Hello! Disconnect handling in the USB scanner driver is buggy. This can be reproduced by unplugging the scanner while it is used by e.g. xsane (the complete oops report is below).
Also there are several more problems:
- The check for free minor number availability is wrong (it reads past the end of p_scn_table).
- kmalloc error handling in probe_scanner() does not unlink the IRQ URB submitted previously.
The attached patch fixes these problems.
=======================================================================
ksymoops 2.4.7 on i686 2.4.21rel-std-up-alt1.vsu3. Options used
-V (default)
-k /proc/ksyms (default)
-l /proc/modules (default)
-o /lib/modules/2.4.21rel-std-up-alt1.vsu3/ (default)
-m /boot/System.map-2.4.21rel-std-up-alt1.vsu3 (default)
Warning: You did not tell me where to find symbol information. I will
assume that the log matches the kernel and modules that are running
right now and I'll use the default options above for symbol resolution.
If the current kernel and/or modules do not match the log, you can get
more accurate output by telling me the kernel version and where to find
map, modules, ksyms etc. ksymoops -h explains the options.
Warning (compare_ksyms_lsmod): module reiserfs is in lsmod but not in ksyms, probably
no symbols exported
ACPI: LAPIC_NMI (acpi_id[0x00] polarity[0x1] trigger[0x1] lint[0x1])
cpu: 0, clocks: 2000158, slice: 1000079
Unable to handle kernel NULL pointer dereference at virtual address 00000000
c0118a0b
*pde = 00000000
Oops: 0002
CPU: 0
EIP: 0010:[<c0118a0b>] Not tainted
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00210002
eax: dd6ca948 ebx: 00000000 ecx: c359df08 edx: c359df00
esi: 00200202 edi: bfffe2f0 ebp: d5e100a0 esp: c359def4
ds: 0018 es: 0018 ss: 0018
Process xsane (pid: 3971, stackpage=c359d000)
Stack: dd6ca940 c359c000 c010768b 00000001 c359c000 dd6ca948 00000000 db84f420
bfffe2f0 c01077f0 dd6ca940 c0085522 dd6ca8c0 e4e19ea6 ffffffe7 dd6ca8c0
c02ac280 c02ac000 c02ac000 dbb00840 c02adfcc c0117781 c359df70 dfd9bba0
Call Trace: [<c010768b>] [<c01077f0>] [<e4e19ea6>] [<c0117781>] [<c0122112>]
[<c0144e37>] [<c0108913>]
Code: 89 0b 56 9d 5b 5e c3 8d b4 26 00 00 00 00 8d bc 27 00 00 00
>>EIP; c0118a0b <add_wait_queue_exclusive+1b/30> <=====
>>eax; dd6ca948 <_end+1d3c4838/205def50>
>>ecx; c359df08 <_end+3297df8/205def50>
>>edx; c359df00 <_end+3297df0/205def50>
>>ebp; d5e100a0 <_end+15b09f90/205def50>
>>esp; c359def4 <_end+3297de4/205def50>
Trace; c010768b <__down+3b/a0>
Trace; c01077f0 <__down_failed+8/c>
Trace; e4e19ea6 <[scanner].text.lock.scanner+91/e5>
Trace; c0117781 <schedule+231/260>
Trace; c0122112 <schedule_timeout+82/a0>
Trace; c0144e37 <sys_ioctl+247/260>
Trace; c0108913 <system_call+33/40>
Code; c0118a0b <add_wait_queue_exclusive+1b/30>
00000000 <_EIP>:
Code; c0118a0b <add_wait_queue_exclusive+1b/30> <=====
0: 89 0b mov %ecx,(%ebx) <=====
Code; c0118a0d <add_wait_queue_exclusive+1d/30>
2: 56 push %esi
Code; c0118a0e <add_wait_queue_exclusive+1e/30>
3: 9d popf
Code; c0118a0f <add_wait_queue_exclusive+1f/30>
4: 5b pop %ebx
Code; c0118a10 <add_wait_queue_exclusive+20/30>
5: 5e pop %esi
Code; c0118a11 <add_wait_queue_exclusive+21/30>
6: c3 ret
Code; c0118a12 <add_wait_queue_exclusive+22/30>
7: 8d b4 26 00 00 00 00 lea 0x0(%esi,1),%esi
Code; c0118a19 <add_wait_queue_exclusive+29/30>
e: 8d bc 27 00 00 00 00 lea 0x0(%edi,1),%edi
2 warnings issued. Results may not be reliable.
--
Sergey Vlasov
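Added example, not part of the report or of the scanner driver itself: a userspace C model of two of the lifetime problems described above, the minor-number table scan that reads one element past the end of the table when every minor is taken, and disconnect of a device that a process (xsane in the oops) still holds open. All names here (SCN_MAX_MNR, p_scn_table, scn_usb_data, the isopen/present flags, the probe/open/ioctl/release/disconnect entry points) are assumptions modelled loosely on the 2.4 driver's structure, not its actual code, and the "buggy" scan is kept as a comment because executing it is undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed constants and types, modelled on the 2.4 USB scanner driver. */
#define SCN_MAX_MNR 16

struct scn_usb_data {
    int minor;
    int isopen;   /* a process holds the device node open */
    int present;  /* hardware is still attached */
};

static struct scn_usb_data *p_scn_table[SCN_MAX_MNR];

/* Buggy form (assumed shape of the bug the report describes), kept as a
 * comment: when all minors are taken the loop ends with m == SCN_MAX_MNR,
 * and the test after it reads p_scn_table[SCN_MAX_MNR], one past the end.
 *
 *   for (m = 0; m < SCN_MAX_MNR; m++)
 *       if (!p_scn_table[m]) break;
 *   if (p_scn_table[m])            // m may equal SCN_MAX_MNR here
 *       return -1;
 */
int find_free_minor(void)
{
    for (int m = 0; m < SCN_MAX_MNR; m++)
        if (!p_scn_table[m])
            return m;
    return -1;  /* table full: reported without touching p_scn_table[SCN_MAX_MNR] */
}

int minor_claimed(int m)
{
    return m >= 0 && m < SCN_MAX_MNR && p_scn_table[m] != NULL;
}

struct scn_usb_data *scanner_probe(void)
{
    int m = find_free_minor();
    if (m < 0)
        return NULL;
    struct scn_usb_data *scn = calloc(1, sizeof *scn);
    if (!scn)
        return NULL;
    scn->minor = m;
    scn->present = 1;
    p_scn_table[m] = scn;
    return scn;
}

static void scanner_free(struct scn_usb_data *scn)
{
    p_scn_table[scn->minor] = NULL;
    free(scn);
}

int scanner_open(struct scn_usb_data *scn)
{
    if (!scn->present)
        return -1;  /* device already gone: refuse (ENODEV) */
    scn->isopen = 1;
    return 0;
}

/* Every operation on an open handle re-checks that the hardware is present,
 * so a disconnected device fails cleanly instead of using freed state. */
int scanner_ioctl(struct scn_usb_data *scn)
{
    return scn->present ? 0 : -1;
}

/* Disconnect while a handle is open only marks the device gone; the memory
 * (and the table slot) is released by the last release(). */
void scanner_disconnect(struct scn_usb_data *scn)
{
    scn->present = 0;
    if (!scn->isopen)
        scanner_free(scn);
}

void scanner_release(struct scn_usb_data *scn)
{
    scn->isopen = 0;
    if (!scn->present)
        scanner_free(scn);
}

/* Test helper: drop every entry so runs start from an empty table. */
void scn_table_reset(void)
{
    for (int m = 0; m < SCN_MAX_MNR; m++)
        if (p_scn_table[m])
            scanner_free(p_scn_table[m]);
}

int main(void)
{
    struct scn_usb_data *s = scanner_probe();
    scanner_open(s);
    scanner_disconnect(s);
    printf("ioctl after disconnect: %d (slot still claimed: %d)\n",
           scanner_ioctl(s), minor_claimed(0));
    scanner_release(s);
    printf("slot claimed after release: %d\n", minor_claimed(0));
    scn_table_reset();
    return 0;
}
```

The deferred-free ordering is the defender's point: whichever of release() and disconnect() runs last tears the object down, so the process blocked in the driver never dereferences memory that disconnect already freed.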
[Attachment: 80_02-scanner-fix-alt.patch]
