Bug 9034 - OOPS in floppy sysfs
Summary: OOPS in floppy sysfs
Status: CLOSED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: drivers_other
Reported: 2007-09-18 08:59 UTC by Stephen Hemminger
Modified: 2007-10-29 22:56 UTC

Kernel Version: 2.6.23-rc6
Regression: Yes


Description Stephen Hemminger 2007-09-18 08:59:34 UTC
The OOPS happens in floppy uevent file, not sure why it only happens
if earlier file is read.

To reproduce:
	cat /sys/devices/platform/floppy.0/*

Unable to handle kernel paging request at ffffffff806b6680 RIP: 
 [<ffffffff8035269e>] strnlen+0xe/0x40
PGD 203067 PUD 207063 PMD 37e11163 PTE 6b6000
Oops: 0000 [1] SMP 
last sysfs file: /devices/platform/floppy.0/uevent
CPU 1 
Modules linked in: autofs4 cpufreq_ondemand acpi_cpufreq video output sbs dock battery ac radeon drm ipv6 i2c_i801 i2c_core snd_hda_intel snd_seq_dummy button sky2 sg snd_seq_oss snd_seq_midi_event snd_seq sr_mod snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm cdrom iTCO_wdt iTCO_vendor_support snd_timer serio_raw rtc_cmos snd_page_alloc floppy ohci_hcd
Pid: 3494, comm: sum Not tainted 2.6.23-rc6 #66
RIP: 0010:[<ffffffff8035269e>]  [<ffffffff8035269e>] strnlen+0xe/0x40
RSP: 0018:ffff81005613fc28  EFLAGS: 00010297
RAX: ffffffff805cb68d RBX: ffff810066d5f038 RCX: ffffffff805d15f9
RDX: fffffffffffffffe RSI: ffffffffffffffff RDI: ffffffff806b6680
RBP: ffff81005613fc28 R08: 00000000ffffffff R09: ffff81005613fd38
R10: ffff81005613fc98 R11: 0000000000000246 R12: ffffffff806b6680
R13: ffff8100e6d5f037 R14: 0000000000000000 R15: 00000000ffffffff
FS:  00002b074b6676f0(0000) GS:ffff8100026b4d40(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffffff806b6680 CR3: 000000007e0e9000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process sum (pid: 3494, threadinfo ffff81005613e000, task ffff810037c93000)
Stack:  ffff81005613fc88 ffffffff80353ff6 ffff81005613fc58 ffff81005613fc98
 000000007fffffff ffff810066d5f038 ffffffff805d15f9 ffff81005613fda8
 0000000000000038 0000000000000000 ffff810056266000 ffff810066d5f000
Call Trace:
 [<ffffffff80353ff6>] vsnprintf+0x456/0x6a0
 [<ffffffff803542e3>] sprintf+0xa3/0xb0
 [<ffffffff803d9d92>] platform_uevent+0x22/0x30
 [<ffffffff803d5d4e>] dev_uevent+0x20e/0x360
 [<ffffffff803d4ae9>] show_uevent+0xf9/0x140
 [<ffffffff8027848e>] get_page_from_freelist+0x2ee/0x3f0
 [<ffffffff802785ef>] __alloc_pages+0x5f/0x350
 [<ffffffff802123f1>] arch_get_unmapped_area+0xf1/0x280
 [<ffffffff803d45dd>] dev_attr_show+0x1d/0x20
 [<ffffffff802ebc7b>] sysfs_read_file+0x9b/0x130
 [<ffffffff8029bbc1>] vfs_read+0xe1/0x1a0
 [<ffffffff8029c0a0>] sys_read+0x50/0x90
 [<ffffffff8020c28c>] tracesys+0xdc/0xe1


Code: 80 3f 00 74 22 48 89 f8 eb 0a 80 38 00 0f 1f 44 00 00 74 0e 
RIP  [<ffffffff8035269e>] strnlen+0xe/0x40
 RSP <ffff81005613fc28>
CR2: ffffffff806b6680
Comment 1 Kay Sievers 2007-09-19 04:26:19 UTC
Might be another buggy usage of uevent env handling. It's hopefully all fixed in -mm, with the easier to understand core logic.

Does terminating the array fix it?

+++ a/drivers/base/platform.c
        snprintf(buffer, buffer_size, "MODALIAS=%s", pdev->name);
+       envp[1] = NULL;
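Review bot: the added `envp[1] = NULL;` executes only after the `snprintf(buffer, buffer_size, "MODALIAS=%s", pdev->name);` context line, while the oops in the description faults in strnlen under vsnprintf called from platform_uevent, with CR2 equal to RDI (ffffffff806b6680), which is the string pointer being measured for `%s`. Terminating the array cannot prevent a fault that occurs during formatting, so the validity of `pdev->name` at the time uevent is read should be checked as well. The hard-coded index 1 also assumes that `envp[0]` already points at `buffer` and that the array has at least two slots; neither is visible in this hunk, so a bound check before the store would be worth adding.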
Comment 2 Stephen Hemminger 2007-10-29 22:56:26 UTC
Fixed in 2.6.23
