Bug 2786 - The 'uinput' device Oops when select()ed or poll()ed
Status: CLOSED PATCH_ALREADY_AVAILABLE
Product: Drivers
Classification: Unclassified
Component: Input Devices
Hardware: i386 Linux
Importance: P2 normal
Assigned To: Vojtech Pavlik
Reported: 2004-05-28 09:59 UTC by LEE Sau Dan
Modified: 2004-05-30 03:02 UTC (History)
Kernel Version: 2.6.7-rc1
Tree: Mainline
Regression: ---


Attachments
C program to generate the Oops (Change the filename in the open line to "/dev/misc/uinput" to trigger the bug.) (538 bytes, text/plain)
2004-05-28 10:02 UTC, LEE Sau Dan
The oops message (2.22 KB, text/plain)
2004-05-28 10:07 UTC, LEE Sau Dan
Patch to avoid oopsing in uinput_poll (508 bytes, patch)
2004-05-28 12:52 UTC, Dmitry Torokhov

Description LEE Sau Dan 2004-05-28 09:59:26 UTC
Distribution: Debian
Hardware Environment: i386
Software Environment: gcc 3.3.3
Problem Description:

After loading the 'uinput' module (drivers/input/misc/uinput.c), a char device
/dev/misc/uinput is created.  (For non-devfs based systems, use "cat /proc/misc"
to find out the device minor.  The major is 10.  Then, you can create the
device node yourself.)

This device node is for interacting with the input subsystem to let userland
programs create and manipulate "virtual" devices.  The node can be open()ed,
read() and write()n without problems.  However, as soon as I do a select()
or poll(), it Oopses!  The userland program gets a SEGV signal.


Steps to reproduce:

Compile the attached file.  Then, run it.  You'll get the Oops and SEGV.

Changing the device file to /dev/zero, the program runs without problems.
Try other files, and the program runs without problems.

Comment 1 LEE Sau Dan 2004-05-28 10:02:33 UTC
Created attachment 3001
C program to generate the Oops (Change the filename in the open line to "/dev/misc/uinput" to trigger the bug.)

Comment 2 LEE Sau Dan 2004-05-28 10:07:41 UTC
Created attachment 3002
The oops message

Apparently, there is a null pointer dereference in kernel code.

Comment 3 Dmitry Torokhov 2004-05-28 12:52:13 UTC
Created attachment 3007
Patch to avoid oopsing in uinput_poll

You need to create the userspace device before you start polling. Please try the
attached patch (it checks whether the device has been created before doing
poll_wait, as the user device may not be created yet and the corresponding wait
queue is not yet initialized).
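
Added example, not part of the original comment or the attached patch: a userspace C model of the check Comment 3 describes, with the unguarded and guarded poll paths side by side. Every `model_*` name is hypothetical, and reporting 0 (no events) before the device is created is an assumption of the model.

```c
/* Added userspace model; every name is hypothetical, not the kernel's uinput code. */
#include <poll.h>
#include <stdio.h>

struct model_waitq { int waiters; };
struct model_udev {
    int created;                /* set once the user device exists */
    struct model_waitq *waitq;  /* NULL until creation: the uninitialized queue */
    struct model_waitq storage;
    unsigned head, tail;        /* event ring indices */
};

/* Stand-in for poll_wait(): using a queue that was never set up is the
 * faulting step, so the model returns -1 instead of dereferencing it. */
static int model_poll_wait(struct model_waitq *q)
{
    if (q == NULL)
        return -1;
    q->waiters++;
    return 0;
}

void model_open(struct model_udev *u) { *u = (struct model_udev){0}; }
void model_queue_event(struct model_udev *u) { if (u->created) u->head++; }
void model_create(struct model_udev *u) { u->waitq = &u->storage; u->created = 1; }

/* Pre-fix shape: waits unconditionally; -1 marks where the kernel oopsed. */
int model_poll_unguarded(struct model_udev *u)
{
    if (model_poll_wait(u->waitq) < 0)
        return -1;
    return u->head != u->tail ? POLLIN : 0;
}

/* Post-fix shape: test the created state before touching the wait queue.
 * Returning 0 before creation is this model's assumption. */
int model_poll_guarded(struct model_udev *u)
{
    return u->created ? model_poll_unguarded(u) : 0;
}

int main(void)
{
    struct model_udev u;
    model_open(&u);             /* opened, device not yet created */
    return printf("unguarded=%d guarded=%d\n",
                  model_poll_unguarded(&u), model_poll_guarded(&u)) < 0;
}
```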

Comment 4 Vojtech Pavlik 2004-05-28 13:59:33 UTC
Thanks, Dmitry. The patch looks obviously correct, so I implemented a similar
fix in my input tree.