Bug 2786

Summary: The 'uinput' device Oops when select()ed or poll()ed
Product: Drivers
Reporter: LEE Sau Dan (danlee)
Component: Input Devices
Assignee: Vojtech Pavlik (vojtech)
Status: CLOSED PATCH_ALREADY_AVAILABLE
Severity: normal
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.7-rc1
Regression: ---
Attachments:
  C program to generate the Oops (Change the filename in the open line to "/dev/misc/uinput" to trigger the bug.)
  The oops message
  Patch to avoid oopsing in uinput_poll

Description LEE Sau Dan 2004-05-28 09:59:26 UTC
Distribution: Debian
Hardware Environment: i386
Software Environment: gcc 3.3.3
Problem Description:

After loading the 'uinput' module (drivers/input/misc/uinput.c), a char device
/dev/misc/uinput is created.  (For non-devfs based systems, use "cat /proc/misc"
to find out the device minor.  The major is 10.  Then, you can create the
device node yourself.)

This device node is for interacting with the input subsystem to let userland
programs create and manipulate "virtual" devices.  The node can be open()ed,
read() and write()n without problems.  However, as soon as I do a select()
or poll(), it Oopses!  The userland program gets a SEGV signal.


Steps to reproduce:

Compile the attached file.  Then, run it.  You'll get the Oops and SEGV.

Changing the device file to /dev/zero, the program runs without problems.
Try other files, and the program runs without problems.
Comment 1 LEE Sau Dan 2004-05-28 10:02:33 UTC
Created attachment 3001
C program to generate the Oops (Change the filename in the open line to "/dev/misc/uinput" to trigger the bug.)
Comment 2 LEE Sau Dan 2004-05-28 10:07:41 UTC
Created attachment 3002
The oops message

Apparently, there is a null pointer dereference in kernel code.
Comment 3 Dmitry Torokhov 2004-05-28 12:52:13 UTC
Created attachment 3007
Patch to avoid oopsing in uinput_poll

You need to create userspace device before starting polling. Please try the
attached patch (it checks whether the device has been created before doing
poll_wait as the user device may not be created yet and corresponding wait
queue is not yet initialized).
Comment 4 Vojtech Pavlik 2004-05-28 13:59:33 UTC
Thanks, Dmitry. The patch looks obviously correct, so I implemented a similar
fix in my input tree.