lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090825221918.4de9e30f@neptune.home>
Date:	Tue, 25 Aug 2009 22:19:18 +0200
From:	Bruno Prémont <bonbons@...ux-vserver.org>
To:	Alan Stern <stern@...land.harvard.edu>
Cc:	Alan Cox <alan@...rguk.ukuu.org.uk>, Greg KH <greg@...ah.com>,
	Kernel development list <linux-kernel@...r.kernel.org>,
	USB list <linux-usb@...r.kernel.org>,
	"Rafael J. Wysocki" <rjw@...k.pl>
Subject: Re: 2.6.31-rc5 regression: Oops when USB Serial disconnected while
 in use

On Mon, 24 August 2009 Alan Stern <stern@...land.harvard.edu> wrote:
> Apparently the tty isn't getting removed from the driver the way it
> should when minicom closes it the first time.  And no wonder -- I just
> realized that my new serial_shutdown() routine doesn't call
> tty_shutdown(tty).  Try inserting such a call right before
> tty->driver_data gets set to NULL.

Done that, it brings us to n_tty_set_termios() this time:

[  107.990039] usb 2-2: new full speed USB device using uhci_hcd and address 2
[  108.208982] usb 2-2: New USB device found, idVendor=9e88, idProduct=9e8f
[  108.208992] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  108.209000] usb 2-2: Product: SheevaPlug JTAGKey FT2232D B
[  108.209007] usb 2-2: Manufacturer: FTDI
[  108.209013] usb 2-2: SerialNumber: FTS55QK6
[  108.209243] usb 2-2: configuration #1 chosen from 1 choice
[  108.323938] usbcore: registered new interface driver usbserial
[  108.323943] usbserial: USB Serial Driver core
[  108.357581] USB Serial support registered for FTDI USB Serial Device
[  108.357819] usb 2-2: Ignoring serial port reserved for JTAG
[  108.357924] ftdi_sio 2-2:1.1: FTDI USB Serial Device converter detected
[  108.357990] usb 2-2: Detected FT2232C
[  108.357996] usb 2-2: Number of endpoints 2
[  108.358003] usb 2-2: Endpoint 1 MaxPacketSize 64
[  108.358009] usb 2-2: Endpoint 2 MaxPacketSize 64
[  108.358015] usb 2-2: Setting MaxPacketSize 64
[  108.360175] usb 2-2: FTDI USB Serial Device converter now attached to ttyUSB0
[  108.360216] usbcore: registered new interface driver ftdi_sio
[  108.360223] ftdi_sio: v1.5.0:USB FTDI Serial Converters Driver
[  200.248102] BUG: unable to handle kernel NULL pointer dereference at 0000000c
[  200.248257] IP: [<c115ff36>] n_tty_set_termios+0x1a6/0x410
[  200.248369] *pde = 00000000 
[  200.248429] Oops: 0000 [#1] 
[  200.248489] last sysfs file: /sys/devices/virtual/hwmon/hwmon0/temp1_input
[  200.248607] Modules linked in: ftdi_sio usbserial squashfs zlib_inflate nfs lockd nfs_acl sunrpc 8021q snd_pcm_oss snd_mixer_oss xfs exportfs loop usb_storage snd_intel8x0 snd_ac97_codec nsc_ircc ac97_bus irda snd_pcm pcspkr i2c_i801 snd_timer uhci_hcd ehci_hcd snd snd_page_alloc crc_ccitt usbcore
[  200.249280] 
[  200.249317] Pid: 2155, comm: minicom Tainted: G   M       (2.6.31-rc6-gregkh #2) TravelMate 660
[  200.249466] EIP: 0060:[<c115ff36>] EFLAGS: 00010246 CPU: 0
[  200.249563] EIP is at n_tty_set_termios+0x1a6/0x410
[  200.249649] EAX: 00000000 EBX: dbdd9000 ECX: 00000000 EDX: 00000000
[  200.249757] ESI: 00000000 EDI: 00000000 EBP: dd2dade8 ESP: dd2dadd8
[  200.249866]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  200.249962] Process minicom (pid: 2155, ti=dd2da000 task=dd91b500 task.ti=dd2da000)
[  200.250090] Stack:
[  200.250129]  c11616ab dbdd9000 dbdd9000 00000000 dd2dadf4 c11617db dbaf20e8 dd2dae04
[  200.250312] <0> c1164280 dbdd9000 dbdd9000 dd2dae20 c1164432 dbaf20e8 dbdd9000 dbdd9000
[  200.250514] <0> db953a80 dbdd9000 dd2dae44 c115f5b9 dd2dae7c dd2daef4 00000000 00000000
[  200.250722] Call Trace:
[  200.250773]  [<c11616ab>] ? reset_buffer_flags+0xab/0xe0
[  200.250870]  [<c11617db>] ? n_tty_open+0x3b/0x90
[  200.250954]  [<c1164280>] ? tty_ldisc_open+0x30/0x50
[  200.251044]  [<c1164432>] ? tty_ldisc_setup+0x22/0x70
[  200.251135]  [<c115f5b9>] ? tty_init_dev+0x89/0x160
[  200.251223]  [<c115f9fc>] ? tty_open+0x36c/0x4b0
[  200.251310]  [<c1077246>] ? chrdev_open+0x96/0x140
[  200.251400]  [<c1072fdf>] ? __dentry_open+0x9f/0x250
[  200.251490]  [<c1073279>] ? nameidata_to_filp+0x59/0x70
[  200.251584]  [<c10771b0>] ? chrdev_open+0x0/0x140
[  200.251672]  [<c107f569>] ? do_filp_open+0x269/0x890
[  200.251762]  [<c1038c5c>] ? ktime_get_ts+0x4c/0x50
[  200.251852]  [<c1072da7>] ? do_sys_open+0x57/0x140
[  200.251943]  [<c1026d55>] ? alarm_setitimer+0x35/0x70
[  200.252035]  [<c1072ef9>] ? sys_open+0x29/0x40
[  200.252116]  [<c1002e08>] ? sysenter_do_call+0x12/0x26
[  200.252205] Code: 31 c0 f3 ab 0f b6 93 2c 01 00 00 31 f6 8b 83 60 01 00 00 8b 7b 30 89 b3 74 03 00 00 80 e2 fd 89 83 78 03 00 00 88 93 2c 01 00 00 <8b> 47 0c 83 e0 02 0f 85 8a fe ff ff 8b 8b 64 01 00 00 85 c9 0f 
[  200.252995] EIP: [<c115ff36>] n_tty_set_termios+0x1a6/0x410 SS:ESP 0068:dd2dadd8
[  200.253134] CR2: 000000000000000c
[  200.253225] ---[ end trace f4b79a25ac2c3be9 ]---

My actions:
  plug-in ftdi
  run minicom
  exit minicom
  run minicom -> bang

Bang at:
/tmp/linux-2.6.31-rc6-gregkh/drivers/char/n_tty.c:1456

1449:	if (canon_change) {
1450:		memset(&tty->read_flags, 0, sizeof tty->read_flags);
1451:		tty->canon_head = tty->read_tail;
1452:		tty->canon_data = 0;
1453:		tty->erasing = 0;
1454:	}
1455:
1456:	if (canon_change && !L_ICANON(tty) && tty->read_cnt)
1457:		wake_up_interruptible(&tty->read_wait);

Not sure which part of the if() it is that explodes, I would guess
it's !L_ICANON(tty):

	#define ICANON      0000002
	#define _L_FLAG(tty, f) ((tty)->termios->c_lflag & (f))
	#define L_ICANON(tty)  _L_FLAG((tty), ICANON)
=>
	if (canon_change && !((tty)->termios->c_lflag & (ICANON)) && tty->read_cnt)
=>
	tty->termios is probably NULL


Anyhow, here is the matching extract of objdump for n_tty.o:
/tmp/linux-2.6.31-rc6-gregkh/drivers/char/n_tty.c:1453
     37f:       0f b6 93 2c 01 00 00    movzbl 0x12c(%ebx),%edx
/tmp/linux-2.6.31-rc6-gregkh/drivers/char/n_tty.c:1452
     386:       31 f6                   xor    %esi,%esi
/tmp/linux-2.6.31-rc6-gregkh/drivers/char/n_tty.c:1451
     388:       8b 83 60 01 00 00       mov    0x160(%ebx),%eax
/tmp/linux-2.6.31-rc6-gregkh/drivers/char/n_tty.c:1456
     38e:       8b 7b 30                mov    0x30(%ebx),%edi
/tmp/linux-2.6.31-rc6-gregkh/drivers/char/n_tty.c:1452
     391:       89 b3 74 03 00 00       mov    %esi,0x374(%ebx)
/tmp/linux-2.6.31-rc6-gregkh/drivers/char/n_tty.c:1453
     397:       80 e2 fd                and    $0xfd,%dl
/tmp/linux-2.6.31-rc6-gregkh/drivers/char/n_tty.c:1451
     39a:       89 83 78 03 00 00       mov    %eax,0x378(%ebx)
/tmp/linux-2.6.31-rc6-gregkh/drivers/char/n_tty.c:1453
     3a0:       88 93 2c 01 00 00       mov    %dl,0x12c(%ebx)
/tmp/linux-2.6.31-rc6-gregkh/drivers/char/n_tty.c:1456
>    3a6:       8b 47 0c                mov    0xc(%edi),%eax
     3a9:       83 e0 02                and    $0x2,%eax
     3ac:       0f 85 8a fe ff ff       jne    23c <n_tty_set_termios+0x3c>
     3b2:       8b 8b 64 01 00 00       mov    0x164(%ebx),%ecx
     3b8:       85 c9                   test   %ecx,%ecx
     3ba:       0f 84 7c fe ff ff       je     23c <n_tty_set_termios+0x3c>



Some further notes:
- disconnect causes the device to vanish and minicom to tell so.
  Quit minicom works without complaint. Any restart produces
  the same effect as above
- after this trace some lock remains taken that causes processes
  to stall (processes ending up in D state)
- when booting with this kernel some part of the init sequence
  never shows up on screen (e.g. everything from init's runlevel
  3 is missing and getty's prompt shows up with some delay compared
  to gettys on other VTs.


Bruno
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ