Bug 662373 - NULL pointer dereference when remove module cx88
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 14
Hardware: i686
OS: Linux
low
high
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-12-12 06:53 UTC by Michael Weidner
Modified: 2010-12-17 06:37 UTC (History)

Doc Type: Bug Fix
Last Closed: 2010-12-17 06:37:22 UTC

Description Michael Weidner 2010-12-12 06:53:49 UTC
When unloading module cx88 for my TV card the following OOPS appears (since 2.6.35.9-64.fc14.i686.PAE, all previous kernels from fedora-update were ok):

Dec 11 20:31:20 han kernel: : [  150.947397] oscam sets custom speed on ttyS1. This is deprecated.
Dec 11 20:31:27 han kernel: : [  157.890139] cx88/2: unregistering cx8802 driver, type: dvb access: shared
Dec 11 20:31:27 han kernel: : [  157.890216] cx88[0]/2: subsystem: 0070:9200, board: Hauppauge Nova-SE2 DVB-S [card=38]
Dec 11 20:31:27 han kernel: : [  157.910822] cx8800 0000:03:05.0: PCI INT A disabled
Dec 11 20:31:27 han kernel: : [  158.615488] cx88-mpeg driver manager 0000:03:05.2: PCI INT A disabled
Dec 11 20:31:27 han kernel: : [  158.617370] BUG: unable to handle kernel NULL pointer dereference at 00000160
Dec 11 20:31:27 han kernel: : [  158.617449] IP: [<f7a9b0a9>] ir_close+0x12/0x20 [ir_core]
Dec 11 20:31:27 han kernel: : [  158.617504] *pdpt = 0000000030309001 *pde = 000000007c06e067 
Dec 11 20:31:27 han kernel: : [  158.617559] Oops: 0000 [#1] SMP 
Dec 11 20:31:27 han kernel: : [  158.617607] last sysfs file: /sys/devices/system/cpu/cpu0/cpufreq/scaling_setspeed
Dec 11 20:31:27 han acpid: input device has been disconnected
Dec 11 20:31:27 han kernel: : [  158.617660] Modules linked in: xt_multiport powernow_k8 mperf cpufreq_stats cpufreq_powersave cpufreq_ondemand cpufreq_conservative it87 hwmon_vid xt_length xt_mark cls_fw sch_sfq sch_hfsc iptable_mangle ppp_synctty ppp_async crc_ccitt ppp_generic slhc ipv6 nf_nat_irc nf_conntrack_irc nf_nat_ftp nf_conntrack_ftp ipt_MASQUERADE ipt_REDIRECT iptable_nat nf_nat ipt_LOG xt_limit ext2 dvb_core cx8802(-) cx88xx lirc_dev ir_common usblp ir_core tveeprom v4l2_common videodev v4l1_compat videobuf_dma_sg videobuf_core btcx_risc via_rhine i2c_piix4 joydev k8temp atl1 mii serio_raw raid0 ata_generic pata_acpi pata_atiixp radeon ttm drm_kms_helper drm usb_storage i2c_algo_bit i2c_core [last unloaded: videobuf_dvb]
Dec 11 20:31:27 han kernel: : [  158.617859] 
Dec 11 20:31:27 han kernel: : [  158.617863] Pid: 3944, comm: rmmod Not tainted 2.6.35.9-64.fc14.i686.PAE #1 A780GM-A/A780GM-A
Dec 11 20:31:27 han kernel: : [  158.617867] EIP: 0060:[<f7a9b0a9>] EFLAGS: 00010282 CPU: 1
Dec 11 20:31:27 han kernel: : [  158.617872] EIP is at ir_close+0x12/0x20 [ir_core]
Dec 11 20:31:27 han kernel: : [  158.617875] EAX: 00000000 EBX: f5d63000 ECX: 00000000 EDX: f60add80
Dec 11 20:31:27 han kernel: : [  158.617877] ESI: f5d1ce0c EDI: f5d63790 EBP: f013de10 ESP: f013de10
Dec 11 20:31:27 han kernel: : [  158.617880]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Dec 11 20:31:27 han kernel: : [  158.617884] Process rmmod (pid: 3944, ti=f013c000 task=f5448ca0 task.ti=f013c000)
Dec 11 20:31:27 han kernel: : [  158.617886] Stack:
Dec 11 20:31:27 han kernel: : [  158.617887]  f013de24 c06d1ba6 f5d1ce0c f5d1ca2c f5d1ce40 f013de38 c06d5829 f5d1ce60
Dec 11 20:31:27 han kernel: : [  158.617892] <0> f5d1ce0c f5d1ce00 f013de4c c06d5851 f5d63000 f5d638e4 f5d638d0 f013de60
Dec 11 20:31:27 han kernel: : [  158.617897] <0> c06d1f05 f5d1d400 f5d63000 f5d637ac f013de74 f7a9bfe2 f5d1d400 f5d63000
Dec 11 20:31:27 han kernel: : [  158.617902] Call Trace:
Dec 11 20:31:27 han kernel: : [  158.617912]  [<c06d1ba6>] ? input_close_device+0x43/0x5f
Dec 11 20:31:27 han kernel: : [  158.617916]  [<c06d5829>] ? evdev_cleanup+0xc3/0xcb
Dec 11 20:31:27 han kernel: : [  158.617920]  [<c06d5851>] ? evdev_disconnect+0x20/0x33
Dec 11 20:31:27 han kernel: : [  158.617924]  [<c06d1f05>] ? input_unregister_device+0xef/0x165
Dec 11 20:31:27 han kernel: : [  158.617931]  [<f7a9bfe2>] ? ir_unregister_class+0x3a/0x50 [ir_core]
Dec 11 20:31:27 han kernel: : [  158.617937]  [<f7a9b07e>] ? ir_input_unregister+0x7e/0x97 [ir_core]
Dec 11 20:31:27 han kernel: : [  158.617947]  [<f7bc376b>] ? cx88_ir_fini+0x23/0x3a [cx88xx]
Dec 11 20:31:27 han kernel: : [  158.617953]  [<f7bc0781>] ? cx88_core_put+0x87/0xea [cx88xx]
Dec 11 20:31:27 han kernel: : [  158.617960]  [<f7be42f4>] ? cx8802_remove+0x131/0x140 [cx8802]
Dec 11 20:31:27 han kernel: : [  158.617965]  [<c05cd858>] ? pci_device_remove+0x1e/0x3e
Dec 11 20:31:27 han kernel: : [  158.617970]  [<c0661807>] ? __device_release_driver+0x62/0xa4
Dec 11 20:31:27 han kernel: : [  158.617973]  [<c0661df0>] ? driver_detach+0x62/0x82
Dec 11 20:31:27 han kernel: : [  158.617977]  [<c06616ea>] ? bus_remove_driver+0x8d/0xc7
Dec 11 20:31:27 han kernel: : [  158.617981]  [<c0661e84>] ? driver_unregister+0x50/0x57
Dec 11 20:31:27 han kernel: : [  158.617985]  [<c05cda32>] ? pci_unregister_driver+0x32/0x67
Dec 11 20:31:27 han kernel: : [  158.617990]  [<c0466257>] ? cpumask_next+0x17/0x19
Dec 11 20:31:27 han kernel: : [  158.617996]  [<f7be45b1>] ? cx8802_fini+0x12/0x14 [cx8802]
Dec 11 20:31:27 han kernel: : [  158.618000]  [<c04672bb>] ? sys_delete_module+0x181/0x1de
Dec 11 20:31:27 han kernel: : [  158.618006]  [<c07bc77d>] ? do_page_fault+0x219/0x275
Dec 11 20:31:27 han kernel: : [  158.618009]  [<c07bc7ab>] ? do_page_fault+0x247/0x275
Dec 11 20:31:27 han kernel: : [  158.618015]  [<c040899f>] ? sysenter_do_call+0x12/0x28
Dec 11 20:31:27 han kernel: : [  158.618017] Code: 8b 83 38 01 00 00 e8 a3 cc a3 c8 89 d8 e8 9c cc a3 c8 8d 65 f8 5b 5e 5d c3 55 89 e5 0f 1f 44 00 00 05 ac 07 00 00 e8 88 66 bc c8 <8b> 90 60 01 00 00 8b 42 20 ff 52 2c 5d c3 55 89 e5 0f 1f 44 00 
Dec 11 20:31:27 han kernel: : [  158.618040] EIP: [<f7a9b0a9>] ir_close+0x12/0x20 [ir_core] SS:ESP 0068:f013de10
Dec 11 20:31:27 han kernel: : [  158.618047] CR2: 0000000000000160
Dec 11 20:31:27 han kernel: : [  158.618051] ---[ end trace d5d9c1f31a355384 ]---
Dec 11 20:31:27 han kernel: : [  158.621560] lirc_dev: module unloaded

After that cpufreq scaling does not work anymore.

This is the script (working since Fedora 9) used for unloading the TV card modules:

unload_dvb()
{
  log "unload_dvb"
  # Determine the DVB modules; strip path and extension; convert '-' to '_'
  modules=$(find /lib/modules/$(uname -r)/kernel/drivers/media -type f|sed "s/\([^/]*\/\)*\([^/]*\)\.ko/\2/g;s/-/_/g")

  run=1
  while [ $run -gt 0 ]; do
    run=0
    count=0
    unload=""
    loaded=""

    # Read the loaded modules from /proc/modules
    while read module size refcount rest; do
        found=$(echo "$modules"|grep -e "$module" -w|wc -l)
        if [ $found -gt 0 ]; then
            # Find loaded DVB modules whose refcount is 0
            if [ $refcount -eq 0 ]; then
                unload="$unload $module"
                # Set the marker for another pass
                run=1
            else
                loaded="$loaded $module"
                let count=$count+1
            fi
        fi
    done < /proc/modules

    if [ $run -gt 0 ]; then
        for mm in $unload; do
            rmmod $mm
        done
    fi
  done

  if [ $count -gt 0  ]; then
      log "Couldn't unload:"
      for mm in $loaded; do
          log "    $mm"
      done
  fi

  /bin/sleep 1
}

This bug also appeared in the latest rawhide kernel (2.6.37-0.rc5.git2.1.fc15). In previous 2.6.36.2-12.rc1.fc15 from rawhide the bug is not present.
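
Added example (not part of the original report): a Python triage helper that decodes the faulting instruction marked `<8b>` in the oops `Code:` line and checks it against the logged registers and fault address. It only handles the `mov r32, [reg+disp32]` encoding seen in this trace; the name `triage` and the trimmed log excerpt are assumptions of this example.

```python
import re

# Lines copied from the oops in the report above (syslog prefix and leading
# Code: bytes trimmed for this example).
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 00000160
IP: [<f7a9b0a9>] ir_close+0x12/0x20 [ir_core]
EAX: 00000000 EBX: f5d63000 ECX: 00000000 EDX: f60add80
ESI: f5d1ce0c EDI: f5d63790 EBP: f013de10 ESP: f013de10
Code: e8 88 66 bc c8 <8b> 90 60 01 00 00 8b 42 20 ff 52 2c 5d c3
CR2: 0000000000000160
"""

# 32-bit general registers in x86 ModRM encoding order (index = rm/reg field).
REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def triage(oops):
    """Return the faulting symbol and, if decodable, the NULL-base access."""
    fault = int(re.search(r"dereference at ([0-9a-f]+)", oops).group(1), 16)
    sym, off, mod = re.search(
        r"IP: \[<[0-9a-f]+>\] (\w+)\+(0x[0-9a-f]+)/\S+(?: \[(\w+)\])?", oops
    ).groups()
    regs = {k: int(v, 16)
            for k, v in re.findall(r"\b(E[A-Z]{2}): ([0-9a-f]{8})", oops)}
    # The byte in <..> is the first byte of the instruction that faulted.
    code = re.search(r"Code: .*?<([0-9a-f]{2})>((?: [0-9a-f]{2})*)", oops)
    insn = bytes.fromhex(code.group(1) + code.group(2).replace(" ", ""))
    result = {"function": sym, "offset": int(off, 16),
              "module": mod, "fault_addr": fault}
    # Decode only opcode 8B /r (mov r32, r/m32) with mod=10 (disp32), no SIB.
    if insn[0] == 0x8B and insn[1] >> 6 == 0b10 and insn[1] & 7 != 0b100:
        base = REGS32[insn[1] & 7]
        disp = int.from_bytes(insn[2:6], "little")
        result.update(
            dest=REGS32[(insn[1] >> 3) & 7], base=base, disp=disp,
            # True when the base register is 0 and base+disp is the fault address.
            null_base=regs[base] == 0 and regs[base] + disp == fault,
        )
    return result


if __name__ == "__main__":
    print(triage(OOPS))
```

For this trace the helper reports a load into EDX from EAX+0x160 with EAX = 0, which matches the fault address and CR2 value of 0x160: `ir_close` read a field at offset 0x160 through a NULL pointer.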

Comment 1 Michael Weidner 2010-12-17 06:37:22 UTC
Today I installed 2.6.35.10-68.fc14.i686.PAE from koji and the error is gone.

