Bug 16023
| Summary: | g_ether.ko crashes at the board at91sam9260-ek | | |
|---|---|---|---|
| Product: | Drivers | Reporter: | alexmeldevelop |
| Component: | USB | Assignee: | Greg Kroah-Hartman (greg) |
| Status: | RESOLVED CODE_FIX | | |
| Severity: | normal | CC: | maxim.osipov |
| Priority: | P1 | | |
| Hardware: | ARM | | |
| OS: | Linux | | |
| Kernel Version: | 2.6.30 and 2.6.32 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | LinuxConfig | | |

(switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface).

On Fri, 21 May 2010 12:58:58 GMT bugzilla-daemon@bugzilla.kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=16023
>
> Summary: g_ether.ko crashes at the board at91sam9260-ek
> Product: Drivers
> Version: 2.5
> Kernel Version: 2.6.30 and 2.6.32
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: USB
> AssignedTo: greg@kroah.com
> ReportedBy: alexmeldevelop@googlemail.com
> Regression: No
>
> Created an attachment (id=26485)
> --> (https://bugzilla.kernel.org/attachment.cgi?id=26485)
> LinuxConfig
>
> g_ether.ko was started with the following commands:
>
> insmod /lib/modules/g_ether.ko
> ifconfig usb0 192.168.0.1 netmask 255.255.0.0
>
> The board is connected via USB interface to Windows XP. Windows XP identifies
> USB device as RNDIS interface correctly.
> The Windows Driver was installed with the following file
> “linux-2.6.30\Documentation\usb\linux.inf”
>
> Windows provides the new interface. Ping from Windows to the board functions
> properly.
> By starting Wireshark the driver g_ether.ko crashes on the board.
>
> Here are the outputs coming out:
>
> Unable to handle kernel NULL pointer dereference at virtual address 00000000
> pgd = c0004000
> [00000000] *pgd=00000000
> Internal error: Oops: 17 [#1]
> Modules linked in: g_ether
> CPU: 0 Not tainted (2.6.30 #1)
> PC is at strlen+0xc/0x20
> LR is at rndis_msg_parser+0x3b0/0x7dc [g_ether]
> pc : [<c00e7d74>] lr : [<bf0023a4>] psr: 20000093
> sp : c0241e88 ip : c1ff42e0 fp : c2838050
> r10: c1ff42e0 r9 : c2838030 r8 : c1ff42f4
> r7 : c1ff430c r6 : c1ff42f4 r5 : bf006954 r4 : 00000000
> r3 : 0001010c r2 : 00000000 r1 : bf006984 r0 : 00000000
> Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
> Control: 0005317f Table: 21c80000 DAC: 00000017
> Process swapper (pid: 0, stack limit = 0xc0240268)
> Stack: (0xc0241e88 to 0xc0242000)
> 1e80: c1067120 c1067120 c1067360 00000000 c0254918 0000000c
> 1ea0: c104e440 bf0027f4 c0241f08 00000000 c1067120 c02549d8 00000000 c013dddc
> 1ec0: c0259bbc 0000000c 000c8802 c02549d8 c1067120 c013e870 41069265 c0254918
> 1ee0: 000c8802 c2838030 0000000a 00000001 c02549d8 00000030 00000004 c013f17c
> 1f00: c0254a08 c02549f0 00000021 004c0000 00000100 c1067ae0 00000000 00000000
> 1f20: 0000000a 2001ee40 41069265 2001ee0c 00000000 c005b4b8 0000000a c0247f00
> 1f40: 0000000a 0000000a c0259a48 c005cd3c c003dc08 0000000a 00000000 c0023050
> 1f60: c024319c ffffffff fefff000 c00239f4 00000000 0005317f 0005217f 60000013
> 1f80: c0025278 c0240000 c0025278 c0259a48 2001ee40 41069265 2001ee0c 00000000
> 1fa0: 600000d3 c0241fb8 c00252b8 c00252c4 60000013 ffffffff c002526c c002525c
> 1fc0: 00000000 c02610bc c0259a1c c0020ee4 c0243c78 c0008910 c0008434 00000000
> 1fe0: 00000000 c0020ee4 00053175 c0259a78 c00212e8 20008034 00000000 00000000
> [<c00e7d74>] (strlen+0xc/0x20) from [<bf0023a4>] (rndis_msg_parser+0x3b0/0x7dc [g_ether])
> [<bf0023a4>] (rndis_msg_parser+0x3b0/0x7dc [g_ether]) from [<bf0027f4>] (rndis_command_complete+0x24/0x6c [g_ether])
> [<bf0027f4>] (rndis_command_complete+0x24/0x6c [g_ether]) from [<c013dddc>] (done+0x60/0x98)
> [<c013dddc>] (done+0x60/0x98) from [<c013e870>] (read_fifo+0xd8/0x104)
> [<c013e870>] (read_fifo+0xd8/0x104) from [<c013f17c>] (at91_udc_irq+0x694/0x72c)
> [<c013f17c>] (at91_udc_irq+0x694/0x72c) from [<c005b4b8>] (handle_IRQ_event+0x40/0x114)
> [<c005b4b8>] (handle_IRQ_event+0x40/0x114) from [<c005cd3c>] (handle_level_irq+0x8c/0xe4)
> [<c005cd3c>] (handle_level_irq+0x8c/0xe4) from [<c0023050>] (_text+0x50/0x78)
> [<c0023050>] (_text+0x50/0x78) from [<c00239f4>] (__irq_svc+0x34/0x60)
> Exception stack(0xc0241f70 to 0xc0241fb8)
> 1f60: 00000000 0005317f 0005217f 60000013
> 1f80: c0025278 c0240000 c0025278 c0259a48 2001ee40 41069265 2001ee0c 00000000
> 1fa0: 600000d3 c0241fb8 c00252b8 c00252c4 60000013 ffffffff
> [<c00239f4>] (__irq_svc+0x34/0x60) from [<c00252b8>] (default_idle+0x40/0x58)
> [<c00252b8>] (default_idle+0x40/0x58) from [<c002525c>] (cpu_idle+0x38/0x54)
> [<c002525c>] (cpu_idle+0x38/0x54) from [<c0008910>] (start_kernel+0x248/0x2a4)
> [<c0008910>] (start_kernel+0x248/0x2a4) from [<20008034>] (0x20008034)
> Code: c024d0fc e1a02000 ea000000 e2800001 (e5d03000)
> Kernel panic - not syncing: Fatal exception in interrupt
> [<c002938c>] (unwind_backtrace+0x0/0xdc) from [<c01b826c>] (panic+0x34/0x110)
> [<c01b826c>] (panic+0x34/0x110) from [<c002795c>] (die+0x130/0x15c)
> [<c002795c>] (die+0x130/0x15c) from [<c002a4b0>] (__do_kernel_fault+0x68/0x80)
> [<c002a4b0>] (__do_kernel_fault+0x68/0x80) from [<c002a6d0>] (do_page_fault+0x208/0x228)
> [<c002a6d0>] (do_page_fault+0x208/0x228) from [<c00231f8>] (do_DataAbort+0x30/0x90)
> [<c00231f8>] (do_DataAbort+0x30/0x90) from [<c00239ac>] (__dabt_svc+0x4c/0x60)
> Exception stack(0xc0241e40 to 0xc0241e88)
> 1e40: 00000000 bf006984 00000000 0001010c 00000000 bf006954 c1ff42f4 c1ff430c
> 1e60: c1ff42f4 c2838030 c1ff42e0 c2838050 c1ff42e0 c0241e88 bf0023a4 c00e7d74
> 1e80: 20000093 ffffffff
> [<c00239ac>] (__dabt_svc+0x4c/0x60) from [<bf0023a4>] (rndis_msg_parser+0x3b0/0x7dc [g_ether])
> [<bf0023a4>] (rndis_msg_parser+0x3b0/0x7dc [g_ether]) from [<bf0027f4>] (rndis_command_complete+0x24/0x6c [g_ether])
> [<bf0027f4>] (rndis_command_complete+0x24/0x6c [g_ether]) from [<c013dddc>] (done+0x60/0x98)
> [<c013dddc>] (done+0x60/0x98) from [<c013e870>] (read_fifo+0xd8/0x104)
> [<c013e870>] (read_fifo+0xd8/0x104) from [<c013f17c>] (at91_udc_irq+0x694/0x72c)
> [<c013f17c>] (at91_udc_irq+0x694/0x72c) from [<c005b4b8>] (handle_IRQ_event+0x40/0x114)
> [<c005b4b8>] (handle_IRQ_event+0x40/0x114) from [<c005cd3c>] (handle_level_irq+0x8c/0xe4)
> [<c005cd3c>] (handle_level_irq+0x8c/0xe4) from [<c0023050>] (_text+0x50/0x78)
> [<c0023050>] (_text+0x50/0x78) from [<c00239f4>] (__irq_svc+0x34/0x60)
> Exception stack(0xc0241f70 to 0xc0241fb8)
> 1f60: 00000000 0005317f 0005217f 60000013
> 1f80: c0025278 c0240000 c0025278 c0259a48 2001ee40 41069265 2001ee0c 00000000
> 1fa0: 600000d3 c0241fb8 c00252b8 c00252c4 60000013 ffffffff
> [<c00239f4>] (__irq_svc+0x34/0x60) from [<c00252b8>] (default_idle+0x40/0x58)
> [<c00252b8>] (default_idle+0x40/0x58) from [<c002525c>] (cpu_idle+0x38/0x54)
> [<c002525c>] (cpu_idle+0x38/0x54) from [<c0008910>] (start_kernel+0x248/0x2a4)
> [<c0008910>] (start_kernel+0x248/0x2a4) from [<20008034>] (0x20008034)
>
> Wireshark hangs till the usb cable is unplugged.
>
> I use Linux Version linux-2.6.30 with 2.6.30-at91.patch.
> The Version 2.6.32.9 crashes too.
>
> For further questions, I am available from 2010-06-07

On Fri, 21 May 2010 14:52:18 -0700 (PDT) David Brownell <david-b@pacbell.net> wrote:

> For the record: looks unrelated to the board. Some patch must have borkt
> the RNDIS message parsing.

I can't see any likely-looking changes to drivers/usb/gadget/rndis.c over the past couple of years.

Reply-To: david-b@pacbell.net

For the record: looks unrelated to the board. Some patch must have borkt the RNDIS message parsing.

Same problem for me with AT91SAM9263 board from Ronetix and AT91SAM9260 board.

The problem is caused by:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=drivers/usb/gadget/f_rndis.c;h=882484a40398bce12d0eab023b9ab7922d1cade3;hb=HEAD#l710

This leads to invalid pointer dereference at:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=drivers/usb/gadget/rndis.c;h=5c0d06c79a81f1f5e5198aa1576e5e2d29d369f7;hb=HEAD#l295

Not being an expert in RNDIS, I just added NULL pointer checking to avoid the problem. But would appreciate a better solution.

closing as the patch is now in my tree.
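
The failure mode in the trace above (strlen called on a NULL string pointer while parsing a host request) and the kind of NULL check described in the last comments, as an added example that is not part of the bug report or of the kernel source. The struct, field and function names are hypothetical, the sample values are constructed, and the clamp to the buffer size goes beyond what the thread discusses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-device parameters. vendor_descr stays NULL unless a
 * setter ran, which models the unset string described in the thread. */
struct dev_params {
    uint32_t vendor_id;
    const char *vendor_descr;
};

/* Unguarded form: strlen() reads through vendor_descr unconditionally, so
 * an unset description faults at address 0. Never call this with NULL. */
int query_descr_unguarded(const struct dev_params *p, uint8_t *out)
{
    size_t len = strlen(p->vendor_descr);
    memcpy(out, p->vendor_descr, len);   /* no bound on the copy either */
    return (int)len;
}

/* Guarded form: an unset description produces an empty answer and the copy
 * is clamped to the response buffer. Returns bytes written, -1 on bad args. */
int query_descr_guarded(const struct dev_params *p, uint8_t *out, size_t cap)
{
    size_t len;

    if (!p || !out || cap == 0)
        return -1;
    if (!p->vendor_descr) {
        out[0] = 0;
        return 0;
    }
    len = strlen(p->vendor_descr);
    if (len > cap)
        len = cap;
    memcpy(out, p->vendor_descr, len);
    return (int)len;
}

int main(void)
{
    struct dev_params unset = { 0x1234, NULL };      /* constructed values */
    struct dev_params set = { 0x1234, "Linux RNDIS" };
    uint8_t buf[8];
    printf("unset: %d\n", query_descr_guarded(&unset, buf, sizeof buf));
    printf("set:   %d\n", query_descr_guarded(&set, buf, sizeof buf));
    return 0;
}
```
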