From: Greg KH <greg@kroah.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>,
LKML <linux-kernel@vger.kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>
Subject: Re: rb tree hrtimer lockup bug (found by perf_fuzzer)
Date: Sat, 5 Apr 2014 20:47:50 -0700 [thread overview]
Message-ID: <20140406034750.GA7674@kroah.com> (raw)
In-Reply-To: <alpine.DEB.2.02.1403311201520.14882@ionos.tec.linutronix.de>
On Mon, Mar 31, 2014 at 01:18:34PM +0200, Thomas Gleixner wrote:
> On Thu, 27 Mar 2014, Vince Weaver wrote:
> > On Wed, 26 Mar 2014, Thomas Gleixner wrote:
> > > Ok. So we know now what we are looking for.
> > >
> > > [ 1.579996] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
> > > ÿ[ 1.607279] 00:09: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
> > > [ 1.615032] kobject: 'ttyS1' (ffff88011772ac10): kobject_release, parent (null) (delayed 250)
> > > [ 1.624534] kobject: '(null)' (ffff8801177400f0): kobject_release, parent (null) (delayed 500)
> > > [ 1.654213] 0000:00:16.3: ttyS1 at I/O 0xf0e0 (irq = 19, base_baud = 115200) is a 16550A
> > >
> > > [ 3.294047] Invalid timer base: tmr ffff880117740150 tmr->base (null) base ffff880118898000
> > >
> > > 1634110us : obj: ffff880117740130 initialized kobject_delayed_cleanup+0x0/0x90
> > >
> > > So that happens in the context of the 8250 serial driver.
> > >
> > > ...
> > >
> > > Below is a patch which gives us the call path of the unnamed object
> > > which causes the crash.
> >
> > I've attached the boot log with that patch applied.
>
> Vince, can you please disable CONFIG_DEBUG_KOBJECT_RELEASE and remove
> all the debug patches to see whether the issue goes away?
>
> I had a deeper look down that code path and the issue is, that the
> serial core is not compatible with the deferred kobject release.
>
> The tty_io layer uses a kobject embedded in its internal tty device
> representation and reuses that.
It does? What kobject is that? I've dug through the code and I can't
find it. I see where we create a new device in
tty_register_device_attr() which is dynamic and should be torn down when
free_tty_struct() is called eventually.
> So it seems that for whatever reason the tty layer releases ttyS1 and
> then initializes it again. So the deferred release will queue the
> object for release while the tty layer happily reinitializes it.
That's not good, but I can't find that code path, any hints?
thanks,
greg k-h
next prev parent reply other threads:[~2014-04-06 3:45 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-03 20:34 perf_fuzzer: lockup/reboot bug Vince Weaver
2014-03-04 21:32 ` Vince Weaver
2014-03-18 16:56 ` rb tree hrtimer lockup bug (found by perf_fuzzer) Vince Weaver
2014-03-18 18:21 ` Thomas Gleixner
2014-03-18 19:25 ` Vince Weaver
2014-03-18 20:52 ` Thomas Gleixner
2014-03-18 21:10 ` Vince Weaver
2014-03-18 21:45 ` Thomas Gleixner
2014-03-19 13:46 ` Vince Weaver
2014-03-19 13:58 ` Thomas Gleixner
2014-03-19 14:42 ` Vince Weaver
2014-03-19 15:05 ` Thomas Gleixner
2014-03-19 17:04 ` Vince Weaver
2014-03-20 10:47 ` Thomas Gleixner
2014-03-20 14:47 ` Vince Weaver
2014-03-20 15:12 ` Thomas Gleixner
2014-03-20 21:25 ` Vince Weaver
2014-03-21 9:02 ` Thomas Gleixner
2014-03-21 20:11 ` Vince Weaver
2014-03-22 10:24 ` Thomas Gleixner
2014-03-22 20:22 ` Thomas Gleixner
2014-03-23 15:14 ` Thomas Gleixner
2014-03-23 23:25 ` Thomas Gleixner
2014-03-25 21:06 ` Vince Weaver
2014-03-25 21:52 ` Thomas Gleixner
2014-03-26 21:33 ` Vince Weaver
2014-03-26 22:00 ` Thomas Gleixner
2014-03-27 13:41 ` Vince Weaver
2014-03-31 11:18 ` Thomas Gleixner
2014-03-31 11:46 ` Ingo Molnar
2014-03-31 13:30 ` Vince Weaver
2014-03-31 13:48 ` Thomas Gleixner
2014-04-06 3:47 ` Greg KH [this message]
2014-04-16 23:00 ` Thomas Gleixner
2014-04-17 2:38 ` Greg KH
2014-04-17 7:59 ` Thomas Gleixner
2014-04-24 19:37 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140406034750.GA7674@kroah.com \
--to=greg@kroah.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=vincent.weaver@maine.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.