From: Bongani Hlope
To: Ingo Molnar
Cc: Andrew Morton, Mauro Carvalho Chehab, linux-kernel@vger.kernel.org
Subject: [BUG] 2.6.25-rcX NULL Pointer when adding a mutex_waiter
Date: Wed, 27 Feb 2008 01:27:36 +0200
Message-Id: <200802270127.37130.bonganilinux@mweb.co.za>

Hi

I've been trying to figure out what causes [BUG 10027] on bugzilla, and I'm stuck. The 2.6.24 kernel works fine; the bttv drivers have been ported to the V4L version 2 API, so bisecting doesn't work that well.

My analysis of the bug is as follows:

linux/driver/media/video/bt8x/bttv-driver.c:4284

    mutex_init(&btv->lock);

in __devinit bttv_probe(). The printk's before and after this statement are printed, which implies that the mutex_init was successful. This driver locks and unlocks this mutex in a lot of places, and driving the TV part of the card works fine.

linux/kernel/mutex.c:47

    INIT_LIST_HEAD(&lock->wait_list);

in __mutex_init, which is called by mutex_init. This initializes the list of waiters for this mutex.

The radio_g_tuner causes the following call chain: mutex_lock -> __mutex_lock_slowpath -> __mutex_lock_common, which does this:

    /* add waiting tasks to the end of the waitqueue (FIFO): */
    list_add_tail(&waiter.list, &lock->wait_list);
    waiter.task = task;

which causes __list_add to fail:

Code disassembled:

    0x4005c0 : mov %edi,%ebx
    0x4005c2 : mov %r12,%rdi
    0x4005c5 : sub $0x20,%rsp
    0x4005c9 : mov %gs:0x0,%r14
    0x4005d2 : callq 0x4017f0
    0x4005d7 : lea 0x8(%rbx),%rax
    0x4005db : lea 0xffffffffffffffc0(%rbp),%rdx
    0x4005df : mov 0x8(%rax),%rcx
    0x4005e3 : mov %rax,0xffffffffffffffc0(%rbp)
    0x4005e7 : mov %rdx,0x8(%rax)
    0x4005eb : mov %rdx,(%rcx)                  <============= Here
    0x4005ee : or $0xffffffffffffffff,%rdx
    0x4005f2 : mov %rcx,0xffffffffffffffc8(%rbp)
    0x4005f6 : mov %r14,0xffffffffffffffd0(%rbp)
    0x4005fa : mov %rdx,%rax
    0x4005fd : xchg %eax,(%rbx)
    0x4005ff : incl (%rax)
    0x400601 : and $0xa70,%eax
    0x400606 : add %al,(%rax)
    0x400608 : add %ebx,(%rbx)

kernel/mutex.c disassembly:

    __mutex_lock_slowpath:
        pushq %rbp #
        movq %rsp, %rbp #,
        pushq %r14 #
        pushq %r13 #
        pushq %r12 #
        leaq 4(%rdi), %r12 #, D.13845
        pushq %rbx #
        movq %rdi, %rbx # lock_count, lock
        movq %r12, %rdi # D.13845, D.13845
        subq $32, %rsp #,
    #APP
        movq %gs:0,%r14 #, tsk
    #NO_APP
        call _spin_lock #
        leaq 8(%rbx), %rax #, next
        leaq -64(%rbp), %rdx #, tmp81
        movq 8(%rax), %rcx # .prev, prev
        movq %rax, -64(%rbp) # next, waiter.list.next
        movq %rdx, 8(%rax) # tmp81, .prev
        movq %rdx, (%rcx) # tmp81, .next        <========= Here
        orq $-1, %rdx #, tmp83
        movq %rcx, -56(%rbp) # prev, waiter.list.prev
        movq %r14, -48(%rbp) # tsk, waiter.task
        movq %rdx, %rax # tmp83, x

The oops:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
IP: [] __mutex_lock_slowpath+0x3b/0xb2
PGD 67671067 PUD 63f47067 PMD 0
Oops: 0002 [1] PREEMPT SMP
CPU 0
Modules linked in: snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq binfmt_misc loop nls_cp437 vfat fat nls_iso8859_1 ntfs dm_mod thermal processor fan container button pcspkr snd_pcm_oss snd_mixer_oss tuner tea5767 tda8290 tuner_xc2028 tda9887 tuner_simple mt20xx tea5761 snd_emu10k1 snd_rawmidi bttv snd_ac97_codec videodev ac97_bus v4l1_compat snd_pcm ir_common firewire_ohci firewire_core snd_seq_device compat_ioctl32 snd_timer uhci_hcd ehci_hcd v4l2_common ide_cd_mod crc_itu_t snd_page_alloc usbcore videobuf_dma_sg snd_util_mem videobuf_core ohci1394 btcx_risc i2c_viapro sr_mod snd_hwdep ieee1394 emu10k1_gp snd tg3 cdrom tveeprom gameport sg evdev soundcore
Pid: 7197, comm: radio Tainted: G M 2.6.25-rc1 #20
RIP: 0010:[] [] __mutex_lock_slowpath+0x3b/0xb2
RSP: 0018:ffff81007df515e8 EFLAGS: 00010246
RAX: ffff81007f13ef10 RBX: ffff81007f13ef08 RCX: 0000000000000000
RDX: ffff81007df515e8 RSI: ffffffff88184050 RDI: ffff81007f13ef0c
RBP: ffff81007df51628 R08: 0000000000000004 R09: ffff81007df51aa8
R10: ffff81007e680a40 R11: 0000000000000202 R12: ffff81007f13ef0c
R13: ffff81007f13ef08 R14: ffff810063cfc040 R15: ffffffff88184050
FS: 00007fa8d92ba6f0(0000) GS:ffffffff805b2000(0000) knlGS:00000000f61fb980
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000676dc000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process radio (pid: 7197, threadinfo ffff81007df50000, task ffff810063cfc040)
Stack: ffff81007f13ef10 0005049900000000 018060f7018060fa 0000000000000024
 ffff81007df51aa8 ffff81007f13e800 ffff81007f13ef08 ffff81007e0e5800
 ffff81007df51638 ffffffff80457083 ffff81007df51668 ffffffff88162f2f
Call Trace:
 [] [] :bttv:radio_g_tuner+0x40/0xa6
 [] :videodev:__video_do_ioctl+0x2a6e/0x2e25
 [] :v4l1_compat:v4l_compat_translate_ioctl+0xea9/0x1af5
 [] ? :videodev:__video_do_ioctl+0x0/0x2e25
 [] ? blk_recount_segments+0x3e/0x62
 [] ? mempool_alloc_slab+0x11/0x13
 [] ? mempool_alloc+0x48/0xf9
 [] ? ext3_get_acl+0x87/0x332
 [] ? __d_lookup+0x125/0x137
 [] ? do_lookup+0x63/0x1b1
 [] ? dput+0x22/0x120
 [] ? __link_path_walk+0xbbd/0xd1b
 [] ? ext3_get_acl+0x87/0x332
 [] ? native_read_tsc+0x11/0x22
 [] ? __delay+0x27/0x59
 last message repeated 2 times
 [] ? __udelay+0x40/0x42
 [] ? i2c_stop+0x47/0x4b
 [] ? bit_xfer+0x412/0x423
 [] ? i2c_transfer+0x79/0x85
 [] ? :tuner_simple:simple_set_params+0x2bd/0xc1c
 [] ? get_unused_fd_flags+0x10d/0x11c
 [] ? touch_atime+0xe3/0xec
 [] ? mntput_no_expire+0x20/0x8f
 [] ? :tuner:fe_set_params+0x46/0x48
 [] ? :tuner:set_radio_freq+0x159/0x162
 [] ? klist_dec_and_del+0x14/0x16
 [] ? klist_next+0x6b/0x8a
 [] ? i2c_cmd+0x0/0x3e
 [] ? device_for_each_child+0x4c/0x5c
 [] :videodev:__video_do_ioctl+0x139/0x2e25
 [] ? :bttv:bttv_call_i2c_clients+0x16/0x18
 [] ? :bttv:audio_mux+0x105/0x1b5
 [] ? filemap_fault+0x1fe/0x371
 [] :videodev:video_ioctl2+0x1b8/0x259
 [] ? handle_mm_fault+0x341/0x697
 [] vfs_ioctl+0x5e/0x77
 [] do_vfs_ioctl+0x24d/0x262
 [] ? do_page_fault+0x434/0x7aa
 [] sys_ioctl+0x42/0x67
 [] system_call_after_swapgs+0x7b/0x80
Feb 15 08:42:03 bongani64 kernel:
Feb 15 08:42:03 bongani64 kernel: Code: 89 fb 4c 89 e7 48 83 ec 20 65 4c 8b 34 25 00 00 00 00 e8 19 12 00 00 48 8d 43 08 48 8d 55 c0 48 8b 48 08 48 89 45 c0 48 89 50 08 <48> 89 11 48 83 ca ff 48 89 4d c8 4c 89 75 d0 48 89 d0 87 03 ff
RIP [] __mutex_lock_slowpath+0x3b/0xb2
 RSP
CR2: 0000000000000000
---[ end trace fdf145f4fc51dccd ]---
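The faulting instruction above is the `prev->next = new` store of `__list_add()`, reached with `prev` (the mutex's `wait_list.prev`, in RCX) equal to zero. The userspace model below is an added example, not code from the report or from the kernel: it mirrors the unchecked kernel `list_add_tail()` and then shows the kind of validation that a `CONFIG_DEBUG_LIST`-style check performs before linking, so that a list head whose `prev` is NULL or whose forward and backward pointers disagree is reported as corruption instead of dereferenced. The zeroed-list scenario is a constructed illustration of one way `prev` can become NULL; it is not the page's diagnosis of the bttv bug.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the kernel's struct list_head (constructed for this example). */
struct list_head {
    struct list_head *next, *prev;
};

static inline void init_list_head(struct list_head *list)
{
    list->next = list;
    list->prev = list;
}

/* Same store order as the unchecked kernel __list_add(): with prev == NULL the
 * final line is exactly the "mov %rdx,(%rcx)" that oopsed in the report. */
static inline void __list_add_unchecked(struct list_head *entry,
                                        struct list_head *prev,
                                        struct list_head *next)
{
    next->prev = entry;
    entry->next = next;
    entry->prev = prev;
    prev->next = entry;
}

/* Validation in the spirit of CONFIG_DEBUG_LIST (assumed behaviour, not the kernel's
 * code): refuse to link into a list whose neighbour is NULL or whose links disagree.
 * Returns 0 on success, -1 when the list head is corrupt. */
static int list_add_tail_checked(struct list_head *entry, struct list_head *head)
{
    struct list_head *prev = head->prev;
    struct list_head *next = head;

    if (prev == NULL || next->prev != prev || prev->next != next) {
        fprintf(stderr, "list corruption: head=%p prev=%p prev->next=%p\n",
                (void *)head, (void *)prev, prev ? (void *)prev->next : NULL);
        return -1;
    }
    __list_add_unchecked(entry, prev, next);
    return 0;
}

/* Walk the forward links, verifying each back link, and return the entry count. */
static int list_count(const struct list_head *head)
{
    int n = 0;
    const struct list_head *p;

    for (p = head->next; p != head; p = p->next) {
        if (p->next->prev != p)
            return -1;      /* back link does not point at us: corrupt */
        n++;
    }
    return n;
}

/* Scenario 1 (constructed): a wait_list initialised like INIT_LIST_HEAD() accepts waiters. */
static int scenario_initialised(void)
{
    struct list_head wait_list, w1, w2;

    init_list_head(&wait_list);
    if (list_add_tail_checked(&w1, &wait_list))
        return -1;
    if (list_add_tail_checked(&w2, &wait_list))
        return -1;
    return list_count(&wait_list);      /* 2 */
}

/* Scenario 2 (constructed hypothesis): a wait_list whose storage was zeroed after,
 * or instead of, initialisation, so prev == next == NULL. The checked add reports
 * corruption and returns -1 rather than writing through the NULL prev pointer. */
static int scenario_zeroed(void)
{
    struct list_head wait_list, w1;

    memset(&wait_list, 0, sizeof wait_list);
    return list_add_tail_checked(&w1, &wait_list);
}

int main(void)
{
    printf("initialised list: %d waiters\n", scenario_initialised());
    printf("zeroed list: add returned %d\n", scenario_zeroed());
    return 0;
}
```

Run stand-alone it prints two waiters for the initialised list and a corruption message plus -1 for the zeroed one; the same check, built into the kernel via CONFIG_DEBUG_LIST, is what turns a silent NULL-pointer oops deep in `__mutex_lock_slowpath` into an explicit "list_add corruption" report naming the bad pointers, which is the first thing to enable when chasing a report like this one.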