Kernel Oops when plugging in Archos USB device

Bug #204922 reported by Stef Walter on 2008-03-22
Affects: linux (Ubuntu)
Importance: Medium
Assigned to: Tim Gardner

Bug Description

On Hardy when plugging in my Archos Jukebox 6000 USB device the kernel does an oops and the device. It previously showed up as a drive on my desktop. The Archos Jukebox uses the ISD 200 chipset for its USB functionality.

[ 25.609279] ieee1394: Host added: ID:BUS[0-00:1023] GUID[374fc00034a430c1]
[ 29.772630] usb-storage: device scan complete
[ 29.772738] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 29.772745] printing eip: f097e8b2 *pde = 00000000
[ 29.772751] Oops: 0000 [#1] SMP
[ 29.772755] Modules linked in: ext3 jbd mbcache sg usb_storage sr_mod libusual sd_mod cdrom pata_acpi ohci1394 ieee1394 b44 mii ata_piix ssb ata_generic libata scsi_mod ehci_hcd uhci_hcd usbcore thermal processor fan fbcon tileblit font bitblit softcursor fuse
[ 29.772781]
[ 29.772784] Pid: 2333, comm: usb-storage Not tainted (2.6.24-12-generic #1)
[ 29.772787] EIP: 0060:[<f097e8b2>] EFLAGS: 00010216 CPU: 0
[ 29.772799] EIP is at usb_stor_access_xfer_buf+0xd2/0x210 [usb_storage]
[ 29.772802] EAX: edc2ff3c EBX: 0000003c ECX: 00000000 EDX: c15c7940
[ 29.772804] ESI: dfa8c424 EDI: 00000024 EBP: 00000000 ESP: edc2ff04
[ 29.772807] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 29.772810] Process usb-storage (pid: 2333, ti=edc2e000 task=edc90b40 task.ti=edc2e000)
[ 29.772813] Stack: 00000060 dfa8c400 00000024 c15c7940 00000024 00000060 df806d80 edc2ff78
[ 29.772821] dfa8c400 f097ea2d edc2ff38 edc2ff3c 00000000 00000000 00000000 dfa8c800
[ 29.772829] df878c00 f0985603 00000292 df878f30 edc90b40 edc2ff68 df878e78 df806d80
[ 29.772837] Call Trace:
[ 29.772842] [<f097ea2d>] usb_stor_set_xfer_buf+0x3d/0x60 [usb_storage]
[ 29.772853] [<f0985603>] isd200_ata_command+0x1b3/0x650 [usb_storage]
[ 29.772865] [<c0318f10>] __down_interruptible+0x110/0x140
[ 29.772875] [<f097ff30>] usb_stor_control_thread+0x0/0x1f0 [usb_storage]
[ 29.772885] [<f09800c8>] usb_stor_control_thread+0x198/0x1f0 [usb_storage]
[ 29.772896] [<c0124a30>] complete+0x40/0x60
[ 29.772904] [<f097ff30>] usb_stor_control_thread+0x0/0x1f0 [usb_storage]
[ 29.772912] [<c01418c2>] kthread+0x42/0x70
[ 29.772918] [<c0141880>] kthread+0x0/0x70
[ 29.772922] [<c0106677>] kernel_thread_helper+0x7/0x10
[ 29.772929] =======================
[ 29.772931] Code: 24 08 83 c4 14 5b 5e 5f 5d c3 8b 7c 24 2c 8d 04 13 85 db 89 07 75 41 8b 44 24 08 39 04 24 76 d8 8b 44 24 2c 8b 1c 24 2b 5c 24 08 <8b> 4d 00 8b 10 8b 45 0c 8b 75 04 29 d0 39 d8 77 ce 8b 5c 24 2c
[ 29.772975] EIP: [<f097e8b2>] usb_stor_access_xfer_buf+0xd2/0x210 [usb_storage] SS:ESP 0068:edc2ff04
[ 29.772986] ---[ end trace 360fc2e2283e921e ]---
[ 32.454795] usb 1-1: USB disconnect, address 3

Kernel discussion and patches that seem to be applicable:

http://<email address hidden>/msg00952.html
http://<email address hidden>/msg00965.html

Hi Stef,

It seems like patches were merged upstream for this. I'm including the upstream git commit IDs and descriptions:

commit 7084191d53b224b953c8e1db525ea6c31aca5fc7
Author: Alan Stern <email address hidden>
Date: Wed Feb 20 14:15:58 2008 -0500

    USB: usb-storage: don't access beyond the end of the sg buffer

    This patch (as1035) fixes a bug in usb_stor_access_xfer_buf() (the bug
    was originally found by Boaz Harrosh): The routine must not attempt to
    write beyond the end of a scatter-gather list or beyond the number of
    bytes requested. It also fixes up the formatting of a few comments
    and similar whitespace issues.

    Signed-off-by: Alan Stern <email address hidden>
    Signed-off-by: Greg Kroah-Hartman <email address hidden>

and

commit 6d512a80c26d87f8599057c86dc920fbfe0aa3aa
Author: Alan Stern <email address hidden>
Date: Fri Feb 22 17:00:06 2008 -0500

    usb-storage: update earlier scatter-gather bug fix

    This patch (as1037) makes a small update to the earlier as1035 patch.
    The minimum-length computation shouldn't be done in
    usb_stor_access_xfer_buf(), since that routine can be called multiple
    times for a single transfer. It should be done in
    usb_stor_set_xfer_buf() instead, which gets called only once.

    The way it is now isn't really _wrong_, but it isn't really _right_
    either. Moving the statement will be an improvement.

    Signed-off-by: Alan Stern <email address hidden>
    Signed-off-by: Greg Kroah-Hartman <email address hidden>

However, please note that we're currently in Beta freeze for Hardy so these may not get in. If this is the case, they should automatically be available in the Intrepid Ibex release as the kernel will be rebased with mainline. Thanks.
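
The defect the two commits above describe is a copy loop that kept walking a scatter-gather list past its last entry (hence the NULL dereference in usb_stor_access_xfer_buf seen in the oops) and past the byte count the SCSI command asked for. The following is an added illustration written for this page, not the kernel's code or Alan Stern's patches: sg_seg, xfer, access_xfer_buf, set_xfer_buf and run_case are hypothetical stand-ins for struct scatterlist, the scsi_cmnd fields, usb_stor_access_xfer_buf and usb_stor_set_xfer_buf, and the sample buffers are constructed. It shows the two bounds the fix enforces and, following the second commit, places the requested-length clamp in the once-per-transfer entry point rather than in the routine that may run several times per transfer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct scatterlist: one contiguous segment. */
struct sg_seg {
    uint8_t *buf;
    size_t   len;
};

/* Hypothetical stand-in for the per-command state the driver carries. */
struct xfer {
    struct sg_seg *sg;        /* scatter-gather list */
    unsigned       nsg;       /* number of entries in the list */
    size_t         requested; /* bytes the SCSI command asked for */
    unsigned       index;     /* current sg entry, carried across calls */
    size_t         offset;    /* offset within that entry */
};

/* Copy up to buflen bytes from src into the sg list, resuming at
 * x->index / x->offset. Returns the number of bytes actually copied.
 * The loop condition is the first bound from the fix: stop at the end of
 * the list instead of stepping onto a non-existent next entry. */
size_t access_xfer_buf(const uint8_t *src, size_t buflen, struct xfer *x)
{
    size_t copied = 0;

    while (copied < buflen && x->index < x->nsg) {
        struct sg_seg *seg = &x->sg[x->index];
        size_t room = seg->len - x->offset;  /* space left in this entry */
        size_t n = buflen - copied;
        if (n > room)
            n = room;
        memcpy(seg->buf + x->offset, src + copied, n);
        copied += n;
        x->offset += n;
        if (x->offset >= seg->len) {         /* entry full: advance */
            x->index++;
            x->offset = 0;
        }
    }
    return copied;
}

/* Called once per transfer. The second bound lives here, as the follow-up
 * commit argues: never push more bytes than the command requested, however
 * large the driver's own buffer is. */
size_t set_xfer_buf(const uint8_t *src, size_t buflen, struct xfer *x)
{
    if (buflen > x->requested)
        buflen = x->requested;
    x->index = 0;
    x->offset = 0;
    return access_xfer_buf(src, buflen, x);
}

/* Constructed scenario: an 8-byte sg list (two 4-byte entries) receiving
 * the first src_len bytes of a 16-byte source for a command that requested
 * `requested` bytes. Fills out[] and returns the bytes copied. */
size_t run_case(size_t requested, size_t src_len, uint8_t out[8])
{
    uint8_t src[16];
    struct sg_seg segs[2] = { { out, 4 }, { out + 4, 4 } };
    struct xfer x = { segs, 2, requested, 0, 0 };

    for (int i = 0; i < 16; i++)
        src[i] = (uint8_t)(0xA0 + i);
    memset(out, 0, 8);
    return set_xfer_buf(src, src_len, &x);
}

int main(void)
{
    uint8_t out[8];

    /* Command asked for 6 bytes; driver offers 16: only 6 land. */
    printf("requested 6, offered 16: copied %zu\n", run_case(6, 16, out));
    /* Command asked for 32 but the list holds 8: copy stops at the list end. */
    printf("requested 32, offered 16: copied %zu\n", run_case(32, 16, out));
    return 0;
}
```

The second case is the one that oopsed: without the index check the loop would have dereferenced an entry beyond the end of the list instead of returning 8.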

Changed in linux:
assignee: nobody → ubuntu-kernel-team
importance: Undecided → Medium
status: New → Triaged
Tim Gardner (timg-tpi) wrote :
Changed in linux:
assignee: ubuntu-kernel-team → timg-tpi
milestone: none → ubuntu-8.04
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-15.27

---------------
linux (2.6.24-15.27) hardy; urgency=low

  [Alan Stern]

  * usb-storage: don't access beyond the end of the sg buffer
    - LP: #204922

  [Mario Limonciello]

  * Enable Reset and SCO workaround on Dell 410 BT adapter

  [Tim Gardner]

  * Enable CONFIG_E1000 in the i386 virtual image.
    - LP: #205646

  [Thomas Gleixner]

  * x86: tsc prevent time going backwards

  [Matthew Garrett]

  * Fix framebuffer fonts on non-x86 platforms

 -- Tim Gardner <email address hidden> Fri, 04 Apr 2008 08:14:49 -0600

Changed in linux:
status: Fix Committed → Fix Released
Stef Walter (stefw) wrote :

This is now working properly. Thanks!
