2.6.3: Crash when trying to load usbnet

From: Daniel Egger
Date: Sat Feb 21 2004 - 11:56:15 EST

Hija,

I just observed the following two problems with USB:

1. /proc/bus/usb/devices will block after the output of all
available USB devices. Further tries to access it will block
immediately.[1]
2. When trying to inset the usbnet driver for a cdcnet cable modem
using modprobe, modprobe will segfault and the driver causes an
kernel oops.[2]

[1] Output was:
egger@alex:/proc/bus/usb$ cat devices

T: Bus=04 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=12 MxCh= 2
B: Alloc= 0/900 us ( 0%), #Int= 0, #Iso= 0
D: Ver= 1.10 Cls=09(hub ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
P: Vendor=0000 ProdID=0000 Rev= 2.06
S: Manufacturer=Linux 2.6.3 uhci_hcd
S: Product=UHCI Host Controller
S: SerialNumber=0000:00:10.2
C:* #Ifs= 1 Cfg#= 1 Atr=40 MxPwr= 0mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub
E: Ad=81(I) Atr=03(Int.) MxPS= 2 Ivl=255ms

T: Bus=03 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=12 MxCh= 2
B: Alloc= 0/900 us ( 0%), #Int= 0, #Iso= 0
D: Ver= 1.10 Cls=09(hub ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
P: Vendor=0000 ProdID=0000 Rev= 2.06
S: Manufacturer=Linux 2.6.3 uhci_hcd
S: Product=UHCI Host Controller
S: SerialNumber=0000:00:10.1
C:* #Ifs= 1 Cfg#= 1 Atr=40 MxPwr= 0mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub
E: Ad=81(I) Atr=03(Int.) MxPS= 2 Ivl=255ms

T: Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=12 MxCh= 2
B: Alloc=236/900 us (26%), #Int= 2, #Iso= 0
D: Ver= 1.10 Cls=09(hub ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
P: Vendor=0000 ProdID=0000 Rev= 2.06
S: Manufacturer=Linux 2.6.3 uhci_hcd
S: Product=UHCI Host Controller
S: SerialNumber=0000:00:10.0
C:* #Ifs= 1 Cfg#= 1 Atr=40 MxPwr= 0mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub
E: Ad=81(I) Atr=03(Int.) MxPS= 2 Ivl=255ms

T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=1.5 MxCh= 0
D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
P: Vendor=046d ProdID=c308 Rev=12.10
S: Manufacturer=Logitech
S: Product=Logitech USB Keyboard
C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr= 80mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=01 Prot=01 Driver=hid
E: Ad=81(I) Atr=03(Int.) MxPS= 8 Ivl=10ms
I: If#= 1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=hid
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms

T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=02(comm.) Sub=00 Prot=00 MxPS=32 #Cfgs= 1
P: Vendor=077b ProdID=08b7 Rev= 1.01
S: Manufacturer=The Linksys Group, Inc.
S: Product=USB Cable Modem
C:* #Ifs= 2 Cfg#= 1 Atr=c0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=(none)
E: Ad=85(I) Atr=03(Int.) MxPS= 8 Ivl=64ms
I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=(none)
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=(none)
E: Ad=81(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms

T: Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=480 MxCh= 6
B: Alloc= 0/800 us ( 0%), #Int= 0, #Iso= 0
D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=01 MxPS= 8 #Cfgs= 1
P: Vendor=0000 ProdID=0000 Rev= 2.06
S: Manufacturer=Linux 2.6.3 ehci_hcd
S: Product=EHCI Host Controller
S: SerialNumber=0000:00:10.3
C:* #Ifs= 1 Cfg#= 1 Atr=40 MxPwr= 0mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub
E: Ad=81(I) Atr=03(Int.) MxPS= 2 Ivl=256ms

[2] The decoded kernel OOPS and additional info is as follows, please
note that I've replugged the modem into a different port because I
wanted to check whether this is possibly a USB 2.0 device and I
connected to a USB 1.0 port in the first place (which to observe I
used the devices output for).

usb 2-2: USB disconnect, address 3
usb 3-1: new full speed USB device using address 2
drivers/usb/core/message.c: string descriptor 0 too short
slab error in cache_free_debugcheck(): cache `size-1024': double free, or memory outside object was overwritten
Call Trace:
[<c0158b99>] kfree+0x2e9/0x410
[<e1923f5e>] usbnet_probe+0x3ee/0x4d0 [usbnet]
[<e1923f5e>] usbnet_probe+0x3ee/0x4d0 [usbnet]
[<c02d42fb>] usb_probe_interface+0x5b/0x70
[<c028387d>] bus_match+0x3d/0x70
[<c02839aa>] driver_attach+0x5a/0x90
[<c0283ca1>] bus_add_driver+0xa1/0xc0
[<c0284168>] driver_register+0x88/0x90
[<c02d43d5>] usb_register+0x45/0xa0
[<c0265fc3>] get_random_bytes+0x43/0x50
[<e1837038>] usbnet_init+0x38/0x3a [usbnet]
[<c014923b>] sys_init_module+0x1eb/0x3c0
[<c010a14f>] syscall_call+0x7/0xb

c512f008: redzone 1: 0x0, redzone 2: 0xd0012.
------------[ cut here ]------------
kernel BUG at mm/slab.c:1696!
invalid operand: 0000 [#1]
CPU: 0
EIP: 0060:[<c0158b30>] Not tainted
EFLAGS: 00010002
EIP is at kfree+0x280/0x410
eax: c512f000 ebx: 80010c00 ecx: 00001000 edx: 00000008
esi: dffef980 edi: c512f000 ebp: ce8b7e78 esp: ce8b7e48
ds: 007b es: 007b ss: 0068
Process modprobe (pid: 4304, threadinfo=ce8b6000 task=d04f2960)
Stack: dffef980 c512f008 00000000 000d0012 0512f008 e1923f5e c512f008 dffe6f78
00000286 d2833df8 ffffffea c512fc06 ce8b7eb8 e1923f5e c512fc00 d8a47ef8
00000006 c79aaf38 000041ed cff21bf8 cff21cdc ffffffea e1924200 c2235f18
Call Trace:
[<e1923f5e>] usbnet_probe+0x3ee/0x4d0 [usbnet]
[<e1923f5e>] usbnet_probe+0x3ee/0x4d0 [usbnet]
[<c02d42fb>] usb_probe_interface+0x5b/0x70
[<c028387d>] bus_match+0x3d/0x70
[<c02839aa>] driver_attach+0x5a/0x90
[<c0283ca1>] bus_add_driver+0xa1/0xc0
[<c0284168>] driver_register+0x88/0x90
[<c02d43d5>] usb_register+0x45/0xa0
[<c0265fc3>] get_random_bytes+0x43/0x50
[<e1837038>] usbnet_init+0x38/0x3a [usbnet]
[<c014923b>] sys_init_module+0x1eb/0x3c0
[<c010a14f>] syscall_call+0x7/0xb

Code: 0f 0b a0 06 c3 a5 41 c0 e9 e2 fe ff ff 0f 0b 9f 06 c3 a5 41

--
Servus,
Daniel

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil