NULL pointer dereference at s3cmci (was: Re: Testing 2.6.26 on a GTA01)

Cesar Eduardo Barros cesarb at cesarb.net
Sun Aug 3 03:20:03 CEST 2008


Cesar Eduardo Barros wrote:
> [21474554.520000] Unable to handle kernel NULL pointer dereference at virtual address 00000004
> [21474554.525000] pgd = c0004000
> [21474554.535000] [00000004] *pgd=00000000
> [21474554.540000] Internal error: Oops: 5 [#1] PREEMPT
> [21474554.540000] Modules linked in:
> [21474554.540000] CPU: 0    Not tainted  (2.6.26-mokodev #3)
> [21474554.540000] PC is at mmc_power_up+0xb8/0x100
> [21474554.540000] LR is at mmc_power_up+0xbc/0x100
> [21474554.540000] pc : [<c01fe3d8>]    lr : [<c01fe3dc>]    psr: 60000013
> [21474554.540000] sp : c7c85f20  ip : c7c85f38  fp : c7c85f34
> [21474554.540000] r10: c01fed4c  r9 : 00000000  r8 : c7c85f68
> [21474554.540000] r7 : c7fc6a68  r6 : 60000013  r5 : c7fc6800  r4 : c7fc6a28
> [21474554.540000] r3 : 00000000  r2 : 00000000  r1 : c7fc6a28  r0 : c7fc6800
> [21474554.540000] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
> [21474554.540000] Control: c000717f  Table: 30004000  DAC: 00000017
> [21474554.540000] Process kmmcd (pid: 103, stack limit = 0xc7c84268)
> [21474554.540000] Stack: (0xc7c85f20 to 0xc7c86000)
> [21474554.540000] 5f20: c7fc6800 c7fc6a08 c7c85f5c c7c85f38 c01fede4 c01fe330 c005bbac c7c85f48
> [21474554.540000] 5f40: c02f40d0 00000002 c7c617a0 c7c84000 c7c85f9c c7c85f60 c005bc14 c01fed5c
> [21474554.540000] 5f60: 00000002 c005bbac c06504ac c047db7c c039f810 00000000 c7c85fb0 c7c617a0
> [21474554.540000] 5f80: c7c84000 00000000 00000000 00000000 c7c85fd4 c7c85fa0 c005c968 c005bb20
> [21474554.540000] 5fa0: c7c85fd4 00000000 c7c3c040 c005fe20 c7c85fb0 c7c85fb0 00000000 c7c84000
> [21474554.540000] 5fc0: c7c617a0 c005c884 c7c85ff4 c7c85fd8 c005fd1c c005c894 00000000 00000000
> [21474554.540000] 5fe0: 00000000 00000000 00000000 c7c85ff8 c004dcfc c005fccc 00000000 00000000
> [21474554.540000] Backtrace:
> [21474554.540000] [<c01fe320>] (mmc_power_up+0x0/0x100) from [<c01fede4>] (mmc_rescan+0x98/0x1a8)
> [21474554.540000]  r5:c7fc6a08 r4:c7fc6800
> [21474554.540000] [<c01fed4c>] (mmc_rescan+0x0/0x1a8) from [<c005bc14>] (run_workqueue+0x104/0x208)
> [21474554.540000]  r6:c7c84000 r5:c7c617a0 r4:00000002
> [21474554.540000] [<c005bb10>] (run_workqueue+0x0/0x208) from [<c005c968>] (worker_thread+0xe4/0xf8)
> [21474554.540000] [<c005c884>] (worker_thread+0x0/0xf8) from [<c005fd1c>] (kthread+0x60/0x94)
> [21474554.540000]  r6:c005c884 r5:c7c617a0 r4:c7c84000
> [21474554.540000] [<c005fcbc>] (kthread+0x0/0x94) from [<c004dcfc>] (do_exit+0x0/0x68c)
> [21474554.540000]  r6:00000000 r5:00000000 r4:00000000
> [21474554.540000] Code: e5c53230 e1a00005 e59531dc e1a0e00f (e593f004)
> [21474554.545000] ---[ end trace 3a6f88715d2dafbc ]---
> [21474554.555000] kmmcd used greatest stack depth: 5544 bytes left

Looking at the assembly code, the oops happens at the first 
mmc_set_ios(host) within mmc_power_up(). For some reason, host->ops is NULL.

The only possible call path I can imagine for that is s3cmci_irq_cd 
getting called before host->ops is set, thus calling mmc_detect_change() 
which will schedule host->detect which is mmc_rescan.

Attempting to add Thomas Kleffel <tk at maintech.de> (who is the original 
code author) to the CC (some CCs are getting lost for some reason; I'm 
hoping this one works).

-- 
Cesar Eduardo Barros
cesarb at cesarb.net
cesar.barros at gmail.com
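The initialization-order race described in the mail, as an added userspace C model that is not part of the mail or of the s3cmci driver: the structure and function names are simplified stand-ins for the kernel ones, the card-detect IRQ is assumed to fire as soon as it is enabled, and the NULL `host->ops` case returns a failure code instead of dereferencing.

```c
/* Added example (not from the mail or the s3cmci driver): a userspace model
 * of the probe-order race.  Names mirror the kernel's but are stand-ins. */
struct mmc_host;
struct mmc_host_ops { void (*set_ios)(struct mmc_host *); };
struct mmc_host {
    const struct mmc_host_ops *ops;  /* NULL until the driver fills it in */
    int powered;
    int rescan_pending;              /* host->detect work queued for kmmcd */
};

static void s3c_set_ios(struct mmc_host *h) { h->powered = 1; }
static const struct mmc_host_ops s3c_ops = { .set_ios = s3c_set_ios };

/* Model of mmc_power_up(): its first mmc_set_ios() call is where the real
 * oops happened because host->ops was still NULL; here that is a failure. */
static int mmc_power_up(struct mmc_host *host)
{
    if (!host->ops)
        return -1;                   /* the kernel crashed here */
    host->ops->set_ios(host);        /* mmc_set_ios(host) */
    return 0;
}

/* kmmcd running host->detect (mmc_rescan): returns 0 if nothing was queued. */
static int run_kmmcd(struct mmc_host *host)
{
    if (!host->rescan_pending)
        return 0;
    host->rescan_pending = 0;
    return mmc_power_up(host);       /* mmc_rescan() -> mmc_power_up() */
}

/* Card-detect IRQ: s3cmci_irq_cd() -> mmc_detect_change() queues the rescan.
 * Assumed to fire as soon as the IRQ is enabled (worst case for probe). */
static void request_cd_irq(struct mmc_host *host) { host->rescan_pending = 1; }

/* The ordering that explains the oops: IRQ live before host->ops is set. */
static int probe_irq_before_ops(struct mmc_host *host)
{
    *host = (struct mmc_host){ 0 };
    request_cd_irq(host);
    int rc = run_kmmcd(host);        /* workqueue runs mid-probe */
    host->ops = &s3c_ops;
    return rc;
}

/* Fixed ordering: host->ops is valid before any card-detect can fire. */
static int probe_ops_before_irq(struct mmc_host *host)
{
    *host = (struct mmc_host){ 0 };
    host->ops = &s3c_ops;
    request_cd_irq(host);
    return run_kmmcd(host);
}
```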
