] = urb;
+printk(KERN_ERR"Check point  38, buffer %d\n", i);
 		__set_bit(i, &acm->read_urbs_free);
+printk(KERN_ERR"Check point  39, buffer %d\n", i);
 	}
 	for (i = 0; i < ACM_NW; i++) {
 		struct acm_wb *snd = &(acm->wb[i]);
@@ -1431,11 +1468,11 @@ made_compressed_probe:
 	}
 
 	usb_set_intfdata(intf, acm);
-
+printk(KERN_ERR"Check point  40\n");
 	i = device_create_file(&intf->dev, &dev_attr_bmCapabilities);
 	if (i < 0)
 		goto alloc_fail7;
-
+printk(KERN_ERR"Check point 41\n");
 	if (h.usb_cdc_country_functional_desc) { /* export the country data */
 		struct usb_cdc_country_functional_desc * cfd =
 					h.usb_cdc_country_functional_desc;
@@ -1447,7 +1484,7 @@ made_compressed_probe:
 		memcpy(acm->country_codes, (u8 *)&cfd->wCountyCode0,
 							cfd->bLength - 4);
 		acm->country_rel_date = cfd->iCountryCodeRelDate;
-
+printk(KERN_ERR"Check point  42\n");
 		i = device_create_file(&intf->dev, &dev_attr_wCountryCodes);
 		if (i < 0) {
 			kfree(acm->country_codes);
@@ -1455,7 +1492,7 @@ made_compressed_probe:
 			acm->country_code_size = 0;
 			goto skip_countries;
 		}
-
+printk(KERN_ERR"Check point  43\n");
 		i = device_create_file(&intf->dev,
 						&dev_attr_iCountryCodeRelDate);
 		if (i < 0) {
-- 
2.1.4

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[poma]

On 15.11.2016 01:16, Wim Osterholt wrote:
> On Tue, Oct 18, 2016 at 02:18:43PM +0200, Oliver Neukum wrote:
> 
>> It definitely does not crash and is probed and your .config is not
>> extremely unusual.
> 
> Hmmm.
> 
>> ... Something odd is going on.
> 
> Whell, yes.
> The only thing that appears you'll have to do is unset 'CONFIG_SMP'.
> 
> My machines didn't have the luxury of multicore processors (until recently),
> so there never has been any reason to deliberately switch these options on!
> 
> In the process of searching, many options may have changed. The crash/OOPS
> has now mitigated into just a WARNING with a call trace.
> (Or it could be a totally different bug?)
> After the call trace the device is working normally and a shutdown
> completes to the end now.
> That is with the config given here:
> http://webserver.djo.tudelft.nl/.config-4.9-rc4.OK (CONFIG_SMP=y)
> http://webserver.djo.tudelft.nl/WARNING-4.9-rc4    (call trace for C_S unset)
> 
> Tests on other machines with (slightly) different configs all seem to
> confirm that the problems are gone when CONFIG_SMP is set.
> 
> Regards, Wim.
> 
> 

Try retest with mainline 4.9-rc5,
CONFIG_SMP was not crucial[1].

$ grep CONFIG_SMP /boot/config-4.9.0-0.rc5.git0.1.fc26.x86_64*
/boot/config-4.9.0-0.rc5.git0.1.fc26.x86_64:CONFIG_SMP=y
/boot/config-4.9.0-0.rc5.git0.1.fc26.x86_64+debug:CONFIG_SMP=y

[1] https://www.spinics.net/lists/linux-usb/msg148852.html

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Tue, Nov 15, 2016 at 12:26:00PM +0100, poma wrote:
> > In the process of searching, many options may have changed. The crash/OOPS
> > has now mitigated into just a WARNING with a call trace.
> > (Or it could be a totally different bug?)
> > 
> > Tests on other machines with (slightly) different configs all seem to
> > confirm that the problems are gone when CONFIG_SMP is set.
> > 
> 
> Try retest with mainline 4.9-rc5,
> CONFIG_SMP was not crucial[1].

I did also test 4.9-rc5 and it behaves like all the rest (since 4.8).
My problem is gone when CONFIG_SMP is set.

That doesn't mean that there are no extra bugs here, dependant on the
presence or absence of other options.

> [1] https://www.spinics.net/lists/linux-usb/msg148852.html

I experience a sliding scale.
With debug it crashes immediately. It may crash later on (even at shutdown
time). It's not even an oops but a warning. In the end it happens to just
work.


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

On Tue, 2016-11-15 at 14:29 +0100, Wim Osterholt wrote:

> I experience a sliding scale.
> With debug it crashes immediately. It may crash later on (even at shutdown
> time). It's not even an oops but a warning. In the end it happens to just
> work.

This is very odd. We need to know where it crashes. Please try the
insane debug patch I posted.

	Regards
		Oliver

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Wed, Nov 16, 2016 at 01:34:30PM +0100, Oliver Neukum wrote:
> 
> This is very odd. We need to know where it crashes. Please try the
> insane debug patch I posted.

A bit of patience please. Yesterday I hadn't the modem at hand.

Groeten, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Wed, Nov 16, 2016 at 04:07:57PM +0100, Wim Osterholt wrote:
> A bit of patience please. Yesterday I hadn't the modem at hand.

Whell, I lost track of what happens where with which config file..
Confusion about the bug not appearing an too many configs with SMP set
where I'm sure the machine(s) crashed on it.

The intention was to now use just one machine, to avoid confusion.
This is not going to work, due to problems with my video card.
(Crashes when it writes text beyond framebuffer space?)
VGA mode keeps working now.. We'll see..

Okay, a virgin start then.
A new 4.8.8 downloaded. A config from 4.7.9. Make oldconfig.
Accept all defaults for the new options.
CONFIG_SMP was set. Made two kernels, with and without SMP set.
Both kernels behaved the same: an OOPS at cdc_acm loading.
Fortunately the bug is still there.
In this very config the SMP setting does not seem to matter.

Now a retry of 4.9-rc5. I take the config of 4.8.8 and accept
the default for the new options.
SMP set.  No call trace appears.
For completeness I should also try with SMP unset. That is for tomorrow
then.

BTW, your latest patch was not yet applied here. At work where I had no oops
today, it gave an output count from 0 to 41, looping (30-39) through 16
buffers.  More tomorrow. Need urgent sleep now.

Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Thu, Nov 17, 2016 at 02:57:33AM +0100, Wim Osterholt wrote:
> Now a retry of 4.9-rc5. I take the config of 4.8.8 and accept
> the default for the new options.
> SMP set.  No call trace appears.
> For completeness I should also try with SMP unset. That is for tomorrow
> then.

With CONFIG_SMP unset nothing goes wrong here either.
It looks like it has been fixed in 4.9-rc5, but I should also double check
several conbinations on my (slower) laptop.

Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Thu, Nov 17, 2016 at 10:14:34AM +0100, Wim Osterholt wrote:
> > For completeness I should also try with SMP unset. That is for tomorrow
> > then.
> 
> With CONFIG_SMP unset nothing goes wrong here either.
> It looks like it has been fixed in 4.9-rc5, but I should also double check
> several conbinations on my (slower) laptop.

Nov 17 15:07:49 localhost kernel: usb 4-1: new full-speed USB device number 2 using uhci_hcd
Nov 17 15:07:49 localhost kernel: usb 4-1: New USB device found, idVendor=0572, idProduct=1340
Nov 17 15:07:49 localhost kernel: usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Nov 17 15:07:49 localhost kernel: usb 4-1: Product: USB Modem
Nov 17 15:07:49 localhost kernel: usb 4-1: Manufacturer: Conexant
Nov 17 15:07:49 localhost kernel: usb 4-1: SerialNumber: 12345678
Nov 17 15:07:50 localhost mtp-probe[12956]: checking bus 4, device 2: "/sys/devices/pci0000:00/0000:00:1d.2/usb4/4-1"
Nov 17 15:07:50 localhost mtp-probe[12956]: bus: 4, device: 2 was not an MTP device
Nov 17 15:07:51 localhost kernel: Check point  1
Nov 17 15:07:51 localhost kernel: Check point  2
Nov 17 15:07:51 localhost kernel: Check point  3
Nov 17 15:07:51 localhost kernel: Check point  4
Nov 17 15:07:51 localhost kernel: Check point  5
Nov 17 15:07:51 localhost kernel: Check point  6
Nov 17 15:07:51 localhost kernel: Check point  7
Nov 17 15:07:51 localhost kernel: Check point  8
Nov 17 15:07:51 localhost kernel: Check point  9
Nov 17 15:07:51 localhost kernel: Check point  10
Nov 17 15:07:51 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at 00000249
Nov 17 15:07:51 localhost kernel: IP: [<e186ece2>] acm_probe+0x559/0xe53 [cdc_acm]
Nov 17 15:07:51 localhost kernel: *pde = 00000000 
Nov 17 15:07:51 localhost kernel: Oops: 0000 [#1] SMP
...


You can get a few logs concatenated at
http://webserver.djo.tudelft.nl/insane488.logs

Usually the oops follows immediately after inserting the modem, but in one case
it took a few seconds extra before the oops. I think that is the one that
printed the full range of checkpoints.

On another 3 machines running 4.9-rc5 here  everything went fine on insertion.
Switching back to 4.8.8 produced the bug with outputs similar to the above.

Now back to the laptops to see if I can get confirmation of having seen the
oops at 4.9-rc5 in some way. I'm not sure now. 


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Oliver Neukum]

[-- Attachment #1: Type: text/plain, Size: 602 bytes --]

On Thu, 2016-11-17 at 17:11 +0100, Wim Osterholt wrote:

> Nov 17 15:07:51 localhost kernel: Check point  10
> Nov 17 15:07:51 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at 00000249
> Nov 17 15:07:51 localhost kernel: IP: [<e186ece2>] acm_probe+0x559/0xe53 [cdc_acm]
> Nov 17 15:07:51 localhost kernel: *pde = 00000000 
> Nov 17 15:07:51 localhost kernel: Oops: 0000 [#1] SMP

I don't understand it, bit please test the attached patch
with dynamic debugging for cdc-acm and the kernel log level
at maximum. And please repost "lsusb -v" for your device.

	Regards
		Oliver


[-- Attachment #2: 0001-CDC-ACM-debugging-for-parsed-descriptors.patch --]
[-- Type: text/x-patch, Size: 1115 bytes --]

From 51665f8ce6e13ba11b93b856290135bfe529d835 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 21 Nov 2016 14:08:31 +0100
Subject: [PATCH] CDC-ACM: debugging for parsed descriptors

This is necessary to debug the parser on malformed headers.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/usb/class/cdc-acm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 6895f9e..f03b5db 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1188,6 +1188,12 @@ static int acm_probe(struct usb_interface *intf,
 
 	cdc_parse_cdc_header(&h, intf, buffer, buflen);
 	union_header = h.usb_cdc_union_desc;
+
+	dev_dbg(&intf->dev, "Parsed device header\n");
+	dev_dbg(&intf->dev, "Union descriptor %p\n", h.usb_cdc_union_desc);
+	dev_dbg(&intf->dev, "ACM descriptor %p\n", h.usb_cdc_acm_descriptor);
+	dev_dbg(&intf->dev, "Country descriptor %p\n", h.usb_cdc_country_functional_desc);
+
 	cmgmd = h.usb_cdc_call_mgmt_descriptor;
 	if (cmgmd)
 		call_intf_num = cmgmd->bDataInterface;
-- 
2.1.4

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Mon, Nov 21, 2016 at 02:19:32PM +0100, Oliver Neukum wrote:
> On Thu, 2016-11-17 at 17:11 +0100, Wim Osterholt wrote:
> 
> > Nov 17 15:07:51 localhost kernel: Check point  10
> > Nov 17 15:07:51 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at 00000249
> > Nov 17 15:07:51 localhost kernel: IP: [<e186ece2>] acm_probe+0x559/0xe53 [cdc_acm]
> > Nov 17 15:07:51 localhost kernel: *pde = 00000000 
> > Nov 17 15:07:51 localhost kernel: Oops: 0000 [#1] SMP
> 
> I don't understand it, bit please test the attached patch
> with dynamic debugging for cdc-acm and the kernel log level
> at maximum. And please repost "lsusb -v" for your device.

I didn't find traces of kernel-4.9-rc5 being ran on any of my laptops, so I
can't have seen a crash on rc5. It seems rc5 and rc6 is safe now.

I assume you want this on a crashing kernel, but I already removed the
sources. (Lack of space).
4.8.10 is now compiling, that was the fastest option. If that one doesn't
crash anymore I'll dig up 4.8.8 again.

lsusb -v:

Bus 004 Device 002: ID 0572:1340 Conexant Systems (Rockwell), Inc. 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            2 Communications
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x0572 Conexant Systems (Rockwell), Inc.
  idProduct          0x1340 
  bcdDevice            1.00
  iManufacturer           1 Conexant
  iProduct                2 USB Modem
  iSerial                 3 12345678
  bNumConfigurations      2
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           73
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval             128
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      CDC Header:
        bcdCDC               1.10
      CDC Call Management:
        bmCapabilities       0x03
          call management
          use DataInterface
        bDataInterface          1
      CDC ACM:
        bmCapabilities       0x07
          sends break
          line coding and serial state
          get/set/clear comm features
      CDC Union:
        bMasterInterface        0
        bSlaveInterface         1 
      Country Selection:
        iCountryCodeRelDate        4 04052004
        wCountryCode          0x4803
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           96
    bNumInterfaces          3
    bConfigurationValue     2
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval             128
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval              10
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval              10
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x03  EP 3 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      CDC Header:
        bcdCDC               1.10
      CDC Call Management:
        bmCapabilities       0x03
          call management
          use DataInterface
        bDataInterface          1
      CDC ACM:
        bmCapabilities       0x07
          sends break
          line coding and serial state
          get/set/clear comm features
      CDC Union:
        bMasterInterface        0
        bSlaveInterface         1 
      Country Selection:
        iCountryCodeRelDate        4 04052004
        wCountryCode          0x4803
Device Status:     0x0000
  (Bus Powered)

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Mon, Nov 21, 2016 at 04:58:25PM +0100, Wim Osterholt wrote:
> 
> I didn't find traces of kernel-4.9-rc5 being ran on any of my laptops, so I
> can't have seen a crash on rc5. It seems rc5 and rc6 is safe now.

Neither 4.8.10, nor 4.8.9 show the bug.
It must be a bug ouside cdc_acm that they have fixed. (a late propagation of
the IRQ-penalty-bug-fix maybe?)

I'm rebuilding 4.8.8 now.

Groeten, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[poma]

On 21.11.2016 21:23, Wim Osterholt wrote:
> On Mon, Nov 21, 2016 at 04:58:25PM +0100, Wim Osterholt wrote:
>>
>> I didn't find traces of kernel-4.9-rc5 being ran on any of my laptops, so I
>> can't have seen a crash on rc5. It seems rc5 and rc6 is safe now.
> 
> Neither 4.8.10, nor 4.8.9 show the bug.
> It must be a bug ouside cdc_acm that they have fixed. (a late propagation of
> the IRQ-penalty-bug-fix maybe?)
> 
> I'm rebuilding 4.8.8 now.
> 
> Groeten, Wim.
> 


After all the patching and testing I concluded the same, 
breakage came and is gone outside drivers/usb/class/
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/diff/?id=v4.9-rc5&id2=v4.9-rc4

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Mon, Nov 21, 2016 at 02:19:32PM +0100, Oliver Neukum wrote:

> I don't understand it, bit please test the attached patch
> with dynamic debugging for cdc-acm and the kernel log level
> at maximum.

> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> index 6895f9e..f03b5db 100644
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -1188,6 +1188,12 @@ static int acm_probe(struct usb_interface *intf,
>  
>  	cdc_parse_cdc_header(&h, intf, buffer, buflen);
>  	union_header = h.usb_cdc_union_desc;
> +
> +	dev_dbg(&intf->dev, "Parsed device header\n");
> +	dev_dbg(&intf->dev, "Union descriptor %p\n", h.usb_cdc_union_desc);
> +	dev_dbg(&intf->dev, "ACM descriptor %p\n", h.usb_cdc_acm_descriptor);
> +	dev_dbg(&intf->dev, "Country descriptor %p\n", h.usb_cdc_country_functional_desc);
> +
>  	cmgmd = h.usb_cdc_call_mgmt_descriptor;
>  	if (cmgmd)
>  		call_intf_num = cmgmd->bDataInterface;


On kernel 4.8.8  this crashes hard and produces over a serial link:

[  156.842106] sysrq: SysRq : Changing Loglevel
[  156.842110] sysrq: Loglevel set to 9
[  156.947852] usbcore: registered new interface driver cdc_acm
[  156.947854] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[  161.176701] usb 4-1: new full-speed USB device number 2 using uhci_hcd
[  161.383608] usb 4-1: New USB device found, idVendor=0572, idProduct=1340
[  161.384707] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  161.388722] usb 4-1: Product: USB Modem
[  161.392711] usb 4-1: Manufacturer: Conexant
[  161.392714] usb 4-1: SerialNumber: 12345678
[  161.397703] cdc_acm:acm_probe: cdc_acm 4-1:1.0: interfaces are valid
[  161.397731] BUG: unable to handle kernel NULL pointer dereference at 00000249
[  161.397740] IP: [<e086ad09>] acm_probe+0x580/0xd1e [cdc_acm]
[  161.397742] *pde = 00000000 
[  161.397745] Oops: 0000 [#1] SMP
[  161.397786] Modules linked in: cdc_acm radeon drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit fbcon bitblit softcursor font tileblit binfmt_misc snd_pcm_oss snd_mixer_oss usb_storage usbhid ipw2200 libipw lib80211 snd_intel8x0 cfg80211 snd_ac97_codec ac97_bus uhci_hcd snd_pcm ehci_pci snd_timer snd ehci_hcd rfkill usbcore soundcore via_rhine firmware_class ppdev pcspkr parport_pc mii lpc_ich parport fan usb_common acpi_cpufreq thermal mfd_core floppy button processor
[  161.397790] CPU: 0 PID: 4 Comm: kworker/0:0 Not tainted 4.8.8 #2
[  161.397792] Hardware name: MEDIONPC MS-7048/MS-7048, BIOS 6.00 PG 02/12/2004
[  161.397805] Workqueue: usb_hub_wq hub_event [usbcore]
[  161.397807] task: df4c9500 task.stack: df4da000
[  161.397810] EIP: 0060:[<e086ad09>] EFLAGS: 00010202 CPU: 0
[  161.397813] EIP is at acm_probe+0x580/0xd1e [cdc_acm]
[  161.397815] EAX: 00000246 EBX: dc27b000 ECX: e086c934 EDX: 00000000
[  161.397817] ESI: 00000100 EDI: 00000000 EBP: df4dbc18 ESP: df4dbb80
[  161.397819]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  161.397821] CR0: 80050033 CR2: 00000249 CR3: 1c45f000 CR4: 00000690
[  161.397822] Stack:
[  161.397828]  00003640 00003662 0000000e df491d50 00000000 00000000 00000010 00000040
[  161.397835]  00000080 00000246 dd1fc540 decf5a00 dc468c70 00000001 df583a00 df583a38
[  161.397841]  dc468c00 decf5800 decf5a00 00000000 dc452ab0 00000004 00000246 df4dbc00
[  161.397842] Call Trace:
[  161.397853]  [<c04bce4d>] ? __mutex_unlock_slowpath+0xf4/0xfc
[  161.397862]  [<e1e2e50d>] ? usb_probe_interface+0x17b/0x1f6 [usbcore]
[  161.397870]  [<e1e2e50d>] ? usb_probe_interface+0x17b/0x1f6 [usbcore]
[  161.397877]  [<c0366fe8>] ? driver_probe_device+0x17b/0x30e
[  161.397880]  [<c0366fe8>] ? driver_probe_device+0x17b/0x30e
[  161.397883]  [<c03656e2>] ? bus_for_each_drv+0x59/0x68
[  161.397886]  [<c03656e2>] ? bus_for_each_drv+0x59/0x68
[  161.397890]  [<c0366d96>] ? __device_attach+0x91/0x105
[  161.397893]  [<c036727c>] ? driver_allows_async_probing+0x2f/0x2f
[  161.397896]  [<c036636a>] ? bus_probe_device+0x27/0x6b
[  161.397899]  [<c036636a>] ? bus_probe_device+0x27/0x6b
[  161.397902]  [<c0364af0>] ? device_add+0x289/0x4be
[  161.397911]  [<e1e2ce72>] ? usb_set_configuration+0x5a6/0x5e9 [usbcore]
[  161.397919]  [<e1e2ce72>] ? usb_set_configuration+0x5a6/0x5e9 [usbcore]
[  161.397928]  [<e1e34664>] ? generic_probe+0x3b/0x67 [usbcore]
[  161.397937]  [<e1e34664>] ? generic_probe+0x3b/0x67 [usbcore]
[  161.397945]  [<e1e2e379>] ? usb_probe_device+0x49/0x62 [usbcore]
[  161.397953]  [<e1e2e330>] ? usb_suspend+0xcd/0xcd [usbcore]
[  161.397957]  [<c0366fe8>] ? driver_probe_device+0x17b/0x30e
[  161.397960]  [<c0366fe8>] ? driver_probe_device+0x17b/0x30e
[  161.397963]  [<c03656e2>] ? bus_for_each_drv+0x59/0x68
[  161.397966]  [<c03656e2>] ? bus_for_each_drv+0x59/0x68
[  161.397969]  [<c0366d96>] ? __device_attach+0x91/0x105
[  161.397972]  [<c036727c>] ? driver_allows_async_probing+0x2f/0x2f
[  161.397976]  [<c036636a>] ? bus_probe_device+0x27/0x6b
[  161.397979]  [<c036636a>] ? bus_probe_device+0x27/0x6b
[  161.397982]  [<c0364af0>] ? device_add+0x289/0x4be
[  161.397985]  [<c035f7e9>] ? add_device_randomness+0x84/0x9c
[  161.397993]  [<e1e2521a>] ? usb_new_device+0x29d/0x3b5 [usbcore]
[  161.398001]  [<e1e2521a>] ? usb_new_device+0x29d/0x3b5 [usbcore]
[  161.398010]  [<e1e26949>] ? hub_event+0xb32/0xed8 [usbcore]
[  161.398017]  [<e1e26949>] ? hub_event+0xb32/0xed8 [usbcore]
[  161.398026]  [<e1e25d06>] ? usb_remote_wakeup+0x6f/0x7d [usbcore]
[  161.398031]  [<c01484b7>] ? process_one_work+0x174/0x2bc
[  161.398034]  [<c01484b7>] ? process_one_work+0x174/0x2bc
[  161.398037]  [<c0148a93>] ? worker_thread+0x22c/0x2f6
[  161.398040]  [<c0148867>] ? rescuer_thread+0x23f/0x23f
[  161.398043]  [<c014be62>] ? kthread+0xa4/0xa9
[  161.398046]  [<c04be662>] ? ret_from_kernel_thread+0xe/0x24
[  161.398049]  [<c014bdbe>] ? kthread_create_on_node+0x101/0x101
[  161.398085] Code: 14 89 83 b4 04 00 00 8b 45 94 89 43 04 8b 45 ac 89 43 08 8b 85 7c ff ff ff 89 83 c0 04 00 00 8b 45 a8 89 03 8b 45 c0 85 c0 74 0a <0f> b6 40 03 89 83 c8 04 00 00 f6 45 9c 04 74 07 83 a3 c8 04 00
[  161.398091] EIP: [<e086ad09>] acm_probe+0x580/0xd1e [cdc_acm] SS:ESP 0068:df4dbb80
[  161.398092] CR2: 0000000000000249
[  161.398096] ---[ end trace da016e6d3520a331 ]---
[  161.398152] BUG: unable to handle kernel paging request at ffffffec
[  161.398156] IP: [<c014c304>] kthread_data+0xf/0x13
[  161.398159] *pde = 00735067 *pte = 00000000 
[  161.398161] Oops: 0000 [#2] SMP
[  161.398197] Modules linked in: cdc_acm radeon drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit fbcon bitblit softcursor font tileblit binfmt_misc snd_pcm_oss snd_mixer_oss usb_storage usbhid ipw2200 libipw lib80211 snd_intel8x0 cfg80211 snd_ac97_codec ac97_bus uhci_hcd snd_pcm ehci_pci snd_timer snd ehci_hcd rfkill usbcore soundcore via_rhine firmware_class ppdev pcspkr parport_pc mii lpc_ich parport fan usb_common acpi_cpufreq thermal mfd_core floppy button processor
[  161.398200] CPU: 0 PID: 4 Comm: kworker/0:0 Tainted: G      D         4.8.8 #2
[  161.398202] Hardware name: MEDIONPC MS-7048/MS-7048, BIOS 6.00 PG 02/12/2004
[  161.398217] task: df4c9500 task.stack: df4da000
[  161.398219] EIP: 0060:[<c014c304>] EFLAGS: 00010002 CPU: 0
[  161.398221] EIP is at kthread_data+0xf/0x13
[  161.398223] EAX: 00000000 EBX: df4dc000 ECX: dec92374 EDX: df4c9500
[  161.398225] ESI: df4c97b4 EDI: dfbd0960 EBP: df4dbf48 ESP: df4dbf44
[  161.398227]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  161.398229] CR0: 80050033 CR2: 00000014 CR3: 1c45f000 CR4: 00000690
[  161.398231] Stack:
[  161.398237]  c0148bbb df4dbf6c c04bb2a4 df401d80 c01e2b00 df4c9500 00000001 df4dc000
[  161.398244]  df4dbd50 df4dbf98 df4dbf78 c04bb669 df4c9500 df4dbfac c0139827 df4c9888
[  161.398250]  01000000 df4c972c df4c8000 00000001 00000000 df4dbf98 df4dbf98 00000009
[  161.398251] Call Trace:
[  161.398254]  [<c0148bbb>] ? wq_worker_sleeping+0xd/0x75
[  161.398259]  [<c04bb2a4>] ? __schedule+0xcc/0x424
[  161.398263]  [<c01e2b00>] ? __slab_free+0x266/0x270
[  161.398266]  [<c04bb669>] ? schedule+0x6d/0x7a
[  161.398270]  [<c0139827>] ? do_exit+0x74d/0x775
[  161.398274]  [<c04bf679>] ? rewind_stack_do_exit+0x11/0x13
[  161.398277]  [<c014bdbe>] ? kthread_create_on_node+0x101/0x101
[  161.398312] Code: 8d 44 90 4c c0 8d 0c 95 00 00 00 00 29 cb b9 02 00 00 00 89 da 5b 5d e9 f5 fd ff ff 55 89 e5 3e 8d 74 26 00 8b 80 84 02 00 00 5d <8b> 40 ec c3 55 89 e5 52 3e 8d 74 26 00 b9 04 00 00 00 8b 90 84
[  161.398316] EIP: [<c014c304>] kthread_data+0xf/0x13 SS:ESP 0068:df4dbf44
[  161.398318] CR2: 00000000ffffffec
[  161.398320] ---[ end trace da016e6d3520a332 ]---
[  161.398321] Fixing recursive fault but reboot is needed!


Regards, Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Bjørn Mork]

Wim Osterholt <wim@djo.tudelft.nl> writes:

> On Mon, Nov 21, 2016 at 02:19:32PM +0100, Oliver Neukum wrote:
>> On Thu, 2016-11-17 at 17:11 +0100, Wim Osterholt wrote:
>> 
>> > Nov 17 15:07:51 localhost kernel: Check point  10
>> > Nov 17 15:07:51 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at 00000249
>> > Nov 17 15:07:51 localhost kernel: IP: [<e186ece2>] acm_probe+0x559/0xe53 [cdc_acm]
>> > Nov 17 15:07:51 localhost kernel: *pde = 00000000 
>> > Nov 17 15:07:51 localhost kernel: Oops: 0000 [#1] SMP
>> 
>> I don't understand it, bit please test the attached patch
>> with dynamic debugging for cdc-acm and the kernel log level
>> at maximum. And please repost "lsusb -v" for your device.
>
> I didn't find traces of kernel-4.9-rc5 being ran on any of my laptops, so I
> can't have seen a crash on rc5. It seems rc5 and rc6 is safe now.
>
> I assume you want this on a crashing kernel, but I already removed the
> sources. (Lack of space).
> 4.8.10 is now compiling, that was the fastest option. If that one doesn't
> crash anymore I'll dig up 4.8.8 again.
>
> lsusb -v:
>
> Bus 004 Device 002: ID 0572:1340 Conexant Systems (Rockwell), Inc. 
> Device Descriptor:
>   bLength                18
>   bDescriptorType         1
>   bcdUSB               1.10
>   bDeviceClass            2 Communications
>   bDeviceSubClass         0 
>   bDeviceProtocol         0 
>   bMaxPacketSize0        64
>   idVendor           0x0572 Conexant Systems (Rockwell), Inc.
>   idProduct          0x1340 
>   bcdDevice            1.00
>   iManufacturer           1 Conexant
>   iProduct                2 USB Modem
>   iSerial                 3 12345678
>   bNumConfigurations      2
>   Configuration Descriptor:
>     bLength                 9
>     bDescriptorType         2
>     wTotalLength           73
>     bNumInterfaces          2
>     bConfigurationValue     1
>     iConfiguration          0 
>     bmAttributes         0x80
>       (Bus Powered)
>     MaxPower              100mA
>     Interface Descriptor:
>       bLength                 9
>       bDescriptorType         4
>       bInterfaceNumber        0
>       bAlternateSetting       0
>       bNumEndpoints           1
>       bInterfaceClass         2 Communications
>       bInterfaceSubClass      2 Abstract (modem)
>       bInterfaceProtocol      1 AT-commands (v.25ter)
>       iInterface              0 
>       Endpoint Descriptor:
>         bLength                 7
>         bDescriptorType         5
>         bEndpointAddress     0x81  EP 1 IN
>         bmAttributes            3
>           Transfer Type            Interrupt
>           Synch Type               None
>           Usage Type               Data
>         wMaxPacketSize     0x0040  1x 64 bytes
>         bInterval             128
>     Interface Descriptor:
>       bLength                 9
>       bDescriptorType         4
>       bInterfaceNumber        1
>       bAlternateSetting       0
>       bNumEndpoints           2
>       bInterfaceClass        10 CDC Data
>       bInterfaceSubClass      0 Unused
>       bInterfaceProtocol      0 
>       iInterface              0 
>       Endpoint Descriptor:
>         bLength                 7
>         bDescriptorType         5
>         bEndpointAddress     0x82  EP 2 IN
>         bmAttributes            2
>           Transfer Type            Bulk
>           Synch Type               None
>           Usage Type               Data
>         wMaxPacketSize     0x0040  1x 64 bytes
>         bInterval               1
>       Endpoint Descriptor:
>         bLength                 7
>         bDescriptorType         5
>         bEndpointAddress     0x02  EP 2 OUT
>         bmAttributes            2
>           Transfer Type            Bulk
>           Synch Type               None
>           Usage Type               Data
>         wMaxPacketSize     0x0040  1x 64 bytes
>         bInterval               1
>       CDC Header:
>         bcdCDC               1.10
>       CDC Call Management:
>         bmCapabilities       0x03
>           call management
>           use DataInterface
>         bDataInterface          1
>       CDC ACM:
>         bmCapabilities       0x07
>           sends break
>           line coding and serial state
>           get/set/clear comm features
>       CDC Union:
>         bMasterInterface        0
>         bSlaveInterface         1 
>       Country Selection:
>         iCountryCodeRelDate        4 04052004
>         wCountryCode          0x4803
>   Configuration Descriptor:
>     bLength                 9
>     bDescriptorType         2
>     wTotalLength           96
>     bNumInterfaces          3
>     bConfigurationValue     2
>     iConfiguration          0 
>     bmAttributes         0x80
>       (Bus Powered)
>     MaxPower              100mA
>     Interface Descriptor:
>       bLength                 9
>       bDescriptorType         4
>       bInterfaceNumber        0
>       bAlternateSetting       0
>       bNumEndpoints           1
>       bInterfaceClass         2 Communications
>       bInterfaceSubClass      2 Abstract (modem)
>       bInterfaceProtocol      1 AT-commands (v.25ter)
>       iInterface              0 
>       Endpoint Descriptor:
>         bLength                 7
>         bDescriptorType         5
>         bEndpointAddress     0x81  EP 1 IN
>         bmAttributes            3
>           Transfer Type            Interrupt
>           Synch Type               None
>           Usage Type               Data
>         wMaxPacketSize     0x0040  1x 64 bytes
>         bInterval             128
>     Interface Descriptor:
>       bLength                 9
>       bDescriptorType         4
>       bInterfaceNumber        1
>       bAlternateSetting       0
>       bNumEndpoints           2
>       bInterfaceClass        10 CDC Data
>       bInterfaceSubClass      0 Unused
>       bInterfaceProtocol      0 
>       iInterface              0 
>       Endpoint Descriptor:
>         bLength                 7
>         bDescriptorType         5
>         bEndpointAddress     0x82  EP 2 IN
>         bmAttributes            2
>           Transfer Type            Bulk
>           Synch Type               None
>           Usage Type               Data
>         wMaxPacketSize     0x0040  1x 64 bytes
>         bInterval              10
>       Endpoint Descriptor:
>         bLength                 7
>         bDescriptorType         5
>         bEndpointAddress     0x02  EP 2 OUT
>         bmAttributes            2
>           Transfer Type            Bulk
>           Synch Type               None
>           Usage Type               Data
>         wMaxPacketSize     0x0040  1x 64 bytes
>         bInterval              10
>     Interface Descriptor:
>       bLength                 9
>       bDescriptorType         4
>       bInterfaceNumber        2
>       bAlternateSetting       0
>       bNumEndpoints           2
>       bInterfaceClass        10 CDC Data
>       bInterfaceSubClass      0 Unused
>       bInterfaceProtocol      0 
>       iInterface              0 
>       Endpoint Descriptor:
>         bLength                 7
>         bDescriptorType         5
>         bEndpointAddress     0x83  EP 3 IN
>         bmAttributes            2
>           Transfer Type            Bulk
>           Synch Type               None
>           Usage Type               Data
>         wMaxPacketSize     0x0040  1x 64 bytes
>         bInterval               1
>       Endpoint Descriptor:
>         bLength                 7
>         bDescriptorType         5
>         bEndpointAddress     0x03  EP 3 OUT
>         bmAttributes            2
>           Transfer Type            Bulk
>           Synch Type               None
>           Usage Type               Data
>         wMaxPacketSize     0x0040  1x 64 bytes
>         bInterval               1
>       CDC Header:
>         bcdCDC               1.10
>       CDC Call Management:
>         bmCapabilities       0x03
>           call management
>           use DataInterface
>         bDataInterface          1
>       CDC ACM:
>         bmCapabilities       0x07
>           sends break
>           line coding and serial state
>           get/set/clear comm features
>       CDC Union:
>         bMasterInterface        0
>         bSlaveInterface         1 
>       Country Selection:
>         iCountryCodeRelDate        4 04052004
>         wCountryCode          0x4803

No excuse for crashing of course, but that's one of the sickets
descriptor sets I've seen today. Who got the bright idea to put the
communication class functional descriptors on the data class interfaces?
And what's with the second data interface?  How is the host supposed to
make any use of that when both(!) the CDC Union descriptors refer to
interface 0 and 1 only?  Not that we can use those union descriptors for
much anyway since we have to guess the relationship between control and
data interface before we can get to it...

So I'm not surprised that this is unexpected by the driver.  We just
need to figure out how to ignore the noise and carry on.

But looking at the driver, it looks like that is exactly what it should
do.  This device has the  NO_UNION_NORMAL quirk so normal probing is
skipped and we will just use interfaces 0 and 1.  Which is the only sane
thing to do given the above mess...

Don't understand how it could crash.



Bjørn

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Bjørn Mork]

Wim Osterholt <wim@djo.tudelft.nl> writes:

> On Mon, Nov 21, 2016 at 02:19:32PM +0100, Oliver Neukum wrote:
>
>> I don't understand it, bit please test the attached patch
>> with dynamic debugging for cdc-acm and the kernel log level
>> at maximum.
>
>> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
>> index 6895f9e..f03b5db 100644
>> --- a/drivers/usb/class/cdc-acm.c
>> +++ b/drivers/usb/class/cdc-acm.c
>> @@ -1188,6 +1188,12 @@ static int acm_probe(struct usb_interface *intf,
>>  
>>  	cdc_parse_cdc_header(&h, intf, buffer, buflen);
>>  	union_header = h.usb_cdc_union_desc;
>> +
>> +	dev_dbg(&intf->dev, "Parsed device header\n");
>> +	dev_dbg(&intf->dev, "Union descriptor %p\n", h.usb_cdc_union_desc);
>> +	dev_dbg(&intf->dev, "ACM descriptor %p\n", h.usb_cdc_acm_descriptor);
>> +	dev_dbg(&intf->dev, "Country descriptor %p\n", h.usb_cdc_country_functional_desc);
>> +
>>  	cmgmd = h.usb_cdc_call_mgmt_descriptor;
>>  	if (cmgmd)
>>  		call_intf_num = cmgmd->bDataInterface;
>
>
> On kernel 4.8.8  this crashes hard and produces over a serial link:

Huh?  That device shouldn't ever enter that code path AFAICS.
Unless.... you wouldn't happen to add a dynamic entry for this device,
would you?  What's the output of

 cat /sys/bus/usb/drivers/cdc_acm/new_id

?

We should probably survive it, but I think the current acm_probe() is
going to barf hard on the last data interface, if probed without the
default NO_UNION_NORMAL quirk.  cdc_parse_cdc_header() will happily
parse all the functional descriptors, including the union pointing to
interfaces 0 and 1.  I might be missing it, but I cannot see any sanity
check verifying that the currently probed interface is actually part of
the set of interfaces pointed to by the union.  There is a sanity check
for the availability of the data interface, but there is none for the
control interface (the assumption of course that that's the interface
we're probing).

I think we need a bit more sanity checking of the union.  This is likely
a generic problem for any CDC driver, so it is worth considering adding
a shared function for that.

And all this fails to explain anything if you didn't add the device
dynamically, of course...



Bjørn

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Tue, Nov 22, 2016 at 06:50:28PM +0100, Bjørn Mork wrote:
> >         iCountryCodeRelDate        4 04052004
> >         wCountryCode          0x4803
> 
> No excuse for crashing of course, but that's one of the sickets
> descriptor sets I've seen today. Who got the bright idea to put the
> communication class functional descriptors on the data class interfaces?

Whell, the chinese of coarse. It's all chinese to me. But maybe they made 
this time an exact copy of their example from Conexant. Not that they are
that careful usually.

>...
> Don't understand how it could crash.

The oops does normally not immediately lead to a crash. Only with debugging
on it will halt immediately and the log will tell you that a reboot will
be necessairy. 

Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

On Tue, Nov 22, 2016 at 07:08:30PM +0100, Bjørn Mork wrote:
> > On kernel 4.8.8  this crashes hard and produces over a serial link:
> 
> Huh?  That device shouldn't ever enter that code path AFAICS.
> Unless.... you wouldn't happen to add a dynamic entry for this device,

No idea of what you mean here.

> would you?  What's the output of
> 
>  cat /sys/bus/usb/drivers/cdc_acm/new_id

Just empty.

Wim.

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Bjørn Mork]

On November 23, 2016 1:54:57 AM CET, Wim Osterholt <wim@djo.tudelft.nl> wrote:
>On Tue, Nov 22, 2016 at 07:08:30PM +0100, Bjørn Mork wrote:
>> > On kernel 4.8.8  this crashes hard and produces over a serial link:
>> 
>> Huh?  That device shouldn't ever enter that code path AFAICS.
>> Unless.... you wouldn't happen to add a dynamic entry for this
>device,
>
>No idea of what you mean here.
>
>> would you?  What's the output of
>> 
>>  cat /sys/bus/usb/drivers/cdc_acm/new_id
>
>Just empty.

Shit. Back to not understanding how you could possibly enter the debugging code at all.

Bjørn

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Alan Stern]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: TEXT/PLAIN; charset=UTF-8, Size: 902 bytes --]

On Wed, 23 Nov 2016, [ISO-8859-1] Bjørn Mork wrote:

> On November 23, 2016 1:54:57 AM CET, Wim Osterholt <wim@djo.tudelft.nl> wrote:
> >On Tue, Nov 22, 2016 at 07:08:30PM +0100, Bjørn Mork wrote:
> >> > On kernel 4.8.8  this crashes hard and produces over a serial link:
> >> 
> >> Huh?  That device shouldn't ever enter that code path AFAICS.
> >> Unless.... you wouldn't happen to add a dynamic entry for this
> >device,
> >
> >No idea of what you mean here.
> >
> >> would you?  What's the output of
> >> 
> >>  cat /sys/bus/usb/drivers/cdc_acm/new_id
> >
> >Just empty.
> 
> Shit. Back to not understanding how you could possibly enter the debugging code at all.

You're in the lucky position of having an engaged and responsive bug
reporter who is willing to apply patches and run tests.  Just write a
simple diagnostic patch that will reveal exactly what pathway is being
followed.

Alan Stern