+++ This bug was initially created as a clone of Bug #228231 +++

Description of problem:
Connecting a Nokia phone like the 6230i (6151 for example) triggers a BUG in slab/mm.c when the usbnet probe tries to release the device in an error path.
This is kernel.org bugzilla 7201:
http://bugzilla.kernel.org/show_bug.cgi?id=7201

Version-Release number of selected component (if applicable):
$ uname -r
2.6.18-8.EL

How reproducible:
Just connect Nokia (I have 6151 compatible with 6230i) phone to USB port through the DKU-2.

Steps to Reproduce:
1. Run tail -f /var/log/messages
2. Connect Nokia
3. Look at the error

Actual results:
$ tail -f /var/log/messages
Feb 12 01:11:29 MyComputer kernel: ohci_hcd 0000:00:02.1: auto-wakeup
Feb 12 01:11:30 MyComputer kernel: usb 2-3: new full speed USB device using ohci_hcd and address 2
Feb 12 01:11:30 MyComputer kernel: usb 2-3: configuration #1 chosen from 1 choice
Feb 12 01:11:30 MyComputer kernel: drivers/usb/class/cdc-acm.c: Ignoring extra header, type -3, length 4
Feb 12 01:11:30 MyComputer kernel: cdc_acm 2-3:1.1: ttyACM0: USB ACM device
Feb 12 01:11:30 MyComputer kernel: usbcore: registered new interface driver cdc_acm
Feb 12 01:11:30 MyComputer kernel: drivers/usb/class/cdc-acm.c: v0.25:USB Abstract Control Model driver for USB modems and ISDN adapters
Feb 12 01:11:31 MyComputer kernel: usbcore: registered new interface driver cdc_ether
Feb 12 01:11:31 MyComputer kernel: rndis_host 2-3:1.9: RNDIS init failed, -110
Feb 12 01:11:31 MyComputer kernel: usb%d: unregister 'rndis_host' usb-0000:00:02.1-3, RNDIS device
Feb 12 01:11:31 MyComputer kernel: BUGging on (!PageSlab(page))
Feb 12 01:11:31 MyComputer kernel: ------------[ cut here ]------------
Feb 12 01:11:31 MyComputer kernel: kernel BUG at mm/slab.c:594!
Feb 12 01:11:31 MyComputer kernel: invalid opcode: 0000 [#1]
Feb 12 01:11:31 MyComputer kernel: SMP
Feb 12 01:11:31 MyComputer kernel: last sysfs file: /devices/pci0000:00/0000:00:02.1/usb2/2-3/2-3:1.10/usbdev2.2_ep07/dev
Feb 12 01:11:31 MyComputer kernel: Modules linked in: rndis_host cdc_ether usbnet cdc_acm usblp autofs4 sunrpc ppp_synctty ppp_async crc_ccitt ppp_generic slhc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink iptable_filter ip_tables ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables dm_mirror dm_multipath dm_mod video sbs i2c_ec button battery asus_acpi ac ipv6 parport_pc lp parport snd_emu10k1_synth snd_emux_synth snd_seq_virmidi snd_seq_midi_emul snd_intel8x0 snd_emu10k1 snd_rawmidi snd_ac97_codec snd_ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_device snd_util_mem snd_timer snd_hwdep snd snd_page_alloc emu10k1_gp soundcore 8139too gameport nvidia(P)(U) pcspkr 8139cp i2c_nforce2 forcedeth ohci1394 mii i2c_core ieee1394 ide_cd cdrom serio_raw sata_nv libata sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
Feb 12 01:11:31 MyComputer kernel: CPU: 0
Feb 12 01:11:31 MyComputer kernel: EIP: 0060:[<c04715d4>] Tainted: P VLI
Feb 12 01:11:31 MyComputer kernel: EFLAGS: 00010092 (2.6.19-1.2895.fc6 #1)
Feb 12 01:11:31 MyComputer kernel: EIP is at kfree+0x45/0x7e
Feb 12 01:11:31 MyComputer kernel: eax: 00000020 ebx: c12d8a40 ecx: c0697ed0 edx: 00000086
Feb 12 01:11:31 MyComputer kernel: esi: 00000286 edi: d6c5258d ebp: d6c58c00 esp: db6c3da8
Feb 12 01:11:31 MyComputer kernel: ds: 007b es: 007b ss: 0068
Feb 12 01:11:31 MyComputer kernel: Process modprobe (pid: 3580, ti=db6c3000 task=cabb56d0 task.ti=db6c3000)
Feb 12 01:11:31 MyComputer udevd-event[3569]: run_program: '/sbin/modprobe' abnormal exit
Feb 12 01:11:31 MyComputer kernel: Stack: c063e591 c064ddd0 ffffff92 e0d89a55 d6c58806 e0d89261 c16a1b5c 00000000
Feb 12 01:11:31 MyComputer kernel: c0625b55 c06243c1 00000001 db6c3df8 c0420966 00000000 00000000 00000003
Feb 12 01:11:31 MyComputer kernel: 00000282 ad1ba482 de69a600 e0d49760 d6c58800 da2191a8 d9056400 e0d4a700
Feb 12 01:11:31 MyComputer kernel: Call Trace:
Feb 12 01:11:31 MyComputer kernel: [<e0d89261>] usbnet_probe+0x583/0x596 [usbnet]
Feb 12 01:11:31 MyComputer kernel: [<c0590da1>] usb_probe_interface+0x5d/0x7f
Feb 12 01:11:31 MyComputer kernel: [<c055e6f8>] really_probe+0x39/0xda
Feb 12 01:11:31 MyComputer kernel: [<c055e92f>] __driver_attach+0x73/0xab
Feb 12 01:11:31 MyComputer kernel: [<c055de08>] bus_for_each_dev+0x37/0x59
Feb 12 01:11:31 MyComputer kernel: [<c055e61b>] driver_attach+0x16/0x18
Feb 12 01:11:31 MyComputer kernel: [<c055e0d9>] bus_add_driver+0x61/0x165
Feb 12 01:11:31 MyComputer kernel: [<c059090b>] usb_register_driver+0x6f/0xd5
Feb 12 01:11:31 MyComputer kernel: [<c044302e>] sys_init_module+0x17ff/0x19aa
Feb 12 01:11:31 MyComputer kernel: [<c040404b>] syscall_call+0x7/0xb
Feb 12 01:11:31 MyComputer kernel: [<00b53402>] 0xb53402
Feb 12 01:11:31 MyComputer kernel: =======================
Feb 12 01:11:31 MyComputer kernel: Code: 05 03 1d 80 86 86 c0 8b 03 f6 c4 40 74 03 8b 5b 0c 8b 03 84 c0 78 1c c7 44 24 04 d0 dd 64 c0 c7 04 24 91 e5 63 c0 e8 fd 64 fb ff <0f> 0b 52 02 e0 dd 64 c0 89 e0 8b 4b 18 25 00 f0 ff ff 8b 40 10
Feb 12 01:11:31 MyComputer kernel: EIP: [<c04715d4>] kfree+0x45/0x7e SS:ESP 0068:db6c3da8
Feb 12 01:11:31 MyComputer kernel: <3>BUG: sleeping function called from invalid context at kernel/rwsem.c:20
Feb 12 01:11:31 MyComputer kernel: in_atomic():0, irqs_disabled():1
Feb 12 01:11:31 MyComputer kernel: [<c0405018>] dump_trace+0x69/0x1b6
Feb 12 01:11:31 MyComputer kernel: [<c040517d>] show_trace_log_lvl+0x18/0x2c
Feb 12 01:11:31 MyComputer kernel: [<c0405778>] show_trace+0xf/0x11
Feb 12 01:11:31 MyComputer kernel: [<c0405875>] dump_stack+0x15/0x17
Feb 12 01:11:31 MyComputer kernel: [<c043c402>] down_read+0x12/0x28
Feb 12 01:11:31 MyComputer kernel: [<c0433efe>] blocking_notifier_call_chain+0xe/0x29
Feb 12 01:11:31 MyComputer kernel: [<c0429f94>] do_exit+0x1b/0x787
Feb 12 01:11:31 MyComputer kernel: [<c0405719>] die+0x2c3/0x2e8
Feb 12 01:11:31 MyComputer kernel: [<c0405c5a>] do_invalid_op+0xa2/0xab
Feb 12 01:11:31 MyComputer kernel: [<c0625ce1>] error_code+0x39/0x40
Feb 12 01:11:31 MyComputer kernel: [<c04715d4>] kfree+0x45/0x7e
Feb 12 01:11:31 MyComputer kernel: [<e0d89261>] usbnet_probe+0x583/0x596 [usbnet]
Feb 12 01:11:31 MyComputer kernel: [<c0590da1>] usb_probe_interface+0x5d/0x7f
Feb 12 01:11:31 MyComputer kernel: [<c055e6f8>] really_probe+0x39/0xda
Feb 12 01:11:31 MyComputer kernel: [<c055e92f>] __driver_attach+0x73/0xab
Feb 12 01:11:31 MyComputer kernel: [<c055de08>] bus_for_each_dev+0x37/0x59
Feb 12 01:11:31 MyComputer kernel: [<c055e61b>] driver_attach+0x16/0x18
Feb 12 01:11:31 MyComputer kernel: [<c055e0d9>] bus_add_driver+0x61/0x165
Feb 12 01:11:31 MyComputer kernel: [<c059090b>] usb_register_driver+0x6f/0xd5
Feb 12 01:11:31 MyComputer kernel: [<c044302e>] sys_init_module+0x17ff/0x19aa
Feb 12 01:11:31 MyComputer kernel: [<c040404b>] syscall_call+0x7/0xb
Feb 12 01:11:31 MyComputer kernel: [<00b53402>] 0xb53402
Feb 12 01:11:31 MyComputer kernel: =======================

Expected results:
Connect to my Nokia through gnokii or gammu.

-- Additional comment from cebbert on 2007-02-16 17:42 EST --
It is happening in kfree(), called from usbnet_probe() at the "out1" label:

out1:
        free_netdev(net);

-- Additional comment from zaitcev on 2007-02-16 18:58 EST --
Looks like this may be it:
http://marc.theaimsgroup.com/?l=linux-usb-devel&m=117159465032226&w=2

--- at91.orig/drivers/usb/net/usbnet.c 2007-02-15 15:32:33.000000000 -0800 +++ at91/drivers/usb/net/usbnet.c 2007-02-15 17:41:16.000000000 -0800 
@@ -1181,6 +1181,9 @@ usbnet_probe (struct usb_interface *udev // NOTE net->name still not usable ... if (info->bind) { status = info->bind (dev, udev); + if (status < 0) + goto out1; + // heuristic: "usb%d" for links we know are two-host, // else "eth%d" when there's reasonable doubt. userspace // can rename the link if it knows better. @@ -1207,12 +1210,12 @@ usbnet_probe (struct usb_interface *udev if (status == 0 && dev->status) status = init_status (dev, udev); if (status < 0) - goto out1; + goto out3; if (!dev->rx_urb_size) dev->rx_urb_size = dev->hard_mtu; dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1); - + SET_NETDEV_DEV(net, &udev->dev); status = register_netdev (net); if (status)
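Review bot: in the first hunk the new test after `info->bind` is `status < 0`, so a positive return from a minidriver's bind falls through to the naming heuristic as if bind had succeeded; the bind contract (0 or a negative errno) should be stated in a comment here or in the minidriver documentation. The same comment should say that a bind which fails has to undo its own claims, because the jump to `out1` skips any unbind step and goes straight to the release that the oops in this report is in.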
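Review bot: in the second hunk the failure after `init_status` now jumps to `out3` instead of `out1`, but neither label is shown in the patch, so these lines do not establish that `out3` undoes the bind and then reaches the `free_netdev` at `out1` exactly once; the change description should state what each label releases and in what order. The `-`/`+` pair just before `SET_NETDEV_DEV` looks like a whitespace-only change and would be cleaner sent separately from the fix.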
Created attachment 185491 [details]
Test patch 2 - zero the inftdata

I think this has a better chance to help, because the patch I mentioned in the other bug did not change the path in this specific case. The problem is in calling the disconnect from within the probe when the driver is unbound from the interface.
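A user-space model of the failure this comment describes, added here as an illustration; it is not code from the kernel or from any attachment on this bug. All `model_*` names are hypothetical, and the `zero_first` branch models the idea named in the attachment title (clearing the interface data before the interface is released), not the attachment's actual contents.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins; none of these names are kernel APIs. */
struct model_dev  { int frees; };                  /* device that probe owns */
struct model_intf { struct model_dev *intfdata; }; /* per-interface data */

/* Count releases instead of calling free(): a count of 2 is the double
 * release that kfree() tripped over in the first oops. */
static void model_free_dev(struct model_dev *dev) { dev->frees++; }

/* Disconnect callback: releases whatever device the interface points at. */
static void model_disconnect(struct model_intf *intf)
{
    struct model_dev *dev = intf->intfdata;

    intf->intfdata = NULL;
    if (dev == NULL)
        return;             /* nothing attached: nothing to release */
    model_free_dev(dev);
}

/* bind: claims a second interface, then device init fails (as with
 * "RNDIS init failed"). zero_first selects the corrected cleanup. */
static int model_bind(struct model_dev *dev, struct model_intf *data,
                      int zero_first)
{
    data->intfdata = dev;       /* claim: the interface now points at dev */
    /* ... device init fails here ... */
    if (zero_first)
        data->intfdata = NULL;  /* disconnect must not see dev */
    model_disconnect(data);     /* releasing the claim runs disconnect */
    return -1;
}

/* probe: owns dev, so its error path releases it exactly once. */
static int model_probe(int zero_first)
{
    struct model_dev dev = { 0 };
    struct model_intf data = { NULL };
    int status = model_bind(&dev, &data, zero_first);

    if (status < 0)
        goto out1;
    return 0;                   /* success path, not reached in this model */
out1:
    model_free_dev(&dev);       /* probe's own release */
    return dev.frees;           /* 1 = correct, 2 = double release */
}

int main(void)
{
    printf("release with intfdata set:    %d release(s)\n", model_probe(0));
    printf("intfdata zeroed before release: %d release(s)\n", model_probe(1));
    return 0;
}
```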
Please try the kernel 2.6.18-44.el5bz236719.1 from http://people.redhat.com/zaitcev/ftp/236719/
Hi Pete, have a report that they're seeing a crash on removal of the device with 2.6.18-44.el5bz236719.1 - they've given me a reference to a kernel.org bz that apparently resolves it for them: http://bugzilla.kernel.org/show_bug.cgi?id=7201#c19 kernel.org bz is down right now, or I'd paste it in here directly.
Created attachment 213261 [details] Daniel's rndis_host patch from 2.6.20
oops reported to be fixed by the patch in comment #5

Memory for crash kernel (0x0 to 0x0) notwithin permissible range
<FF>mtrr: 0xe0000000,0x8000000 overlaps existing 0xe0000000,0x2000000
mtrr: 0xe0000000,0x8000000 overlaps existing 0xe0000000,0x2000000
mtrr: 0xe0000000,0x8000000 overlaps existing 0xe0000000,0x2000000
rndis_host 2-1:1.12: RNDIS init failed, -32
rndis_host: probe of 2-1:1.12 failed with error -32
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
printing eip:
f8df7776
*pde = 3dc44067
Oops: 0000 [#1]
SMP
last sysfs file: /class/net/eth0/carrier
Modules linked in: rndis_host cdc_ether usbnet cdc_acm thinkpad(U) autofs4 hidp rfcomm l2cap bluetooth sunrpc cisco_ipsec(U) arc4 ieee80211_crypt_wep ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink ipt_LOG xt_limit iptable_filter ip_tables ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables cpufreq_ondemand video sbs ibm_acpi backlight i2c_e c button battery asus_acpi ac radeon drm ipv6 lp snd_intel8x0m ata_piix libata scsi_mod snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_se q_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc parport_pc serio_raw parport ipw2100 ieee80211 e1000 i2c_i801 ieee80211_crypt pcspkr i2c_core cast6 de s blowfish aes_i586 dm_crypt dm_snapshot dm_zero dm_mirror dm_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
CPU: 0
EIP: 0060:[<f8df7776>] Tainted: P VLI
EFLAGS: 00010202 (2.6.18-44.el5bz236719.1 #1)
EIP is at usbnet_disconnect+0x2f/0x89 [usbnet]
eax: 00000000 ebx: e7a2c400 ecx: 0000000d edx: f8df7747
esi: ea6c9800 edi: ee6c7c00 ebp: ee6c7c58 esp: f7fb1ed8
ds: 007b es: 007b ss: 0068
Process khubd (pid: 108, ti=f7fb1000 task=f7fb0aa0 task.ti=f7fb1000)
Stack: ea6c9800 f8f03540 f8f03570 ee6c7c58 c057b253 ea6c988c ea6c9814 c054baa2
ea6c9814 ea6c9814 c0692d40 c054bc9c 00000000 c054b47f ea6c9800 ee6c7c00
ea6c9814 c054a5bf ea6c9800 ee6c7c00 0000000d ea6c9814 c0579bd7 ee6c7eb8
Call Trace:
[<c057b253>] usb_unbind_interface+0x34/0x6a
[<c054baa2>] __device_release_driver+0x5a/0x79
[<c054bc9c>] device_release_driver+0x1c/0x2b
[<c054b47f>] bus_remove_device+0x78/0x8a
[<c054a5bf>] device_del+0xe5/0x12b
[<c0579bd7>] usb_disable_device+0x62/0xc3
[<c0576b56>] usb_disconnect+0x76/0xd0
[<c057766f>] hub_thread+0x325/0x979
[<c0436025>] autoremove_wake_function+0x0/0x2d
[<c057734a>] hub_thread+0x0/0x979
[<c0435f59>] kthread+0xc0/0xeb
[<c0435e99>] kthread+0x0/0xeb
[<c0405c3b>] kernel_thread_helper+0x7/0x10
=======================
Code: c6 53 8b 98 14 01 00 00 c7 80 14 01 00 00 00 00 00 00 85 db 74 6a 8b b8 88 00 00 00 83 ef 58 f6 83 94 00 00 00 02 74 27 8b 43 04 <ff> 30 8d 47 04 50 8b 47 30 ff 70 08 8b 86 10 01 00 00 ff 30 ff
EIP: [<f8df7776>] usbnet_disconnect+0x2f/0x89 [usbnet] SS:ESP 0068:f7fb1ed8
<0>Kernel panic - not syncing: Fatal exception
Unfortunately, the patch referenced by the comment #5 is exactly the one already applied to 2.6.18-44.el5bz236719.1. So we cannot trust what they say about any patches fixing this or that, but at least they've captured the trace. I only wish they captured the COMPLETE dmesg (but for all that's sacred please attach complete dmesgs instead of dropping them in the comments).
I've stated that when it crashed, it did not crash on fc6 after it got updated. This has been initially found by fedora users, studied and fixed in both fc kernel and kernel.org. That capture has been taken from ttyS0, that's all that came there.
Created attachment 247231 [details] Test patch 3 - same as Daniels this time
I think I understand what is going on. My comment #7 was incorrect. My patch is not the same as patch in comment #5, and is broken. But I saw what I expected to see and not what actually is. I'm sorry. I have built a new test kernel 2.6.18-44.el5bz236719.2, please give it a try. http://people.redhat.com/zaitcev/ftp/236719/
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Nov 13 15:05:06 x2 kernel: usb 4-1.3.1.3: new full speed USB device using ehci_hcd and address 8
Nov 13 15:05:06 x2 kernel: usb 4-1.3.1.3: configuration #1 chosen from 1 choice
Nov 13 15:05:07 x2 kernel: cdc_acm 4-1.3.1.3:1.10: ttyACM0: USB ACM device
Nov 13 15:05:07 x2 kernel: usbcore: registered new driver cdc_acm
Nov 13 15:05:07 x2 kernel: drivers/usb/class/cdc-acm.c: v0.25:USB Abstract Control Model driver for USB modems and ISDN adapters
Nov 13 15:05:07 x2 kernel: usbcore: registered new driver cdc_ether
Nov 13 15:05:07 x2 kernel: rndis_host 4-1.3.1.3:1.12: RNDIS init failed, -32
Nov 13 15:05:07 x2 kernel: rndis_host: probe of 4-1.3.1.3:1.12 failed with error -32
Nov 13 15:05:07 x2 kernel: usbcore: registered new driver rndis_host
Nov 13 15:05:29 x2 kernel: usb 4-1.3.1.3: USB disconnect, address 8
Nov 13 15:05:29 x2 kernel: usb 4-1.3.1.3: new full speed USB device using ehci_hcd and address 9
Nov 13 15:05:30 x2 kernel: usb 4-1.3.1.3: device not accepting address 9, error -32

but didn't crash this time.

# uname -a
Linux x2.y.com 2.6.18-44.el5bz236719.2 #1 SMP Sat Nov 3 03:05:29 EDT 2007 i686 i686 i386 GNU/Linux

Note that this is a tainted kernel with a commercial product, but I'd make a guess that it has nothing to do with this issue and we saw the same symptoms in fedora and it was also successfully fixed there. Have not run tests of whether the interface actually works (nor the ndis stuff). But I guess that's another story then. Thanks, I would call this resolved.
In case anyone is interested, -32 is a so-called "stall" response. It means that the firmware is unwilling to perform the command, but it did not crash. It is a normal reply if something is not right with the parameters. Perhaps the phone does not implement RNDIS correctly but happens to work with Windows, or it's how the phone interlocks between ACM and RNDIS modes. Try to blacklist cdc_acm, see if the issue goes away.
in 2.6.18-61.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Greetings Red Hat Partner, A fix for this issue should be included in the latest packages contained in RHEL5.2-Snapshot1--available now on partners.redhat.com. Please test and confirm that your issue is fixed. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to ASSIGNED. If you are receiving this message in Issue Tracker, please reply with a message to Issue Tracker about your results and I will update bugzilla for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager. Thank you
Tried with http://people.redhat.com/dzickus/el5/90.el5/i686/kernel-2.6.18-90.el5.i686.rpm and can't reproduce it anymore (although can't remember what the exact steps were a year ago). I guess it's fixed now. thanks
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0314.html