Bug 1250279

Summary: BUG: unable to handle kernel NULL pointer dereference at....hidinput_disconnect
Product: [Fedora] Fedora
Reporter: Robin Lee <robinlee.sysu>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: gansalmon, hongjiu.lu, itamar, jonathan, kernel-maint, labbott, madhu.chinakonda, mchehab
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: kernel-4.1.5-100.fc21
Doc Type: Bug Fix
Last Closed: 2015-08-19 08:04:01 UTC
Type: Bug
Attachments:
Full call trace (flags: none)
maybe fix (flags: none)

Description Robin Lee 2015-08-05 01:17:32 UTC
Description of problem:
I have a USB Bluetooth adapter and have a Bluetooth keyboard connected. After about half an hour of inactivity, the machine is not responsive to mouse and keyboard input; only SysRq is responsive.
After cold rebooting, I found a call trace in the journal.

Aug 04 19:06:56 localhost.localdomain kernel: BUG: unable to handle kernel NULL pointer dereference at           (null)
Aug 04 19:06:56 localhost.localdomain kernel: IP: [<ffffffff81640a6e>] hidinput_disconnect+0x2e/0xb0
Aug 04 19:06:56 localhost.localdomain kernel: PGD 0 
Aug 04 19:06:56 localhost.localdomain kernel: Oops: 0000 [#1] SMP 
Aug 04 19:06:56 localhost.localdomain kernel: Modules linked in: joydev hid_lenovo hidp cmac rfcomm bnep intel_rapl ios
Aug 04 19:06:56 localhost.localdomain kernel: CPU: 1 PID: 1927 Comm: khidpd_17ef6048 Tainted: G           OE   4.1.3-20
Aug 04 19:06:56 localhost.localdomain kernel: Hardware name: LENOVO YangTianT4900v-00/ , BIOS FCKT58AUS 09/17/2014
Aug 04 19:06:56 localhost.localdomain kernel: task: ffff8801148fc520 ti: ffff8800a4890000 task.ti: ffff8800a4890000
Aug 04 19:06:56 localhost.localdomain kernel: RIP: 0010:[<ffffffff81640a6e>]  [<ffffffff81640a6e>] hidinput_disconnect+
Aug 04 19:06:56 localhost.localdomain kernel: RSP: 0018:ffff8800a4893be8  EFLAGS: 00010292
Aug 04 19:06:56 localhost.localdomain kernel: RAX: 0000000000000000 RBX: ffff8800c0c2e000 RCX: 000000010080002b
Aug 04 19:06:56 localhost.localdomain kernel: RDX: 000000010080002c RSI: ffffea0002df7300 RDI: 0000000040000000
Aug 04 19:06:56 localhost.localdomain kernel: RBP: ffff8800a4893c08 R08: 00000000b7dcc801 R09: 000000010080002b
Aug 04 19:06:56 localhost.localdomain kernel: R10: ffff8800b7dcc820 R11: 0000000000000000 R12: ffff8800c0c2f8e8
Aug 04 19:06:56 localhost.localdomain kernel: R13: ffff8800c0c2e000 R14: ffff8800c0c2e000 R15: ffff8800c0c2f8d0
Aug 04 19:06:56 localhost.localdomain kernel: FS:  0000000000000000(0000) GS:ffff88011fa80000(0000) knlGS:0000000000000
Aug 04 19:06:56 localhost.localdomain kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Aug 04 19:06:56 localhost.localdomain kernel: CR2: 0000000000000000 CR3: 0000000001c0b000 CR4: 00000000001427e0
Aug 04 19:06:56 localhost.localdomain kernel: Stack:
Aug 04 19:06:56 localhost.localdomain kernel:  ffff8800c0c2e000 ffff8800c0c2f8e8 ffff8800c0c2e000 ffff8800c0c2f8b8
Aug 04 19:06:56 localhost.localdomain kernel:  ffff8800a4893c28 ffffffff8163d760 ffff8800c0c2e000 ffff8800c0c2f8e8
Aug 04 19:06:56 localhost.localdomain kernel:  ffff8800a4893c48 ffffffffa05f44c0 00000000fffffffc ffff8800c0c2f8e8
Aug 04 19:06:56 localhost.localdomain kernel: Call Trace:
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff8163d760>] hid_disconnect+0x80/0x90
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffffa05f44c0>] lenovo_remove+0x40/0xa0 [hid_lenovo]
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff8163d7df>] hid_device_remove+0x6f/0xe0
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff814ec167>] __device_release_driver+0x87/0x120
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff814ec223>] device_release_driver+0x23/0x30
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff814eba98>] bus_remove_device+0x108/0x180
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff814e7c21>] device_del+0x141/0x270
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff8163d8d7>] hid_destroy_device+0x27/0x60
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffffa0548b0b>] hidp_session_remove+0x4b/0xb0 [hidp]
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffffa04dbefb>] l2cap_unregister_user+0x5b/0x70 [bluetooth]
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffffa05484b0>] hidp_session_thread+0x560/0xaf0 [hidp]
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff810ce6f0>] ? wake_up_state+0x20/0x20
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff810ce6f0>] ? wake_up_state+0x20/0x20
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffffa0547f50>] ? hidp_open+0x10/0x10 [hidp]
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff810c0b88>] kthread+0xd8/0xf0
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff810c0ab0>] ? kthread_worker_fn+0x180/0x180
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff817a1e62>] ret_from_fork+0x42/0x70
Aug 04 19:06:56 localhost.localdomain kernel:  [<ffffffff810c0ab0>] ? kthread_worker_fn+0x180/0x180
Aug 04 19:06:56 localhost.localdomain kernel: Code: 00 00 55 48 89 e5 41 56 49 89 fe 41 55 41 54 53 48 8b bf b0 1b 00 0
Aug 04 19:06:56 localhost.localdomain kernel: RIP  [<ffffffff81640a6e>] hidinput_disconnect+0x2e/0xb0
Aug 04 19:06:56 localhost.localdomain kernel:  RSP <ffff8800a4893be8>
Aug 04 19:06:57 localhost.localdomain kernel: CR2: 0000000000000000
Aug 04 19:06:57 localhost.localdomain kernel: ---[ end trace bd9b3cd05a6d4871 ]---

Version-Release number of selected component (if applicable):
kernel-4.1.3-200.fc22.x86_64

How reproducible:
Seems always

Additional info:
The adapter: Bus 001 Device 002: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
The keyboard: ThinkPad Compact Bluetooth Keyboard with TrackPoint

Comment 1 Robin Lee 2015-08-05 01:19:44 UTC
Created attachment 1059290
Full call trace

Comment 2 Robin Lee 2015-08-06 01:44:28 UTC
The issue always occurs when my Bluetooth keyboard is disconnected.

Comment 3 Laura Abbott 2015-08-07 23:44:07 UTC
Created attachment 1060522
maybe fix

Can you test the attached patch? This fixes a known crash that can cause memory corruption.

Comment 4 Robin Lee 2015-08-09 07:38:27 UTC
The patch fixes the crash. Thank you!

Comment 5 Fedora Update System 2015-08-12 00:21:04 UTC
kernel-4.1.5-100.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/kernel-4.1.5-100.fc21

Comment 6 Fedora Update System 2015-08-12 00:23:00 UTC
kernel-4.1.5-200.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/kernel-4.1.5-200.fc22

Comment 7 H.J. Lu 2015-08-12 02:54:04 UTC
*** Bug 1244076 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2015-08-13 16:54:15 UTC
Package kernel-4.1.5-100.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-4.1.5-100.fc21'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13391/kernel-4.1.5-100.fc21
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2015-08-19 08:04:01 UTC
kernel-4.1.5-200.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-08-19 08:11:56 UTC
kernel-4.1.5-100.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.