2002-10-09 08:45:00

by Maciej Babinski

[permalink] [raw]
Subject: uinput oops in 2.5.41

I get a NULL pointer dereference by running "cat" on /dev/misc/uinput
I'm a newbie, but I think the patch at the bottom fixes it.


ksymoops 2.4.6 on i586 2.5.41. Options used
-v /usr/src/linux/vmlinux (specified)
-k /proc/ksyms (default)
-l /proc/modules (default)
-o /lib/modules/2.5.41/ (default)
-m /usr/src/linux/System.map (default)

Unable to handle kernel NULL pointer dereference at virtual address 00000004
c0112986
*pde = 00000000
Oops: 0002
CPU: 0
EIP: 0060:[<c0112986>] Not tainted
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010046
eax: c521e008 ebx: 00000000 ecx: c3919f5c edx: c3919f50
esi: 00000246 edi: c3918000 ebp: c3b76b40 esp: c3919f20
ds: 0068 es: 0068 ss: 0068
Stack: c521e000 00000000 c69305cd c521e008 00000000 c3cfd380 c01118c0 00000000
00000000 00000000 00000000 00000000 00000000 c3cfd380 c01118c0 00000000
00000000 00000000 c3919f7c bffff864 c3b76b40 0804e758 00000400 c3b76b60
Call Trace: [<c69305cd>] [<c01118c0>] [<c01118c0>] [<c0137f09>] [<c013803a>] [<c0107357>]
Code: 89 4b 04 89 41 04 56 9d 5b 5e c3 90 8d b4 26 00 00 00 00 8d


>>EIP; c0112986 <add_wait_queue+16/30> <=====

>>eax; c521e008 <_end+4f5f81c/6543814>
>>ecx; c3919f5c <_end+365b770/6543814>
>>edx; c3919f50 <_end+365b764/6543814>
>>edi; c3918000 <_end+3659814/6543814>
>>ebp; c3b76b40 <_end+38b8354/6543814>
>>esp; c3919f20 <_end+365b734/6543814>

Trace; c69305cd <[uinput]uinput_read+fd/170>
Trace; c01118c0 <default_wake_function+0/40>
Trace; c01118c0 <default_wake_function+0/40>
Trace; c0137f09 <vfs_read+99/d0>
Trace; c013803a <sys_read+2a/40>
Trace; c0107357 <syscall_call+7/b>

Code; c0112986 <add_wait_queue+16/30>
00000000 <_EIP>:
Code; c0112986 <add_wait_queue+16/30> <=====
0: 89 4b 04 mov %ecx,0x4(%ebx) <=====
Code; c0112989 <add_wait_queue+19/30>
3: 89 41 04 mov %eax,0x4(%ecx)
Code; c011298c <add_wait_queue+1c/30>
6: 56 push %esi
Code; c011298d <add_wait_queue+1d/30>
7: 9d popf
Code; c011298e <add_wait_queue+1e/30>
8: 5b pop %ebx
Code; c011298f <add_wait_queue+1f/30>
9: 5e pop %esi
Code; c0112990 <add_wait_queue+20/30>
a: c3 ret
Code; c0112991 <add_wait_queue+21/30>
b: 90 nop
Code; c0112992 <add_wait_queue+22/30>
c: 8d b4 26 00 00 00 00 lea 0x0(%esi,1),%esi
Code; c0112999 <add_wait_queue+29/30>
13: 8d 00 lea (%eax),%eax



--- linux-2.5.41/drivers/input/misc/uinput.c Mon Oct 7 13:24:50 2002
+++ linux-2.5.41.new/drivers/input/misc/uinput.c Wed Oct 9 03:47:15 2002
@@ -224,15 +224,14 @@

udev = (struct uinput_device *)file->private_data;

+ if (!(udev->state & UIST_CREATED))
+ return -ENODEV;
+
if (udev->head == udev->tail) {
add_wait_queue(&udev->waitq, &waitq);
current->state = TASK_INTERRUPTIBLE;

while (udev->head == udev->tail) {
- if (!(udev->state & UIST_CREATED)) {
- retval = -ENODEV;
- break;
- }
if (file->f_flags & O_NONBLOCK) {
retval = -EAGAIN;
break;


2002-10-09 09:37:00

by Vojtech Pavlik

[permalink] [raw]
Subject: Re: uinput oops in 2.5.41

On Wed, Oct 09, 2002 at 03:50:41AM -0500, Maciej Babinski wrote:
> I get a NULL pointer dereference by running "cat" on /dev/misc/uinput
> I'm a newbie, but I think the patch at the bottom fixes it.

> --- linux-2.5.41/drivers/input/misc/uinput.c Mon Oct 7 13:24:50 2002
> +++ linux-2.5.41.new/drivers/input/misc/uinput.c Wed Oct 9 03:47:15 2002
> @@ -224,15 +224,14 @@
>
> udev = (struct uinput_device *)file->private_data;
>
> + if (!(udev->state & UIST_CREATED))
> + return -ENODEV;
> +
> if (udev->head == udev->tail) {
> add_wait_queue(&udev->waitq, &waitq);
> current->state = TASK_INTERRUPTIBLE;
>
> while (udev->head == udev->tail) {
> - if (!(udev->state & UIST_CREATED)) {
> - retval = -ENODEV;
> - break;
> - }
> if (file->f_flags & O_NONBLOCK) {
> retval = -EAGAIN;
> break;

Your patch is almost correct - you have to keep both the checks. The
first could happen when the device disappears while being waited for.

--
Vojtech Pavlik
SuSE Labs

2002-10-10 21:27:08

by Zach Welch

[permalink] [raw]
Subject: Re: uinput oops in 2.5.41

Vojtech Pavlik wrote:
> On Wed, Oct 09, 2002 at 03:50:41AM -0500, Maciej Babinski wrote:
>
>>I get a NULL pointer dereference by running "cat" on /dev/misc/uinput
>>I'm a newbie, but I think the patch at the bottom fixes it.
>
>
> Your patch is almost correct - you have to keep both the checks. The
> first could happen when the device disappears while being waited for.
>

I've added this to my backport to 2.4. I'll be posting it very shortly
under the subject 'backport of uinput.c to 2.4, fixes for 2.5'. This
will include numerous additional fixes to uinput.c.

Cheers,

Zach Welch
Superlucidity Services