> > Hmm, gadget gets zeroed out on every gadget->whatever switch, but it > also gets reinitialized on every whatever->gadget transition. And it > really shouldn't cause a null dereference. > When gadget->host, the call sequence like below:
udc_stop -> usb_del_gadget_udc -> usb_gadget_remove_driver ->composite_unbind -> kfree(cdev); When host->gadget (just plug out MicroB-A cable), the call sequence like below: udc_start-> usb_add_gadget_udc It will only create device udc, the struct usb_composite_dev *cdev does not be reallocated again. When the device connects to host, the functions at composite.c will be called, as cdev is freed, the null dereference will occur. My oops like below (the oops occurs when bus reset occurs): Unable to handle kernel NULL pointer dereference at virtual address 0000003c pgd = 80004000 [0000003c] *pgd=00000000 Internal error: Oops: 17 [#1] SMP ARM Modules linked in: g_serial libcomposite CPU: 0 Not tainted (3.6.0-rc3+ #42) PC is at _raw_spin_lock_irqsave+0x18/0x58 LR is at composite_disconnect+0x24/0x64 [libcomposite] pc : [<804cd920>] lr : [<7f001000>] psr: a0000193 sp : 80671da0 ip : 80671db0 fp : 80671dac r10: bf8086e4 r9 : bf808680 r8 : 0000004b r7 : bf833074 r6 : bf833078 r5 : 0000003c r4 : 00000000 r3 : bf3abd80 r2 : 0000003c r1 : a0000193 r0 : a0000193 Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c53c7d Table: 4ec1004a DAC: 00000017 Process swapper/0 (pid: 0, stack limit = 0x806702f0) Stack: (0x80671da0 to 0x80672000) 1da0: 80671dcc 80671db0 7f001000 804cd914 bf833080 bf833010 bf833078 bf833074 1dc0: 80671dec 80671dd0 80366aa4 7f000fe8 bf833010 09202f20 bf833010 00000000 1de0: 80671e4c 80671df0 80367928 803669f0 daffc000 00000001 84880000 00000040 1e00: b7eec000 bf833014 00000007 ffff981d 80671e3c 80671e20 8004694c 80046460 1e20: 00000000 bf833010 09202f20 00000000 00000000 0000004b bf808680 bf8086e4 1e40: 80671e64 80671e50 80366050 80367638 bf01e100 bf8086d0 80671e9c 80671e68 1e60: 80073d48 80365ff8 20000193 80679148 81257838 bf808680 bf8086d0 8066ddbc 1e80: 0000004b 00000000 412fc09a 00000000 80671eb4 80671ea0 80073ef4 80073d00 1ea0: bf808680 bf8086d0 80671ecc 80671eb8 80076c14 80073ea0 0000004b 80679148 1ec0: 80671ee4 80671ed0 80073cd8 80076b80 80670000 80679148 80671f0c 80671ee8 1ee0: 8000f68c 80073cb4 f400010c 80678970 80671f30 f4000110 8067c978 412fc09a 1f00: 80671f2c 80671f10 800084bc 8000f644 8000f824 60000013 ffffffff 80671f64 1f20: 80671f84 80671f30 8000e7c0 80008494 00000000 00000000 0000000f 80019720 1f40: 80670000 806ae0c8 804cfd84 00000000 8067c978 412fc09a 00000000 80671f84 1f60: 80671f88 80671f78 8000f820 8000f824 60000013 ffffffff 80671fac 80671f88 1f80: 8000fd38 8000f7f8 80678fb0 806ae000 8066063c 8fffffff 1000406a 412fc09a 1fa0: 80671fbc 80671fb0 804bad04 8000fc90 80671ff4 80671fc0 80624948 804bacac 1fc0: ffffffff ffffffff 806244c4 00000000 00000000 8066063c 10c53c7d 80678948 1fe0: 8066060c 8067c96c 00000000 80671ff8 10008044 806246b8 00000000 00000000 Backtrace: [<804cd908>] (_raw_spin_lock_irqsave+0x0/0x58) from [<7f001000>] (composite_disconnect+0x24/0x64 [libcomposite]) [<7f000fdc>] (composite_disconnect+0x0/0x64 [libcomposite]) from [<80366aa4>] (_gadget_stop_activity+0xc0/0x120) r7:bf833074 r6:bf833078 r5:bf833010 r4:bf833080 [<803669e4>] (_gadget_stop_activity+0x0/0x120) from [<80367928>] (udc_irq+0x2fc/0xf90) r7:00000000 r6:bf833010 r5:09202f20 r4:bf833010 [<8036762c>] (udc_irq+0x0/0xf90) from [<80366050>] (ci_irq+0x64/0xdc) [<80365fec>] (ci_irq+0x0/0xdc) from [<80073d48>] (handle_irq_event_percpu+0x54/0x1a0) r5:bf8086d0 r4:bf01e100 [<80073cf4>] (handle_irq_event_percpu+0x0/0x1a0) from [<80073ef4>] (handle_irq_event+0x60/0x80) [<80073e94>] (handle_irq_event+0x0/0x80) from [<80076c14>] (handle_fasteoi_irq+0xa0/0x170) r5:bf8086d0 r4:bf808680 [<80076b74>] (handle_fasteoi_irq+0x0/0x170) from [<80073cd8>] (generic_handle_irq+0x30/0x38) r5:80679148 r4:0000004b [<80073ca8>] (generic_handle_irq+0x0/0x38) from [<8000f68c>] (handle_IRQ+0x54/0xb4) r5:80679148 r4:80670000 [<8000f638>] (handle_IRQ+0x0/0xb4) from [<800084bc>] (gic_handle_irq+0x34/0x68) r9:412fc09a r8:8067c978 r7:f4000110 r6:80671f30 r5:80678970 r4:f400010c [<80008488>] (gic_handle_irq+0x0/0x68) from [<8000e7c0>] (__irq_svc+0x40/0x54) Exception stack(0x80671f30 to 0x80671f78) 1f20: 00000000 00000000 0000000f 80019720 1f40: 80670000 806ae0c8 804cfd84 00000000 8067c978 412fc09a 00000000 80671f84 1f60: 80671f88 80671f78 8000f820 8000f824 60000013 ffffffff r7:80671f64 r6:ffffffff r5:60000013 r4:8000f824 [<8000f7ec>] (default_idle+0x0/0x44) from [<8000fd38>] (cpu_idle+0xb4/0xf0) [<8000fc84>] (cpu_idle+0x0/0xf0) from [<804bad04>] (rest_init+0x64/0x7c) r9:412fc09a r8:1000406a r7:8fffffff r6:8066063c r5:806ae000 r4:80678fb0 [<804baca0>] (rest_init+0x0/0x7c) from [<80624948>] (start_kernel+0x29c/0x2ec) [<806246ac>] (start_kernel+0x0/0x2ec) from [<10008044>] (0x10008044) Code: e24cb004 e1a02000 e10f0000 f10c0080 (e1921f9f) ---[ end trace 88c67be3789626f3 ]--- Kernel panic - not syncing: Fatal exception in interrupt CPU3: stopping > Are you running getty on g_serial's tty or are you just echo'ing to it? > I remember there was a problem with it assuming that there's always both > tx and rx. > > Regards, > -- > Alex -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
