Bug 503964

Summary: kernel oops in usb_kill_urb() with 2.6.29.4-167.fc11.x86_64
Product: [Fedora] Fedora Reporter: Peter Robinson <pbrobinson>
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: gresko, itamar, kernel-maint, rh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-28 12:48:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Peter Robinson 2009-06-03 15:11:10 UTC 
I'm not sure if this was because I pulled my USB 3G stick (with micro SD card too) or whether it was me turning on the wireless kill switch at the same time so the pcie wlan and usb bluetooth suddently turned up.

Kernel is the current 2.6.29.4-167.fc11.x86_64

Hardware is the pretty common Dell Latitude D630c

iwlagn: Radio Frequency Kill Switch is On:
Kill switch must be turned off for wireless networking to work.
usb 3-2: USB disconnect, address 2
btusb_intr_complete: hci0 urb ffff88011202d240 failed to resubmit (19)
btusb_bulk_complete: hci0 urb ffff88011202d3c0 failed to resubmit (19)
btusb_bulk_complete: hci0 urb ffff88011202d300 failed to resubmit (19)
btusb_send_frame: hci0 urb ffff8800dc1b4780 submission failed
wlan0: No ProbeResp from current AP 00:18:74:c6:b0:92 - assume out of range
iwlagn: Error sending REPLY_ADD_STA: enqueue_hcmd failed: -5
mac80211-phy0: failed to remove key (0, 00:18:74:c6:b0:92) from hardware (-5)
wlan0: deauthenticating by local choice (reason=3)
iwlagn: MAC is in deep sleep!
iwlagn: MAC is in deep sleep!
iwlagn: MAC is in deep sleep!
tg3: eth2: Link is up at 1000 Mbps, full duplex.
tg3: eth2: Flow control is on for TX and on for RX.
usb 1-3.4: USB disconnect, address 7
option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
option 1-3.4:1.0: device disconnected
option1 ttyUSB1: GSM modem (1-port) converter now disconnected from ttyUSB1
option 1-3.4:1.1: device disconnected
BUG: unable to handle kernel paging request at 0000000000c54d38
IP: [<ffffffff812a06b6>] usb_kill_urb+0x32/0xd1
PGD 10f480067 PUD 10f481067 PMD 10a5ab067 PTE 0
Oops: 0000 [#1] SMP 
last sysfs file: /sys/devices/pci0000:00/0000:00:1a.7/usb1/idVendor
CPU 1 
Modules linked in: ppp_deflate zlib_deflate ppp_async crc_ccitt ppp_generic slhc option usbserial usb_storage rfcomm ipt_MASQUERADE iptable_nat nf_nat bridge stp llc bnep sco l2cap coretemp hwmon ip6t_REJECT nf_conntrack_ipv6 ip6table_filter ip6_tables ipv6 cpufreq_ondemand acpi_cpufreq freq_table fuse dm_multipath kvm_intel kvm uinput snd_hda_codec_idt arc4 ecb snd_hda_intel snd_hda_codec snd_hwdep firewire_ohci snd_pcm iwlagn snd_timer iwlcore lib80211 yenta_socket rsrc_nonstatic firewire_core crc_itu_t snd mac80211 soundcore cfg80211 snd_page_alloc tg3 iTCO_wdt iTCO_vendor_support i2c_i801 btusb bluetooth ppdev parport_pc joydev pcspkr wmi video output parport dell_laptop dcdbas ata_generic pata_acpi nouveau drm i2c_algo_bit i2c_core [last unloaded: microcode]
Pid: 1836, comm: NetworkManager Not tainted 2.6.29.4-167.fc11.x86_64 #1 Latitude D630                   
RIP: 0010:[<ffffffff812a06b6>]  [<ffffffff812a06b6>] usb_kill_urb+0x32/0xd1
RSP: 0018:ffff8801175bdce8  EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000c54cf0 RCX: 0000000000000000
RDX: 0000000100000000 RSI: 0000000000000232 RDI: ffffffff81515e5a
RBP: ffff8801175bdd28 R08: 0000000000000000 R09: 0000000000000009
R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000000008
R13: ffff8800dc124000 R14: ffff8800cf921600 R15: ffff8800cf921728
FS:  00007f1abde1e740(0000) GS:ffff88011ecd4080(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000c54d38 CR3: 000000010f4d7000 CR4: 00000000000026e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process NetworkManager (pid: 1836, threadinfo ffff8801175bc000, task ffff88010f9c4500)
Stack:
 000000000000005c 0000000000000246 ffff8800cf921728 ffff8800cf9216c0
 ffff8801175bdd28 ffffffff813aa7eb ffff880080904c00 0000000000000008
 ffff8801175bdd68 ffffffffa03d475c ffff880080904c90 ffff880080904c00
Call Trace:
 [<ffffffff813aa7eb>] ? mutex_lock+0x27/0x38
 [<ffffffffa03d475c>] option_close+0xa0/0xd4 [option]
 [<ffffffffa03caccf>] serial_close+0x9d/0x156 [usbserial]
 [<ffffffff8122c2a6>] tty_release_dev+0x198/0x49a
 [<ffffffff811842bd>] ? inode_has_perm+0x64/0x66
 [<ffffffff81301f93>] ? fput_light+0x12/0x14
 [<ffffffff813031e6>] ? sys_sendto+0xef/0x105
 [<ffffffff8122c5c6>] tty_release+0x1e/0x29
 [<ffffffff810d61c4>] __fput+0xf9/0x1a0
 [<ffffffff810d6285>] fput+0x1a/0x1c
 [<ffffffff810d35c5>] filp_close+0x68/0x72
 [<ffffffff810d367b>] sys_close+0xac/0xea
 [<ffffffff8101133a>] system_call_fastpath+0x16/0x1b
Code: 48 83 ec 30 0f 1f 44 00 00 be 32 02 00 00 48 89 fb 48 c7 c7 5a 5e 51 81 e8 5c f7 d9 ff e8 78 99 10 00 48 85 db 0f 84 96 00 00 00 <48> 83 7b 48 00 0f 84 8b 00 00 00 48 83 7b 50 00 0f 84 80 00 00 
RIP  [<ffffffff812a06b6>] usb_kill_urb+0x32/0xd1
 RSP <ffff8801175bdce8>
CR2: 0000000000c54d38
---[ end trace 8b8179cd322494e0 ]---
usb 3-2: new full speed USB device using uhci_hcd and address 3
usb 3-2: New USB device found, idVendor=413c, idProduct=8140
usb 3-2: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 3-2: configuration #1 chosen from 1 choice
Comment 1 Chuck Ebbert 2009-06-05 01:01:48 UTC 
drivers/usb/core/urb.c:563

void usb_kill_urb(struct urb *urb)
{
        might_sleep();
===>    if (!(urb && urb->dev && urb->ep))
                return;
        atomic_inc(&urb->reject);

        usb_hcd_unlink_urb(urb, -ENOENT);
        wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0);

        atomic_dec(&urb->reject);
}

urb == c54cf0
Comment 2 Bug Zapper 2009-06-09 17:02:38 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Marek Greško 2009-06-25 13:07:43 UTC 
I am suspecting this patch is relted to this issue.

http://osdir.com/ml/linux-kernel/2009-06/msg04235.html
Comment 4 Chuck Ebbert 2009-06-29 20:14:40 UTC 
That patch is in the latest update, 2.6.29.5-191
Comment 5 Peter Robinson 2009-06-29 20:20:22 UTC 
Wicked! you rock. I'll be testing it tomorrow when I reboot :-)
Comment 6 Marek Greško 2009-07-04 22:24:58 UTC 
Either I was wrong or there is another similar issue:


Jul  4 23:50:18 marek kernel: hub 2-0:1.0: port 5 disabled by hub (EMI?), re-enabling...
Jul  4 23:50:18 marek kernel: usb 2-5: USB disconnect, address 6
Jul  4 23:50:18 marek kernel: option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
Jul  4 23:50:18 marek kernel: option 2-5:1.0: device disconnected
Jul  4 23:50:18 marek kernel: option1 ttyUSB1: GSM modem (1-port) converter now disconnected from ttyUSB1
Jul  4 23:50:18 marek kernel: option 2-5:1.1: device disconnected
Jul  4 23:50:18 marek pppd[3451]: Hangup (SIGHUP)
Jul  4 23:50:18 marek pppd[3451]: Modem hangup
Jul  4 23:50:18 marek pppd[3451]: Connect time 703.4 minutes.
Jul  4 23:50:18 marek pppd[3451]: Sent 6491688 bytes, received 22586746 bytes.
Jul  4 23:50:18 marek pppd[3451]: Connection terminated.
Jul  4 23:50:18 marek NetworkManager: <info>  (ttyUSB0): now unmanaged
Jul  4 23:50:18 marek NetworkManager: <info>  (ttyUSB0): device state change: 3 -> 1
Jul  4 23:50:18 marek NetworkManager: <info>  (ttyUSB0): cleaning up...
Jul  4 23:50:18 marek NetworkManager: <info>  (ttyUSB0): taking down device.
Jul  4 23:50:18 marek kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000047
Jul  4 23:50:18 marek kernel: IP: [<ffffffff812a07e2>] usb_kill_urb+0x32/0xd1
Jul  4 23:50:18 marek kernel: PGD 0 
Jul  4 23:50:18 marek kernel: Oops: 0000 [#1] SMP 
Jul  4 23:50:18 marek kernel: last sysfs file: /sys/devices/pci0000:00/0000:00:0a.0/usb2/idVendor
Jul  4 23:50:18 marek kernel: CPU 0 
Jul  4 23:50:18 marek kernel: Modules linked in: ppp_async crc_ccitt ppp_generic slhc option usbserial usb_storage hwmon_vid ip6table_mangle ip6table_filter ip6_tables nf_conntrack_ipv6 ipv6 xt_DSCP xt_MARK xt_CONNMARK ipt_MASQUERADE xt_policy iptable_mangle iptable_nat nf_nat_tftp nf_nat_snmp_basic nf_nat_pptp nf_nat_proto_gre nf_nat_amanda nf_nat_irc nf_nat_h323 nf_nat_sip nf_nat_ftp nf_nat nf_conntrack_tftp nf_conntrack_proto_sctp nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_netlink nfnetlink nf_conntrack_netbios_ns ts_kmp nf_conntrack_amanda nf_conntrack_irc nf_conntrack_h323 nf_conntrack_sip nf_conntrack_ftp cpufreq_ondemand powernow_k8 freq_table dm_multipath uinput tvaudio tda7432 msp3400 tuner_simple tuner_types tuner snd_hda_codec_analog bttv ir_common snd_hda_intel i2c_algo_bit snd_hda_codec ppdev v4l2_common videodev v4l1_compat arc4 v4l2_compat_ioctl32 snd_hwdep snd_pcm ecb snd_timer videobuf_dma_sg nvidia(P) firewire_ohci snd videobuf_core btcx_risc firewire_core pcspkr soundcore tveeprom 
Jul  4 23:50:18 marek kernel: serio_raw rtl8187 forcedeth snd_page_alloc sata_sil24 crc_itu_t k8temp mac80211 parport_pc eeprom_93cx6 parport asus_atk0110 hwmon i2c_nforce2 cfg80211 pata_amd i2c_core ata_generic pata_acpi sata_nv raid1 [last unloaded: scsi_wait_scan]
Jul  4 23:50:18 marek kernel: Pid: 3451, comm: pppd Tainted: P           2.6.29.5-191.fc11.x86_64 #1 System Product Name
Jul  4 23:50:18 marek kernel: RIP: 0010:[<ffffffff812a07e2>]  [<ffffffff812a07e2>] usb_kill_urb+0x32/0xd1
Jul  4 23:50:18 marek kernel: RSP: 0018:ffff88004adc9ce8  EFLAGS: 00010286
Jul  4 23:50:18 marek kernel: RAX: 0000000000000000 RBX: ffffffffffffffff RCX: 0000000000000000
Jul  4 23:50:18 marek kernel: RDX: 0000000100000000 RSI: 0000000000000232 RDI: ffffffff81515dd7
Jul  4 23:50:18 marek kernel: RBP: ffff88004adc9d28 R08: 0000000000000000 R09: 0000000000000008
Jul  4 23:50:18 marek kernel: R10: 00007fffc54cc270 R11: 0000000000000246 R12: 0000000000000008
Jul  4 23:50:18 marek kernel: R13: ffff88005a528800 R14: ffff880055b04600 R15: ffff880055b04728
Jul  4 23:50:18 marek kernel: FS:  00007f34ae2c36f0(0000) GS:ffffffff817b7000(0000) knlGS:0000000000000000
Jul  4 23:50:18 marek kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul  4 23:50:18 marek kernel: CR2: 0000000000000047 CR3: 000000004adcb000 CR4: 00000000000006e0
Jul  4 23:50:18 marek kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jul  4 23:50:18 marek kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jul  4 23:50:18 marek kernel: Process pppd (pid: 3451, threadinfo ffff88004adc8000, task ffff880059065c00)
Jul  4 23:50:18 marek kernel: Stack:
Jul  4 23:50:18 marek kernel: ffff88004adc9d18 0000000000000246 ffff880055b04728 ffff880055b046c0
Jul  4 23:50:18 marek kernel: ffff88004adc9d28 ffffffff813aaa13 ffff8800548ab400 0000000000000008
Jul  4 23:50:18 marek kernel: ffff88004adc9d68 ffffffffa0d35773 ffff8800548ab490 ffff8800548ab400
Jul  4 23:50:18 marek kernel: Call Trace:
Jul  4 23:50:18 marek kernel: [<ffffffff813aaa13>] ? mutex_lock+0x27/0x38
Jul  4 23:50:18 marek kernel: [<ffffffffa0d35773>] option_close+0xb7/0xd4 [option]
Jul  4 23:50:18 marek kernel: [<ffffffffa0d2bcd4>] serial_close+0x9d/0x156 [usbserial]
Jul  4 23:50:18 marek kernel: [<ffffffff8122c3d2>] tty_release_dev+0x198/0x49a
Jul  4 23:50:18 marek kernel: [<ffffffff8122c6f2>] tty_release+0x1e/0x29
Jul  4 23:50:18 marek kernel: [<ffffffff810d608c>] __fput+0xf9/0x1a0
Jul  4 23:50:18 marek kernel: [<ffffffff810d614d>] fput+0x1a/0x1c
Jul  4 23:50:18 marek kernel: [<ffffffff810d348d>] filp_close+0x68/0x72
Jul  4 23:50:18 marek kernel: [<ffffffff810d3543>] sys_close+0xac/0xea
Jul  4 23:50:18 marek kernel: [<ffffffff8101133a>] system_call_fastpath+0x16/0x1b
Jul  4 23:50:18 marek kernel: Code: 48 83 ec 30 0f 1f 44 00 00 be 32 02 00 00 48 89 fb 48 c7 c7 d7 5d 51 81 e8 b0 f4 d9 ff e8 74 9a 10 00 48 85 db 0f 84 96 00 00 00 <48> 83 7b 48 00 0f 84 8b 00 00 00 48 83 7b 50 00 0f 84 80 00 00 
Jul  4 23:50:18 marek kernel: RIP  [<ffffffff812a07e2>] usb_kill_urb+0x32/0xd1
Jul  4 23:50:18 marek kernel: RSP <ffff88004adc9ce8>
Jul  4 23:50:18 marek kernel: CR2: 0000000000000047
Jul  4 23:50:18 marek kernel: ---[ end trace 1abf4e2c5bcc6383 ]---


Latest working kernel for me was kernel-2.6.27.21-170.2.56.fc10.x86_64. Updating to 2.6.27.24 broke things. After upgrading to Fedora 11 I additionally get hard lockups but I cannot confirm it is related to USB 3G modem since no logs in that situation. Without modem I did not get any lockup until now but I mostly use the modem, so it could be an occurence. I get lockups slightly more frequently than these kernel dumps.
Comment 7 Marek Greško 2009-07-06 06:07:00 UTC 
I can confirm hard lockup when plugging out connected USB 3G modem. Other spontaneous lockup are probably in situations when modem unplugs and replugs itself (probably some reboots caused by firmware).
Comment 8 Marek Greško 2009-07-27 19:00:52 UTC 
I am observing these issues also with recent kernel-2.6.29.6-213.fc11.x86_64. Although I observe them less frequently.
Comment 9 Marek Greško 2009-08-05 18:01:00 UTC 
I confirm this bug persists in kernel-2.6.29.6-217.2.3.fc11.x86_64. It could be easily triggered by unplugging the connected USB 3G modem.
Comment 10 Bug Zapper 2010-04-27 14:38:32 UTC 
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 11 Bug Zapper 2010-06-28 12:48:07 UTC 
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.