[ltp] NULL pointer dereference crash when lt_hotswap attempts eject

Kamen Rider linux-thinkpad@linux-thinkpad.org
Tue, 28 Nov 2006 17:43:49 +0000


Hi all,

I wonder if anyone has a similar problem? I am seeing weird messages in
/var/log/messages when I pressed the request eject button on the
ultrabase. I have a thinkpad x21 and the ultrabase has a dvdrom drive. I
have Suse 10.1 (2.6.16.21-0.25-default). lt_hotswap compiled and loaded
fine I think (I am using Andre Wyrwa's modified lths.sh, which loads
lt_hotswap automatically with auto_eject=1 when the MSTR event is received).

I booted the machine up with the ultrabase attached and the dvdrom was
mounted and working. Then I pressed the request eject button; the
/var/log/acpid file looks fine:

Nov 28 12:49:04 eris [acpid]: received event "ibm/bay MSTR 00000003
00000000"
Nov 28 12:49:04 eris [acpid]: notifying client 2226[0:0]
Nov 28 12:49:04 eris [acpid]: notifying client 2750[0:0]
Nov 28 12:49:04 eris [acpid]: notifying client 2955[0:0]
Nov 28 12:49:04 eris [acpid]: executing action "/usr/local/sbin/lths.sh
ibm/bay MSTR 00000003 00000000"
Nov 28 12:49:04 eris [acpid]: BEGIN HANDLER MESSAGES
Nov 28 12:49:04 eris [acpid]: END HANDLER MESSAGES
Nov 28 12:49:04 eris [acpid]: action exited with status 0
Nov 28 12:49:04 eris [acpid]: completed event "ibm/bay MSTR 00000003
00000000"

But I got this on /var/log/messages:

Nov 28 12:49:04 eris kernel: lt_hotswap: module not supported by Novell,
setting U taint flag.
Nov 28 12:49:04 eris kernel: Laptop ultrabay hotswap driver version 0.3.6
Nov 28 12:49:04 eris kernel: lt_hotswap: Failed to find 'BAT1'
Nov 28 12:49:04 eris kernel: lt_hotswap: Failed to find 'PMST'
Nov 28 12:49:04 eris kernel: lt_hotswap: '\_SB.PCI0.IDE0.SCND.MSTR'
found (Hot-Swappable)
Nov 28 12:49:04 eris kernel: lt_hotswap: '\_SB.PCI0.ISA.FDC.FDD0' found
(Non-Swappable)
Nov 28 12:49:04 eris kernel: lt_hotswap: '\_SB.PCI0.DOCK' found
(Hot-Swappable)
Nov 28 12:49:04 eris kernel: ACPI Exception (acpi_bus-0072):
AE_NOT_FOUND, No context for object [cffd41e0] [20060127]
Nov 28 12:49:04 eris kernel: lt_hotswap: Attempting to eject
Nov 28 12:49:05 eris kernel: Unable to handle kernel NULL pointer
dereference at virtual address 00000120
Nov 28 12:49:05 eris kernel:  printing eip:
Nov 28 12:49:05 eris kernel: d0f746a4
Nov 28 12:49:05 eris kernel: *pde = 00000000
Nov 28 12:49:05 eris kernel: Oops: 0000 [#1]
Nov 28 12:49:05 eris kernel: last sysfs file:
/devices/pci0000:00/0000:00:0a.0/subsystem_device
Nov 28 12:49:05 eris kernel: Modules linked in: lt_hotswap michael_mic
arc4 ieee80211_crypt_tkip xt_pkttype ipt_LOG xt_limit af_packet
snd_pcm_oss snd_mixer_oss snd_seq_midi snd_seq_midi_event snd_opl3_synth
snd_seq_instr snd_seq_midi_emul snd_ainstr_fm snd_seq edd ibm_acpi
button battery ac ip6t_REJECT xt_tcpudp ipt_REJECT xt_state
iptable_mangle iptable_nat ip_nat iptable_filter ip6table_mangle
ip_conntrack nfnetlink ip_tables ip6table_filter ip6_tables x_tables
ipv6 apparmor aamatch_pcre loop dm_mod pcmcia shpchp pci_hotplug
uhci_hcd i2c_piix4 ide_cd usbcore i2c_core cdrom intel_agp agpgart
snd_cs4281 gameport snd_rawmidi snd_ac97_codec snd_ac97_bus snd_pcm
snd_page_alloc snd_opl3_lib snd_seq_device snd_timer snd_hwdep
yenta_socket rsrc_nonstatic pcmcia_core snd soundcore ipw2200 ieee80211
ieee80211_crypt firmware_class parport_pc lp parport reiserfs fan
thermal processor piix ide_disk ide_core

Nov 28 12:49:05 eris kernel: CPU:    0
Nov 28 12:49:05 eris kernel: EIP:    0060:[<d0f746a4>]    Tainted: G
 U VLI
Nov 28 12:49:05 eris kernel: EFLAGS: 00010246   (2.6.16.21-0.25-default #1)
Nov 28 12:49:05 eris kernel: EIP is at cdrom_lockdoor+0x1e/0xc6 [ide_cd]
Nov 28 12:49:05 eris kernel: eax: 00000000   ebx: cf402400   ecx:
00000000   edx: 00000000
Nov 28 12:49:05 eris kernel: esi: c55f9e84   edi: d0d31e44   ebp:
00000000   esp: c55f9dd4
Nov 28 12:49:05 eris kernel: ds: 007b   es: 007b   ss: 0068
Nov 28 12:49:05 eris kernel: Process umount (pid: 3629,
threadinfo=c55f8000 task=cc597ab0)
Nov 28 12:49:05 eris kernel: Stack: <0>c346e20c 00000000 00000000
00000000 c027e820 00000000 32320000 cf4dbb94
Nov 28 12:49:05 eris kernel:        00000005 c55f9e7c d0d94a2f cdf34614
c48a9d34 00000001 00000001 ffffffff
Nov 28 12:49:05 eris kernel:        00000000 cffe4920 c55f9e88 c0155197
8c2b5fc6 008a9d34 c027e820 00000000
Nov 28 12:49:05 eris kernel: Call Trace:
Nov 28 12:49:05 eris kernel:  [<d0d94a2f>] xattr_lookup_poison+0x4f/0x5c
[reiserfs]
Nov 28 12:49:05 eris kernel:  [<c0155197>] __follow_mount+0x1e/0x64
Nov 28 12:49:05 eris kernel:  [<c01352d9>] find_get_pages+0x14/0x36
Nov 28 12:49:05 eris kernel:  [<c0138cef>] pagevec_lookup+0x17/0x1d
Nov 28 12:49:05 eris kernel:  [<d0f6157b>] cdrom_release+0x167/0x1be [cdrom]
Nov 28 12:49:05 eris kernel:  [<c015e3cc>] destroy_inode+0x3f/0x4e
Nov 28 12:49:05 eris kernel:  [<c015e8d4>] dispose_list+0x87/0x9d
Nov 28 12:49:05 eris kernel:  [<c015eb29>] invalidate_inodes+0xaa/0xc1
Nov 28 12:49:05 eris kernel:  [<d0f7498b>] idecd_release+0x1e/0x30 [ide_cd]
Nov 28 12:49:05 eris kernel:  [<c0150c44>] blkdev_put+0x5a/0x104
Nov 28 12:49:05 eris kernel:  [<c01500f5>] deactivate_super+0x5a/0x6d
Nov 28 12:49:05 eris kernel:  [<c01615c4>] sys_umount+0x20f/0x219
Nov 28 12:49:05 eris kernel:  [<c02731cb>] do_page_fault+0x16c/0x51e
Nov 28 12:49:05 eris kernel:  [<c010299b>] sysenter_past_esp+0x54/0x79
Nov 28 12:49:05 eris kernel: Code: 8b 43 08 e8 7f 27 20 ef 89 d8 5b eb
b6 55 89 d5 57 89 c7 56 89 ce 53 81 ec f0 00 00 00 85 c9 75 07 8d b4 24
b0 00 00 00 8b 47 1c <f6> 80 20 01 00 00 02 0f 85 8a 00 00 00 89 e2 89
f8 e8 ac fb ff

After that I can no longer get any response from the dvdrom drive no
matter how many times I re-seat the thinkpad or reload lt_hotswap. The
system still runs fine though (the kernel didn't panic or anything). But
the only way to get the dvdrom to work again is to reboot.

Does anyone know how to debug this? Any help would be greatly
appreciated. I can recreate this very easily; please let me know if there
are any other logs I need to collect. Many thanks!

Simon
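
A first triage pass over the oops quoted above, as an added example that is not part of the original message: it extracts the fault address, faulting function, module and process, then decodes the marked instruction on the Code: line to check whether the base register was NULL. The helper name triage_oops is hypothetical, and the decoder assumes a one-byte opcode followed by a ModRM byte with no SIB byte, which holds for the f6 instruction in this trace.

```python
import re

# Constructed input: lines copied from the oops in the post, mail wraps rejoined.
SAMPLE_OOPS = """\
Nov 28 12:49:05 eris kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000120
Nov 28 12:49:05 eris kernel: EIP is at cdrom_lockdoor+0x1e/0xc6 [ide_cd]
Nov 28 12:49:05 eris kernel: eax: 00000000   ebx: cf402400   ecx: 00000000   edx: 00000000
Nov 28 12:49:05 eris kernel: esi: c55f9e84   edi: d0d31e44   ebp: 00000000   esp: c55f9dd4
Nov 28 12:49:05 eris kernel: Process umount (pid: 3629, threadinfo=c55f8000 task=cc597ab0)
Nov 28 12:49:05 eris kernel: Code: 8b 43 08 e8 7f 27 20 ef 89 d8 5b eb b6 55 89 d5 57 89 c7 56 89 ce 53 81 ec f0 00 00 00 85 c9 75 07 8d b4 24 b0 00 00 00 8b 47 1c <f6> 80 20 01 00 00 02 0f 85 8a 00 00 00 89 e2 89 f8 e8 ac fb ff
"""

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM r/m order


def triage_oops(text):
    """Pull the triage facts out of a 2.6-era i386 oops (hypothetical helper)."""
    out = {}
    out["fault_addr"] = int(re.search(r"virtual address ([0-9a-f]{8})", text).group(1), 16)
    m = re.search(r"EIP is at (\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?", text)
    out["function"], out["offset"], out["module"] = m.group(1), int(m.group(2), 16), m.group(3)
    out["process"] = re.search(r"Process (\S+) \(pid:", text).group(1)
    regs = {r: int(v, 16) for r, v in
            re.findall(r"\b(e(?:ax|bx|cx|dx|si|di|bp|sp)): ([0-9a-f]{8})", text)}
    # The byte in <..> on the Code: line is the first byte of the faulting instruction.
    code = re.search(r"Code: (.*)", text).group(1).split()
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    insn = [int(b.strip("<>"), 16) for b in code[start:]]
    # Assumption: one-byte opcode followed by a ModRM byte, as with f6 here.
    mod, rm = insn[1] >> 6, insn[1] & 7
    out["base_reg"] = out["disp"] = None
    out["null_base"] = False
    if mod in (1, 2) and rm != 4:  # [reg+disp8] or [reg+disp32], no SIB byte
        width = 1 if mod == 1 else 4
        disp = int.from_bytes(bytes(insn[2:2 + width]), "little", signed=True)
        out["base_reg"], out["disp"] = REGS32[rm], disp
        # A zero base register plus a displacement equal to the fault address means
        # a NULL struct pointer was dereferenced at that member offset.
        out["null_base"] = regs[REGS32[rm]] == 0 and disp == out["fault_addr"]
    return out


if __name__ == "__main__":
    for key, value in triage_oops(SAMPLE_OOPS).items():
        print(f"{key}: {value!r}")
```

On the sample lines the decoded instruction reads through eax, which is zero, at displacement 0x120, matching the reported fault address inside cdrom_lockdoor while umount was running.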