v2.6.36-rc8..v2.6.36 regression on NULL pointer deference at disk_replace_part_tbl+0x32

v2.6.36-rc8..v2.6.36 regression on NULL pointer deference at disk_replace_part_tbl+0x32

[Luis R. Rodriguez]

I've filled out a bug report for a regression when I enable USB tether
on my Nexus One when hooked up to my laptop. I get a NULL pointer
dereference. This is a regression between v2.6.36-rc8 and v2.6.36. I
will bisect when I get a chance.

Bug entry:

https://bugzilla.kernel.org/show_bug.cgi?id=21372

Trace:

input: TPPS/2 IBM TrackPoint as
/devices/platform/i8042/serio1/serio2/input/input7
usb 1-3: USB disconnect, address 4
BUG: unable to handle kernel NULL pointer dereference at 00000000000003a0
IP: [<ffffffff812aec32>] disk_replace_part_tbl+0x32/0x80
PGD 0
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
last sysfs file: /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
CPU 0
Modules linked in: <etc>
Pid: 22, comm: khubd Not tainted 2.6.36-wl+ #13 6460DWU/6460DWU
RIP: 0010:[<ffffffff812aec32>]  [<ffffffff812aec32>]
disk_replace_part_tbl+0x32/0x80
RSP: 0018:ffff88003b921990  EFLAGS: 00010282
RAX: ffffea0000cd0708 RBX: ffff880038a0cee0 RCX: ffff88003d001490
RDX: ffffea0000cb5c40 RSI: 0000000000000000 RDI: ffff880039f61df8
RBP: ffff88003b9219a0 R08: 0000000000000000 R09: ffff88003a1a58a8
R10: dead000000100100 R11: 0000000000000228 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8800388f6e98 R15: 0000000000000293
FS:  0000000000000000(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000000003a0 CR3: 0000000001a24000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process khubd (pid: 22, threadinfo ffff88003b920000, task ffff88003b918000)
Stack:
 ffff880039f61df8 ffffffff81a67a60 ffff88003b9219c0 ffffffff812aed08
<0> ffff88003b9219c0 0000000000000000 ffff88003b9219e0 ffffffff813833f7
<0> 0000000000000086 ffff880039f61e68 ffff88003b921a10 ffffffff812bcd87
Call Trace:

 [<ffffffff812aed08>] disk_release+0x28/0x50
 [<ffffffff813833f7>] device_release+0x27/0xa0
 [<ffffffff812bcd87>] kobject_release+0x47/0x90
 [<ffffffff812bcd40>] ? kobject_release+0x0/0x90
 [<ffffffff812be1e7>] kref_put+0x37/0x70
 [<ffffffff812bcc47>] kobject_put+0x27/0x60
 [<ffffffff812bcd40>] ? kobject_release+0x0/0x90
 [<ffffffff812aed47>] put_disk+0x17/0x20
 [<ffffffff813c3c37>] sg_device_destroy+0x67/0xa0
 [<ffffffff813c3bd0>] ? sg_device_destroy+0x0/0xa0
 [<ffffffff812be1e7>] kref_put+0x37/0x70
 [<ffffffff813c3b9e>] sg_remove+0xfe/0x130
 [<ffffffff81383d51>] device_del+0xc1/0x1d0
 [<ffffffff81383e76>] device_unregister+0x16/0x30
 [<ffffffff813b6e95>] __scsi_remove_device+0xa5/0xc0
 [<ffffffff813b322c>] scsi_forget_host+0x5c/0x80
 [<ffffffff813aab1f>] scsi_remove_host+0x6f/0x120
 [<ffffffffa004c46b>] quiesce_and_remove_host+0x6b/0xc0 [usb_storage]
 [<ffffffffa004c592>] usb_stor_disconnect+0x22/0x40 [usb_storage]
 [<ffffffff8140934a>] usb_unbind_interface+0x5a/0x1a0
 [<ffffffff81387055>] __device_release_driver+0x75/0xe0
 [<ffffffff813871bd>] device_release_driver+0x2d/0x40
 [<ffffffff8138617e>] bus_remove_device+0xae/0xf0
 [<ffffffff81383db7>] device_del+0x127/0x1d0
 [<ffffffff81405be0>] usb_disable_device+0x70/0x130
 [<ffffffff813fee13>] usb_disconnect+0x93/0x130
 [<ffffffff814004e7>] hub_thread+0x487/0x1230
 [<ffffffff8105a5fb>] ? dequeue_task_fair+0x8b/0x90
 [<ffffffff81082900>] ? autoremove_wake_function+0x0/0x40
 [<ffffffff81400060>] ? hub_thread+0x0/0x1230
 [<ffffffff810823a6>] kthread+0x96/0xa0
 [<ffffffff8100bea4>] kernel_thread_helper+0x4/0x10
 [<ffffffff81082310>] ? kthread+0x0/0xa0
 [<ffffffff8100bea0>] ? kernel_thread_helper+0x0/0x10
Code: 10 48 89 1c 24 4c 89 64 24 08 0f 1f 44 00 00 48 8b 5f 38 4c 8b a7 00 03
00 00 48 85 db 48 89 77 38 74 42 48 c7 43 18 00 00 00 00 <49> 8b bc 24 a0 03 00
00 e8 61 58 2c 00 4c 89 e7 e8 89 2e ff ff
RIP  [<ffffffff812aec32>] disk_replace_part_tbl+0x32/0x80
 RSP <ffff88003b921990>
CR2: 00000000000003a0
---[ end trace 4704f0507cd6c869 ]---

Re: v2.6.36-rc8..v2.6.36 regression on NULL pointer deference at disk_replace_part_tbl+0x32

[Greg KH]

On Thu, Oct 28, 2010 at 10:25:17AM -0700, Luis R. Rodriguez wrote:
> I've filled out a bug report for a regression when I enable USB tether
> on my Nexus One when hooked up to my laptop. I get a NULL pointer
> dereference. This is a regression between v2.6.36-rc8 and v2.6.36. I
> will bisect when I get a chance.

I don't see any usb-storage changes between those two releases, so
perhaps this is a scsi issue?

bisection would be great to have.

thanks,

greg k-h

Re: v2.6.36-rc8..v2.6.36 regression on NULL pointer deference at disk_replace_part_tbl+0x32

[Luis R. Rodriguez]

On Thu, Oct 28, 2010 at 10:25 AM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> I've filled out a bug report for a regression when I enable USB tether
> on my Nexus One when hooked up to my laptop. I get a NULL pointer
> dereference. This is a regression between v2.6.36-rc8 and v2.6.36. I
> will bisect when I get a chance.

<etc>

> https://bugzilla.kernel.org/show_bug.cgi?id=21372

<etc>

> BUG: unable to handle kernel NULL pointer dereference at 00000000000003a0

> Pid: 22, comm: khubd Not tainted 2.6.36-wl+ #13 6460DWU/6460DWU
> RIP: 0010:[<ffffffff812aec32>]  [<ffffffff812aec32>] disk_replace_part_tbl+0x32/0x80

<etc>

> Call Trace:
>
>  [<ffffffff812aed08>] disk_release+0x28/0x50
>  [<ffffffff813833f7>] device_release+0x27/0xa0
>  [<ffffffff812bcd87>] kobject_release+0x47/0x90
>  [<ffffffff812bcd40>] ? kobject_release+0x0/0x90
>  [<ffffffff812be1e7>] kref_put+0x37/0x70
>  [<ffffffff812bcc47>] kobject_put+0x27/0x60
>  [<ffffffff812bcd40>] ? kobject_release+0x0/0x90
>  [<ffffffff812aed47>] put_disk+0x17/0x20
>  [<ffffffff813c3c37>] sg_device_destroy+0x67/0xa0
>  [<ffffffff813c3bd0>] ? sg_device_destroy+0x0/0xa0
>  [<ffffffff812be1e7>] kref_put+0x37/0x70
>  [<ffffffff813c3b9e>] sg_remove+0xfe/0x130
>  [<ffffffff81383d51>] device_del+0xc1/0x1d0
>  [<ffffffff81383e76>] device_unregister+0x16/0x30
>  [<ffffffff813b6e95>] __scsi_remove_device+0xa5/0xc0
>  [<ffffffff813b322c>] scsi_forget_host+0x5c/0x80
>  [<ffffffff813aab1f>] scsi_remove_host+0x6f/0x120
>  [<ffffffffa004c46b>] quiesce_and_remove_host+0x6b/0xc0 [usb_storage]
>  [<ffffffffa004c592>] usb_stor_disconnect+0x22/0x40 [usb_storage]

Odd, I get 0 results with a:

git log v2.6.36-rc8..v2.6.36 scsiglue.c protocol.c transport.c usb.c
initializers.c sierra_ms.c option_ms.c

So the issue must be elsewhere unless there was a subsystem change
that triggered a new issue on usb-storage.

  Luis

Re: v2.6.36-rc8..v2.6.36 regression on NULL pointer deference at disk_replace_part_tbl+0x32

[Luis R. Rodriguez]

On Thu, Oct 28, 2010 at 10:37 AM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> On Thu, Oct 28, 2010 at 10:25 AM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
>> I've filled out a bug report for a regression when I enable USB tether
>> on my Nexus One when hooked up to my laptop. I get a NULL pointer
>> dereference. This is a regression between v2.6.36-rc8 and v2.6.36. I
>> will bisect when I get a chance.
>
> <etc>
>
>> https://bugzilla.kernel.org/show_bug.cgi?id=21372
>
> <etc>
>
>> BUG: unable to handle kernel NULL pointer dereference at 00000000000003a0
>
>> Pid: 22, comm: khubd Not tainted 2.6.36-wl+ #13 6460DWU/6460DWU
>> RIP: 0010:[<ffffffff812aec32>]  [<ffffffff812aec32>] disk_replace_part_tbl+0x32/0x80
>
> <etc>
>
>> Call Trace:
>>
>>  [<ffffffff812aed08>] disk_release+0x28/0x50
>>  [<ffffffff813833f7>] device_release+0x27/0xa0
>>  [<ffffffff812bcd87>] kobject_release+0x47/0x90
>>  [<ffffffff812bcd40>] ? kobject_release+0x0/0x90
>>  [<ffffffff812be1e7>] kref_put+0x37/0x70
>>  [<ffffffff812bcc47>] kobject_put+0x27/0x60
>>  [<ffffffff812bcd40>] ? kobject_release+0x0/0x90
>>  [<ffffffff812aed47>] put_disk+0x17/0x20
>>  [<ffffffff813c3c37>] sg_device_destroy+0x67/0xa0
>>  [<ffffffff813c3bd0>] ? sg_device_destroy+0x0/0xa0
>>  [<ffffffff812be1e7>] kref_put+0x37/0x70
>>  [<ffffffff813c3b9e>] sg_remove+0xfe/0x130
>>  [<ffffffff81383d51>] device_del+0xc1/0x1d0
>>  [<ffffffff81383e76>] device_unregister+0x16/0x30
>>  [<ffffffff813b6e95>] __scsi_remove_device+0xa5/0xc0
>>  [<ffffffff813b322c>] scsi_forget_host+0x5c/0x80
>>  [<ffffffff813aab1f>] scsi_remove_host+0x6f/0x120
>>  [<ffffffffa004c46b>] quiesce_and_remove_host+0x6b/0xc0 [usb_storage]
>>  [<ffffffffa004c592>] usb_stor_disconnect+0x22/0x40 [usb_storage]
>
> Odd, I get 0 results with a:
>
> git log v2.6.36-rc8..v2.6.36 scsiglue.c protocol.c transport.c usb.c
> initializers.c sierra_ms.c option_ms.c
>
> So the issue must be elsewhere unless there was a subsystem change
> that triggered a new issue on usb-storage.

mcgrof@tux ~/linux-2.6-allstable (git::rel-2.6.36)$ git log
v2.6.36-rc8..v2.6.36 block/genhd.c

Nothing eitrher:

http://lxr.linux.no/linux+v2.6.32/block/genhd.c#L930

Hrm..

mcgrof@tux ~/wireless-testing (git::stuff2)$ gdb vmlinux
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/mcgrof/wireless-testing/vmlinux...done.
(gdb) l *(disk_replace_part_tbl+0x32)
0xffffffff812aec32 is in disk_replace_part_tbl (include/linux/spinlock.h:310).
305		raw_spin_lock_nest_lock(spinlock_check(lock), nest_lock);	\
306	} while (0)
307	
308	static inline void spin_lock_irq(spinlock_t *lock)
309	{
310		raw_spin_lock_irq(&lock->rlock);
311	}
312	
313	#define spin_lock_irqsave(lock, flags)				\
314	do {	

So that spinlock causes the null pointer dereference somehow.

  Luis

Re: v2.6.36-rc8..v2.6.36 regression on NULL pointer deference at disk_replace_part_tbl+0x32

[Alan Stern]

On Thu, 28 Oct 2010, Luis R. Rodriguez wrote:

> On Thu, Oct 28, 2010 at 10:25 AM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> > I've filled out a bug report for a regression when I enable USB tether
> > on my Nexus One when hooked up to my laptop. I get a NULL pointer
> > dereference. This is a regression between v2.6.36-rc8 and v2.6.36. I
> > will bisect when I get a chance.

> Odd, I get 0 results with a:
> 
> git log v2.6.36-rc8..v2.6.36 scsiglue.c protocol.c transport.c usb.c
> initializers.c sierra_ms.c option_ms.c
> 
> So the issue must be elsewhere unless there was a subsystem change
> that triggered a new issue on usb-storage.

What makes you think this bug has anything at all to do with 
usb-storage?  The fact that you saw it with a USB drive has very little 
to do with anything.

With a problem like this, which crosses so many subsystem boundaries 
(USB, storage, SCSI, block), you shouldn't make any assumptions.  Just 
do a complete bisection.

Alan Stern