Bug 746533 - [abrt] kernel: BUG: unable to handle kernel NULL pointer dereference at 00000068: TAINTED G I
Summary: [abrt] kernel: BUG: unable to handle kernel NULL pointer dereference at 00000...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 16
Hardware: i686
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Mauro Carvalho Chehab
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:002fb226508d43f8fda343bea75...
Depends On:
Blocks:
Reported: 2011-10-16 23:25 UTC by Michal Ambroz
Modified: 2013-07-04 22:58 UTC

Fixed In Version: kernel-3.1.0-1.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-25 03:21:58 UTC
Type: ---



Description Michal Ambroz 2011-10-16 23:25:16 UTC
libreport version: 2.0.6
abrt_version:   2.0.4.981
cmdline:        BOOT_IMAGE=/vmlinuz-3.1.0-0.rc9.git0.0.fc16.i686.PAE root=/dev/mapper/luks-78b30561-ce5e-4fd2-aa00-06c2ef300dd5 ro quiet rhgb SYSFONT=latarcyrheb-sun16 LANG=en_US.UTF-8 KEYTABLE=us
kernel:         undefined
reason:         BUG: unable to handle kernel NULL pointer dereference at 00000068
time:           Mon Oct 17 00:58:35 2011

backtrace:
:BUG: unable to handle kernel NULL pointer dereference at 00000068
:IP: [<faad8a05>] v4l2_device_release+0x9b/0xbf [videodev]
:*pdpt = 0000000000000000 *pde = 0000000075500003 
:Oops: 0000 [#1] SMP 
:Modules linked in: snd_usb_audio snd_usbmidi_lib snd_rawmidi gspca_sonixj gspca_main videodev media ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat xt_CHECKSUM iptable_mangle tun bridge stp llc lockd rfcomm bnep ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack fuse snd_hda_codec_analog virtio_net kvm snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore arc4 iwlagn snd_page_alloc hp_wmi sparse_keymap ppdev mac80211 btusb bluetooth cfg80211 rfkill joydev parport_pc microcode sunrpc serio_raw iTCO_wdt iTCO_vendor_support e1000e parport binfmt_misc tpm_infineon hp_accel lis3lv02d input_polldev uinput xts gf128mul pata_pcmcia dm_crypt yenta_socket firewire_ohci firewire_core crc_itu_t sdhci_pci sdhci mmc_core wmi pata_acpi ata_generic i915 drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: scsi_wait_scan]
:Pid: 22, comm: khubd Tainted: G          I 3.1.0-0.rc9.git0.0.fc16.i686.PAE #1 Hewlett-Packard HP EliteBook 6930p/30DB
:EIP: 0060:[<faad8a05>] EFLAGS: 00010246 CPU: 1
:EIP is at v4l2_device_release+0x9b/0xbf [videodev]
:EAX: 00000000 EBX: eeec7054 ECX: 0040003b EDX: 00000000
:ESI: 00000000 EDI: eeec7000 EBP: f467bd48 ESP: f467bd3c
: DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
:Process khubd (pid: 22, ti=f467a000 task=f453b240 task.ti=f467a000)
:Stack:
: f62be180 eeec705c c0ab0db0 f467bd64 c067e457 c05d111a f467bd7c c05419ba
: f467bd98 eeec7078 f467bd98 c05d10e5 eee0a9a0 ef631810 f0770d5c c05d0fc4
: eed7801c f467bd90 f0a4cc28 f0770d40 eeec7078 c05d0fc4 eed7801c f467bda8
:Call Trace:
: [<c067e457>] device_release+0x3f/0x77
: [<c05d111a>] ? kobject_release+0x156/0x15e
: [<c05419ba>] ? sysfs_addrm_finish+0x87/0x99
: [<c05d10e5>] kobject_release+0x121/0x15e
: [<c05d0fc4>] ? kobject_del+0x2c/0x2c
: [<c05d0fc4>] ? kobject_del+0x2c/0x2c
: [<c05d2243>] kref_put+0x39/0x42
: [<c05d0f46>] kobject_put+0x46/0x4c
: [<c067e2a1>] ? put_device+0x14/0x16
: [<c067e97c>] ? device_del+0x131/0x136
: [<c067e2a1>] put_device+0x14/0x16
: [<c067e9d3>] device_unregister+0x52/0x57
: [<c0825317>] ? _cond_resched+0xd/0x21
: [<c0825bcc>] ? mutex_lock+0x11/0x2a
: [<faad8aed>] video_unregister_device+0x3d/0x40 [videodev]
: [<fab3ee39>] gspca_disconnect+0x90/0x96 [gspca_main]
: [<c06d5d43>] usb_unbind_interface+0x44/0xf8
: [<c06810e8>] __device_release_driver+0x66/0x9c
: [<c068113b>] device_release_driver+0x1d/0x28
: [<c0680d2d>] bus_remove_device+0xa2/0xaf
: [<c067e82e>] ? device_remove_attrs+0x2f/0x4c
: [<c067e940>] device_del+0xf5/0x136
: [<c06d41fd>] usb_disable_device+0xa4/0x1c4
: [<c0434d8c>] ? should_resched+0xd/0x27
: [<c06cd51d>] usb_disconnect+0xd8/0x13d
: [<c06cf47b>] hub_thread+0x7e6/0x11d0
: [<c0438b57>] ? finish_task_switch+0x6d/0xa0
: [<c0825266>] ? __schedule+0x609/0x670
: [<c045fdcd>] ? remove_wait_queue+0x2c/0x2c
: [<c06cec95>] ? usb_remote_wakeup+0x60/0x60
: [<c045f8c8>] kthread+0x67/0x6c
: [<c045f861>] ? kthread_worker_fn+0x11d/0x11d
: [<c082c97e>] kernel_thread_helper+0x6/0x10
:Code: ff b8 88 59 ae fa e8 be cf d4 c5 8b 83 60 01 00 00 85 c0 74 16 83 78 04 00 74 10 83 bb 8c 01 00 00 03 74 07 89 f8 e8 1d a6 87 fe 

comment:
:The issue pops up when I try to use the MSI StarCam clip web camera, identified on USB as:
:Bus 008 Device 002: ID 0c45:60c0 Microdia PC Camera with Mic (SN9C105)
:
:The kernel oops happens when I disconnect the camera. As a result, the camera remains visible in the device list of lsusb.
:The device is stuck there until the next reboot.
:

event_log:
:2011-10-17-01:22:39> Smolt profile successfully saved
:2011-10-17-01:24:06> Submitting oops report to http://submit.kerneloops.org/submitoops.php
:2011-10-17-01:25:09  Kernel oops has not been sent due to Couldn't connect to server
:2011-10-17-01:25:09* (exited with 1)

smolt_data:
:
:
:General
:=================================
:UUID: 2789191c-3890-4cd5-8f4c-28a67deb82c3
:OS: Fedora release 16 (Verne)
:Default run level: Unknown
:Language: en_US.utf8
:Platform: i686
:BogoMIPS: 5585.99
:CPU Vendor: GenuineIntel
:CPU Model: Intel(R) Core(TM)2 Duo CPU     T9600  @ 2.80GHz
:CPU Stepping: 10
:CPU Family: 6
:CPU Model Num: 23
:Number of CPUs: 2
:CPU Speed: 2801
:System Memory: 1880
:System Swap: 4094
:Vendor: Hewlett-Packard
:System: HP EliteBook 6930p F.16
:Form factor: Notebook
:Kernel: 3.1.0-0.rc9.git0.0.fc16.i686.PAE
:SELinux Enabled: 1
:SELinux Policy: targeted
:SELinux Enforce: Enforcing
:MythTV Remote: Unknown
:MythTV Role: Unknown
:MythTV Theme: Unknown
:MythTV Plugin: 
:MythTV Tuner: -1
:
:
:Filesystem Information
:=================================
:device mtpt type bsize frsize blocks bfree bavail file ffree favail
:-------------------------------------------------------------------
:/dev/mapper/luks-78b30561-ce5e-4fd2-aa00-06c2ef300dd5 / ext4 4096 4096 4127978 1200006 990317 1048576 612422 612422
:/dev/sda8 WITHHELD fuseblk 4096 4096 12299398 3897117 3897117 15621236 15604704 15604704
:/dev/sda2 /boot ext3 1024 1024 3305542 1883531 1712964 840672 840145 840145
:/dev/mapper/luks-2d6c9f93-389f-49ba-b73f-30ee24c76556 /home ext4 4096 4096 4127978 657238 447549 1048576 968280 968280
:/dev/mapper/vgdata-lvdat1 WITHHELD ext4 4096 4096 20642476 8471108 7422532 5242880 5203663 5203663
:

Comment 1 Michal Ambroz 2011-10-16 23:38:44 UTC
BTW, after a clean reboot the camera works when it is connected for the first time.
The oops happens when it is disconnected.

Comment 2 Chuck Ebbert 2011-10-18 02:22:51 UTC
drivers/media/video/v4l2-dev.c:184:

        if (v4l2_dev->release == NULL)
                v4l2_dev = NULL;

v4l2_dev is already NULL here, so we get a null dereference trying to test ->release

Caused by commit 8280b662df96f4172c4972b14a4aec0daf272b8f "[media] v4l: Fix use-after-free case in v4l2_device_release", which was added in 3.1-rc9
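
The NULL test described in Comment 2, as an added user-space example (not kernel code and not part of the original comment). The struct layouts are simplified stand-ins, the pad is constructed so that the model's ->release offset matches the fault address 00000068 in the oops, and the guard is one way to avoid the fault rather than the change that shipped, which this page does not show.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space stand-ins for the kernel structures (assumed layout). */
struct model_v4l2_device {
    char pad[0x68];   /* constructed so that release sits at offset 0x68 */
    void (*release)(struct model_v4l2_device *);
    int puts;         /* counts calls standing in for v4l2_device_put() */
};

struct model_video_device {
    struct model_v4l2_device *v4l2_dev;   /* NULL when there is no parent */
    int released;
};

void noop_release(struct model_v4l2_device *d) { (void)d; }

/* Address that reading ->release through a NULL pointer would touch. */
size_t null_release_fault_addr(void)
{
    return offsetof(struct model_v4l2_device, release);
}

/* Guarded release path; returns 1 if the parent reference was dropped. */
int model_release_guarded(struct model_video_device *vdev)
{
    struct model_v4l2_device *v4l2_dev = vdev->v4l2_dev;

    /* Check the pointer itself before testing its ->release member. */
    if (v4l2_dev != NULL && v4l2_dev->release == NULL)
        v4l2_dev = NULL;

    vdev->released = 1;       /* stands in for vdev->release(vdev) */

    if (v4l2_dev == NULL)
        return 0;
    v4l2_dev->puts++;         /* stands in for v4l2_device_put(v4l2_dev) */
    return 1;
}

int main(void)
{
    struct model_video_device orphan = { NULL, 0 };
    printf("NULL-based ->release read hits 0x%zx\n", null_release_fault_addr());
    printf("parent dropped: %d\n", model_release_guarded(&orphan));
    return 0;
}
```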

Comment 4 Michal Ambroz 2011-10-23 07:47:19 UTC
fixed in 3.1.0-0.rc10.git0.1.fc16.i686.PAE

Comment 5 Michal Ambroz 2011-10-23 07:47:50 UTC
Thank you.

Comment 6 Michal Ambroz 2011-10-23 22:00:35 UTC
I am sorry ... I was too fast with retesting.
Unfortunately the issue persists in 3.1.0-0.rc10.git0.1.fc16.i686.PAE

BUG: unable to handle kernel NULL pointer dereference at 00000068
IP: [<faf69a05>] v4l2_device_release+0x9b/0xbf [videodev]
*pdpt = 0000000036805001 *pde = 000000007190d067 
Oops: 0000 [#1] SMP 
Modules linked in: snd_usb_audio snd_usbmidi_lib snd_rawmidi gspca_sonixj gspca_main videodev media vfat fat usb_storage uas ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat xt_CHECKSUM iptable_mangle tun bridge stp llc lockd rfcomm bnep ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_filter nf_conntrack_ipv4 nf_defrag_ipv4 ip6_tables xt_state nf_conntrack fuse virtio_net kvm snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm arc4 iwlagn sunrpc mac80211 snd_timer snd cfg80211 soundcore btusb bluetooth iTCO_wdt ppdev hp_wmi sparse_keymap binfmt_misc uinput snd_page_alloc microcode iTCO_vendor_support rfkill parport_pc parport tpm_infineon hp_accel lis3lv02d input_polldev serio_raw e1000e joydev xts gf128mul pata_pcmcia dm_crypt sdhci_pci sdhci mmc_core firewire_ohci yenta_socket firewire_core crc_itu_t wmi pata_acpi ata_generic i915 drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: scsi_wait_scan]
Pid: 22, comm: khubd Not tainted 3.1.0-0.rc10.git0.1.fc16.i686.PAE #1 Hewlett-Packard HP EliteBook 6930p/30DB
EIP: 0060:[<faf69a05>] EFLAGS: 00010246 CPU: 0
EIP is at v4l2_device_release+0x9b/0xbf [videodev]
EAX: 00000000 EBX: edab5054 ECX: 0040003a EDX: 00000000
ESI: 00000000 EDI: edab5000 EBP: f467bd48 ESP: f467bd3c
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process khubd (pid: 22, ti=f467a000 task=f453b240 task.ti=f467a000)
Stack:
 f0466c00 edab505c c0ab0db0 f467bd64 c067e4b3 c05d117e f467bd7c c0541a1e
 f467bd98 edab5078 f467bd98 c05d1149 f00c7680 f0405ed0 f2d8155c c05d1028
 f0a8621c f467bd90 ec8696c0 f2d81540 edab5078 c05d1028 f0a8621c f467bda8
Call Trace:
 [<c067e4b3>] device_release+0x3f/0x77
 [<c05d117e>] ? kobject_release+0x156/0x15e
 [<c0541a1e>] ? sysfs_addrm_finish+0x87/0x99
 [<c05d1149>] kobject_release+0x121/0x15e
 [<c05d1028>] ? kobject_del+0x2c/0x2c
 [<c05d1028>] ? kobject_del+0x2c/0x2c
 [<c05d22a7>] kref_put+0x39/0x42
 [<c05d0faa>] kobject_put+0x46/0x4c
 [<c067e2fd>] ? put_device+0x14/0x16
 [<c067e9d8>] ? device_del+0x131/0x136
 [<c067e2fd>] put_device+0x14/0x16
 [<c067ea2f>] device_unregister+0x52/0x57
 [<c082541f>] ? _cond_resched+0xd/0x21
 [<c0825cd4>] ? mutex_lock+0x11/0x2a
 [<faf69aed>] video_unregister_device+0x3d/0x40 [videodev]
 [<fafd6e39>] gspca_disconnect+0x90/0x96 [gspca_main]
 [<c06d5d9f>] usb_unbind_interface+0x44/0xf8
 [<c0681144>] __device_release_driver+0x66/0x9c
 [<c0681197>] device_release_driver+0x1d/0x28
 [<c0680d89>] bus_remove_device+0xa2/0xaf
 [<c067e88a>] ? device_remove_attrs+0x2f/0x4c
 [<c067e99c>] device_del+0xf5/0x136
 [<c06d4259>] usb_disable_device+0xa4/0x1c4
 [<c0434d8c>] ? should_resched+0xd/0x27
 [<c06cd579>] usb_disconnect+0xd8/0x13d
 [<c06cf4d7>] hub_thread+0x7e6/0x11d0
 [<c0438b57>] ? finish_task_switch+0x6d/0xa0
 [<c082536e>] ? __schedule+0x609/0x670
 [<c045fdbd>] ? remove_wait_queue+0x2c/0x2c
 [<c06cecf1>] ? usb_remote_wakeup+0x60/0x60
 [<c045f8b8>] kthread+0x67/0x6c
 [<c045f851>] ? kthread_worker_fn+0x11d/0x11d
 [<c082ca7e>] kernel_thread_helper+0x6/0x10
Code: ff b8 88 69 f7 fa e8 c6 c0 8b c5 8b 83 60 01 00 00 85 c0 74 16 83 78 04 00 74 10 83 bb 8c 01 00 00 03 74 07 89 f8 e8 1d d6 26 fd

Comment 7 Fedora Update System 2011-10-24 14:31:37 UTC
kernel-3.1.0-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/kernel-3.1.0-1.fc16

Comment 8 Fedora Update System 2011-10-25 03:21:58 UTC
kernel-3.1.0-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

