From: Greg KH <greg@kroah.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>,
LKML <linux-kernel@vger.kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>
Subject: Re: rb tree hrtimer lockup bug (found by perf_fuzzer)
Date: Wed, 16 Apr 2014 19:38:18 -0700 [thread overview]
Message-ID: <20140417023818.GB6448@kroah.com> (raw)
In-Reply-To: <alpine.DEB.2.02.1404170056140.22697@ionos.tec.linutronix.de>
On Thu, Apr 17, 2014 at 01:00:53AM +0200, Thomas Gleixner wrote:
> On Sat, 5 Apr 2014, Greg KH wrote:
> > On Mon, Mar 31, 2014 at 01:18:34PM +0200, Thomas Gleixner wrote:
> > > On Thu, 27 Mar 2014, Vince Weaver wrote:
> > > > On Wed, 26 Mar 2014, Thomas Gleixner wrote:
> > > > > Ok. So we know now what we are looking for.
> > > > >
> > > > > [ 1.579996] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
> > > > > ÿ[ 1.607279] 00:09: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
> > > > > [ 1.615032] kobject: 'ttyS1' (ffff88011772ac10): kobject_release, parent (null) (delayed 250)
> > > > > [ 1.624534] kobject: '(null)' (ffff8801177400f0): kobject_release, parent (null) (delayed 500)
> > > > > [ 1.654213] 0000:00:16.3: ttyS1 at I/O 0xf0e0 (irq = 19, base_baud = 115200) is a 16550A
> > > > >
> > > > > [ 3.294047] Invalid timer base: tmr ffff880117740150 tmr->base (null) base ffff880118898000
> > > > >
> > > > > 1634110us : obj: ffff880117740130 initialized kobject_delayed_cleanup+0x0/0x90
> > > > >
> > > > > So that happens in the context of the 8250 serial driver.
> > > > >
> > > > > ...
> > > > >
> > > > > Below is a patch which gives us the call path of the unnamed object
> > > > > which causes the crash.
> > > >
> > > > I've attached the boot log with that patch applied.
> > >
> > > Vince, can you please disable CONFIG_DEBUG_KOBJECT_RELEASE and remove
> > > all the debug patches to see whether the issue goes away?
> > >
> > > I had a deeper look down that code path and the issue is, that the
> > > serial core is not compatible with the deferred kobject release.
> > >
> > > The tty_io layer uses a kobject embedded in its internal tty device
> > > representation and reuses that.
> >
> > It does? What kobject is that? I've dug through the code and I can't
> > find it. I see where we create a new device in
> > tty_register_device_attr() which is dynamic and should be torn down when
> > free_tty_struct() is called eventually.
>
> It's not about the dynamic stuff.
>
> > > So it seems that for whatever reason the tty layer releases ttyS1 and
> > > then initializes it again. So the deferred release will queue the
> > > object for release while the tty layer happily reinitializes it.
> >
> > That's not good, but I can't find that code path, any hints?
>
> static int tty_cdev_add(struct tty_driver *driver, dev_t dev,
> unsigned int index, unsigned int count)
> {
> /* init here, since reused cdevs cause crashes */
> cdev_init(&driver->cdevs[index], &tty_fops);
>
> The comment is interesting ...
>
> And cdevs is an array of struct cdev:
>
> struct cdev {
> struct kobject kobj;
Those are not "real" kobjects, and are never registered with the kobject
core.
I really need to go rename those one of these days, and just make them a
separate object, as they have nothing to do with a "normal" kobject
other than the reference count and the use of the kobject map stuff.
So if this is showing up as a problem, something else is going on here,
as this should not be an issue at all.
thanks,
greg k-h
next prev parent reply other threads:[~2014-04-17 2:38 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-03 20:34 perf_fuzzer: lockup/reboot bug Vince Weaver
2014-03-04 21:32 ` Vince Weaver
2014-03-18 16:56 ` rb tree hrtimer lockup bug (found by perf_fuzzer) Vince Weaver
2014-03-18 18:21 ` Thomas Gleixner
2014-03-18 19:25 ` Vince Weaver
2014-03-18 20:52 ` Thomas Gleixner
2014-03-18 21:10 ` Vince Weaver
2014-03-18 21:45 ` Thomas Gleixner
2014-03-19 13:46 ` Vince Weaver
2014-03-19 13:58 ` Thomas Gleixner
2014-03-19 14:42 ` Vince Weaver
2014-03-19 15:05 ` Thomas Gleixner
2014-03-19 17:04 ` Vince Weaver
2014-03-20 10:47 ` Thomas Gleixner
2014-03-20 14:47 ` Vince Weaver
2014-03-20 15:12 ` Thomas Gleixner
2014-03-20 21:25 ` Vince Weaver
2014-03-21 9:02 ` Thomas Gleixner
2014-03-21 20:11 ` Vince Weaver
2014-03-22 10:24 ` Thomas Gleixner
2014-03-22 20:22 ` Thomas Gleixner
2014-03-23 15:14 ` Thomas Gleixner
2014-03-23 23:25 ` Thomas Gleixner
2014-03-25 21:06 ` Vince Weaver
2014-03-25 21:52 ` Thomas Gleixner
2014-03-26 21:33 ` Vince Weaver
2014-03-26 22:00 ` Thomas Gleixner
2014-03-27 13:41 ` Vince Weaver
2014-03-31 11:18 ` Thomas Gleixner
2014-03-31 11:46 ` Ingo Molnar
2014-03-31 13:30 ` Vince Weaver
2014-03-31 13:48 ` Thomas Gleixner
2014-04-06 3:47 ` Greg KH
2014-04-16 23:00 ` Thomas Gleixner
2014-04-17 2:38 ` Greg KH [this message]
2014-04-17 7:59 ` Thomas Gleixner
2014-04-24 19:37 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140417023818.GB6448@kroah.com \
--to=greg@kroah.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=vincent.weaver@maine.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.