Bug 2459

Summary: NULL pointer dereference in ir_lirc_codec on unregister
Product: Mageia Reporter: Herbert Poetzl <herbert>
Component: RPM Packages Assignee: Thomas Backlund <tmb>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: herbert, marja11, stormi-mageia
Version: 1   
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Source RPM: kernel-desktop-2.6.38.8-4.mga CVE:
Status comment:

Description Herbert Poetzl 2011-08-19 15:15:49 CEST
Description of problem:
When unloading ir_lirc_codec (under certain circumstances) the kernel logs a BUG and the module cannot be unloaded anymore.

Version-Release number of selected component (if applicable):
kernel-desktop-2.6.38.8-4.mga

How reproducible:
almost always

Aug 16 03:31:02 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
Aug 16 03:31:02 localhost kernel: IP: [<ffffffffa01d403a>] ir_lirc_unregister+0x1a/0x90 [ir_lirc_codec]
Aug 16 03:31:02 localhost kernel: PGD 768f9067 PUD 6d396067 PMD 0 
Aug 16 03:31:02 localhost kernel: Oops: 0000 [#1] SMP 
Aug 16 03:31:02 localhost kernel: last sysfs file: /sys/devices/pci0000:00/0000:00:1d.7/usb1/1-4/1-4.2/1-4.2.1/1-4.2.1.2/1-4.2.1.2:1.0/host8/target8:0:0/8:0:0:2/block/sdf/sdf1/stat
Aug 16 03:31:02 localhost kernel: CPU 1 
Aug 16 03:31:02 localhost kernel: Modules linked in: nls_utf8 isofs budget_ci budget_core cx2341x nls_iso8859_1 nls_cp437 vfat fat fuse ipt_MASQUERADE ipt_LOG xt_time xt_connlimit xt_helper xt_realm xt_NFQUEUE xt_tcpmss xt_tcpudp ipt_addrtype xt_pkttype nfnetlink iptable_raw xt_TPROXY nf_tproxy_core ip6_tables nf_defrag_ipv6 xt_CLASSIFY xt_mark xt_hashlimit xt_comment ipt_REJECT xt_length xt_connmark xt_owner xt_recent xt_iprange xt_physdev xt_policy xt_multiport iptable_mangle iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter ip_tables x_tables tun af_packet radeon ttm drm_kms_helper drm hwmon_vid coretemp binfmt_misc loop dm_mod isl6421 cx24123 cx88_vp3054_i2c lnbp21 stv0299 wm8775 sr_mod snd_hda_codec_realtek dvb_core snd_hda_intel snd_hda_codec rc_rc5_hauppauge_new saa7146 snd_hwdep ttpci_eeprom snd_aw2 snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device ir_lirc_codec cx88_alsa lirc_dev cx8802(-) ir_sony_decoder ppdev snd_pcm_oss ir_jvc_decoder cx88xx i
Aug 16 03:31:02 localhost kernel: r_rc6_decoder parport_pc snd_pcm ir_rc5_decoder ir_nec_decoder rc_core i2c_algo_bit tveeprom v4l2_common videodev videobuf_dma_sg snd_timer snd_mixer_oss evdev uas parport sg ftdi_sio iTCO_wdt iTCO_vendor_support v4l2_compat_ioctl32 videobuf_core btcx_risc usb_storage floppy asus_atk0110 i2c_i801 snd usbserial i2c_core rng_core serio_raw button r8169 processor mii soundcore snd_page_alloc ata_piix ahci libahci libata sd_mod scsi_mod crc_t10dif raid1 ext3 jbd uhci_hcd ohci_hcd ehci_hcd usbhid hid usbcore [last unloaded: cx8800]
Aug 16 03:31:02 localhost kernel: 
Aug 16 03:31:02 localhost kernel: Pid: 3955, comm: rmmod Not tainted 2.6.38.8-desktop-1.mga #1 System manufacturer System Product Name/P5GC
Aug 16 03:31:02 localhost kernel: RIP: 0010:[<ffffffffa01d403a>]  [<ffffffffa01d403a>] ir_lirc_unregister+0x1a/0x90 [ir_lirc_codec]
Aug 16 03:31:02 localhost kernel: RSP: 0018:ffff880077b53cf8  EFLAGS: 00010282
Aug 16 03:31:02 localhost kernel: RAX: 0000000000000000 RBX: ffff88007a0f7e00 RCX: ffffffffa063c100
Aug 16 03:31:02 localhost kernel: RDX: ffffffffa063c110 RSI: dead000000100100 RDI: ffff8800779da000
Aug 16 03:31:02 localhost kernel: RBP: ffff880077b53d08 R08: ffff880077b52000 R09: 0000000000000000
Aug 16 03:31:02 localhost kernel: R10: 0000000000000000 R11: dead000000200200 R12: ffff8800779da000
Aug 16 03:31:02 localhost kernel: R13: ffffffffa00b7a80 R14: ffff88007a913000 R15: 00007fff4d5e4eda
Aug 16 03:31:02 localhost kernel: FS:  00007ff4daf21700(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000
Aug 16 03:31:02 localhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Aug 16 03:31:02 localhost kernel: CR2: 0000000000000028 CR3: 000000006d2f4000 CR4: 00000000000006e0
Aug 16 03:31:02 localhost kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Aug 16 03:31:02 localhost kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Aug 16 03:31:02 localhost kernel: Process rmmod (pid: 3955, threadinfo ffff880077b52000, task ffff880076d6ada0)
Aug 16 03:31:02 localhost kernel: Stack:
Aug 16 03:31:02 localhost kernel: ffffffffa01d4c00 ffff8800779da000 ffff880077b53d28 ffffffffa063b2ce
Aug 16 03:31:02 localhost kernel: ffff8800779da000 ffff880079e28300 ffff880077b53d48 ffffffffa06390b8
Aug 16 03:31:02 localhost kernel: ffff880077b53d48 ffff880079985000 ffff880077b53d68 ffffffffa06baeb4
Aug 16 03:31:02 localhost kernel: Call Trace:
Aug 16 03:31:02 localhost kernel: [<ffffffffa063b2ce>] ir_raw_event_unregister+0x8e/0xe0 [rc_core]
Aug 16 03:31:02 localhost kernel: [<ffffffffa06390b8>] rc_unregister_device+0x88/0xb0 [rc_core]
Aug 16 03:31:02 localhost kernel: [<ffffffffa06baeb4>] cx88_ir_fini+0x34/0x60 [cx88xx]
Aug 16 03:31:02 localhost kernel: [<ffffffffa06b6cc4>] cx88_core_put+0x74/0x100 [cx88xx]
Aug 16 03:31:02 localhost kernel: [<ffffffffa00b6924>] cx8802_remove+0x194/0x1a5 [cx8802]
Aug 16 03:31:02 localhost kernel: [<ffffffff81256062>] pci_device_remove+0x52/0x120
Aug 16 03:31:02 localhost kernel: [<ffffffff812f8295>] __device_release_driver+0x75/0xe0
Aug 16 03:31:02 localhost kernel: [<ffffffff812f8ae8>] driver_detach+0xb8/0xc0
Aug 16 03:31:02 localhost kernel: [<ffffffff812f80ea>] bus_remove_driver+0x8a/0xf0
Aug 16 03:31:02 localhost kernel: [<ffffffff812f8b82>] driver_unregister+0x62/0xa0
Aug 16 03:31:02 localhost kernel: [<ffffffff81255286>] pci_unregister_driver+0x46/0xc0
Aug 16 03:31:02 localhost kernel: [<ffffffffa00b6c27>] cx8802_fini+0x15/0x17 [cx8802]
Aug 16 03:31:02 localhost kernel: [<ffffffff810a8992>] sys_delete_module+0x192/0x290
Aug 16 03:31:02 localhost kernel: [<ffffffff8100be92>] system_call_fastpath+0x16/0x1b
Aug 16 03:31:02 localhost kernel: Code: 90 55 48 89 e5 0f 1f 44 00 00 c9 c3 eb 03 90 90 90 55 48 89 e5 41 54 53 0f 1f 44 00 00 48 8b 9f b0 02 00 00 48 8b 83 e0 00 00 00 <8b> 78 28 e8 9e 06 fe ff 48 8b 83 e0 00 00 00 4c 8b 60 58 41 80 
Aug 16 03:31:02 localhost kernel: RIP  [<ffffffffa01d403a>] ir_lirc_unregister+0x1a/0x90 [ir_lirc_codec]
Aug 16 03:31:02 localhost kernel: RSP <ffff880077b53cf8>
Aug 16 03:31:02 localhost kernel: CR2: 0000000000000028
Aug 16 03:31:02 localhost kernel: ---[ end trace 35faed9d55bd1166 ]---
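
A triage sketch for the oops above, added here as an example (it is not part of the original report or of the kernel tree): it pulls the faulting symbol out of the log and decodes the marked instruction bytes to show that the fault address 0x28 is a field offset applied to a NULL base register. The function name `triage` is hypothetical, and the decoder assumes the un-prefixed `8b /r` disp8 form that appears in this trace.

```python
import re

# Lines copied from the oops in this report, syslog prefix stripped.
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffffa01d403a>] ir_lirc_unregister+0x1a/0x90 [ir_lirc_codec]
RAX: 0000000000000000 RBX: ffff88007a0f7e00 RCX: ffffffffa063c100
RDX: ffffffffa063c110 RSI: dead000000100100 RDI: ffff8800779da000
Code: 90 55 48 89 e5 0f 1f 44 00 00 c9 c3 eb 03 90 90 90 55 48 89 e5 41 54 53 0f 1f 44 00 00 48 8b 9f b0 02 00 00 48 8b 83 e0 00 00 00 <8b> 78 28 e8 9e 06 fe ff 48 8b 83 e0 00 00 00 4c 8b 60 58 41 80
"""

# x86-64 register numbering used by the ModRM r/m field (no REX extension).
REGS64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]

def triage(oops):
    """Return the faulting symbol and, if decodable, the NULL base register."""
    fault = int(re.search(r"dereference at ([0-9a-f]{16})", oops).group(1), 16)
    sym, off, mod = re.search(
        r"IP: \[<[0-9a-f]+>\] (\w+)\+(0x[0-9a-f]+)/0x[0-9a-f]+ \[(\w+)\]", oops
    ).groups()
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b(R[A-Z]{2}): ([0-9a-f]{16})", oops)}

    # The kernel wraps the first byte of the faulting instruction in <..>.
    code = re.search(r"Code: (.*)", oops).group(1).split()
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    opcode, modrm, disp = (int(b.strip("<>"), 16) for b in code[start:start + 3])

    result = {"symbol": sym, "offset": int(off, 16), "module": mod,
              "fault_addr": fault, "base_reg": None,
              "field_offset": None, "null_base": False}

    # Assumption: decode only 'mov r32, [r64+disp8]' (8b /r, mod=01, no SIB).
    if opcode == 0x8B and modrm >> 6 == 1 and modrm & 7 != 4:
        base = REGS64[modrm & 7]
        disp = disp - 256 if disp > 127 else disp  # disp8 is signed
        result["base_reg"] = base
        result["field_offset"] = disp
        # NULL base confirmed when the register is 0 and base+disp == CR2.
        result["null_base"] = regs[base] == 0 and regs[base] + disp == fault
    return result

if __name__ == "__main__":
    r = triage(OOPS)
    print("%(symbol)s+%(offset)#x [%(module)s]: load from %(base_reg)s+"
          "%(field_offset)#x, NULL base: %(null_base)s" % r)
```
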
Comment 1 Samuel Verschelde 2011-10-01 14:41:00 CEST
Assigning to kernel maintainer. Please assign back to bugsquad@mageia.org if the problem is not in the kernel.

CC: (none) => stormi
Assignee: bugsquad => tmb

Comment 2 Herbert Poetzl 2011-10-04 21:56:51 CEST
Why should a 'kernel BUG' be a problem outside the kernel?
Comment 3 Samuel Verschelde 2011-10-04 21:58:56 CEST
Can be a driver, and we have different maintainers for some drivers than for the core kernel.
Comment 4 Marja Van Waes 2012-01-09 17:33:17 CET
Pinging, because nothing has happened to this report for more than 3 months, and it still has the status NEW or REOPENED.


@ Thomas

Please set status to ASSIGNED if you think this bug was assigned correctly. If for work flow reasons you can't do that, then please put OK on the whiteboard instead.

CC: (none) => marja11

Comment 5 Marja Van Waes 2012-04-23 16:51:47 CEST
3-monthly ping
Comment 6 Herbert Poetzl 2012-04-24 23:40:23 CEST
I didn't manage to trigger this specific one on 2.6.38.8, but I did hit a quite similar one (Bug 5599) when testing again.

CC: (none) => herbert

Comment 7 Marja Van Waes 2012-04-25 07:51:52 CEST
(In reply to comment #6)
> I didn't manage to trigger this specific one on 2.6.38.8, but I did hit a quite
> similar one (Bug 5599) when testing again.

I understand this bug isn't there anymore with kernel-desktop-2.6.38.8-10.mga-1-1.mga1 (you used 2.6.38.8-4 when you reported this one), so closing as fixed. 

Feel free to reopen if I misunderstand.

Status: NEW => RESOLVED
Resolution: (none) => FIXED