Kernel panic in usb_altnum_to_altsetting() function.

Solution Unverified

Environment

  • Red Hat Enterprise Linux 6
  • kernel-2.6.32-358.18.1.el6

Issue

  • The system sometimes freezes (kernel oops) during USB hotplugging.
BUG: unable to handle kernel NULL pointer dereference at 00000008
IP: [<c0732ef6>] usb_altnum_to_altsetting+0x6/0x40
*pdpt = 0000000033db1001 *pde = 0000000000000000 
Oops: 0000 [#1] SMP 

Resolution

Root Cause

  • The code path fetched a pointer from a table, but the entry it read lay just past the instantiated portion of the table. That pointer was then dereferenced, causing the panic.
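The following is an added example, not code from the Red Hat solution or from the kernel source. It models the failure pattern described above in plain user-space C: a table of interface pointers that is only partly instantiated, a caller that reads one slot past the populated part, and the NULL it finds there. The struct and field names (struct iface, struct config, config_lookup, fault_offset_for_null_iface) are hypothetical stand-ins for the kernel's struct usb_interface and the configuration's interface table; the iface layout places the alt-setting count after two pointers, so that on a 32-bit build a NULL base pointer faults at offset 8, which is how "NULL pointer dereference at 00000008" in the oops is read.

```c
/*
 * Added example (not from the Red Hat solution or the kernel). Models a
 * pointer table whose slots past `num_populated` are NULL, a lookup that
 * assumes a valid object, and a hardened caller that bounds-checks first.
 * Names are hypothetical stand-ins for the kernel's USB structures.
 */
#include <stddef.h>
#include <stdio.h>

#define MAX_INTERFACES 8

struct alt_setting {
    unsigned char alternate_number;     /* stands in for desc.bAlternateSetting */
};

struct iface {
    struct alt_setting *altsetting;      /* array of alternate settings        */
    struct alt_setting *cur_altsetting;  /* currently selected setting         */
    unsigned num_altsetting;             /* count: the first field the lookup reads */
};

struct config {
    unsigned num_populated;                  /* how many slots are instantiated */
    struct iface *interface[MAX_INTERFACES]; /* slots >= num_populated stay NULL */
};

/*
 * Offset at which a NULL struct iface pointer faults when num_altsetting is
 * read. The oops reports this offset as the fault address, not 0; with two
 * 4-byte pointers ahead of the field (32-bit kernel) it is 8.
 */
size_t fault_offset_for_null_iface(void)
{
    return offsetof(struct iface, num_altsetting);
}

/* Lookup that mirrors the kernel loop; it assumes intf is a valid pointer. */
const struct alt_setting *altnum_to_altsetting(const struct iface *intf,
                                               unsigned altnum)
{
    for (unsigned i = 0; i < intf->num_altsetting; i++)
        if (intf->altsetting[i].alternate_number == altnum)
            return &intf->altsetting[i];
    return NULL;
}

/*
 * Hardened caller: reject indexes past the populated portion of the table,
 * and treat a NULL slot as "not instantiated" instead of dereferencing it.
 */
const struct alt_setting *config_lookup(const struct config *cfg,
                                        unsigned idx, unsigned altnum)
{
    if (idx >= cfg->num_populated)
        return NULL;                    /* past the instantiated portion */
    const struct iface *intf = cfg->interface[idx];
    if (!intf)
        return NULL;                    /* slot exists but holds no object */
    return altnum_to_altsetting(intf, altnum);
}

/* Constructed sample: 2 of 8 slots instantiated, the remaining 6 left NULL. */
const struct config *sample_config(void)
{
    static struct alt_setting alts0[] = { {0}, {1} };
    static struct alt_setting alts1[] = { {0} };
    static struct iface if0 = { alts0, &alts0[0], 2 };
    static struct iface if1 = { alts1, &alts1[0], 1 };
    static struct config cfg = { 2, { &if0, &if1 } };  /* slots 2..7 are NULL */
    return &cfg;
}

int main(void)
{
    const struct config *cfg = sample_config();
    const struct alt_setting *a;

    a = config_lookup(cfg, 1, 0);
    printf("slot 1, altnum 0: %s\n", a ? "found" : "not found");
    a = config_lookup(cfg, 2, 0);   /* one past the populated portion */
    printf("slot 2, altnum 0: %s\n", a ? "found" : "not found");
    printf("a NULL iface pointer would fault at offset %zu\n",
           fault_offset_for_null_iface());
    return 0;
}
```

The unchecked path is the loop in altnum_to_altsetting: it reads num_altsetting before anything else, so a NULL intf faults at that field's offset, which is the value to compare against the "at 0000000x" line of an oops. The check belongs in the caller that indexes the table, since only it knows how much of the table is populated.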

Diagnostic Steps

  • Check the kernel ring buffer for the following call trace.

Kernel Ring Buffer:

crash> log
BUG: unable to handle kernel NULL pointer dereference at 00000008           
IP: [<c0732ef6>] usb_altnum_to_altsetting+0x6/0x40
*pdpt = 0000000033db1001 *pde = 0000000000000000 
Oops: 0000 [#1] SMP 
last sysfs file: /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/boot_vga
Modules linked in: nfs lockd fscache auth_rpcgss nfs_acl sunrpc nf_nat_ftp nf_nat nf_conntrack_ftp ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 serio_raw i2c_i801 i2c_core sg iTCO_wdt iTCO_vendor_support snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc e1000e xhci_hcd ext4 jbd2 mbcache sr_mod cdrom sd_mod crc_t10dif ahci wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]

Pid: 7694, comm: trdsscanUSB Not tainted 2.6.32-358.18.1.el6.i686.debug #1 Hewlett-Packard HP Z220 SFF Workstation/1791
EIP: 0060:[<c0732ef6>] EFLAGS: 00210246 CPU: 0
EIP is at usb_altnum_to_altsetting+0x6/0x40                        
EAX: 00000000 EBX: 00000001 ECX: 00000006 EDX: 00000000
ESI: 00000000 EDI: f3dc1318 EBP: f2c91e30 ESP: f2c91e24
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process trdsscanUSB (pid: 7694, ti=f2c90000 task=f2c8e7e0 task.ti=f2c90000)
Stack:
 00000001 00000000 f3dc1318 f2c91e6c c073fb6b 00000000 00000001 00000000
<0> 00000000 00000000 00001388 f2c91e6c c1c5ce08 ffffffb9 c1cff0a0 f3dc1318
<0> 00000001 c1cff0a0 f2c91ef4 c0749267 c040f8f8 f2c91eb8 c04868bd f2c8e7e0
Call Trace:
 [<c073fb6b>] usb_reset_configuration+0xfb/0x230
 [<c0749267>] usbdev_ioctl+0xab7/0x1480
 [<c040f8f8>] ? sched_clock+0x8/0x10
 [<c04868bd>] ? sched_clock_cpu+0x13d/0x180
 [<c04941bb>] ? trace_hardirqs_off+0xb/0x10
 [<c0497b94>] ? __lock_acquire+0x1c4/0x1250
 [<c055a5cb>] vfs_ioctl+0x7b/0x90
 [<c055a726>] do_vfs_ioctl+0x66/0x5c0
 [<c04941bb>] ? trace_hardirqs_off+0xb/0x10
 [<c04869dd>] ? cpu_clock+0x6d/0x70
 [<c0496b1b>] ? lock_release_holdtime+0x3b/0x1b0
 [<c054a149>] ? fget_light+0xa9/0xd0
 [<c054a15d>] ? fget_light+0xbd/0xd0
 [<c054a0ec>] ? fget_light+0x4c/0xd0
 [<c055acdf>] sys_ioctl+0x5f/0x80
 [<c0409cbf>] sysenter_do_call+0x12/0x38
Code: 39 d3 75 17 eb e1 8d b4 26 00 00 00 00 8b 44 8e 50 8b 18 0f b6 5b 02 39 d3 74 cc 83 c1 01 39 f9 7c eb eb c1 90 55 89 e5 57 56 53 <8b> 78 08 85 ff 74 27 8b 00 0f b6 48 03 39 d1 74 1f 8d 48 1c 31 
EIP: [<c0732ef6>] usb_altnum_to_altsetting+0x6/0x40 SS:ESP 0068:f2c91e24
CR2: 0000000000000008

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
