From: Andrew Morton <akpm@linux-foundation.org>
To: knife@toaster.net
Cc: bugzilla-daemon@bugzilla.kernel.org,
bugme-daemon@bugzilla.kernel.org, linux-media@vger.kernel.org,
linux-usb@vger.kernel.org, Ingo Molnar <mingo@elte.hu>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [Bugme-new] [Bug 14564] New: capture-example sleeping function called from invalid context at arch/x86/mm/fault.c
Date: Wed, 11 Nov 2009 15:21:27 -0800
Message-ID: <20091111152127.0c97a620.akpm@linux-foundation.org>
In-Reply-To: <bug-14564-10286@http.bugzilla.kernel.org/>
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
(lotsa cc's added)
On Mon, 9 Nov 2009 08:59:05 GMT
bugzilla-daemon@bugzilla.kernel.org wrote:
> http://bugzilla.kernel.org/show_bug.cgi?id=14564
>
> Summary: capture-example sleeping function called from invalid
> context at arch/x86/mm/fault.c
> Product: Memory Management
> Version: 2.5
> Kernel Version: 2.6.31.5
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: high
> Priority: P1
> Component: Slab Allocator
> AssignedTo: akpm@linux-foundation.org
> ReportedBy: knife@toaster.net
> Regression: No
>
This is odd.
> On a DM&P ebox2300sx, 300Mhz Vortex86 cpu, I have a vanilla 2.6.31.5 kernel
> with a pac207 webcam. I run capture-example from the v4l-dvb sample
> applications and it crashes 1 out of 5 times. Let me know if I need to collect
> more data or try anything.
>
> [root@X-Linux]:~ # capture-example
> ......................................................................BUG:
> sleeping function called from invalid context at arch/x86/mm/fault.c:1069
> in_atomic(): 0, irqs_disabled(): 1, pid: 1178, name: capture-example
> 4 locks held by capture-example/1178:
> #0: (&gspca_dev->queue_lock){+.+.+.}, at: [<c8872eda>]
> vidioc_streamoff+0x3b/0xb4 [gspca_main]
> #1: (&gspca_dev->usb_lock){+.+.+.}, at: [<c8872eed>]
> vidioc_streamoff+0x4e/0xb4 [gspca_main]
> #2: (&ohci->lock){-.-...}, at: [<c11c8093>] ohci_endpoint_disable+0x31/0x192
> #3: (&mm->mmap_sem){++++++}, at: [<c100c168>] do_page_fault+0xc1/0x1fe
> irq event stamp: 11656
> hardirqs last enabled at (11655): [<c12e41a0>] _spin_unlock_irq+0x22/0x26
> hardirqs last disabled at (11656): [<c12e41da>] _spin_lock_irqsave+0x10/0x5a
> softirqs last enabled at (11610): [<c101a87f>] __do_softirq+0x145/0x14d
> softirqs last disabled at (11605): [<c101a8b1>] do_softirq+0x2a/0x42
> Pid: 1178, comm: capture-example Not tainted 2.6.31.5 #2
> Call Trace:
> [<c101222d>] __might_sleep+0xcb/0xd0
> [<c100c1ad>] do_page_fault+0x106/0x1fe
> [<c100c0a7>] ? do_page_fault+0x0/0x1fe
> [<c12e43c3>] error_code+0x63/0x70
> [<c100c0a7>] ? do_page_fault+0x0/0x1fe
> [<c11c5cef>] ? td_free+0x23/0x75
> [<c11c8175>] ohci_endpoint_disable+0x113/0x192
> [<c11b4428>] usb_hcd_disable_endpoint+0x2e/0x32
> [<c11b5b3f>] usb_disable_endpoint+0x6d/0x72
> [<c11b5cae>] usb_disable_interface+0x30/0x3f
> [<c11b70ac>] usb_set_interface+0x11b/0x1a0
> [<c8872e1d>] gspca_set_alt0+0x23/0x46 [gspca_main]
> [<c8872e75>] gspca_stream_off+0x35/0x5f [gspca_main]
> [<c8872ef8>] vidioc_streamoff+0x59/0xb4 [gspca_main]
> [<c8817244>] __video_do_ioctl+0x17af/0x3920 [videodev]
> [<c1032fa1>] ? __lock_acquire+0x6ef/0x755
> [<c102f436>] ? lock_release_holdtime+0x81/0x86
> [<c103315c>] ? lock_release_non_nested+0xab/0x1cf
> [<c105382f>] ? might_fault+0x3d/0x79
> [<c105382f>] ? might_fault+0x3d/0x79
> [<c11123d4>] ? copy_from_user+0x31/0x54
> [<c88196b8>] video_ioctl2+0x303/0x3ea [videodev]
> [<c102f436>] ? lock_release_holdtime+0x81/0x86
> [<c12e430e>] ? _spin_unlock_irqrestore+0x36/0x3c
> [<c103086c>] ? trace_hardirqs_on_caller+0x104/0x12b
> [<c103089e>] ? trace_hardirqs_on+0xb/0xd
> [<c88193b5>] ? video_ioctl2+0x0/0x3ea [videodev]
> [<c88156d8>] v4l2_unlocked_ioctl+0x2e/0x32 [videodev]
> [<c88156aa>] ? v4l2_unlocked_ioctl+0x0/0x32 [videodev]
> [<c106dd91>] vfs_ioctl+0x19/0x50
> [<c106e36b>] do_vfs_ioctl+0x458/0x4a3
> [<c1155a42>] ? tty_ldisc_deref+0x8/0xa
> [<c1150c1c>] ? tty_write+0x1b1/0x1c2
> [<c1152d69>] ? n_tty_write+0x0/0x2e6
> [<c1150a6b>] ? tty_write+0x0/0x1c2
> [<c106431d>] ? vfs_write+0xe3/0xfa
> [<c1002858>] ? restore_all_notrace+0x0/0x18
> [<c106e3e2>] sys_ioctl+0x2c/0x45
> [<c1002825>] syscall_call+0x7/0xb
We oopsed in td_free() (see below). But as part of that oops
processing the kernel entered do_page_fault() and emitted a
might_sleep() warning because we took a pagefault with local interrupts
disabled.
This is undesirable behaviour from the low-level x86 fault code and I
don't think it normally happens.
Did we break something in x86 land, or is this oops sufficiently weird
and whacky to bypass existing checks for this false positive?
> BUG: unable to handle kernel paging request at a7a7a7c3
> IP: [<c11c5cef>] td_free+0x23/0x75
> *pde = 00000000
> Oops: 0000 [#1] DEBUG_PAGEALLOC
> last sysfs file:
> Modules linked in: gspca_pac207 gspca_main videodev v4l1_compat
>
> Pid: 1178, comm: capture-example Not tainted (2.6.31.5 #2)
> EIP: 0060:[<c11c5cef>] EFLAGS: 00000083 CPU: 0
> EIP is at td_free+0x23/0x75
> EAX: a7a7a7a7 EBX: c6b35bf0 ECX: c6b35ce4 EDX: a7a7a7c3
> ESI: c6b7d800 EDI: c6b35cd4 EBP: c6785cc4 ESP: c6785cb8
> DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> Process capture-example (pid: 1178, ti=c6784000 task=c678d338 task.ti=c6784000)
> Stack:
> c6b35bf0 000003e8 c6b35cd4 c6785cf0 c11c8175 c6ba2ea0 c6b35bf0 00000000
> <0> c6b35bf0 00000292 c6b7c040 c6b35bf0 c6ba2ea0 c6b99ed8 c6785d00 c11b4428
> <0> c6b32bf0 c6ba2ea0 c6785d14 c11b5b3f 01ba3df0 000000dc 00000005 c6785d30
> Call Trace:
> [<c11c8175>] ? ohci_endpoint_disable+0x113/0x192
> [<c11b4428>] ? usb_hcd_disable_endpoint+0x2e/0x32
> [<c11b5b3f>] ? usb_disable_endpoint+0x6d/0x72
> [<c11b5cae>] ? usb_disable_interface+0x30/0x3f
> [<c11b70ac>] ? usb_set_interface+0x11b/0x1a0
> [<c8872e1d>] ? gspca_set_alt0+0x23/0x46 [gspca_main]
> [<c8872e75>] ? gspca_stream_off+0x35/0x5f [gspca_main]
> [<c8872ef8>] ? vidioc_streamoff+0x59/0xb4 [gspca_main]
> [<c8817244>] ? __video_do_ioctl+0x17af/0x3920 [videodev]
> [<c1032fa1>] ? __lock_acquire+0x6ef/0x755
> [<c102f436>] ? lock_release_holdtime+0x81/0x86
> [<c103315c>] ? lock_release_non_nested+0xab/0x1cf
> [<c105382f>] ? might_fault+0x3d/0x79
> [<c105382f>] ? might_fault+0x3d/0x79
> [<c11123d4>] ? copy_from_user+0x31/0x54
> [<c88196b8>] ? video_ioctl2+0x303/0x3ea [videodev]
> [<c102f436>] ? lock_release_holdtime+0x81/0x86
> [<c12e430e>] ? _spin_unlock_irqrestore+0x36/0x3c
> [<c103086c>] ? trace_hardirqs_on_caller+0x104/0x12b
> [<c103089e>] ? trace_hardirqs_on+0xb/0xd
> [<c88193b5>] ? video_ioctl2+0x0/0x3ea [videodev]
> [<c88156d8>] ? v4l2_unlocked_ioctl+0x2e/0x32 [videodev]
> [<c88156aa>] ? v4l2_unlocked_ioctl+0x0/0x32 [videodev]
> [<c106dd91>] ? vfs_ioctl+0x19/0x50
> [<c106e36b>] ? do_vfs_ioctl+0x458/0x4a3
> [<c1155a42>] ? tty_ldisc_deref+0x8/0xa
> [<c1150c1c>] ? tty_write+0x1b1/0x1c2
> [<c1152d69>] ? n_tty_write+0x0/0x2e6
> [<c1150a6b>] ? tty_write+0x0/0x1c2
> [<c106431d>] ? vfs_write+0xe3/0xfa
> [<c1002858>] ? restore_all_notrace+0x0/0x18
> [<c106e3e2>] ? sys_ioctl+0x2c/0x45
> [<c1002825>] ? syscall_call+0x7/0xb
> Code: e5 e8 bf 7b e9 ff 5d c3 55 89 e5 57 89 c7 56 89 d6 53 8b 42 28 89 c2 c1
> ea 06 31 d0 83 e0 3f 8d 94 87 cc 00 00 00 eb 03 8d 50 1c <8b> 02 85 c0 74 0b 39
> EIP: [<c11c5cef>] td_free+0x23/0x75 SS:ESP 0068:c6785cb8
> CR2: 00000000a7a7a7c3
And here's the real oops. drivers/usb/host/ohci-mem.c:td_free()
dereferenced a7a7a7c3. Which looks like
/********** drivers/base/dmapool.c **********/
#define POOL_POISON_FREED 0xa7 /* !inuse */
#define POOL_POISON_ALLOCATED 0xa9 /* !initted */
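As an added illustration (not part of this thread or of the kernel sources), the following user-space model shows why a stale pointer read out of a freed dmapool object lands exactly on a7a7a7c3. It assumes the kernel's dmapool debug path memsets a freed block with POOL_POISON_FREED, and it reads the "Code:" bytes `8d 50 1c <8b> 02` as `lea edx,[eax+0x1c]` followed by `mov eax,[edx]`, which matches EAX=a7a7a7a7 and EDX=a7a7a7c3 in the register dump; the struct layout and the 0x1c field offset are constructed for the example.

```c
/* Added example: model of a use-after-free on a poisoned dmapool block.
 * Not kernel code; struct layout and offsets are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define POOL_POISON_FREED     0xa7  /* drivers/base/dmapool.c: !inuse */
#define POOL_POISON_ALLOCATED 0xa9  /* drivers/base/dmapool.c: !initted */

/* Hypothetical TD-like object with a 32-bit link pointer at offset 0. */
struct fake_td {
    uint32_t next;       /* pointer to the successor TD */
    uint32_t pad[6];     /* padding so 'link' sits at offset 0x1c */
    uint32_t link;       /* the field the faulting 'lea edx,[eax+0x1c]' reached */
};

/* Model of dma_pool_free() with poisoning enabled: the whole block is
 * overwritten with 0xa7, so any pointer still stored in it becomes
 * 0xa7a7a7a7 when read back later. */
static void fake_pool_free(void *obj, size_t size)
{
    memset(obj, POOL_POISON_FREED, size);
}

/* Read the stale 'next' pointer from a freed object and add the field
 * offset used by the faulting instruction. Returns the address that a
 * 'mov eax,[edx]' would then dereference. */
static uint32_t stale_field_addr(const struct fake_td *freed, uint32_t off)
{
    return freed->next + off;   /* 0xa7a7a7a7 + 0x1c == 0xa7a7a7c3 */
}

/* Classify a faulting address by its repeating poison byte, allowing a
 * small field offset on top: 'F' = freed, 'A' = allocated, 0 = neither. */
static int classify_poison(uint32_t addr)
{
    uint8_t  b   = (addr >> 24) & 0xff;
    uint32_t pat = b * 0x01010101u;      /* e.g. 0xa7 -> 0xa7a7a7a7 */
    if (addr - pat > 0xff) return 0;     /* not poison + small offset */
    if (b == POOL_POISON_FREED)     return 'F';
    if (b == POOL_POISON_ALLOCATED) return 'A';
    return 0;
}

/* End-to-end: allocate, free (poison), then touch it through a stale pointer. */
static uint32_t demo_fault_addr(void)
{
    struct fake_td td;
    memset(&td, 0, sizeof td);           /* "valid" object while in use */
    fake_pool_free(&td, sizeof td);      /* freed: now all 0xa7 */
    return stale_field_addr(&td, 0x1c);  /* use after free */
}

int main(void)
{
    uint32_t a = demo_fault_addr();
    printf("stale pointer + 0x1c = %08x, poison class '%c'\n", a, classify_poison(a));
    return 0;
}
```

The classifier is a quick triage aid for oops addresses: a CR2 value made of one repeated byte plus a small offset points at a poisoned object rather than at random memory corruption.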