Red Hat Bugzilla – Bug 442253
[rndis] Kernel oops on USB insert
Last modified: 2008-05-23 03:44:28 EDT
Description of problem: Inserting phone in USB causes kernel Oops Version-Release number of selected component (if applicable): Linux damson 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686 i386 GNU/Linux How reproducible: Always Steps to Reproduce: 1. Insert phone in USB Actual results: Kernel oops Additional info: Using proprietary NVIDIA module, but I doubt it matters as this looks completely unrelated. usb 3-1: new full speed USB device using uhci_hcd and address 2 usb 3-1: configuration #1 chosen from 1 choice usbcore: registered new interface driver cdc_ether rndis_host 3-1:1.0: RNDIS_MSG_QUERY(0x00010202) failed, -47 BUG: unable to handle kernel paging request at virtual address fffffff4 printing eip: f8d266d3 *pde = 00799067 *pte = 00000000 Oops: 0002 [#1] SMP Modules linked in: rndis_host cdc_ether usbnet mii rfkill_input coretemp hwmon f use cpufreq_ondemand acpi_cpufreq loop dm_multipath ipv6 snd_hda_intel(U) snd_se q_oss(U) snd_seq_midi_event(U) snd_seq(U) arc4 ecb blkcipher snd_seq_device(U) nvidia(P)(U) snd_pcm_oss(U) b43 snd_mixer_oss(U) rfkill sr_mod cdrom mac80211 snd _pcm(U) snd_timer(U) cfg80211 i2c_i801 joydev input_polldev uvcvideo snd_page_alloc(U) snd_hwdep(U) snd(U) sdhci firewire_ohci mmc_core firewire_core battery ata_piix pata_acpi ricoh_mmc i2c_core tg3 ac compat_ioctl32 iTCO_wdt video output soundcore ata_generic iTCO_vendor_support crc_itu_t videodev button v4l1_compat v4l2_common ssb sg dm_snapshot dm_zero dm_mirror dm_mod ahci libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd Pid: 16726, comm: modprobe Tainted: P (2.6.24.4-64.fc8 #1) EIP: 0060:[<f8d266d3>] EFLAGS: 00210286 CPU: 1 EIP is at generic_rndis_bind+0x219/0x3ca [rndis_host] EAX: fffffff4 EBX: 00000616 ECX: 00200096 EDX: 00200000 ESI: f6b85d7c EDI: 00002000 EBP: f6bbe800 ESP: f6b85d48 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process modprobe (pid: 16726, ti=f6b85000 task=f5a5f3b0 task.ti=f6b85000) Stack: 00010202 00000000 f6b85d80 f6b85d7c 00000000 000080d0 f5ab1400 00000001 f5ab1400 f6c38480 00000000 f6c38000 c05d4668 00000004 fffffff4 f6c38480 f8d26aa0 f8d26adc f4c6cf48 f8bbdea2 f7123c78 f45b7560 f4e8aab0 c0498ca2 Call Trace: [<c05d4668>] ether_setup+0x0/0x76 [<f8bbdea2>] usbnet_probe+0x1f5/0x534 [usbnet] [<c0498ca2>] iput+0x39/0x62 [<c04c2211>] sysfs_addrm_finish+0x4a/0x194 [<c05882b7>] usb_autopm_do_device+0xd0/0xda [<c04c2ba8>] sysfs_create_link+0xc1/0x105 [<c0587e8a>] usb_match_one_id+0x1c/0x71 [<c0588d2b>] usb_probe_interface+0xbf/0x102 [<c05717ad>] driver_probe_device+0xe7/0x165 [<c04fbf73>] kobject_uevent_env+0x353/0x377 [<c05718d1>] __driver_attach+0x0/0xa5 [<c0571941>] __driver_attach+0x70/0xa5 [<c0570d23>] bus_for_each_dev+0x37/0x59 [<c057160b>] driver_attach+0x16/0x18 [<c05718d1>] __driver_attach+0x0/0xa5 [<c0571009>] bus_add_driver+0x6d/0x197 [<c058890f>] usb_register_driver+0x6d/0xd4 [<c044d008>] sys_init_module+0x14d6/0x15f9 [<c0488c87>] do_sync_read+0xc7/0x10a [<c04051da>] syscall_call+0x7/0xb [<c0620000>] xfrm_send_migrate+0x13/0x236 ======================= Code: 74 24 34 c7 44 24 34 04 00 00 00 89 74 24 0c c7 44 24 04 00 00 00 00 c7 04 24 02 02 01 00 e8 de fc ff ff 85 c0 74 0a 8b 44 24 38 <c7> 00 00 00 00 00 f6 44 24 1c 02 74 0d 8b 44 24 38 83 38 01 0f EIP: [<f8d266d3>] generic_rndis_bind+0x219/0x3ca [rndis_host] SS:ESP 0068:f6b85d48 ---[ end trace 15cc95e9ed07f21f ]---
Looks pretty clear, bouncing to upstream.
David Brownell says: Does this happen with 2.6.25-rc9? If 2.6.24.4-64.fc8 picked up any of the wireless RNDIS patches, it needs to pick up a bugfix which created an oopsing path there. Looks like linux-2.6-wireless-pending.patch has the bug.
Patch in question is available in the (in progress) build here: http://koji.fedoraproject.org/koji/buildinfo?buildID=46311 Give it a try when the build complete?
Fixes are in 2.6.24.4-82
*** Bug 438616 has been marked as a duplicate of this bug. ***