From: Greg KH <greg-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
To: Russell King - ARM Linux <linux-lFZ/pmaqli7XmaaqVzeoHQ@public.gmane.org>
Cc: "Heiko Stübner" <heiko-4mtYJXux2i+zQB+pC5nmwQ@public.gmane.org>,
"Felipe Balbi" <balbi-l0cyMroinI0@public.gmane.org>,
"Kukjin Kim" <kgene.kim-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>,
linux-samsung-soc-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
"Thomas Abraham"
<thomas.abraham-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org
Subject: Re: [PATCH 3/7] s3c-hsudc: add a remove function
Date: Mon, 19 Dec 2011 22:08:05 -0800 [thread overview]
Message-ID: <20111220060805.GD25439@kroah.com> (raw)
In-Reply-To: <20111218213704.GZ14542-l+eeeJia6m9vn6HldHNs0ANdhmdF6hFW@public.gmane.org>
On Sun, Dec 18, 2011 at 09:37:04PM +0000, Russell King - ARM Linux wrote:
> On Sun, Dec 18, 2011 at 09:46:08PM +0100, Heiko Stübner wrote:
> > > > kobject: 'holders' (c7addc80): kobject_cleanup
> > > > Unable to handle kernel paging request at virtual address bf055504
> > > > pgd = c0004000
> > > > [bf055504] *pgd=371f9811, *pte=00000000, *ppte=00000000
> > > > Internal error: Oops: 7 [#1]
> > >
> > > Please post the entire first oops dump for the above run - it may contain
> > > useful information to properly track this down.
> >
> > kobject: 'holders' (c7addc80): kobject_cleanup
> > Unable to handle kernel paging request at virtual address bf055504
> > pgd = c0004000
> > [bf055504] *pgd=371f9811, *pte=00000000, *ppte=00000000
> > Internal error: Oops: 7 [#1]
> > Modules linked in: ohci_hcd usbcore leds_s3c24xx i2c_s3c2410 i2c_core
> > CPU: 0 Not tainted (3.2.0-rc5-next-20111216+ #33)
> > PC is at kobject_put+0x18/0x7c
> > LR is at kobject_del+0x64/0x70
> > pc : [<c0114624>] lr : [<c011470c>] psr: a0000013
> > sp : c70bdef8 ip : c70bdf18 fp : c70bdf14
> > r10: 00000000 r9 : c0114718 r8 : c7803a00
> > r7 : c7abd360 r6 : c02e1de0 r5 : c7addca0 r4 : bf0554a0
> > r3 : 00000001 r2 : 00000000 r1 : 00000000 r0 : bf0554a0
> > Backtrace:
> > [<c011460c>] (kobject_put+0x0/0x7c) from [<c011470c>] (kobject_del+0x64/0x70)
> > r4:c7addc80
> > [<c01146a8>] (kobject_del+0x0/0x70) from [<c01147ec>] (kobject_delayed_cleanup+0xd4/0x174)
> > r4:c7addc80
> > [<c0114718>] (kobject_delayed_cleanup+0x0/0x174) from [<c00318fc>] (process_one_work+0x24c/0x3a8)
>
> Right, here's what I think is happening.
>
> You're right that 0xc7addc80 is being cleaned up. So, we enter
> kobject_cleanup() with kobj = 0xc7addc80. We get to this:
>
> /* remove from sysfs if the caller did not do it */
> if (kobj->state_in_sysfs) {
> pr_debug("kobject: '%s' (%p): auto cleanup kobject_del\n",
> kobject_name(kobj), kobj);
> kobject_del(kobj);
> }
>
> So, we call kobject_del() on c7addc80 (which we can see in r4 in the
> backtrace):
>
> void kobject_del(struct kobject *kobj)
> {
> if (!kobj)
> return;
>
> sysfs_remove_dir(kobj);
> kobj->state_in_sysfs = 0;
> kobj_kset_leave(kobj);
> kobject_put(kobj->parent);
>
> And so we get to kobject_put(), and we call that with a pointer of
> 0xbf0554a0. This is a pointer into struct module. And this is where
> the problem lies...
>
> The struct module is free'd as part of the core of the module
> (mod->module_core) here:
>
> static void module_deallocate(struct module *mod, struct load_info *info)
> {
> kfree(info->strmap);
> percpu_modfree(mod);
> module_free(mod, mod->module_init);
> module_free(mod, mod->module_core);
> }
>
> A struct module contains:
>
> struct module
> {
> ...
> /* Sysfs stuff. */
> struct module_kobject mkobj;
>
> which in turn is defined as:
>
> struct module_kobject {
> struct kobject kobj;
> ...
> }
>
> So, we have a struct kobject contained within a data structure which is
> independently allocated and freed - and this is highly illegal. I'm
> sure GregKH will want to discuss this with Rusty...
Ugh, that sucks, yes I'll work on this when I get back from vacation the
first week in January.
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: greg@kroah.com (Greg KH)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 3/7] s3c-hsudc: add a remove function
Date: Mon, 19 Dec 2011 22:08:05 -0800 [thread overview]
Message-ID: <20111220060805.GD25439@kroah.com> (raw)
In-Reply-To: <20111218213704.GZ14542@n2100.arm.linux.org.uk>
On Sun, Dec 18, 2011 at 09:37:04PM +0000, Russell King - ARM Linux wrote:
> On Sun, Dec 18, 2011 at 09:46:08PM +0100, Heiko St?bner wrote:
> > > > kobject: 'holders' (c7addc80): kobject_cleanup
> > > > Unable to handle kernel paging request at virtual address bf055504
> > > > pgd = c0004000
> > > > [bf055504] *pgd=371f9811, *pte=00000000, *ppte=00000000
> > > > Internal error: Oops: 7 [#1]
> > >
> > > Please post the entire first oops dump for the above run - it may contain
> > > useful information to properly track this down.
> >
> > kobject: 'holders' (c7addc80): kobject_cleanup
> > Unable to handle kernel paging request at virtual address bf055504
> > pgd = c0004000
> > [bf055504] *pgd=371f9811, *pte=00000000, *ppte=00000000
> > Internal error: Oops: 7 [#1]
> > Modules linked in: ohci_hcd usbcore leds_s3c24xx i2c_s3c2410 i2c_core
> > CPU: 0 Not tainted (3.2.0-rc5-next-20111216+ #33)
> > PC is at kobject_put+0x18/0x7c
> > LR is at kobject_del+0x64/0x70
> > pc : [<c0114624>] lr : [<c011470c>] psr: a0000013
> > sp : c70bdef8 ip : c70bdf18 fp : c70bdf14
> > r10: 00000000 r9 : c0114718 r8 : c7803a00
> > r7 : c7abd360 r6 : c02e1de0 r5 : c7addca0 r4 : bf0554a0
> > r3 : 00000001 r2 : 00000000 r1 : 00000000 r0 : bf0554a0
> > Backtrace:
> > [<c011460c>] (kobject_put+0x0/0x7c) from [<c011470c>] (kobject_del+0x64/0x70)
> > r4:c7addc80
> > [<c01146a8>] (kobject_del+0x0/0x70) from [<c01147ec>] (kobject_delayed_cleanup+0xd4/0x174)
> > r4:c7addc80
> > [<c0114718>] (kobject_delayed_cleanup+0x0/0x174) from [<c00318fc>] (process_one_work+0x24c/0x3a8)
>
> Right, here's what I think is happening.
>
> You're right that 0xc7addc80 is being cleaned up. So, we enter
> kobject_cleanup() with kobj = 0xc7addc80. We get to this:
>
> /* remove from sysfs if the caller did not do it */
> if (kobj->state_in_sysfs) {
> pr_debug("kobject: '%s' (%p): auto cleanup kobject_del\n",
> kobject_name(kobj), kobj);
> kobject_del(kobj);
> }
>
> So, we call kobject_del() on c7addc80 (which we can see in r4 in the
> backtrace):
>
> void kobject_del(struct kobject *kobj)
> {
> if (!kobj)
> return;
>
> sysfs_remove_dir(kobj);
> kobj->state_in_sysfs = 0;
> kobj_kset_leave(kobj);
> kobject_put(kobj->parent);
>
> And so we get to kobject_put(), and we call that with a pointer of
> 0xbf0554a0. This is a pointer into struct module. And this is where
> the problem lies...
>
> The struct module is free'd as part of the core of the module
> (mod->module_core) here:
>
> static void module_deallocate(struct module *mod, struct load_info *info)
> {
> kfree(info->strmap);
> percpu_modfree(mod);
> module_free(mod, mod->module_init);
> module_free(mod, mod->module_core);
> }
>
> A struct module contains:
>
> struct module
> {
> ...
> /* Sysfs stuff. */
> struct module_kobject mkobj;
>
> which in turn is defined as:
>
> struct module_kobject {
> struct kobject kobj;
> ...
> }
>
> So, we have a struct kobject contained within a data structure which is
> independently allocated and freed - and this is highly illegal. I'm
> sure GregKH will want to discuss this with Rusty...
Ugh, that sucks, yes I'll work on this when I get back from vacation the
first week in January.
greg k-h
next prev parent reply other threads:[~2011-12-20 6:08 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-17 19:23 [PATCH v2 0/7] s3c-hsudc: regulator handling and a lot of fixes Heiko Stübner
2011-12-17 19:23 ` Heiko Stübner
2011-12-17 19:24 ` [PATCH 1/7] s3c-hsudc: move platform_data struct to global header Heiko Stübner
2011-12-17 19:24 ` Heiko Stübner
2011-12-17 19:25 ` [PATCH 2/7] s3c-hsudc: add __devinit to probe function Heiko Stübner
2011-12-17 19:25 ` Heiko Stübner
2011-12-17 19:26 ` [PATCH 3/7] s3c-hsudc: add a remove function Heiko Stübner
2011-12-17 19:26 ` Heiko Stübner
2011-12-18 8:03 ` Russell King - ARM Linux
2011-12-18 8:03 ` Russell King - ARM Linux
2011-12-18 8:10 ` Russell King - ARM Linux
2011-12-18 8:10 ` Russell King - ARM Linux
2011-12-18 9:42 ` Heiko Stübner
2011-12-18 9:42 ` Heiko Stübner
2011-12-18 13:44 ` Heiko Stübner
2011-12-18 13:44 ` Heiko Stübner
2011-12-18 14:43 ` Russell King - ARM Linux
2011-12-18 14:43 ` Russell King - ARM Linux
2011-12-18 18:50 ` Heiko Stübner
2011-12-18 18:50 ` Heiko Stübner
[not found] ` <201112181950.38993.heiko-4mtYJXux2i+zQB+pC5nmwQ@public.gmane.org>
2011-12-18 19:01 ` Russell King - ARM Linux
2011-12-18 19:01 ` Russell King - ARM Linux
2011-12-18 19:33 ` Heiko Stübner
2011-12-18 19:33 ` Heiko Stübner
2011-12-18 19:45 ` Russell King - ARM Linux
2011-12-18 19:45 ` Russell King - ARM Linux
2011-12-18 20:24 ` Heiko Stübner
2011-12-18 20:24 ` Heiko Stübner
[not found] ` <201112182124.13313.heiko-4mtYJXux2i+zQB+pC5nmwQ@public.gmane.org>
2011-12-18 20:39 ` Russell King - ARM Linux
2011-12-18 20:39 ` Russell King - ARM Linux
[not found] ` <20111218203953.GY14542-l+eeeJia6m9vn6HldHNs0ANdhmdF6hFW@public.gmane.org>
2011-12-18 20:46 ` Heiko Stübner
2011-12-18 20:46 ` Heiko Stübner
2011-12-18 21:37 ` Russell King - ARM Linux
2011-12-18 21:37 ` Russell King - ARM Linux
[not found] ` <20111218213704.GZ14542-l+eeeJia6m9vn6HldHNs0ANdhmdF6hFW@public.gmane.org>
2011-12-20 6:08 ` Greg KH [this message]
2011-12-20 6:08 ` Greg KH
2011-12-20 6:07 ` Greg KH
2011-12-20 6:07 ` Greg KH
2011-12-17 19:27 ` [PATCH 4/7] s3c-hsudc: add missing otg_put_transceiver in probe Heiko Stübner
2011-12-17 19:27 ` Heiko Stübner
2011-12-17 19:28 ` [PATCH 5/7] s3c-hsudc: move device registration to probe and remove Heiko Stübner
2011-12-17 19:28 ` Heiko Stübner
2011-12-18 8:09 ` Russell King - ARM Linux
2011-12-18 8:09 ` Russell King - ARM Linux
[not found] ` <201112172023.05519.heiko-4mtYJXux2i+zQB+pC5nmwQ@public.gmane.org>
2011-12-17 19:29 ` [PATCH 6/7] s3c-hsudc: use udc_start and udc_stop functions Heiko Stübner
2011-12-17 19:29 ` Heiko Stübner
2011-12-17 19:30 ` [PATCH 7/7] s3c-hsudc: Add regulator handling Heiko Stübner
2011-12-17 19:30 ` Heiko Stübner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111220060805.GD25439@kroah.com \
--to=greg-u8xffu+wg4eavxtiumwx3w@public.gmane.org \
--cc=balbi-l0cyMroinI0@public.gmane.org \
--cc=heiko-4mtYJXux2i+zQB+pC5nmwQ@public.gmane.org \
--cc=kgene.kim-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org \
--cc=linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org \
--cc=linux-lFZ/pmaqli7XmaaqVzeoHQ@public.gmane.org \
--cc=linux-samsung-soc-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=thomas.abraham-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.