Bug 746533

Summary: [abrt] kernel: BUG: unable to handle kernel NULL pointer dereference at 00000068: TAINTED G I
Product: [Fedora] Fedora
Component: kernel
Reporter: Michal Ambroz <rebus>
Assignee: Mauro Carvalho Chehab <mchehab>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Version: 16
CC: gansalmon, itamar, jonathan, kernel-maint, lemenkov, lwang, madhu.chinakonda
Target Milestone: ---
Target Release: ---
Keywords: Reopened
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:002fb226508d43f8fda343bea758a4e2857de6c0
Fixed In Version: kernel-3.1.0-1.fc16
Doc Type: Bug Fix
Last Closed: 2011-10-25 03:21:58 UTC

Description Michal Ambroz 2011-10-16 23:25:16 UTC
libreport version: 2.0.6
abrt_version:   2.0.4.981
cmdline:        BOOT_IMAGE=/vmlinuz-3.1.0-0.rc9.git0.0.fc16.i686.PAE root=/dev/mapper/luks-78b30561-ce5e-4fd2-aa00-06c2ef300dd5 ro quiet rhgb SYSFONT=latarcyrheb-sun16 LANG=en_US.UTF-8 KEYTABLE=us
kernel:         undefined
reason:         BUG: unable to handle kernel NULL pointer dereference at 00000068
time:           Mon Oct 17 00:58:35 2011

backtrace:
:BUG: unable to handle kernel NULL pointer dereference at 00000068
:IP: [<faad8a05>] v4l2_device_release+0x9b/0xbf [videodev]
:*pdpt = 0000000000000000 *pde = 0000000075500003 
:Oops: 0000 [#1] SMP 
:Modules linked in: snd_usb_audio snd_usbmidi_lib snd_rawmidi gspca_sonixj gspca_main videodev media ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat xt_CHECKSUM iptable_mangle tun bridge stp llc lockd rfcomm bnep ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack fuse snd_hda_codec_analog virtio_net kvm snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore arc4 iwlagn snd_page_alloc hp_wmi sparse_keymap ppdev mac80211 btusb bluetooth cfg80211 rfkill joydev parport_pc microcode sunrpc serio_raw iTCO_wdt iTCO_vendor_support e1000e parport binfmt_misc tpm_infineon hp_accel lis3lv02d input_polldev uinput xts gf128mul pata_pcmcia dm_crypt yenta_socket firewire_ohci firewire_core crc_itu_t sdhci_pci sdhci mmc_core wmi pata_acpi ata_generic i915 drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: scsi_wait_scan]
:Pid: 22, comm: khubd Tainted: G          I 3.1.0-0.rc9.git0.0.fc16.i686.PAE #1 Hewlett-Packard HP EliteBook 6930p/30DB
:EIP: 0060:[<faad8a05>] EFLAGS: 00010246 CPU: 1
:EIP is at v4l2_device_release+0x9b/0xbf [videodev]
:EAX: 00000000 EBX: eeec7054 ECX: 0040003b EDX: 00000000
:ESI: 00000000 EDI: eeec7000 EBP: f467bd48 ESP: f467bd3c
: DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
:Process khubd (pid: 22, ti=f467a000 task=f453b240 task.ti=f467a000)
:Stack:
: f62be180 eeec705c c0ab0db0 f467bd64 c067e457 c05d111a f467bd7c c05419ba
: f467bd98 eeec7078 f467bd98 c05d10e5 eee0a9a0 ef631810 f0770d5c c05d0fc4
: eed7801c f467bd90 f0a4cc28 f0770d40 eeec7078 c05d0fc4 eed7801c f467bda8
:Call Trace:
: [<c067e457>] device_release+0x3f/0x77
: [<c05d111a>] ? kobject_release+0x156/0x15e
: [<c05419ba>] ? sysfs_addrm_finish+0x87/0x99
: [<c05d10e5>] kobject_release+0x121/0x15e
: [<c05d0fc4>] ? kobject_del+0x2c/0x2c
: [<c05d0fc4>] ? kobject_del+0x2c/0x2c
: [<c05d2243>] kref_put+0x39/0x42
: [<c05d0f46>] kobject_put+0x46/0x4c
: [<c067e2a1>] ? put_device+0x14/0x16
: [<c067e97c>] ? device_del+0x131/0x136
: [<c067e2a1>] put_device+0x14/0x16
: [<c067e9d3>] device_unregister+0x52/0x57
: [<c0825317>] ? _cond_resched+0xd/0x21
: [<c0825bcc>] ? mutex_lock+0x11/0x2a
: [<faad8aed>] video_unregister_device+0x3d/0x40 [videodev]
: [<fab3ee39>] gspca_disconnect+0x90/0x96 [gspca_main]
: [<c06d5d43>] usb_unbind_interface+0x44/0xf8
: [<c06810e8>] __device_release_driver+0x66/0x9c
: [<c068113b>] device_release_driver+0x1d/0x28
: [<c0680d2d>] bus_remove_device+0xa2/0xaf
: [<c067e82e>] ? device_remove_attrs+0x2f/0x4c
: [<c067e940>] device_del+0xf5/0x136
: [<c06d41fd>] usb_disable_device+0xa4/0x1c4
: [<c0434d8c>] ? should_resched+0xd/0x27
: [<c06cd51d>] usb_disconnect+0xd8/0x13d
: [<c06cf47b>] hub_thread+0x7e6/0x11d0
: [<c0438b57>] ? finish_task_switch+0x6d/0xa0
: [<c0825266>] ? __schedule+0x609/0x670
: [<c045fdcd>] ? remove_wait_queue+0x2c/0x2c
: [<c06cec95>] ? usb_remote_wakeup+0x60/0x60
: [<c045f8c8>] kthread+0x67/0x6c
: [<c045f861>] ? kthread_worker_fn+0x11d/0x11d
: [<c082c97e>] kernel_thread_helper+0x6/0x10
:Code: ff b8 88 59 ae fa e8 be cf d4 c5 8b 83 60 01 00 00 85 c0 74 16 83 78 04 00 74 10 83 bb 8c 01 00 00 03 74 07 89 f8 e8 1d a6 87 fe 

comment:
:The issue pops up when I try to use the MSI StarCam clip web camera, identified on USB as:
:Bus 008 Device 002: ID 0c45:60c0 Microdia PC Camera with Mic (SN9C105)
:
:The kernel oops happens when I disconnect the camera. As a result, the camera remains visible in the device list of lsusb.
:The device is stuck there until the next reboot.
:

event_log:
:2011-10-17-01:22:39> Smolt profile successfully saved
:2011-10-17-01:24:06> Submitting oops report to http://submit.kerneloops.org/submitoops.php
:2011-10-17-01:25:09  Kernel oops has not been sent due to Couldn't connect to server
:2011-10-17-01:25:09* (exited with 1)

smolt_data:
:
:
:General
:=================================
:UUID: 2789191c-3890-4cd5-8f4c-28a67deb82c3
:OS: Fedora release 16 (Verne)
:Default run level: Unknown
:Language: en_US.utf8
:Platform: i686
:BogoMIPS: 5585.99
:CPU Vendor: GenuineIntel
:CPU Model: Intel(R) Core(TM)2 Duo CPU     T9600  @ 2.80GHz
:CPU Stepping: 10
:CPU Family: 6
:CPU Model Num: 23
:Number of CPUs: 2
:CPU Speed: 2801
:System Memory: 1880
:System Swap: 4094
:Vendor: Hewlett-Packard
:System: HP EliteBook 6930p F.16
:Form factor: Notebook
:Kernel: 3.1.0-0.rc9.git0.0.fc16.i686.PAE
:SELinux Enabled: 1
:SELinux Policy: targeted
:SELinux Enforce: Enforcing
:MythTV Remote: Unknown
:MythTV Role: Unknown
:MythTV Theme: Unknown
:MythTV Plugin: 
:MythTV Tuner: -1

Comment 1 Michal Ambroz 2011-10-16 23:38:44 UTC
BTW, after a clean reboot the camera works when it is connected for the first time.
The oops happens when it is disconnected.

Comment 2 Chuck Ebbert 2011-10-18 02:22:51 UTC
drivers/media/video/v4l2-dev.c:184:

        if (v4l2_dev->release == NULL)
                v4l2_dev = NULL;

v4l2_dev is already NULL here, so we get a null dereference trying to test ->release

Caused by commit 8280b662df96f4172c4972b14a4aec0daf272b8f "[media] v4l: Fix use-after-free case in v4l2_device_release", which was added in 3.1-rc9
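
The check quoted in this comment, modelled in user space as an added example (not kernel code and not the upstream fix). The struct and function names are hypothetical stand-ins, and the 0x68 bytes of padding are an assumption chosen so that `release` sits at the fault address from the oops; the model shows why a NULL `v4l2_dev` faults at a small non-zero address and what a guarded test returns in each case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures: only the members the
 * quoted check touches. The 0x68 bytes of padding are an assumption chosen
 * so that `release` lands on the fault address reported in the oops. */
struct v4l2_device_model {
    char other_members[0x68];
    void (*release)(struct v4l2_device_model *);
};
struct video_device_model {
    struct v4l2_device_model *v4l2_dev;   /* NULL in the reported case */
};

/* Address the unguarded test `v4l2_dev->release == NULL` has to load. */
uintptr_t unguarded_load_address(const struct video_device_model *vdev)
{
    return (uintptr_t)vdev->v4l2_dev
           + offsetof(struct v4l2_device_model, release);
}

/* Guarded check: value of v4l2_dev after the test, without ever
 * dereferencing a NULL parent. */
struct v4l2_device_model *checked_v4l2_dev(const struct video_device_model *vdev)
{
    struct v4l2_device_model *v4l2_dev = vdev->v4l2_dev;

    if (v4l2_dev != NULL && v4l2_dev->release == NULL)
        v4l2_dev = NULL;
    return v4l2_dev;
}

/* Constructed sample objects covering the three cases. */
static void noop_release(struct v4l2_device_model *d) { (void)d; }
static struct v4l2_device_model dev_no_release;
static struct v4l2_device_model dev_with_release = { .release = noop_release };
static const struct video_device_model vdev_orphan = { NULL };
static const struct video_device_model vdev_no_release = { &dev_no_release };
static const struct video_device_model vdev_with_release = { &dev_with_release };

int main(void)
{
    printf("unguarded load with NULL parent: 0x%08lx\n",
           (unsigned long)unguarded_load_address(&vdev_orphan));
    printf("guarded, NULL parent:    %p\n", (void *)checked_v4l2_dev(&vdev_orphan));
    printf("guarded, no release cb:  %p\n", (void *)checked_v4l2_dev(&vdev_no_release));
    printf("guarded, release cb set: %p\n", (void *)checked_v4l2_dev(&vdev_with_release));
    return 0;
}
```

When triaging an oops like this one, a fault address that is a small constant usually means a member access through a NULL base pointer, with the constant being the member's offset.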

Comment 4 Michal Ambroz 2011-10-23 07:47:19 UTC
Fixed in 3.1.0-0.rc10.git0.1.fc16.i686.PAE

Comment 5 Michal Ambroz 2011-10-23 07:47:50 UTC
Thank you.

Comment 6 Michal Ambroz 2011-10-23 22:00:35 UTC
I am sorry ... I was too fast with retesting.
Unfortunately the issue persists in 3.1.0-0.rc10.git0.1.fc16.i686.PAE

BUG: unable to handle kernel NULL pointer dereference at 00000068
IP: [<faf69a05>] v4l2_device_release+0x9b/0xbf [videodev]
*pdpt = 0000000036805001 *pde = 000000007190d067 
Oops: 0000 [#1] SMP 
Modules linked in: snd_usb_audio snd_usbmidi_lib snd_rawmidi gspca_sonixj gspca_main videodev media vfat fat usb_storage uas ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat xt_CHECKSUM iptable_mangle tun bridge stp llc lockd rfcomm bnep ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_filter nf_conntrack_ipv4 nf_defrag_ipv4 ip6_tables xt_state nf_conntrack fuse virtio_net kvm snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm arc4 iwlagn sunrpc mac80211 snd_timer snd cfg80211 soundcore btusb bluetooth iTCO_wdt ppdev hp_wmi sparse_keymap binfmt_misc uinput snd_page_alloc microcode iTCO_vendor_support rfkill parport_pc parport tpm_infineon hp_accel lis3lv02d input_polldev serio_raw e1000e joydev xts gf128mul pata_pcmcia dm_crypt sdhci_pci sdhci mmc_core firewire_ohci yenta_socket firewire_core crc_itu_t wmi pata_acpi ata_generic i915 drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: scsi_wait_scan]
Pid: 22, comm: khubd Not tainted 3.1.0-0.rc10.git0.1.fc16.i686.PAE #1 Hewlett-Packard HP EliteBook 6930p/30DB
EIP: 0060:[<faf69a05>] EFLAGS: 00010246 CPU: 0
EIP is at v4l2_device_release+0x9b/0xbf [videodev]
EAX: 00000000 EBX: edab5054 ECX: 0040003a EDX: 00000000
ESI: 00000000 EDI: edab5000 EBP: f467bd48 ESP: f467bd3c
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process khubd (pid: 22, ti=f467a000 task=f453b240 task.ti=f467a000)
Stack:
 f0466c00 edab505c c0ab0db0 f467bd64 c067e4b3 c05d117e f467bd7c c0541a1e
 f467bd98 edab5078 f467bd98 c05d1149 f00c7680 f0405ed0 f2d8155c c05d1028
 f0a8621c f467bd90 ec8696c0 f2d81540 edab5078 c05d1028 f0a8621c f467bda8
Call Trace:
 [<c067e4b3>] device_release+0x3f/0x77
 [<c05d117e>] ? kobject_release+0x156/0x15e
 [<c0541a1e>] ? sysfs_addrm_finish+0x87/0x99
 [<c05d1149>] kobject_release+0x121/0x15e
 [<c05d1028>] ? kobject_del+0x2c/0x2c
 [<c05d1028>] ? kobject_del+0x2c/0x2c
 [<c05d22a7>] kref_put+0x39/0x42
 [<c05d0faa>] kobject_put+0x46/0x4c
 [<c067e2fd>] ? put_device+0x14/0x16
 [<c067e9d8>] ? device_del+0x131/0x136
 [<c067e2fd>] put_device+0x14/0x16
 [<c067ea2f>] device_unregister+0x52/0x57
 [<c082541f>] ? _cond_resched+0xd/0x21
 [<c0825cd4>] ? mutex_lock+0x11/0x2a
 [<faf69aed>] video_unregister_device+0x3d/0x40 [videodev]
 [<fafd6e39>] gspca_disconnect+0x90/0x96 [gspca_main]
 [<c06d5d9f>] usb_unbind_interface+0x44/0xf8
 [<c0681144>] __device_release_driver+0x66/0x9c
 [<c0681197>] device_release_driver+0x1d/0x28
 [<c0680d89>] bus_remove_device+0xa2/0xaf
 [<c067e88a>] ? device_remove_attrs+0x2f/0x4c
 [<c067e99c>] device_del+0xf5/0x136
 [<c06d4259>] usb_disable_device+0xa4/0x1c4
 [<c0434d8c>] ? should_resched+0xd/0x27
 [<c06cd579>] usb_disconnect+0xd8/0x13d
 [<c06cf4d7>] hub_thread+0x7e6/0x11d0
 [<c0438b57>] ? finish_task_switch+0x6d/0xa0
 [<c082536e>] ? __schedule+0x609/0x670
 [<c045fdbd>] ? remove_wait_queue+0x2c/0x2c
 [<c06cecf1>] ? usb_remote_wakeup+0x60/0x60
 [<c045f8b8>] kthread+0x67/0x6c
 [<c045f851>] ? kthread_worker_fn+0x11d/0x11d
 [<c082ca7e>] kernel_thread_helper+0x6/0x10
Code: ff b8 88 69 f7 fa e8 c6 c0 8b c5 8b 83 60 01 00 00 85 c0 74 16 83 78 04 00 74 10 83 bb 8c 01 00 00 03 74 07 89 f8 e8 1d d6 26 fd

Comment 7 Fedora Update System 2011-10-24 14:31:37 UTC
kernel-3.1.0-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/kernel-3.1.0-1.fc16

Comment 8 Fedora Update System 2011-10-25 03:21:58 UTC
kernel-3.1.0-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.