Bug 21372 - NULL pointer dereference at disk_replace_part_tbl+0x32
Summary: NULL pointer dereference at disk_replace_part_tbl+0x32
Status: CLOSED CODE_FIX
Alias: None
Product: IO/Storage
Classification: Unclassified
Component: SCSI
Hardware: All Linux
: P1 normal
Assignee: linux-scsi@vger.kernel.org
URL:
Keywords:
Depends on:
Blocks: 16444
Reported: 2010-10-28 17:22 UTC by Luis Chamberlain
Modified: 2010-12-09 10:52 UTC (History)

See Also:
Kernel Version: 2.6.36
Subsystem:
Regression: Yes
Bisected commit-id:


Attachments

Description Luis Chamberlain 2010-10-28 17:22:43 UTC
I get the following NULL pointer dereference when I hook up my Nexus One to my laptop to enable USB tether. This is a regression between v2.6.36-rc8 and v2.6.36. I will bisect when I get a chance.

input: TPPS/2 IBM TrackPoint as /devices/platform/i8042/serio1/serio2/input/input7
usb 1-3: USB disconnect, address 4
BUG: unable to handle kernel NULL pointer dereference at 00000000000003a0
IP: [<ffffffff812aec32>] disk_replace_part_tbl+0x32/0x80
PGD 0 
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
last sysfs file: /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
CPU 0 
Modules linked in: <etc>
Pid: 22, comm: khubd Not tainted 2.6.36-wl+ #13 6460DWU/6460DWU
RIP: 0010:[<ffffffff812aec32>]  [<ffffffff812aec32>] disk_replace_part_tbl+0x32/0x80
RSP: 0018:ffff88003b921990  EFLAGS: 00010282
RAX: ffffea0000cd0708 RBX: ffff880038a0cee0 RCX: ffff88003d001490
RDX: ffffea0000cb5c40 RSI: 0000000000000000 RDI: ffff880039f61df8
RBP: ffff88003b9219a0 R08: 0000000000000000 R09: ffff88003a1a58a8
R10: dead000000100100 R11: 0000000000000228 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8800388f6e98 R15: 0000000000000293
FS:  0000000000000000(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000000003a0 CR3: 0000000001a24000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process khubd (pid: 22, threadinfo ffff88003b920000, task ffff88003b918000)
Stack:
 ffff880039f61df8 ffffffff81a67a60 ffff88003b9219c0 ffffffff812aed08
<0> ffff88003b9219c0 0000000000000000 ffff88003b9219e0 ffffffff813833f7
<0> 0000000000000086 ffff880039f61e68 ffff88003b921a10 ffffffff812bcd87
Call Trace:

 [<ffffffff812aed08>] disk_release+0x28/0x50
 [<ffffffff813833f7>] device_release+0x27/0xa0
 [<ffffffff812bcd87>] kobject_release+0x47/0x90
 [<ffffffff812bcd40>] ? kobject_release+0x0/0x90
 [<ffffffff812be1e7>] kref_put+0x37/0x70
 [<ffffffff812bcc47>] kobject_put+0x27/0x60
 [<ffffffff812bcd40>] ? kobject_release+0x0/0x90
 [<ffffffff812aed47>] put_disk+0x17/0x20
 [<ffffffff813c3c37>] sg_device_destroy+0x67/0xa0
 [<ffffffff813c3bd0>] ? sg_device_destroy+0x0/0xa0
 [<ffffffff812be1e7>] kref_put+0x37/0x70
 [<ffffffff813c3b9e>] sg_remove+0xfe/0x130
 [<ffffffff81383d51>] device_del+0xc1/0x1d0
 [<ffffffff81383e76>] device_unregister+0x16/0x30
 [<ffffffff813b6e95>] __scsi_remove_device+0xa5/0xc0
 [<ffffffff813b322c>] scsi_forget_host+0x5c/0x80
 [<ffffffff813aab1f>] scsi_remove_host+0x6f/0x120
 [<ffffffffa004c46b>] quiesce_and_remove_host+0x6b/0xc0 [usb_storage]
 [<ffffffffa004c592>] usb_stor_disconnect+0x22/0x40 [usb_storage]
 [<ffffffff8140934a>] usb_unbind_interface+0x5a/0x1a0
 [<ffffffff81387055>] __device_release_driver+0x75/0xe0
 [<ffffffff813871bd>] device_release_driver+0x2d/0x40
 [<ffffffff8138617e>] bus_remove_device+0xae/0xf0
 [<ffffffff81383db7>] device_del+0x127/0x1d0
 [<ffffffff81405be0>] usb_disable_device+0x70/0x130
 [<ffffffff813fee13>] usb_disconnect+0x93/0x130
 [<ffffffff814004e7>] hub_thread+0x487/0x1230
 [<ffffffff8105a5fb>] ? dequeue_task_fair+0x8b/0x90
 [<ffffffff81082900>] ? autoremove_wake_function+0x0/0x40
 [<ffffffff81400060>] ? hub_thread+0x0/0x1230
 [<ffffffff810823a6>] kthread+0x96/0xa0
 [<ffffffff8100bea4>] kernel_thread_helper+0x4/0x10
 [<ffffffff81082310>] ? kthread+0x0/0xa0
 [<ffffffff8100bea0>] ? kernel_thread_helper+0x0/0x10
Code: 10 48 89 1c 24 4c 89 64 24 08 0f 1f 44 00 00 48 8b 5f 38 4c 8b a7 00 03 00 00 48 85 db 48 89 77 38 74 42 48 c7 43 18 00 00 00 00 <49> 8b bc 24 a0 03 00 00 e8 61 58 2c 00 4c 89 e7 e8 89 2e ff ff 
RIP  [<ffffffff812aec32>] disk_replace_part_tbl+0x32/0x80
 RSP <ffff88003b921990>
CR2: 00000000000003a0
---[ end trace 4704f0507cd6c869 ]---
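Working through the oops above, as an added example that is not from the bug report or from the kernel tree: the kernel marks the faulting instruction in the Code: line with <49>, CR2 holds the faulting address 0x3a0, and R12 is 0 in the register dump. The script below is a small triage helper that parses those three things, decodes the marked instruction (it only knows the 0x8B/0x89 mov load/store forms, which is all this oops needs), confirms that base plus displacement equals CR2, and then sweeps the preceding bytes for the mov that loaded the NULL base register. It assumes x86-64 with the SysV calling convention (first argument in RDI); OOPS_TEXT is a constructed excerpt of the report on this page, not a new capture, and the backward sweep is a heuristic that should be confirmed against objdump of the actual vmlinux.

```python
"""Triage helper for the x86-64 oops quoted above (added example, not part
of the bug report or of the kernel tree).

Pulls the register dump, the CR2 fault address and the "Code:" bytes out of
the oops text, decodes the one instruction the kernel marks with <..>, and
reports which register held the NULL base pointer and which struct offset
was being read.  Assumes x86-64 and only the `mov` load/store forms
(opcodes 0x8B/0x89) present in this oops.  OOPS_TEXT is a constructed
excerpt of the report on this page, not a fresh capture.
"""
import re

OOPS_TEXT = """\
BUG: unable to handle kernel NULL pointer dereference at 00000000000003a0
IP: [<ffffffff812aec32>] disk_replace_part_tbl+0x32/0x80
RAX: ffffea0000cd0708 RBX: ffff880038a0cee0 RCX: ffff88003d001490
RDX: ffffea0000cb5c40 RSI: 0000000000000000 RDI: ffff880039f61df8
RBP: ffff88003b9219a0 R08: 0000000000000000 R09: ffff88003a1a58a8
R10: dead000000100100 R11: 0000000000000228 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8800388f6e98 R15: 0000000000000293
CR2: 00000000000003a0 CR3: 0000000001a24000 CR4: 00000000000006f0
Code: 10 48 89 1c 24 4c 89 64 24 08 0f 1f 44 00 00 48 8b 5f 38 4c 8b a7 00 03 00 00 48 85 db 48 89 77 38 74 42 48 c7 43 18 00 00 00 00 <49> 8b bc 24 a0 03 00 00 e8 61 58 2c 00 4c 89 e7 e8 89 2e ff ff
"""

# ModRM/SIB register numbering; REX.R/X/B select the upper eight.
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def parse_registers(text):
    """Map register names (lower case, 'r08' normalised to 'r8') to values."""
    regs = {}
    for name, val in re.findall(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})\b", text):
        name = name.lower()
        if re.fullmatch(r"r0\d", name):
            name = "r" + name[2]
        regs[name] = int(val, 16)
    return regs


def parse_code_line(text):
    """Split the 'Code:' bytes at the <xx> marker: (before_fault, from_fault)."""
    toks = re.search(r"^Code: (.*)$", text, re.M).group(1).split()
    mark = next(i for i, t in enumerate(toks) if t.startswith("<"))
    before = bytes(int(t, 16) for t in toks[:mark])
    at = bytes(int(t.strip("<>"), 16) for t in toks[mark:])
    return before, at


def decode_mov_mem(code):
    """Decode one `mov` between a register and memory at the start of `code`.

    Handles an optional REX prefix, opcode 0x8B (load) or 0x89 (store), a
    ModRM memory operand, an optional SIB byte and disp8/disp32.  Returns a
    dict (op, reg, base, index, scale, disp, length) or None otherwise.
    """
    try:
        i, rex = 0, 0
        if 0x40 <= code[i] <= 0x4F:
            rex, i = code[i], i + 1
        op = code[i]
        i += 1
        if op not in (0x89, 0x8B):
            return None
        modrm = code[i]
        i += 1
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 3:                     # register-register, no memory access
            return None
        reg |= (rex & 0x4) << 1          # REX.R
        base, index, scale = None, None, 1
        if rm == 4:                      # SIB byte follows
            sib = code[i]
            i += 1
            scale = 1 << (sib >> 6)
            idx = ((sib >> 3) & 7) | ((rex & 0x2) << 2)   # REX.X
            if idx != 4:                 # index 0b100 (no REX.X) means "no index"
                index = REGS64[idx]
            if (sib & 7) == 5 and mod == 0:
                base = None              # [disp32 + index*scale]
            else:
                base = REGS64[(sib & 7) | ((rex & 0x1) << 3)]   # REX.B
        elif rm == 5 and mod == 0:
            base = "rip"                 # RIP-relative disp32
        else:
            base = REGS64[rm | ((rex & 0x1) << 3)]
        disp = 0
        if mod == 1:
            if len(code) < i + 1:
                return None
            disp = int.from_bytes(code[i:i + 1], "little", signed=True)
            i += 1
        elif mod == 2 or base in (None, "rip"):
            if len(code) < i + 4:
                return None
            disp = int.from_bytes(code[i:i + 4], "little", signed=True)
            i += 4
        return {"op": "load" if op == 0x8B else "store", "reg": REGS64[reg],
                "base": base, "index": index, "scale": scale,
                "disp": disp, "length": i}
    except IndexError:
        return None


def explain_fault(text):
    """Decode the marked instruction and check it against CR2 and the registers."""
    regs = parse_registers(text)
    _, at_fault = parse_code_line(text)
    insn = decode_mov_mem(at_fault)
    if insn is None:
        return None
    base_val = regs.get(insn["base"], 0) if insn["base"] else 0
    ea = base_val + insn["disp"]
    if insn["index"]:
        ea += regs.get(insn["index"], 0) * insn["scale"]
    ea &= 0xFFFFFFFFFFFFFFFF
    return {"insn": insn, "effective_address": ea,
            "matches_cr2": ea == regs["cr2"],
            "null_base": insn["base"] is not None and base_val == 0}


def find_base_source(text, reg):
    """Heuristic: decode from every byte offset before the fault and return the
    last load whose destination is `reg`.  A linear sweep can mis-decode, so
    confirm the result against objdump of the real kernel image."""
    before, _ = parse_code_line(text)
    found = None
    for off in range(len(before)):
        insn = decode_mov_mem(before[off:])
        if insn and insn["op"] == "load" and insn["reg"] == reg:
            found = insn
    return found


if __name__ == "__main__":
    r = explain_fault(OOPS_TEXT)
    ins = r["insn"]
    print("faulting insn: %s %s [%s%+#x]" % (ins["op"], ins["reg"], ins["base"], ins["disp"]))
    print("effective address %#x, CR2 match: %s, base is NULL: %s"
          % (r["effective_address"], r["matches_cr2"], r["null_base"]))
    src = find_base_source(OOPS_TEXT, ins["base"])
    if src:
        print("%s was loaded from [%s%+#x]" % (ins["base"], src["base"], src["disp"]))
        if src["base"] == "rdi":
            print("i.e. a pointer field at that offset of the first argument (SysV ABI) was NULL")
```

On this oops it reports a load into rdi from [r12+0x3a0] with r12 == 0, matching CR2, and that r12 was loaded from [rdi+0x300]: a pointer field at offset 0x300 of the object passed as disk_replace_part_tbl's first argument was NULL, and the function then read a field at offset 0x3a0 through it. The crash is therefore a NULL pointer field inside an otherwise valid object, not a bad object pointer, which is why the caller chain down to put_disk looks normal.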
Comment 1 Andrew Morton 2010-10-28 17:52:35 UTC
(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Thu, 28 Oct 2010 17:22:47 GMT
bugzilla-daemon@bugzilla.kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=21372
> 
>            Summary: NULL pointer dereference at disk_replace_part_tbl+0x32
>            Product: Drivers
>            Version: 2.5
>     Kernel Version: 2.6.36
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: USB
>         AssignedTo: greg@kroah.com
>         ReportedBy: mcgrof@gmail.com
>                 CC: rjw@sisk.pl
>         Regression: Yes

hm, who did this.

Jens, I think you were fixing something up in this area recently?

Comment 2 Jens Axboe 2010-10-29 14:38:09 UTC
If this happened post 2.6.36, then it is indeed a known bug. So I'm a little skeptical, are you sure this is 2.6.36 as released and not a -git somewhat past that? The version reads 2.6.36-wl+, so it's definitely not pristine 2.6.36.

So I'm pretty sure that this is the issue we fixed by reverting the io stat change. If you update to a newer .36-git or go back to 2.6.36 as released, it will work fine.
Comment 3 Florian Mickler 2010-12-09 10:50:30 UTC
Are you referring to this patch? I'm closing this as fixed then. Luis, if this is not the case, please shout.

commit f253b86b4ad1b3220544e75880510fd455ebd23f
Author: Jens Axboe <jaxboe@fusionio.com>
Date:   Sun Oct 24 22:06:02 2010 +0200

    Revert "block: fix accounting bug on cross partition merges"
Comment 4 Florian Mickler 2010-12-09 10:52:13 UTC
(this was the only commit I could find that somehow had something to do with reverting, io and stat(s)...)
