Bug 8312

Summary: fault in vt_ioctl
Product: IO/Storage
Reporter: Martin Jürgens (martin)
Component: Other
Assignee: Olaf Kirch (okir)
Status: CLOSED CODE_FIX
Severity: normal
CC: bunk, cw, okir
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.20
Subsystem:
Regression: ---
Bisected commit-id:
Attachments: dmesg; lspci -vv; lspci -vvn; Potential fix for this problem

Description Martin Jürgens 2007-04-08 06:02:51 UTC
Most recent kernel where this bug did *NOT* occur: 2.6.12
Distribution: Ubuntu, SuSE
Hardware Environment: Asrock K7S8X
Software Environment:
Problem Description:

Sometimes the kernel oopses, see dmesg

Steps to reproduce: I do not know any; I just work with my computer, and then it
beeps and the entries appear in dmesg.
Comment 1 Martin Jürgens 2007-04-08 06:04:44 UTC
Created attachment 11105 [details]
dmesg
Comment 2 Martin Jürgens 2007-04-08 06:05:20 UTC
Created attachment 11106 [details]
lspci -vv
Comment 3 Martin Jürgens 2007-04-08 06:07:32 UTC
Created attachment 11107 [details]
lspci -vvn
Comment 4 Martin Jürgens 2007-04-08 06:09:26 UTC
This is the bad thing:

[   81.196522] BUG: unable to handle kernel NULL pointer dereference at virtual
address 00000000
[   81.196534]  printing eip:
[   81.196537] c023f621
[   81.196539] *pde = 00000000
[   81.196544] Oops: 0000 [#1]
[   81.196546] SMP 
[   81.196551] Modules linked in: ppdev cpufreq_userspace cpufreq_stats
cpufreq_powersave cpufreq_ondemand freq_table cpufreq_conservative tc1100_wmi
pcc_acpi dev_acpi sony_acpi video sbs i2c_ec dock button battery container ac
asus_acpi backlight ieee80211 ieee80211_crypt af_packet nls_iso8859_1 nls_cp437
vfat fat nls_utf8 ntfs lp snd_intel8x0 snd_ac97_codec nvidia(P) ac97_bus
snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss usbhid
dvb_usb_dtt200u dvb_usb dvb_core dvb_pll snd_seq_midi snd_rawmidi
snd_seq_midi_event snd_seq snd_timer snd_seq_device hid analog gameport
parport_pc parport pcspkr snd soundcore snd_page_alloc sis_agp shpchp
pci_hotplug agpgart i2c_sis96x i2c_core tsdev evdev ext3 jbd mbcache ide_cd
cdrom ide_disk pata_sis ata_generic libata scsi_mod floppy ehci_hcd sis900 mii
ohci_hcd usbcore sis5513 generic thermal processor fan fbcon tileblit font
bitblit softcursor vesafb capability commoncap
[   81.196646] CPU:    0
[   81.196647] EIP:    0060:[<c023f621>]    Tainted: P      VLI
[   81.196649] EFLAGS: 00010246   (2.6.20-12-generic #2)
[   81.196667] EIP is at getkeycode+0x61/0x80
[   81.196671] eax: 00000000   ebx: 00000000   ecx: f7d22000   edx: f7eba97c
[   81.196677] esi: f46ac400   edi: df87a000   ebp: 00004b4c   esp: f43bbe28
[   81.196680] ds: 007b   es: 007b   ss: 0068
[   81.196685] Process dumpkeycodes (pid: 4972, ti=f43ba000 task=df9d3560
task.ti=f43ba000)
[   81.196689] Stack: 00000006 c023c479 dfd155b8 c20daea0 fffb4c44 00000000
c0478b5e 00000001 
[   81.196698]        00000001 00000000 00000001 00000002 77804067 00000003
0000001d 00000003 
[   81.196706]        dfae9220 f644e4e0 f7d52000 00000003 00000000 00000000
00000000 c023b180 
[   81.196714] Call Trace:
[   81.196720]  [<c023c479>] vt_ioctl+0x12f9/0x1840
[   81.196746]  [<c023b180>] vt_ioctl+0x0/0x1840
[   81.196754]  [<c0236775>] tty_ioctl+0x105/0xda0
[   81.196769]  [<c0156f80>] find_get_page+0x20/0x60
[   81.196784]  [<c0159ac1>] filemap_nopage+0x2f1/0x3a0
[   81.196800]  [<c011dd16>] kmap_atomic+0x86/0xa0
[   81.196812]  [<c011db5b>] kunmap_atomic+0x6b/0x70
[   81.196820]  [<c0164499>] __handle_mm_fault+0x279/0xa40
[   81.196835]  [<c0174ce5>] nameidata_to_filp+0x35/0x40
[   81.196864]  [<c0182568>] do_ioctl+0x78/0x90
[   81.196874]  [<c01825dc>] vfs_ioctl+0x5c/0x2a0
[   81.196885]  [<c0182892>] sys_ioctl+0x72/0x90
[   81.196894]  [<c01031f0>] sysenter_past_esp+0x69/0xa9
[   81.196917]  =======================
[   81.196919] Code: ff 76 19 8b 81 8c 00 00 00 83 f8 01 74 17 83 f8 02 74 1e 8b
81 90 00 00 00 8b 04 98 5b c3 5b b8 ed ff ff ff c3 8b 81 90 00 00 00 <0f> b6 04
18 5b c3 8b 81 90 00 00 00 0f b7 04 58 5b c3 8d b6 00 
[   81.196955] EIP: [<c023f621>] getkeycode+0x61/0x80 SS:ESP 0068:f43bbe28

(see dmesg)
Comment 5 Adrian Bunk 2007-04-08 11:48:39 UTC
Does it work without the nvidia binary-only driver?
Comment 6 Martin Jürgens 2007-04-08 12:59:02 UTC
No, it does not work either.

I had the same issue when installing openSuSE 10.2, which ships without binary
drivers.
Comment 7 Olaf Kirch 2007-04-11 02:36:36 UTC
It dies here:

int getkeycode(unsigned int scancode)
{
        struct list_head *node;
        struct input_dev *dev = NULL;

[...]

        if (scancode >= dev->keycodemax)
                return -EINVAL;

        return INPUT_KEYCODE(dev, scancode);
		^^^^^^^^^^^ here
}

because dev->keycode is NULL. So something registers an input device that
claims to be a keyboard, has keycodemax and keycodesize set, but no keycode
table.

The input devices registered prior to the oops are these:

[   25.839856] input: Macintosh mouse button emulation as /class/input/input0
[   45.650469] input: PC Speaker as /class/input/input1
[   46.288050] input: IR-receiver inside an USB DVB receiver as /class/input/input2
[   49.717736] input: Logitech USB-PS/2 Optical Mouse as /class/input/input3
[   49.718303] input: USB HID v1.10 Mouse [Logitech USB-PS/2 Optical Mouse] on usb-0000:00:03.1-2
[   49.718337] drivers/usb/input/hid-core.c: v2.6:USB HID core driver
[   67.216907] input: Power Button (FF) as /class/input/input4
[   67.224966] input: Power Button (CM) as /class/input/input5

There's also an AT keyboard, but it's registered later:

[   85.303668] input: AT Translated Set 2 keyboard as /class/input/input6

It looks to me as if the DVB IR-receiver is the culprit. From
drivers/media/dvb/dvb-usb/dvb-usb-remote.c:

        input_dev->evbit[0] = BIT(EV_KEY);
        input_dev->keycodesize = sizeof(unsigned char);
        input_dev->keycodemax = KEY_MAX;
        input_dev->name = "IR-receiver inside an USB DVB receiver";

So, for starters disconnect your DVB receiver and see if the problem
goes away. If it does, talk to the DVB developers how to fix this correctly.
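The failure mode described in Comment 7, as an added illustration that is not kernel code and not the fix attached to this bug: a cut-down model of the input_dev fields getkeycode() reads, with a lookup that refuses a device that advertises a keycode range but carries no table. All model_* names, the sample devices and the table contents are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not the kernel's code and not the fix attached to this bug:
 * a simplified model of the input_dev fields getkeycode() in 2.6.20 reads,
 * with a lookup that validates the keycode table before indexing it.
 * All model_* names are hypothetical. */
#define MODEL_EINVAL  22
#define MODEL_KEY_MAX 0x1ff

struct model_input_dev {
    const char  *name;
    const void  *keycode;      /* table of keycodesize-byte entries, may be NULL */
    unsigned int keycodesize;  /* bytes per entry: 1, 2 or 4 */
    unsigned int keycodemax;   /* number of entries the device claims to have */
};

/* The quoted 2.6.20 path checks only the range and then indexes the table;
 * a device that sets keycodemax/keycodesize but leaves keycode NULL (the DVB
 * IR receiver in Comment 7) reaches the index with a NULL base, which is the
 * dereference the oops shows.  This version rejects such a device up front. */
int model_getkeycode(const struct model_input_dev *dev, unsigned int scancode)
{
    if (dev->keycode == NULL || scancode >= dev->keycodemax)
        return -MODEL_EINVAL;
    switch (dev->keycodesize) {
    case 1:  return ((const uint8_t  *)dev->keycode)[scancode];
    case 2:  return ((const uint16_t *)dev->keycode)[scancode];
    case 4:  return (int)((const uint32_t *)dev->keycode)[scancode];
    default: return -MODEL_EINVAL;   /* unusable entry size */
    }
}

/* Constructed sample devices: one registered like the DVB IR receiver
 * (range advertised, no table), one with a real four-entry table. */
static const uint8_t model_kbd_table[4] = { 30, 31, 32, 33 };

int model_lookup_ir(unsigned int scancode)
{
    struct model_input_dev d = { "IR receiver (constructed)", NULL, 1, MODEL_KEY_MAX };
    return model_getkeycode(&d, scancode);
}

int model_lookup_kbd(unsigned int scancode)
{
    struct model_input_dev d = { "keyboard (constructed)", model_kbd_table, 1, 4 };
    return model_getkeycode(&d, scancode);
}
```

With the unchecked 2.6.20 logic, model_lookup_ir() would index a NULL table for any scancode below KEY_MAX; here it returns -EINVAL instead, and the keyboard model still resolves normally.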
Comment 8 Olaf Kirch 2007-04-12 02:06:48 UTC
Created attachment 11134 [details]
Potential fix for this problem
Comment 9 Olaf Kirch 2007-04-13 13:55:49 UTC
Patch was added to the -mm tree.
Comment 10 Adrian Bunk 2007-04-13 18:51:21 UTC
The fix from this bug is now in Linus' tree (and will therefore be in 2.6.21-rc7).