'[linux-usb-devel] 2.6.24: NULL scatter-gather pointer in'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-usb-devel
Subject:    [linux-usb-devel] 2.6.24: NULL scatter-gather pointer in
From:       Mark Glines <mark () glines ! org>
Date:       2008-01-30 17:08:28
Message-ID: 20080130090828.49246b1d () chirp ! tahoe
[Download RAW message or body]

> 
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hi,


[   95.406864] usb 4-1: new full speed USB device using uhci_hcd and address 2
[   95.550372] usb 4-1: configuration #1 chosen from 1 choice
[   95.622808] usbcore: registered new interface driver libusual
[   95.681971] Initializing USB Mass Storage driver...
[   95.775056] scsi3 : SCSI emulation for USB Mass Storage devices
[   95.777071] usbcore: registered new interface driver usb-storage
[   95.777084] USB Mass Storage support registered.
[   95.777928] usb-storage: device found at 2
[   95.777935] usb-storage: waiting for device to settle before scanning
[   97.291557] Unable to handle kernel NULL pointer dereference at 0000000000000000 \
RIP: [   97.291567]  [<ffffffff8835fa4e>] \
:usb_storage:usb_stor_access_xfer_buf+0xde/0x270 [   97.291587] PGD 6a25c067 PUD \
6a3f1067 PMD 0 [   97.291596] Oops: 0000 [1] PREEMPT SMP
[   97.291603] CPU 1
[   97.291607] Modules linked in: usb_storage libusual i915 drm ipv6 nfsd lockd \
nfs_acl auth_rpcgss sunrpc exportfs rfcomm l2cap dm_mod fuse dock tun kvm_intel kvm \
acpi_cpufreq rfkill_input rfkill coretemp bonding hci_usb bluetooth arc4 ecb iwl4965 \
snd_hda_intel mac80211 snd_pcm uhci_hcd ehci_hcd usbcore pcmcia snd_timer \
snd_page_alloc ide_cd firmware_class psmouse snd_hwdep parport_pc yenta_socket snd \
8250_pnp parport 8250 rsrc_nonstatic cdrom thermal video cfg80211 pcmcia_core \
i2c_i801 ac serial_core battery intel_agp button output sg evdev [   97.291706] Pid: \
7107, comm: usb-storage Not tainted 2.6.24 #3 [   97.291711] RIP: \
0010:[<ffffffff8835fa4e>]  [<ffffffff8835fa4e>] \
:usb_storage:usb_stor_access_xfer_buf+0xde/0x270 [   97.291727] RSP: \
0018:ffff810067e71db0  EFLAGS: 00010283 [   97.291732] RAX: ffff810074586600 RBX: \
0000000087654321 RCX: 0000000000000000 [   97.291737] RDX: 0000000000000004 RSI: \
ffff810067cfb424 RDI: ffff810074586624 [   97.291742] RBP: ffff810067e71e10 R08: \
ffff810002973550 R09: 0000000000000000 [   97.291747] R10: ffff81006a236000 R11: \
2222222222222222 R12: 0000000000000000 [   97.291751] R13: 0000000000000024 R14: \
0000000000000024 R15: 0000000000000600 [   97.291757] FS:  0000000000000000(0000) \
GS:ffff81007d00d500(0000) knlGS:0000000000000000 [   97.291763] CS:  0010 DS: 0018 \
ES: 0018 CR0: 000000008005003b [   97.291768] CR2: 0000000000000000 CR3: \
000000006a2ea000 CR4: 00000000000026e0 [   97.291772] DR0: 0000000000000000 DR1: \
0000000000000000 DR2: 0000000000000000 [   97.291777] DR3: 0000000000000000 DR6: \
00000000ffff0ff0 DR7: 0000000000000400 [   97.291783] Process usb-storage (pid: 7107, \
threadinfo ffff810067e70000, task ffff810067d10f20) [   97.291788] Stack:  \
0000000300000000 0000000000000000 ffff810067e71e2c ffff810067e71e20 [   97.291800]  \
0000006067d10f20 ffff810067cfb400 ffff810002973550 0000000000000060 [   97.291810]  \
ffff81006a236000 ffff810067d14c78 ffff810067d14df0 ffff810067e71eb0 [   97.291820] \
Call Trace: [   97.291840]  [<ffffffff8835fc14>] \
:usb_storage:usb_stor_set_xfer_buf+0x34/0x60 [   97.291857]  [<ffffffff88366d58>] \
:usb_storage:isd200_ata_command+0x188/0x530 [   97.291877]  [<ffffffff8836142e>] \
:usb_storage:usb_stor_control_thread+0x1be/0x250 [   97.291892]  [<ffffffff812b5106>] \
_spin_unlock_irqrestore+0x16/0x40 [   97.291906]  [<ffffffff88361270>] \
:usb_storage:usb_stor_control_thread+0x0/0x250 [   97.291918]  [<ffffffff8105290d>] \
kthread+0x4d/0x80 [   97.291928]  [<ffffffff8100d2e8>] child_rip+0xa/0x12
[   97.291943]  [<ffffffff810528c0>] kthread+0x0/0x80
[   97.291950]  [<ffffffff8100d2de>] child_rip+0x0/0x12
[   97.291956]
[   97.291958]
[   97.291959] Code: 49 39 1c 24 0f 85 78 01 00 00 4d 8b 44 24 08 41 f6 c0 01 0f
[   97.291985] RIP  [<ffffffff8835fa4e>] \
:usb_storage:usb_stor_access_xfer_buf+0xde/0x270 [   97.291999]  RSP \
<ffff810067e71db0> [   97.292002] CR2: 0000000000000000
[   97.292009] ---[ end trace 77e35c70f05f8a11 ]---


> usb_storage:usb_stor_access_xfer_buf+0xde is the first pointer
dereference in an inlined call to sg_page().


static inline struct page *sg_page(struct scatterlist *sg)
{
#ifdef CONFIG_DEBUG_SG
        BUG_ON(sg->sg_magic != SG_MAGIC);
        BUG_ON(sg_is_chain(sg));
#endif
        return (struct page *)((sg)->page_link & ~0x3);
}


Turning on CONFIG_DEBUG_SG didn't make much difference, because the "sg"
pointer itself is NULL.  Thus, it segfaulted before BUG_ON was actually
called.

This hardware worked fine with 2.6.23.12... though my kernel config is
rather different from that one.  Before I start digging and trying to
work out all the details and hopefully fix it, I was wondering if you've
already seen this?

Thanks,

Mark

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic