On Thu, Jan 31 2008 at 1:08 +0200, Alan Stern <[EMAIL PROTECTED]> wrote:
> Boaz:
>
> This looks like it might have something to do with your changes.
>
> Alan Stern
>
>
> On Wed, 30 Jan 2008, Mark Glines wrote:
>
>> :
>> Mime-Version: 1.0
>> Content-Type: text/plain; charset=US-ASCII
>> Content-Transfer-Encoding: 7bit
>>
>> Hi,
>>
>>
>> [ 95.406864] usb 4-1: new full speed USB device using uhci_hcd and address
>> 2
>> [ 95.550372] usb 4-1: configuration #1 chosen from 1 choice
>> [ 95.622808] usbcore: registered new interface driver libusual
>> [ 95.681971] Initializing USB Mass Storage driver...
>> [ 95.775056] scsi3 : SCSI emulation for USB Mass Storage devices
>> [ 95.777071] usbcore: registered new interface driver usb-storage
>> [ 95.777084] USB Mass Storage support registered.
>> [ 95.777928] usb-storage: device found at 2
>> [ 95.777935] usb-storage: waiting for device to settle before scanning
>> [ 97.291557] Unable to handle kernel NULL pointer dereference at
>> 0000000000000000 RIP:
>> [ 97.291567] [<ffffffff8835fa4e>]
>> :usb_storage:usb_stor_access_xfer_buf+0xde/0x270
>> [ 97.291587] PGD 6a25c067 PUD 6a3f1067 PMD 0
>> [ 97.291596] Oops: 0000 [1] PREEMPT SMP
>> [ 97.291603] CPU 1
>> [ 97.291607] Modules linked in: usb_storage libusual i915 drm ipv6 nfsd
>> lockd nfs_acl auth_rpcgss sunrpc exportfs rfcomm l2cap dm_mod fuse dock tun
>> kvm_intel kvm acpi_cpufreq rfkill_input rfkill coretemp bonding hci_usb
>> bluetooth arc4 ecb iwl4965 snd_hda_intel mac80211 snd_pcm uhci_hcd ehci_hcd
>> usbcore pcmcia snd_timer snd_page_alloc ide_cd firmware_class psmouse
>> snd_hwdep parport_pc yenta_socket snd 8250_pnp parport 8250 rsrc_nonstatic
>> cdrom thermal video cfg80211 pcmcia_core i2c_i801 ac serial_core battery
>> intel_agp button output sg evdev
>> [ 97.291706] Pid: 7107, comm: usb-storage Not tainted 2.6.24 #3
>> [ 97.291711] RIP: 0010:[<ffffffff8835fa4e>] [<ffffffff8835fa4e>]
>> :usb_storage:usb_stor_access_xfer_buf+0xde/0x270
>> [ 97.291727] RSP: 0018:ffff810067e71db0 EFLAGS: 00010283
>> [ 97.291732] RAX: ffff810074586600 RBX: 0000000087654321 RCX:
>> 0000000000000000
>> [ 97.291737] RDX: 0000000000000004 RSI: ffff810067cfb424 RDI:
>> ffff810074586624
>> [ 97.291742] RBP: ffff810067e71e10 R08: ffff810002973550 R09:
>> 0000000000000000
>> [ 97.291747] R10: ffff81006a236000 R11: 2222222222222222 R12:
>> 0000000000000000
>> [ 97.291751] R13: 0000000000000024 R14: 0000000000000024 R15:
>> 0000000000000600
>> [ 97.291757] FS: 0000000000000000(0000) GS:ffff81007d00d500(0000)
>> knlGS:0000000000000000
>> [ 97.291763] CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
>> [ 97.291768] CR2: 0000000000000000 CR3: 000000006a2ea000 CR4:
>> 00000000000026e0
>> [ 97.291772] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [ 97.291777] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>> 0000000000000400
>> [ 97.291783] Process usb-storage (pid: 7107, threadinfo ffff810067e70000,
>> task ffff810067d10f20)
>> [ 97.291788] Stack: 0000000300000000 0000000000000000 ffff810067e71e2c
>> ffff810067e71e20
>> [ 97.291800] 0000006067d10f20 ffff810067cfb400 ffff810002973550
>> 0000000000000060
>> [ 97.291810] ffff81006a236000 ffff810067d14c78 ffff810067d14df0
>> ffff810067e71eb0
>> [ 97.291820] Call Trace:
>> [ 97.291840] [<ffffffff8835fc14>]
>> :usb_storage:usb_stor_set_xfer_buf+0x34/0x60
>> [ 97.291857] [<ffffffff88366d58>]
>> :usb_storage:isd200_ata_command+0x188/0x530
>> [ 97.291877] [<ffffffff8836142e>]
>> :usb_storage:usb_stor_control_thread+0x1be/0x250
>> [ 97.291892] [<ffffffff812b5106>] _spin_unlock_irqrestore+0x16/0x40
>> [ 97.291906] [<ffffffff88361270>]
>> :usb_storage:usb_stor_control_thread+0x0/0x250
>> [ 97.291918] [<ffffffff8105290d>] kthread+0x4d/0x80
>> [ 97.291928] [<ffffffff8100d2e8>] child_rip+0xa/0x12
>> [ 97.291943] [<ffffffff810528c0>] kthread+0x0/0x80
>> [ 97.291950] [<ffffffff8100d2de>] child_rip+0x0/0x12
>> [ 97.291956]
>> [ 97.291958]
>> [ 97.291959] Code: 49 39 1c 24 0f 85 78 01 00 00 4d 8b 44 24 08 41 f6 c0
>> 01 0f
>> [ 97.291985] RIP [<ffffffff8835fa4e>]
>> :usb_storage:usb_stor_access_xfer_buf+0xde/0x270
>> [ 97.291999] RSP <ffff810067e71db0>
>> [ 97.292002] CR2: 0000000000000000
>> [ 97.292009] ---[ end trace 77e35c70f05f8a11 ]---
>>
>>
>> :usb_storage:usb_stor_access_xfer_buf+0xde is the first pointer
>> dereference in an inlined call to sg_page().
>>
>>
>> static inline struct page *sg_page(struct scatterlist *sg)
>> {
>> #ifdef CONFIG_DEBUG_SG
>> BUG_ON(sg->sg_magic != SG_MAGIC);
>> BUG_ON(sg_is_chain(sg));
>> #endif
>> return (struct page *)((sg)->page_link & ~0x3);
>> }
>>
>>
>> Turning on CONFIG_DEBUG_SG didn't make much difference, because the "sg"
>> pointer itself is NULL. Thus, it segfaulted before BUG_ON was actually
>> called.
>>
>> This hardware worked fine with 2.6.23.12... though my kernel config is
>> rather different from that one. Before I start digging and trying to
>> work out all the details and hopefully fix it, I was wondering if you've
>> already seen this?
>>
>> Thanks,
>>
>> Mark
>>
Please check the below patch.
one thing that I can see is that the isd200 does an INQUARY transfer of
sizeof(struct inquiry_data) which is 96 bytes, when scsi_scan.c sends an
INQUARY with 36 bytes buffer. So we have an underflow in
usb_stor_access_xfer_buf().
The below patch will only check my theory. I will send a proper fix
later, please confirm that this fixes it.
What kills me is that this condition has existed before my patch, I'll
try to see why it is triggered now
---
drivers/usb/storage/protocol.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/drivers/usb/storage/protocol.c b/drivers/usb/storage/protocol.c
index a41ce21..d0ff1f6 100644
--- a/drivers/usb/storage/protocol.c
+++ b/drivers/usb/storage/protocol.c
@@ -229,6 +229,12 @@ void usb_stor_set_xfer_buf(unsigned char *buffer,
unsigned int offset = 0;
struct scatterlist *sg = NULL;
+ BUG_ON(!scsi_sglist(srb));
+
+ if(buflen > scsi_bufflen(srb))
+ buflen = scsi_bufflen(srb);
+ /*FIXME: should we set an underflow condition here*/
+
usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
TO_XFER_BUF);
if (buflen < scsi_bufflen(srb))
-
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
