From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ben Greear <greearb@candelatech.com>
Date: Wed, 08 May 2013 12:33:09 -0700
Subject: [ath9k-devel] Kernel crash on rmmod of ath9k in 3.9.1
Message-ID: <518AA875.7010204@candelatech.com>
List-Id: <ath9k-devel.lists.ath9k.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: ath9k-devel@lists.ath9k.org

The crash below is from a hacked 3.9.1 kernel, but I reproduced it
on an upstream 3.9.1 (with only a regdomain over-ride hack applied).

ath9k_htc and ath9k are loaded, but this appears to be and ath9k
and/or relayfs issue.

I haven't had time to debug further yet..curious if anyone else
sees similar bugs...

Memory poisioning is on, seems to be some use of free'd memory
somewhere...

[ 1331.097846] BUG: unable to handle kernel paging request at 6b6b6b8b
[ 1331.098170] IP: [<c063d0d6>] debugfs_remove+0x26/0x80
[ 1331.098170] *pdpt = 000000002f9aa001 *pde = 0000000000000000
[ 1331.098170] Oops: 0000 [#1] PREEMPT SMP
[ 1331.098170] Modules linked in: iptable_raw xt_CT nf_conntrack_ipv4 nf_defrag]
[ 1331.098170] Pid: 4794, comm: rmmod Tainted: G        WC   3.9.1+ #5 To Be Fi.
[ 1331.098170] EIP: 0060:[<c063d0d6>] EFLAGS: 00010202 CPU: 0
[ 1331.098170] EIP is at debugfs_remove+0x26/0x80
[ 1331.098170] EAX: f2f3acd0 EBX: f2f3acd0 ECX: 00000006 EDX: f8622348
[ 1331.098170] ESI: 6b6b6b6b EDI: 00000001 EBP: ee251e14 ESP: ee251e0c
[ 1331.098170]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 1331.098170] CR0: 8005003b CR2: 6b6b6b8b CR3: 2e7b7000 CR4: 000007e0
[ 1331.098170] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 1331.098170] DR6: ffff0ff0 DR7: 00000400
[ 1331.098170] Process rmmod (pid: 4794, ti=ee250000 task=efaa2560 task.ti=ee25)
[ 1331.098170] Stack:
[ 1331.098170]  f241e170 0000000a ee251e1c f861394d ee251e28 c04e3088 f241e170 4
[ 1331.098170]  c04e30fe f45482b0 ee251e54 c04e3187 f25e86b0 ee251e54 f8618748 0
[ 1331.098170]  0000000a 00000001 ee251e68 f860065b f2509e20 f25085a0 f5b6e8a4 8
[ 1331.098170] Call Trace:
[ 1331.098170]  [<f861394d>] remove_buf_file_handler+0xd/0x20 [ath9k]
[ 1331.098170]  [<c04e3088>] relay_remove_buf+0x18/0x30
[ 1331.098170]  [<c04e30fe>] relay_close_buf+0x2e/0x40
[ 1331.098170]  [<c04e3187>] relay_close+0x77/0xf0
[ 1331.098170]  [<f8618748>] ? dpd_exit+0x38/0x40 [ath9k]
[ 1331.098170]  [<f860065b>] ath9k_deinit_softc+0x8b/0xa0 [ath9k]
[ 1331.098170]  [<f86006b8>] ath9k_deinit_device+0x48/0x60 [ath9k]
[ 1331.098170]  [<f86107f1>] ath_pci_remove+0x31/0x50 [ath9k]
[ 1331.098170]  [<c06dbff8>] pci_device_remove+0x38/0xc0
[ 1331.098170]  [<c079daa4>] __device_release_driver+0x64/0xc0
[ 1331.098170]  [<c079db97>] driver_detach+0x97/0xa0
[ 1331.098170]  [<c079cacc>] bus_remove_driver+0x6c/0xe0
[ 1331.098170]  [<c079c197>] ? bus_put+0x17/0x20
[ 1331.098170]  [<c079cae3>] ? bus_remove_driver+0x83/0xe0
[ 1331.098170]  [<c079e709>] driver_unregister+0x49/0x80
[ 1331.098170]  [<c06dc138>] pci_unregister_driver+0x18/0x80
[ 1331.098170]  [<f8610602>] ath_pci_exit+0x12/0x20 [ath9k]
[ 1331.098170]  [<f8619ce0>] ath9k_exit+0x17/0x337 [ath9k]
[ 1331.098170]  [<c09e537d>] ? mutex_unlock+0xd/0x10
[ 1331.098170]  [<c04bd36c>] sys_delete_module+0x17c/0x250
[ 1331.098170]  [<c0540dc4>] ? do_munmap+0x244/0x2d0
[ 1331.098170]  [<c0540e96>] ? vm_munmap+0x46/0x60
[ 1331.098170]  [<c09e8dc4>] ? restore_all+0xf/0xf
[ 1331.098170]  [<c09ebf50>] ? __do_page_fault+0x4c0/0x4c0
[ 1331.098170]  [<c04b18e4>] ? trace_hardirqs_on_caller+0xf4/0x180
[ 1331.098170]  [<c09ef28d>] sysenter_do_call+0x12/0x38
[ 1331.098170] Code: 90 8d 74 26 00 55 89 e5 83 ec 08 89 1c 24 89 74 24 04 3e 82
[ 1331.098170] EIP: [<c063d0d6>] debugfs_remove+0x26/0x80 SS:ESP 0068:ee251e0c
[ 1331.098170] CR2: 000000006b6b6b8b
[ 1331.727971] ---[ end trace b5bb9f2066cef7f9 ]---

(gdb) l *(remove_buf_file_handler+0xd)
0x1594d is in remove_buf_file_handler (/home/greearb/git/linux-3.9.dev.y/drivers/net/wireless/ath/ath9k/debug.c:1237).
1232	static int remove_buf_file_handler(struct dentry *dentry)
1233	{
1234		debugfs_remove(dentry);
1235	
1236		return 0;
1237	}
1238	
1239	void ath_debug_send_fft_sample(struct ath_softc *sc,
1240				       struct fft_sample_tlv *fft_sample_tlv)
1241	{
(gdb) l *(ath9k_deinit_softc+0x8b)
0x265b is in ath9k_deinit_softc (/home/greearb/git/linux-3.9.dev.y/drivers/net/wireless/ath/ath9k/init.c:944).
939	
940		ath9k_eeprom_release(sc);
941	
942		if (config_enabled(CONFIG_ATH9K_DEBUGFS) && sc->rfs_chan_spec_scan) {
943			relay_close(sc->rfs_chan_spec_scan);
944			sc->rfs_chan_spec_scan = NULL;
945		}
946	}
947	
948	void ath9k_deinit_device(struct ath_softc *sc)
(gdb)

          (gdb) l *(debugfs_remove+0x26)
0xc063d0d6 is in debugfs_remove (/home/greearb/git/linux-3.9.dev.y/fs/debugfs/inode.c:511).
506	
507		if (IS_ERR_OR_NULL(dentry))
508			return;
509	
510		parent = dentry->d_parent;
511		if (!parent || !parent->d_inode)
512			return;
513	
514		mutex_lock(&parent->d_inode->i_mutex);
515		ret = __debugfs_remove(dentry, parent);
(gdb)

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com