Kernel Bug Tracker – Bug 2786
The 'uinput' device Oops when select()ed or poll()ed
Last modified: 2004-05-30 03:02:48 UTC
Hardware Environment: i386
Software Environment: gcc 3.3.3
After loading the 'uinput' module (drivers/input/misc/uinput.c), a char device
/dev/misc/uinput is created. (For non-devfs based systems, use "cat /proc/misc"
to find out the device minor. The major is 10. Then, you can create the
device node yourself.)
This device node is for interacting with the input subsystem to let userland
programs create and manipulate "virtual" devices. The node can be open()ed,
read() and write()n without problems. However, as soon as I do a select()
or poll(), it Oopses! The userland program gets a SEGV signal.
Steps to reproduce:
Compile the attached file. Then, run it. You'll get the Oops and SEGV.
Changing the device file to /dev/zero, the program runs without problems.
Try other files, and the program runs without problems.
Created attachment 3001
C program to generate the Oops (Change the filename in the open line to "/dev/misc/uinput" to trigger the bug.)
Created attachment 3002
The oops message
Apparently, there is a null pointer dereference in kernel code.
Created attachment 3007
Patch to avoid oopsing in uinput_poll
You need to create the userspace device before starting polling. Please try the
attached patch (it checks whether the device has been created before doing
poll_wait, as the user device may not be created yet and the corresponding wait
queue is not yet initialized).
Thanks, Dmitry. The patch looks obviously correct, so I implemented a similar
fix in my input tree.