3.4.0-4-goldfish in i386 emulator: kernel NULL pointer dereference at 000000bc

Bug #1349709 reported by Martin Pitt
This bug affects 1 person
Affects                       Status     Importance  Assigned to  Milestone
goget-ubuntu-touch (Ubuntu)   New        Undecided   Unassigned
linux-goldfish (Ubuntu)       Confirmed  High        Unassigned

Bug Description

Current Ubuntu Touch images cause a kernel panic at boot:

$ sudo ubuntu-emulator create --channel=ubuntu-touch/devel-proposed --arch=i386 devel-proposed

The current revision as of the time of reporting is 160. This did not yet happen with earlier revisions. I re-tested with --revision=157 and that does not crash (it also doesn't show unity due to bug 1349444, but that's a different story :) ).

$ ubuntu-emulator run devel-proposed

You'll see the first-time wizard. Click through, then unity8 is supposed to restart. Instead, the kernel oopses:

 * Setting up X socket directories... [ OK ]
 * Starting automatic crash report generation: apport [ OK ]
[ 14.594142] systemd-logind[1349]: cgmanager: cgm_list_children for controller=systemd, cgroup_path=user failed: invalid request
[ 17.114734] BUG: unable to handle kernel NULL pointer dereference at 000000bc
[ 17.114734] IP: [<c047b355>] tty_buffer_request_room+0x1d/0x128
[ 17.114734] *pde = 00000000
[ 17.114734] Oops: 0000 [#1] PREEMPT
[ 17.114734] Modules linked in:
[ 17.114734]
[ 17.114734] Pid: 1142, comm: ntpdate Not tainted 3.4.0-4-goldfish #20-Ubuntu
[ 17.114734] EIP: 0060:[<c047b355>] EFLAGS: 00210017 CPU: 0
[ 17.114734] EIP is at tty_buffer_request_room+0x1d/0x128
[ 17.114734] EAX: 00010203 EBX: 00000000 ECX: df008000 EDX: 00000000
[ 17.114734] ESI: e1006000 EDI: df009f94 EBP: df009f74 ESP: df009f5c
[ 17.114734] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[ 17.114734] CR0: 80050033 CR2: 000000bc CR3: 1f3d5000 CR4: 00000690
[ 17.114734] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 17.114734] DR6: ffff0ff0 DR7: 00000400
[ 17.114734] Process ntpdate (pid: 1142, ti=df008000 task=de87c4c0 task.ti=de810000)
[ 17.114734] Stack:
[ 17.114734] 0016f508 00200096 00000001 00000000 e1006000 df009f94 df009f88 c047b4a7
[ 17.114734] de6c20d8 e1006000 c0278a75 df009fa4 c048d96b c0223361 00000000 de6bd880
[ 17.114734] df006580 c0278a75 df009fdc c0276c86 00000000 00000000 00000000 00000000
[ 17.114734] Call Trace:
[ 17.114734] [<c047b4a7>] tty_prepare_flip_string+0x11/0x3d
[ 17.114734] [<c0278a75>] ? cond_unmask_irq+0x23/0x23
[ 17.114734] [<c048d96b>] goldfish_tty_interrupt+0x29/0x82
[ 17.114734] [<c0223361>] ? __do_softirq+0x38/0x197
[ 17.114734] [<c0278a75>] ? cond_unmask_irq+0x23/0x23
[ 17.114734] [<c0276c86>] handle_irq_event_percpu+0x5a/0x1c1
[ 17.114734] [<c0278a75>] ? cond_unmask_irq+0x23/0x23
[ 17.114734] [<c0276e2b>] handle_irq_event+0x3e/0x57
[ 17.114734] [<c0278aef>] handle_level_irq+0x7a/0xa1
[ 17.114734] <IRQ>
[ 17.114734] [<c0203021>] ? do_IRQ+0x34/0x83
[ 17.114734] [<c0782370>] ? common_interrupt+0x30/0x38
[ 17.114734] [<c027007b>] ? gdb_serial_stub+0x929/0x9ac
[ 17.114734] [<c02700e0>] ? gdb_serial_stub+0x98e/0x9ac
[ 17.114734] [<c02768ee>] ? __irq_put_desc_unlock+0xb/0x40
[ 17.114734] [<c027769b>] ? enable_irq+0x59/0x6d
[ 17.114734] [<c0548d47>] ? ei_start_xmit+0x324/0x385
[ 17.114734] [<c0677ceb>] ? __nf_ct_refresh_acct+0x3e/0x8a
[ 17.114734] [<c0223225>] ? local_bh_enable+0x64/0x86
[ 17.114734] [<c06becbf>] ? ipt_do_table+0x419/0x437
[ 17.114734] [<c0223225>] ? local_bh_enable+0x64/0x86
[ 17.114734] [<c06becbf>] ? ipt_do_table+0x419/0x437
[ 17.114734] [<c065d7b3>] ? dev_hard_start_xmit+0x368/0x569
[ 17.114734] [<c0671026>] ? sch_direct_xmit+0x6a/0x183
[ 17.114734] [<c065dbd8>] ? dev_queue_xmit+0x224/0x458
[ 17.114734] [<c0688e7e>] ? ip_fragment+0x660/0x660
[ 17.114734] [<c068907a>] ? ip_finish_output+0x1fc/0x258
[ 17.114734] [<c0688e7e>] ? ip_fragment+0x660/0x660
[ 17.114734] [<c068a13d>] ? ip_output+0x65/0xa7
[ 17.114734] [<c0688e7e>] ? ip_fragment+0x660/0x660
[ 17.114734] [<c0689a30>] ? ip_local_out+0x1b/0x1e
[ 17.114734] [<c068a8ec>] ? ip_send_skb+0x10/0x47
[ 17.114734] [<c06a4063>] ? udp_send_skb+0x256/0x2a8
[ 17.114734] [<c06a5232>] ? udp_sendmsg+0x508/0x76a
[ 17.114734] [<c0689888>] ? __ip_append_data.isra.31+0x721/0x721
[ 17.114734] [<c02db327>] ? __pollwait+0xa3/0xa3
[ 17.114734] [<c06aac1d>] ? inet_recvmsg+0x3d/0x4f
[ 17.114734] [<c06ab484>] ? inet_sendmsg+0x28/0x50
[ 17.114734] [<c064d760>] ? sock_sendmsg+0xb4/0xd1
[ 17.114734] [<c0401e31>] ? rb_insert_color+0x58/0xc9
[ 17.114734] [<c040702a>] ? __copy_to_user_ll+0x1c/0x4b
[ 17.114734] [<c0407186>] ? _copy_from_user+0x2b/0x3e
[ 17.114734] [<c064e633>] ? move_addr_to_kernel+0x23/0x5d
[ 17.114734] [<c064ee40>] ? sys_sendto+0xf7/0x130
[ 17.114734] [<c020854c>] ? restore_i387_xstate+0x1e0/0x215
[ 17.114734] [<c064f6b5>] ? sys_socketcall+0x165/0x29e
[ 17.114734] [<c0781e13>] ? sysenter_do_call+0x12/0x22
[ 17.114734] Code: 86 a8 00 00 00 e8 6a 84 db ff 5b 5e 5d c3 55 89 e5 57 56 53 89 c3 83 ec 0c 89 55 f0 9c 8f 45 ec fa b8 01 00 00 00 e8 4c 44 30 00 <8b> b3 bc 00 00 00 85 f6 74 08 8b 4e 10 2b 4e 0c eb 02 31 c9 3b
[ 17.114734] EIP: [<c047b355>] tty_buffer_request_room+0x1d/0x128 SS:ESP 0068:df009f5c
[ 17.114734] CR2: 00000000000000bc
[ 17.114734] ---[ end trace 312bae50abe94af8 ]---
[ 17.114734] Kernel panic - not syncing: Fatal exception in interrupt
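Added example, not part of this report or of the Ubuntu kernel tree: a small decoder for the register dump and the "Code:" line printed above, to show what the oops itself establishes before any driver source is consulted. It takes the lines copied from the description (timestamps stripped), decodes the instruction marked with <..>, and checks whether base register plus displacement equals CR2. It only understands the 32-bit `8b /r` MOV r32,[base+disp] form (no SIB or absolute operands; anything else is reported as unsupported). Reading EBX as the first argument of tty_buffer_request_room is an assumption drawn from the `89 c3` (mov %eax,%ebx) in the regparm=3 prologue a few bytes earlier, not something the report states.

```python
"""Decode the faulting instruction of an i386 kernel oops.

Added example; not code from the Launchpad report or from the kernel.
Handles only `8b /r` (MOV r32, r/m32) with a register base and an
optional 8- or 32-bit displacement, which is the form in this trace.
"""
import re

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Sample input: lines copied from the oops in the bug description.
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 000000bc
IP: [<c047b355>] tty_buffer_request_room+0x1d/0x128
EAX: 00010203 EBX: 00000000 ECX: df008000 EDX: 00000000
ESI: e1006000 EDI: df009f94 EBP: df009f74 ESP: df009f5c
CR0: 80050033 CR2: 000000bc CR3: 1f3d5000 CR4: 00000690
Code: 86 a8 00 00 00 e8 6a 84 db ff 5b 5e 5d c3 55 89 e5 57 56 53 89 c3 83 ec 0c 89 55 f0 9c 8f 45 ec fa b8 01 00 00 00 e8 4c 44 30 00 <8b> b3 bc 00 00 00 85 f6 74 08 8b 4e 10 2b 4e 0c eb 02 31 c9 3b
"""


def parse_registers(text):
    """Return {"eax": int, ..., "cr2": int} from the NAME: hex pairs."""
    regs = {}
    for name, val in re.findall(r"\b(E[A-Z]{2}|CR[0-4]):\s*([0-9a-f]+)", text):
        regs[name.lower()] = int(val, 16)
    return regs


def faulting_bytes(text):
    """Bytes of the Code: line from the <xx> marker (the faulting EIP) onward."""
    m = re.search(r"Code:\s*(.*)", text)
    if not m:
        raise ValueError("no Code: line in oops")
    toks = m.group(1).split()
    marks = [i for i, t in enumerate(toks) if t.startswith("<")]
    if not marks:
        raise ValueError("Code: line has no <xx> marker")
    return bytes(int(t.strip("<>"), 16) for t in toks[marks[0]:])


def decode_mov_load(code):
    """Decode `8b /r` with a plain register base: (dst, base, disp, length).

    Returns None for other opcodes, register-direct operands, SIB-encoded
    operands (rm == 4) and the mod=0/rm=5 absolute-address form.
    """
    if len(code) < 2 or code[0] != 0x8B:
        return None
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        return None
    dst, base = REG32[reg], REG32[rm]
    if mod == 0:
        return dst, base, 0, 2
    if mod == 1:
        if len(code) < 3:
            return None
        return dst, base, int.from_bytes(code[2:3], "little", signed=True), 3
    if len(code) < 6:
        return None
    return dst, base, int.from_bytes(code[2:6], "little", signed=True), 6


def explain(text):
    """Relate the faulting load to the register dump and CR2."""
    regs = parse_registers(text)
    dec = decode_mov_load(faulting_bytes(text))
    if dec is None:
        return {"supported": False}
    dst, base, disp, _ = dec
    base_val = regs[base]
    fault = (base_val + disp) & 0xFFFFFFFF
    return {
        "supported": True,
        "insn": f"mov 0x{disp:x}(%{base}),%{dst}",
        "base": base,
        "base_value": base_val,
        "offset": disp,
        "matches_cr2": fault == regs["cr2"],
        "null_base": base_val == 0,
    }


if __name__ == "__main__":
    print(explain(OOPS))
```

On the dump above this reports mov 0xbc(%ebx),%esi with EBX = 0, so the load that trapped read offset 0xbc off a NULL pointer, which is exactly CR2 = 000000bc. The bytes that follow (`85 f6 74 08 8b 4e 10 2b 4e 0c`) are a test/je guarding two loads off the value just fetched, so the compiled code does check the inner pointer for NULL; it is the outer pointer in EBX, handed in by goldfish_tty_interrupt via tty_prepare_flip_string, that was never checked.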

Martin Pitt (pitti)
description: updated
Martin Pitt (pitti)
description: updated
Brad Figg (brad-figg) wrote: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1349709

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Martin Pitt (pitti)
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
description: updated
Martin Pitt (pitti) wrote:

I get the same crash in tty_buffer_request_room+0x1d/0x128 when I do "phablet-shell" and "sudo poweroff", also on previous images.

Tim Gardner (timg-tpi)
affects: linux (Ubuntu) → linux-goldfish (Ubuntu)
Changed in linux-goldfish (Ubuntu):
importance: Undecided → High