From: Johannes Erdfelt <johannes@erdfelt.com>
To: Oleg Drokin <green@linuxhacker.ru>
Cc: linux-kernel@vger.kernel.org
Subject: Re: USB SMP race in 2.4.11
Date: Wed, 10 Oct 2001 14:34:57 -0400 [thread overview]
Message-ID: <20011010143457.D19707@sventech.com> (raw)
In-Reply-To: <20011010222223.A1223@linuxhacker.ru>
In-Reply-To: <20011010222223.A1223@linuxhacker.ru>; from green@linuxhacker.ru on Wed, Oct 10, 2001 at 10:22:23PM +0400
On Wed, Oct 10, 2001, Oleg Drokin <green@linuxhacker.ru> wrote:
> I have caught kernel oops that is related to SMP race on usb modules
> deregistering.
> 2.4.10 was fine with the same setup.
> USB core is compiled-in, hub driver is uhci (as module).
> Here is the decoded oops:
>
> Unable to handle kernel paging request at virtual address d890c138
> c018f709
> *pde = 01662067
> Oops: 0000
> CPU: 1
> EIP: 0010:[<c018f709>] Not tainted
> Using defaults from ksymoops -t elf32-i386 -a i386
> EFLAGS: 00010286
> eax: d890c12c ebx: c1664800 ecx: c1661ef4 edx: d71cff60
> esi: 00000064 edi: c1661ef0 ebp: c1660000 esp: c1661ee0
> ds: 0018 es: 0018 ss: 0018
> Process khubd (pid: 10, stackpage=c1661000)
> Stack: d71cff60 c018f7fb d71cff60 c1661f00 00000001 c1661f08 c1661f08 00000000
> 00000000 c1660000 c1661ef4 c1661ef4 c1664800 80000180 c160e720 c1661fbc
> c018f96f d71cff60 00000064 c1661f30 c1660000 c1661fbc c160e720 00000064
> Call Trace: [<c018f7fb>] [<c018f96f>] [<c018fa04>] [<c0191dbc>] [<c0192b7b>]
> [<c0192d95>] [<c0105000>] [<c0105656>] [<c0192d50>]
> Code: ff 50 0c 5a c3 89 f6 b8 ed ff ff ff c3 8d 76 00 8d bc 27 00
>
> >>EIP; c018f709 <usb_submit_urb+19/30> <=====
> Trace; c018f7fb <usb_start_wait_urb+8b/1a0>
> Trace; c018f96f <usb_internal_control_msg+5f/70>
> Trace; c018fa04 <usb_control_msg+84/a0>
> Trace; c0191dbc <usb_get_port_status+3c/40>
> Trace; c0192b7b <usb_hub_events+eb/2c0>
> Trace; c0192d95 <usb_hub_thread+45/a0>
> Trace; c0105000 <_stext+0/0>
> Trace; c0105656 <kernel_thread+26/30>
> Trace; c0192d50 <usb_hub_thread+0/a0>
> Code; c018f709 <usb_submit_urb+19/30>
> 00000000 <_EIP>:
> Code; c018f709 <usb_submit_urb+19/30> <=====
> 0: ff 50 0c call *0xc(%eax) <=====
> Code; c018f70c <usb_submit_urb+1c/30>
> 3: 5a pop %edx
> Code; c018f70d <usb_submit_urb+1d/30>
> 4: c3 ret
> Code; c018f70e <usb_submit_urb+1e/30>
> 5: 89 f6 mov %esi,%esi
> Code; c018f710 <usb_submit_urb+20/30>
> 7: b8 ed ff ff ff mov $0xffffffed,%eax
> Code; c018f715 <usb_submit_urb+25/30>
> c: c3 ret
> Code; c018f716 <usb_submit_urb+26/30>
> d: 8d 76 00 lea 0x0(%esi),%esi
> Code; c018f719 <usb_submit_urb+29/30>
> 10: 8d bc 27 00 00 00 00 lea 0x0(%edi,1),%edi
>
> It seems to die while dereferencing urb->dev->bus->op->submit_urb(urb),
> and urb->dev->bus->op pointer is bogus.
> Looking at the kernel messages, I have found that it dies at usb bus
> deregistering (when RedHat initscripts unload usb host controller driver
> for some reason).
> Here are the messages:
>
> uhci.c: USB Universal Host Controller Interface driver v1.1
> uhci.c: USB UHCI at I/O 0xc400, IRQ 19
> usb.c: new USB bus registered, assigned bus number 1
> usb: raced timeout, pipe 0x80000000 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> hub.c: USB hub found
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> hub.c: 2 ports detected
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> uhci.c: USB UHCI at I/O 0xc800, IRQ 19
> usb.c: new USB bus registered, assigned bus number 2
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000000 status 0 time left 0
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> hub.c: USB new device connect on bus1/1, assigned device number 2
> usb.c: USB device 2 (vend/prod 0x49f/0x505a) is not claimed by any active driver.
> usb.c: registered new driver usbnet
> usb0: register usbnet 001/002, Linux Device
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> hub.c: USB hub found
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> hub.c: 2 ports detected
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> usb: raced timeout, pipe 0x80000180 status 0 time left 0
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> usb.c: USB disconnect on device 1
> usb.c: USB disconnect on device 2
> usb0: unregister usbnet 001/002, Linux Device
> usb.c: USB bus 1 deregistered
> usb.c: USB disconnect on device 1
> usb.c: USB bus 2 deregistered
> usb: raced timeout, pipe 0x80000100 status 0 time left 0
> Unable to handle kernel paging request at virtual address d890c138
> ...
Did you remove the uhci module?
This patch will fix the raced timeout messages, but you may have found a
reference counting bug as well.
JE
diff --minimal -Nru a/drivers/usb/uhci.c b/drivers/usb/uhci.c
--- a/drivers/usb/uhci.c Wed Oct 10 07:32:38 2001
+++ b/drivers/usb/uhci.c Wed Oct 10 07:32:38 2001
@@ -1594,9 +1594,7 @@
}
uhci_unlink_generic(uhci, urb);
- uhci_destroy_urb_priv(urb);
-
- usb_dec_dev_use(urb->dev);
+ uhci_call_completion(urb);
return ret;
}
next prev parent reply other threads:[~2001-10-10 18:31 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-10-10 18:22 USB SMP race in 2.4.11 Oleg Drokin
2001-10-10 18:31 ` Greg KH
2001-10-10 18:34 ` Johannes Erdfelt [this message]
2001-10-10 18:37 ` Davide Libenzi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20011010143457.D19707@sventech.com \
--to=johannes@erdfelt.com \
--cc=green@linuxhacker.ru \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.