From: greg@kroah.com (Greg KH)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 3/7] s3c-hsudc: add a remove function
Date: Mon, 19 Dec 2011 22:08:05 -0800
Message-ID: <20111220060805.GD25439@kroah.com>
In-Reply-To: <20111218213704.GZ14542@n2100.arm.linux.org.uk>

On Sun, Dec 18, 2011 at 09:37:04PM +0000, Russell King - ARM Linux wrote:
> On Sun, Dec 18, 2011 at 09:46:08PM +0100, Heiko Stübner wrote:
> > > > kobject: 'holders' (c7addc80): kobject_cleanup
> > > > Unable to handle kernel paging request at virtual address bf055504
> > > > pgd = c0004000
> > > > [bf055504] *pgd=371f9811, *pte=00000000, *ppte=00000000
> > > > Internal error: Oops: 7 [#1]
> > >
> > > Please post the entire first oops dump for the above run - it may contain
> > > useful information to properly track this down.
> >
> > kobject: 'holders' (c7addc80): kobject_cleanup
> > Unable to handle kernel paging request at virtual address bf055504
> > pgd = c0004000
> > [bf055504] *pgd=371f9811, *pte=00000000, *ppte=00000000
> > Internal error: Oops: 7 [#1]
> > Modules linked in: ohci_hcd usbcore leds_s3c24xx i2c_s3c2410 i2c_core
> > CPU: 0 Not tainted (3.2.0-rc5-next-20111216+ #33)
> > PC is at kobject_put+0x18/0x7c
> > LR is at kobject_del+0x64/0x70
> > pc : [<c0114624>] lr : [<c011470c>] psr: a0000013
> > sp : c70bdef8 ip : c70bdf18 fp : c70bdf14
> > r10: 00000000 r9 : c0114718 r8 : c7803a00
> > r7 : c7abd360 r6 : c02e1de0 r5 : c7addca0 r4 : bf0554a0
> > r3 : 00000001 r2 : 00000000 r1 : 00000000 r0 : bf0554a0
> > Backtrace:
> > [<c011460c>] (kobject_put+0x0/0x7c) from [<c011470c>] (kobject_del+0x64/0x70)
> > r4:c7addc80
> > [<c01146a8>] (kobject_del+0x0/0x70) from [<c01147ec>] (kobject_delayed_cleanup+0xd4/0x174)
> > r4:c7addc80
> > [<c0114718>] (kobject_delayed_cleanup+0x0/0x174) from [<c00318fc>] (process_one_work+0x24c/0x3a8)
>
> Right, here's what I think is happening.
>
> You're right that 0xc7addc80 is being cleaned up. So, we enter
> kobject_cleanup() with kobj = 0xc7addc80. We get to this:
>
> 	/* remove from sysfs if the caller did not do it */
> 	if (kobj->state_in_sysfs) {
> 		pr_debug("kobject: '%s' (%p): auto cleanup kobject_del\n",
> 			 kobject_name(kobj), kobj);
> 		kobject_del(kobj);
> 	}
>
> So, we call kobject_del() on c7addc80 (which we can see in r4 in the
> backtrace):
>
> void kobject_del(struct kobject *kobj)
> {
> 	if (!kobj)
> 		return;
>
> 	sysfs_remove_dir(kobj);
> 	kobj->state_in_sysfs = 0;
> 	kobj_kset_leave(kobj);
> 	kobject_put(kobj->parent);
>
> And so we get to kobject_put(), and we call that with a pointer of
> 0xbf0554a0. This is a pointer into struct module. And this is where
> the problem lies...
>
> The struct module is free'd as part of the core of the module
> (mod->module_core) here:
>
> static void module_deallocate(struct module *mod, struct load_info *info)
> {
> 	kfree(info->strmap);
> 	percpu_modfree(mod);
> 	module_free(mod, mod->module_init);
> 	module_free(mod, mod->module_core);
> }
>
> A struct module contains:
>
> struct module
> {
> 	...
> 	/* Sysfs stuff. */
> 	struct module_kobject mkobj;
>
> which in turn is defined as:
>
> struct module_kobject {
> 	struct kobject kobj;
> 	...
> }
>
> So, we have a struct kobject contained within a data structure which is
> independently allocated and freed - and this is highly illegal. I'm
> sure GregKH will want to discuss this with Rusty...

Ugh, that sucks, yes I'll work on this when I get back from vacation the
first week in January.

greg k-h
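
The lifetime rule at issue in the quoted analysis, as an added userspace sketch that is not code from this thread or from the kernel: a structure embedding a refcounted object may only be freed from that object's release callback, because a child (like 'holders' above) still holds a reference on its parent. All names (`kobj_model`, `module_model`, `child_add`, ...) are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not the kernel's kobject API. */
struct kobj_model {
	int refcount;
	struct kobj_model *parent;
	void (*release)(struct kobj_model *);
};
struct module_model {
	int id;
	struct kobj_model kobj;	/* embedded, as mkobj.kobj is in struct module */
};
int modules_freed;		/* how many containers have been freed */

void kobj_model_put(struct kobj_model *k)
{
	while (k && --k->refcount == 0) {
		struct kobj_model *parent = k->parent;
		k->release(k);	/* k is gone after this call */
		k = parent;	/* now drop the reference held on the parent */
	}
}
static void module_model_release(struct kobj_model *k)
{
	/* container_of by hand; the container dies only with its last ref */
	free((char *)k - offsetof(struct module_model, kobj));
	modules_freed++;
}
static void child_release(struct kobj_model *k) { free(k); }

struct module_model *module_model_load(void)
{
	struct module_model *m = calloc(1, sizeof(*m));
	if (!m)
		return NULL;
	m->kobj.refcount = 1;	/* the loader's own reference */
	m->kobj.release = module_model_release;
	return m;
}
struct kobj_model *child_add(struct kobj_model *parent)
{
	struct kobj_model *c = calloc(1, sizeof(*c));
	if (!c)
		return NULL;
	c->refcount = 1;
	c->release = child_release;
	c->parent = parent;
	parent->refcount++;	/* the child pins its parent */
	return c;
}
/* Unload drops the loader's reference; it never frees the container itself. */
void module_model_unload(struct module_model *m) { kobj_model_put(&m->kobj); }
```

In this model, unloading while a child is still pending cleanup leaves the container allocated until the child's final put walks up to the parent, which is the ordering the oops above shows being violated.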
Thread overview: 24+ messages
2011-12-17 19:23 [PATCH v2 0/7] s3c-hsudc: regulator handling and a lot of fixes Heiko Stübner
2011-12-17 19:24 ` [PATCH 1/7] s3c-hsudc: move platform_data struct to global header Heiko Stübner
2011-12-17 19:25 ` [PATCH 2/7] s3c-hsudc: add __devinit to probe function Heiko Stübner
2011-12-17 19:26 ` [PATCH 3/7] s3c-hsudc: add a remove function Heiko Stübner
2011-12-18 8:03 ` Russell King - ARM Linux
2011-12-18 8:10 ` Russell King - ARM Linux
2011-12-18 9:42 ` Heiko Stübner
2011-12-18 13:44 ` Heiko Stübner
2011-12-18 14:43 ` Russell King - ARM Linux
2011-12-18 18:50 ` Heiko Stübner
2011-12-18 19:01 ` Russell King - ARM Linux
2011-12-18 19:33 ` Heiko Stübner
2011-12-18 19:45 ` Russell King - ARM Linux
2011-12-18 20:24 ` Heiko Stübner
2011-12-18 20:39 ` Russell King - ARM Linux
2011-12-18 20:46 ` Heiko Stübner
2011-12-18 21:37 ` Russell King - ARM Linux
2011-12-20 6:08 ` Greg KH [this message]
2011-12-20 6:07 ` Greg KH
2011-12-17 19:27 ` [PATCH 4/7] s3c-hsudc: add missing otg_put_transceiver in probe Heiko Stübner
2011-12-17 19:28 ` [PATCH 5/7] s3c-hsudc: move device registration to probe and remove Heiko Stübner
2011-12-18 8:09 ` Russell King - ARM Linux
2011-12-17 19:29 ` [PATCH 6/7] s3c-hsudc: use udc_start and udc_stop functions Heiko Stübner
2011-12-17 19:30 ` [PATCH 7/7] s3c-hsudc: Add regulator handling Heiko Stübner