From: Ben Greear <greearb@candelatech.com>
To: ath9k-devel@lists.ath9k.org
Subject: [ath9k-devel] Kernel crash on rmmod of ath9k in 3.9.1
Date: Wed, 08 May 2013 12:33:09 -0700 [thread overview]
Message-ID: <518AA875.7010204@candelatech.com> (raw)
The crash below is from a hacked 3.9.1 kernel, but I reproduced it
on an upstream 3.9.1 (with only a regdomain over-ride hack applied).
ath9k_htc and ath9k are loaded, but this appears to be and ath9k
and/or relayfs issue.
I haven't had time to debug further yet..curious if anyone else
sees similar bugs...
Memory poisioning is on, seems to be some use of free'd memory
somewhere...
[ 1331.097846] BUG: unable to handle kernel paging request at 6b6b6b8b
[ 1331.098170] IP: [<c063d0d6>] debugfs_remove+0x26/0x80
[ 1331.098170] *pdpt = 000000002f9aa001 *pde = 0000000000000000
[ 1331.098170] Oops: 0000 [#1] PREEMPT SMP
[ 1331.098170] Modules linked in: iptable_raw xt_CT nf_conntrack_ipv4 nf_defrag]
[ 1331.098170] Pid: 4794, comm: rmmod Tainted: G WC 3.9.1+ #5 To Be Fi.
[ 1331.098170] EIP: 0060:[<c063d0d6>] EFLAGS: 00010202 CPU: 0
[ 1331.098170] EIP is at debugfs_remove+0x26/0x80
[ 1331.098170] EAX: f2f3acd0 EBX: f2f3acd0 ECX: 00000006 EDX: f8622348
[ 1331.098170] ESI: 6b6b6b6b EDI: 00000001 EBP: ee251e14 ESP: ee251e0c
[ 1331.098170] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 1331.098170] CR0: 8005003b CR2: 6b6b6b8b CR3: 2e7b7000 CR4: 000007e0
[ 1331.098170] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 1331.098170] DR6: ffff0ff0 DR7: 00000400
[ 1331.098170] Process rmmod (pid: 4794, ti=ee250000 task=efaa2560 task.ti=ee25)
[ 1331.098170] Stack:
[ 1331.098170] f241e170 0000000a ee251e1c f861394d ee251e28 c04e3088 f241e170 4
[ 1331.098170] c04e30fe f45482b0 ee251e54 c04e3187 f25e86b0 ee251e54 f8618748 0
[ 1331.098170] 0000000a 00000001 ee251e68 f860065b f2509e20 f25085a0 f5b6e8a4 8
[ 1331.098170] Call Trace:
[ 1331.098170] [<f861394d>] remove_buf_file_handler+0xd/0x20 [ath9k]
[ 1331.098170] [<c04e3088>] relay_remove_buf+0x18/0x30
[ 1331.098170] [<c04e30fe>] relay_close_buf+0x2e/0x40
[ 1331.098170] [<c04e3187>] relay_close+0x77/0xf0
[ 1331.098170] [<f8618748>] ? dpd_exit+0x38/0x40 [ath9k]
[ 1331.098170] [<f860065b>] ath9k_deinit_softc+0x8b/0xa0 [ath9k]
[ 1331.098170] [<f86006b8>] ath9k_deinit_device+0x48/0x60 [ath9k]
[ 1331.098170] [<f86107f1>] ath_pci_remove+0x31/0x50 [ath9k]
[ 1331.098170] [<c06dbff8>] pci_device_remove+0x38/0xc0
[ 1331.098170] [<c079daa4>] __device_release_driver+0x64/0xc0
[ 1331.098170] [<c079db97>] driver_detach+0x97/0xa0
[ 1331.098170] [<c079cacc>] bus_remove_driver+0x6c/0xe0
[ 1331.098170] [<c079c197>] ? bus_put+0x17/0x20
[ 1331.098170] [<c079cae3>] ? bus_remove_driver+0x83/0xe0
[ 1331.098170] [<c079e709>] driver_unregister+0x49/0x80
[ 1331.098170] [<c06dc138>] pci_unregister_driver+0x18/0x80
[ 1331.098170] [<f8610602>] ath_pci_exit+0x12/0x20 [ath9k]
[ 1331.098170] [<f8619ce0>] ath9k_exit+0x17/0x337 [ath9k]
[ 1331.098170] [<c09e537d>] ? mutex_unlock+0xd/0x10
[ 1331.098170] [<c04bd36c>] sys_delete_module+0x17c/0x250
[ 1331.098170] [<c0540dc4>] ? do_munmap+0x244/0x2d0
[ 1331.098170] [<c0540e96>] ? vm_munmap+0x46/0x60
[ 1331.098170] [<c09e8dc4>] ? restore_all+0xf/0xf
[ 1331.098170] [<c09ebf50>] ? __do_page_fault+0x4c0/0x4c0
[ 1331.098170] [<c04b18e4>] ? trace_hardirqs_on_caller+0xf4/0x180
[ 1331.098170] [<c09ef28d>] sysenter_do_call+0x12/0x38
[ 1331.098170] Code: 90 8d 74 26 00 55 89 e5 83 ec 08 89 1c 24 89 74 24 04 3e 82
[ 1331.098170] EIP: [<c063d0d6>] debugfs_remove+0x26/0x80 SS:ESP 0068:ee251e0c
[ 1331.098170] CR2: 000000006b6b6b8b
[ 1331.727971] ---[ end trace b5bb9f2066cef7f9 ]---
(gdb) l *(remove_buf_file_handler+0xd)
0x1594d is in remove_buf_file_handler (/home/greearb/git/linux-3.9.dev.y/drivers/net/wireless/ath/ath9k/debug.c:1237).
1232 static int remove_buf_file_handler(struct dentry *dentry)
1233 {
1234 debugfs_remove(dentry);
1235
1236 return 0;
1237 }
1238
1239 void ath_debug_send_fft_sample(struct ath_softc *sc,
1240 struct fft_sample_tlv *fft_sample_tlv)
1241 {
(gdb) l *(ath9k_deinit_softc+0x8b)
0x265b is in ath9k_deinit_softc (/home/greearb/git/linux-3.9.dev.y/drivers/net/wireless/ath/ath9k/init.c:944).
939
940 ath9k_eeprom_release(sc);
941
942 if (config_enabled(CONFIG_ATH9K_DEBUGFS) && sc->rfs_chan_spec_scan) {
943 relay_close(sc->rfs_chan_spec_scan);
944 sc->rfs_chan_spec_scan = NULL;
945 }
946 }
947
948 void ath9k_deinit_device(struct ath_softc *sc)
(gdb)
(gdb) l *(debugfs_remove+0x26)
0xc063d0d6 is in debugfs_remove (/home/greearb/git/linux-3.9.dev.y/fs/debugfs/inode.c:511).
506
507 if (IS_ERR_OR_NULL(dentry))
508 return;
509
510 parent = dentry->d_parent;
511 if (!parent || !parent->d_inode)
512 return;
513
514 mutex_lock(&parent->d_inode->i_mutex);
515 ret = __debugfs_remove(dentry, parent);
(gdb)
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
reply other threads:[~2013-05-08 19:33 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=518AA875.7010204@candelatech.com \
--to=greearb@candelatech.com \
--cc=ath9k-devel@lists.ath9k.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.