Most recent kernel where this bug did not occur:
Distribution: Kubuntu Gutsy
Hardware Environment:
Software Environment:
Problem Description: I got this error message:
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
in dmesg output when connecting a USB device. Turning off CONFIG_SCSI_SCAN_ASYNC fixed the problem. Apparently there is a bug in SCSI core code.

Steps to reproduce: I connected my MP4 player (which is not recognized) on USB.
Created attachment 12536: dmesg output with BUG messages
Reply-To: akpm@linux-foundation.org

On Sat, 25 Aug 2007 09:47:40 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=8940
>
> Summary: BUG: unable to handle kernel NULL pointer dereference at
> virtual address 00000000
> Product: Drivers
> Version: 2.5
> KernelVersion: 2.6.22.5
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: USB
> AssignedTo: greg@kroah.com
> ReportedBy: dchris@gmail.com
>
>
> Most recent kernel where this bug did not occur:
> Distribution: Kubuntu Gutsy
> Hardware Environment:
> Software Environment:
> Problem Description: I got this error message:
> BUG: unable to handle kernel NULL pointer dereference at virtual address
> 00000000
> in dmesg output when connecting a USB device. Turning off
> CONFIG_SCSI_SCAN_ASYNC fixed the problem. Apparently there is a bug in SCSI
> core code.
>
> Steps to reproduce: I connected my MP4 player (which is not recognized) on
> USB.

The CONFIG_USB_DEBUG-enabled dmesg was attached to the report.

[ 262.416000] usb-storage: scsi cmd done, result=0x70000
[ 262.416000] usb-storage: *** thread sleeping.
[ 262.416000] usb 5-3: USB disconnect, address 2
[ 262.416000] PM: Removing info for No Bus:usbdev5.2_ep81
[ 262.416000] PM: Removing info for No Bus:usbdev5.2_ep01
[ 262.416000] usb-storage: storage_disconnect() called
[ 262.416000] usb-storage: usb_stor_stop_transport called
[ 262.416000] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 262.416000] printing eip:
[ 262.416000] c025fec5
[ 262.416000] *pde = 00000000
[ 262.416000] Oops: 0000 [#1]
[ 262.416000] SMP
[ 262.416000] Modules linked in: usb_storage ide_core libusual binfmt_misc rfcomm l2cap bluetooth capability commoncap radeon drm ipv6 acpi_cpufreq cpufreq_userspace cpufreq_stats cpufreq_powersave cpufreq_ondemand freq_table cpufreq_conservative video sbs button dock battery container ac af_packet fuse sbp2 parport_pc lp parport joydev snd_hda_intel snd_pcm_oss snd_pcm snd_mixer_oss snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event pcspkr ipw2200 ieee80211 ieee80211_crypt psmouse serio_raw snd_seq snd_timer snd_seq_device iTCO_wdt iTCO_vendor_support intel_agp snd soundcore snd_page_alloc shpchp pci_hotplug agpgart evdev ext3 jbd mbcache sg 8139too sr_mod cdrom sd_mod ata_piix ahci 8139cp mii ohci1394 ieee1394 ata_generic libata scsi_mod ehci_hcd uhci_hcd usbcore raid10 raid456 xor raid1 raid0 multipath linear md_mod dm_mirror dm_snapshot dm_mod thermal processor fan
[ 262.416000] CPU: 0
[ 262.416000] EIP: 0060:[<c025fec5>] Not tainted VLI
[ 262.416000] EFLAGS: 00010202 (2.6.22.1 #1)
[ 262.416000] EIP is at make_class_name+0x35/0xa0
[ 262.416000] eax: 00000000 ebx: ffffffff ecx: ffffffff edx: 0000000b
[ 262.416000] esi: f88dd3c6 edi: 00000000 ebp: 00000000 esp: c1b9be58
[ 262.416000] ds: 007b es: 007b fs: 00d8 gs: 0000 ss: 0068
[ 262.416000] Process khubd (pid: 1971, ti=c1b9a000 task=dfc2b9a0 task.ti=c1b9a000)
[ 262.416000] Stack: efedf208 f88f024c efedf200 efedf208 f88f01e0 c0260069 00000000 f88f02a8
[ 262.416000] efedf200 eccce400 00000246 00000000 c02600f8 efedf000 f88d7180 efedf000
[ 262.416000] eccce400 f88d46ab eccce430 eccce400 f88ce905 eccce6f8 ed541a18 f8c19540
[ 262.416000] Call Trace:
[ 262.416000] [<c0260069>] class_device_del+0x99/0x120
[ 262.416000] [<c02600f8>] class_device_unregister+0x8/0x10
[ 262.416000] [<f88d7180>] __scsi_remove_device+0x30/0x80 [scsi_mod]
[ 262.416000] [<f88d46ab>] scsi_forget_host+0x4b/0x60 [scsi_mod]
[ 262.416000] [<f88ce905>] scsi_remove_host+0x55/0xe0 [scsi_mod]
[ 262.416000] [<f8c024bd>] storage_disconnect+0x1d/0x30 [usb_storage]
[ 262.416000] [<f88b2ef0>] usb_unbind_interface+0x50/0xa0 [usbcore]
[ 262.416000] [<c025f538>] __device_release_driver+0x68/0xa0
[ 262.416000] [<c025f9a3>] device_release_driver+0x23/0x40
[ 262.416000] [<c025ee0c>] bus_remove_device+0x5c/0x90
[ 262.416000] [<c025cf70>] device_del+0x160/0x260
[ 262.416000] [<f88b018e>] usb_disable_device+0x7e/0xe0 [usbcore]
[ 262.416000] [<f88ac397>] usb_disconnect+0x97/0x130 [usbcore]
[ 262.416000] [<f88aca3f>] hub_thread+0x26f/0xc30 [usbcore]
[ 262.416000] [<c02f08da>] schedule+0x2ca/0x890
[ 262.416000] [<c013bcb0>] autoremove_wake_function+0x0/0x50
[ 262.416000] [<f88ac7d0>] hub_thread+0x0/0xc30 [usbcore]
[ 262.416000] [<c013b9f2>] kthread+0x42/0x70
[ 262.416000] [<c013b9b0>] kthread+0x0/0x70
[ 262.416000] [<c0105487>] kernel_thread_helper+0x7/0x10
[ 262.416000] =======================
[ 262.416000] Code: ff ff 89 6c 24 10 31 ed 89 d9 89 74 24 08 89 c6 89 7c 24 0c 89 c7 89 e8 89 14 24 f2 ae f7 d1 49 8b 04 24 89 ca 89 d9 8b 38 89 e8 <f2> ae f7 d1 49 8d 44 0a 02 ba d0 00 00 00 e8 48 cf f1 ff 31 d2
[ 262.416000] EIP: [<c025fec5>] make_class_name+0x35/0xa0 SS:ESP 0068:c1b9be58
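Added example, not part of the original thread: a small triage parser for the oops format quoted in the comment above, pulling out the faulting function, the process, and which modules sit on the call path. The sample lines are copied (abridged) from that oops; the names `parse_oops` and `module_path` and the `vmlinux` label for frames without a module tag are this example's own.

```python
import re

# Lines copied (abridged) from the oops quoted in the comment above.
SAMPLE = """\
[ 262.416000] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 262.416000] EIP is at make_class_name+0x35/0xa0
[ 262.416000] Process khubd (pid: 1971, ti=c1b9a000 task=dfc2b9a0 task.ti=c1b9a000)
[ 262.416000] Call Trace:
[ 262.416000] [<c0260069>] class_device_del+0x99/0x120
[ 262.416000] [<c02600f8>] class_device_unregister+0x8/0x10
[ 262.416000] [<f88d7180>] __scsi_remove_device+0x30/0x80 [scsi_mod]
[ 262.416000] [<f88ce905>] scsi_remove_host+0x55/0xe0 [scsi_mod]
[ 262.416000] [<f8c024bd>] storage_disconnect+0x1d/0x30 [usb_storage]
[ 262.416000] =======================
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
FRAME = re.compile(r"\[<[0-9a-f]+>\]\s+([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")

def parse_oops(text):
    """Summarise the first oops in 2.6-era i386 dmesg text for triage."""
    out = {"fault_addr": None, "fault_fn": None, "process": None, "pid": None, "frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = STAMP.sub("", raw).strip()
        if m := re.search(r"dereference at virtual address ([0-9a-f]+)", line):
            out["fault_addr"] = int(m.group(1), 16)
        elif m := re.match(r"EIP is at ([\w.]+)\+0x", line):
            out["fault_fn"] = m.group(1)
        elif m := re.match(r"Process (\S+) \(pid: (\d+)", line):
            out["process"], out["pid"] = m.group(1), int(m.group(2))
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace:
            if not (m := FRAME.match(line)):
                break  # separator line or next section ends the trace
            # Frames without a [module] tag are labelled "vmlinux" (this example's label).
            out["frames"].append((m.group(1), m.group(2) or "vmlinux"))
    return out

def module_path(frames):
    """Owning modules in call order (innermost first), consecutive repeats collapsed."""
    path = []
    for _, mod in frames:
        if not path or path[-1] != mod:
            path.append(mod)
    return path

if __name__ == "__main__":
    info = parse_oops(SAMPLE)
    print(info["fault_fn"], info["process"], module_path(info["frames"]))
```
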
Reply-To: matthew@wil.cx

On Sun, Aug 26, 2007 at 12:52:07AM -0700, Andrew Morton wrote:

> On Sat, 25 Aug 2007 09:47:40 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote:
> > Problem Description: I got this error message:
> > BUG: unable to handle kernel NULL pointer dereference at virtual address
> > 00000000
> > in dmesg output when connecting a USB device. Turning off
> > CONFIG_SCSI_SCAN_ASYNC fixed the problem. Apparently there is a bug in SCSI
> > core code.

I don't think SCSI_SCAN_ASYNC is the problem. It's probably a coincidence. SCSI_SCAN_ASYNC doesn't touch the call-path reported in the backtrace.

In any case, if it is SCSI_SCAN_ASYNC-related, there's an outstanding patch to fix the locking, which is slated for inclusion in 2.6.24.

http://git.kernel.org/?p=linux/kernel/git/jejb/scsi-misc-2.6.git;a=commit;h=a93a091df8232fad60867d41fbc3be855a0b78f2
On Sun, 26 Aug 2007, Matthew Wilcox wrote:

> On Sun, Aug 26, 2007 at 12:52:07AM -0700, Andrew Morton wrote:
> > On Sat, 25 Aug 2007 09:47:40 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote:
> > > Problem Description: I got this error message:
> > > BUG: unable to handle kernel NULL pointer dereference at virtual address
> > > 00000000
> > > in dmesg output when connecting a USB device. Turning off
> > > CONFIG_SCSI_SCAN_ASYNC fixed the problem. Apparently there is a bug in SCSI
> > > core code.
>
> I don't think SCSI_SCAN_ASYNC is the problem. It's probably a
> coincidence. SCSI_SCAN_ASYNC doesn't touch the call-path reported in
> the backtrace.

It's not a coincidence. The oops occurred because of the way the async scanning routine registers new devices. See the explanation and discussion in this thread:

http://marc.info/?l=linux-scsi&m=118650567017151&w=2

> In any case, if it is SCSI_SCAN_ASYNC-related, there's an outstanding
> patch to fix the locking, which is slated for inclusion in 2.6.24.
>
> http://git.kernel.org/?p=linux/kernel/git/jejb/scsi-misc-2.6.git;a=commit;h=a93a091df8232fad60867d41fbc3be855a0b78f2

I have seen exactly this same problem, and it also shows up in Bugzilla entries #8840 and #8846. The patch mentioned above did fix it.

I thought (and still do think!) that the patch should go into 2.6.23 and 2.6.22-stable. Why wait for 2.6.24 for a serious bugfix?

Alan Stern
The patch is in the tree now, closing the bug.