Re: BUG: unable to handle kernel paging request at 6b6b6bcb (v4l2_device_disconnect+0x11/0x30)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sitsofe Wheeler <sitsofe@yahoo.com>
To: Hans Verkuil <hverkuil@xs4all.nl>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	Dave Young <hidave.darkstar@gmail.com>,
	linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
	Guennadi Liakhovetski <g.liakhovetski@gmx.de>,
	Mauro Carvalho Chehab <mchehab@infradead.org>
Subject: Re: BUG: unable to handle kernel paging request at 6b6b6bcb (v4l2_device_disconnect+0x11/0x30)
Date: Mon, 5 Sep 2011 23:31:03 +0100	[thread overview]
Message-ID: <20110905223102.GA26980@sucs.org> (raw)
In-Reply-To: <201109051216.42579.hverkuil@xs4all.nl>

On Mon, Sep 05, 2011 at 12:16:42PM +0200, Hans Verkuil wrote:
> On Monday, September 05, 2011 12:13:26 Hans Verkuil wrote:
> > 
> > The original order is correct, but what I missed is that for drivers
> > that release (free) everything in the videodev release callback the
> > v4l2_device struct is also freed and v4l2_device_put will fail.
> > 
> > To fix this, add this code just before the vdev->release call:
> > 
> > 	/* Do not call v4l2_device_put if there is no release callback set. */
> > 	if (v4l2_dev->release == NULL)
> > 		v4l2_dev = NULL;
> > 
> > If there is no release callback, then the refcounting is pointless
> > anyway.
> > 
> > This should work.
> 
> Note that in the long run using the v4l2_device release callback
> instead of the videodev release is better. But it's a lot of work to
> convert everything so that's long term. I'm quite surprised BTW that
> this bug wasn't found much earlier.

This inline patch fixes the second "poison overwritten" problem so:
Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>

However, it does not prevent the original oops that was reported in the
original message. Yang Ruirui's patch in
https://lkml.org/lkml/2011/9/1/74 seems to be required to resolve
that initial problem - can it be ACK'd? Yang's patch is reproduced
inline below:

For uvc device, dev->vdev.dev is the &intf->dev,
uvc_delete code is as below:
	usb_put_intf(dev->intf);
	usb_put_dev(dev->udev);

	uvc_status_cleanup(dev);
	uvc_ctrl_cleanup_device(dev);

## the intf dev is released above, so below code will oops.

	if (dev->vdev.dev)
		v4l2_device_unregister(&dev->vdev);
Fix it by get_device in v4l2_device_register and put_device in v4l2_device_disconnect
---
 drivers/media/video/v4l2-device.c |    2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/media/video/v4l2-device.c b/drivers/media/video/v4l2-device.c
index c72856c..e6a2c3b 100644
--- a/drivers/media/video/v4l2-device.c
+++ b/drivers/media/video/v4l2-device.c
@@ -38,6 +38,7 @@ int v4l2_device_register(struct device *dev, struct v4l2_device *v4l2_dev)
 	mutex_init(&v4l2_dev->ioctl_lock);
 	v4l2_prio_init(&v4l2_dev->prio);
 	kref_init(&v4l2_dev->ref);
+	get_device(dev);
 	v4l2_dev->dev = dev;
 	if (dev == NULL) {
 		/* If dev == NULL, then name must be filled in by the caller */
@@ -93,6 +94,7 @@ void v4l2_device_disconnect(struct v4l2_device *v4l2_dev)
 
 	if (dev_get_drvdata(v4l2_dev->dev) == v4l2_dev)
 		dev_set_drvdata(v4l2_dev->dev, NULL);
+	put_device(v4l2_dev->dev);
 	v4l2_dev->dev = NULL;
 }
 EXPORT_SYMBOL_GPL(v4l2_device_disconnect);

-- 
Sitsofe | http://sucs.org/~sits/

next prev parent reply	other threads:[~2011-09-05 22:31 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-08-29 20:48 BUG: unable to handle kernel paging request at 6b6b6bcb (v4l2_device_disconnect+0x11/0x30) Sitsofe Wheeler
2011-08-30 22:20 ` Laurent Pinchart
2011-08-31  7:30   ` Sitsofe Wheeler
2011-09-01  9:02 ` Dave Young
2011-09-01 19:10   ` Sitsofe Wheeler
2011-09-02  4:59     ` Dave Young
2011-09-02  5:35       ` Dave Young
2011-09-02  7:29         ` Sitsofe Wheeler
2011-09-05  9:59           ` Laurent Pinchart
2011-09-05 10:13             ` Hans Verkuil
2011-09-05 10:16               ` Hans Verkuil
2011-09-05 22:31                 ` Sitsofe Wheeler [this message]
2011-09-06  8:07                   ` Dave Young
2011-09-06  8:20                   ` Laurent Pinchart
2011-09-05 14:10               ` Yang Ruirui

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c72856c dfblob:e6a2c3b )
 OR (
bs:"Re: BUG: unable to handle kernel paging request at 6b6b6bcb (v4l2_device_disconnect+0x11/0x30)" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110905223102.GA26980@sucs.org \
    --to=sitsofe@yahoo.com \
    --cc=g.liakhovetski@gmx.de \
    --cc=hidave.darkstar@gmail.com \
    --cc=hverkuil@xs4all.nl \
    --cc=laurent.pinchart@ideasonboard.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.