>From Jiri Kosina <jkosina@xxxxxxx>, Tue, Sep 02, 2014 at 11:32:30PM +0200:
> On Tue, 2 Sep 2014, Benjamin Tissoires wrote:
>
> > > Whenever either disconnecting the USB device or simply rmmod'ing the module
> > > (even when not in use), I get a kernel panic. I haven't managed to capture a
> > > backtrace, but at least the first two lines were saved after an rmmod:
> > >
> > > 18:53:17 kernel: thingm 0003:27B8:01ED.0004: hidraw3: USB HID v1.01 Device [ThingM blink(1) mk2] on usb-0000:00:12.2-3.1.4/input0
> > > <snip, rmmod hid-thingm:>
> > > 08:38:42 kernel: BUG: unable to handle kernel paging request at fffffffb8a80aaf8
> > > 08:38:42 kernel: IP: [<ffffffff8106e30c>] osq_lock+0x3c/0x110
>
> Hmm, so the only lock that is taken in thingm driver itself is
> rgb->tdev->lock, which is thingm_device->lock, properly initialized in
> _probe().
>
> So my first thought was that the work is not cancelled properly, causing
> use-after-free on the lock with the workqueue firing at the time the
> drvier has cleaned up everything, but that doesn't seem to be the case, as
> thingm_remove() -> thingm_remove_rgb() seems to be doing the right thing.
>
> Dylan, is there any chance for you to capture more complete backtrace from
> the oops? serial console, netconsole, anything?
Some combination of kernel debugging options and killing processes let it
survive long enough to write the backtrace to disk. A simple modprobe/rmmod
wasn't enough, though, it required a few tries removing the device and then
rmmod (though has definitely happend on just one removal before). Let me know
if there's anything else I can try.
<insmod>
[ 28.855960] thingm 0003:27B8:01ED.0004: hidraw3: USB HID v1.01 Device [ThingM blink(1) mk2] on usb-0000:00:12.2-3.1.4/input0
<rmmod;insmod>
[ 147.037008] thingm 0003:27B8:01ED.0004: hidraw3: USB HID v1.01 Device [ThingM blink(1) mk2] on usb-0000:00:12.2-3.1.4/input0
<unplug>
[ 218.496688] usb 1-3.1.4: USB disconnect, device number 7
[ 218.502278] hid : failed to write color
[ 218.506131] hid : failed to write color
<plug>
[ 233.557300] usb 1-3.1.4: new full-speed USB device number 8 using ehci-pci
[ 233.657195] usb 1-3.1.4: config 1 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 1
[ 233.660402] thingm 0003:27B8:01ED.0005: hidraw3: USB HID v1.01 Device [ThingM blink(1) mk2] on usb-0000:00:12.2-3.1.4/input0
<rmmod>
[ 253.682724] BUG: unable to handle kernel paging request at ffffffffa00af0cf
[ 253.682807] IP:
[ 253.682812] [<ffffffffa00af0cf>] 0xffffffffa00af0cf
[ 253.682817] PGD 1814067 PUD 1815063 PMD 42cace067 PTE 0
[ 253.682820] Oops: 0010 [#1] SMP
[ 253.682830] Modules linked in: led_class cuse fuse snd_emu10k1 snd_hwdep snd_util_mem snd_ac97_codec ac97_bus snd_rawmidi snd_seq_device snd_pcm snd_timer ipt_ULOG [last unloaded: hid_thingm]
[ 253.682833] CPU: 0 PID: 849 Comm: kworker/0:2 Not tainted 3.16.1-00001-g98fed6d #145
[ 253.682835] Hardware name: empty empty/S8010-LE, BIOS 'V2.03B ' 03/15/2012
[ 253.682838] Workqueue: events 0xffffffffa00af040
[ 253.682840] task: ffff88042e330050 ti: ffff880429d8c000 task.ti: ffff880429d8c000
[ 253.682844] RIP: 0010:[<ffffffffa00af0cf>] [<ffffffffa00af0cf>] 0xffffffffa00af0cf
[ 253.682846] RSP: 0018:ffff880429d8fdd0 EFLAGS: 00010286
[ 253.682847] RAX: 0000000000000009 RBX: ffff88042ca83af0 RCX: 0000000000000302
[ 253.682849] RDX: 0000000000000078 RSI: 0000000000000286 RDI: ffff88042caaade0
[ 253.682850] RBP: ffff880429d8fdf0 R08: ffff8804acaaade0 R09: 0000000000000282
[ 253.682852] R10: ffff88042c93dbc0 R11: 000000000000001f R12: ffff88042c885e80
[ 253.682853] R13: 0000000000000000 R14: ffff88043ec14e00 R15: ffff88043ec113c0
[ 253.682856] FS: 00007f58ebcec700(0000) GS:ffff88043ec00000(0000) knlGS:0000000000000000
[ 253.682857] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 253.682859] CR2: ffffffffa00af0cf CR3: 0000000001813000 CR4: 00000000000407f0
[ 253.682859] Stack:
[ 253.682863] 010000000000a000 0001000000000063 000000008867f918 ffff88042ca83af0
[ 253.682866] ffff880429d8fe38 ffffffff81052c2f ffff88043ec113c0 000000003ec113c0
[ 253.682869] ffff88043ec113c0 ffff88043ec113e8 ffff88042e330050 ffff88042c885eb0
[ 253.682870] Call Trace:
[ 253.682878] [<ffffffff81052c2f>] process_one_work+0x14f/0x400
[ 253.682882] [<ffffffff81053423>] worker_thread+0x63/0x540
[ 253.682886] [<ffffffff810533c0>] ? create_and_start_worker+0x60/0x60
[ 253.682889] [<ffffffff81059038>] kthread+0xe8/0x100
[ 253.682893] [<ffffffff81058f50>] ? kthread_create_on_node+0x1b0/0x1b0
[ 253.682897] [<ffffffff815323ec>] ret_from_fork+0x7c/0xb0
[ 253.682900] [<ffffffff81058f50>] ? kthread_create_on_node+0x1b0/0x1b0
[ 253.682906] Code: Bad RIP value.
[ 253.682908] RIP [<ffffffffa00af0cf>] 0xffffffffa00af0cf
[ 253.682909] RSP <ffff880429d8fdd0>
[ 253.682910] CR2: ffffffffa00af0cf
[ 253.682913] ---[ end trace 38f1b789201cd967 ]---
[ 253.682946] BUG: unable to handle kernel paging request at ffffffffffffffc8
[ 253.682950] IP: [<ffffffff810595eb>] kthread_data+0xb/0x20
[ 253.682953] PGD 1814067 PUD 1816067 PMD 0
[ 253.682955] Oops: 0000 [#2] SMP
[ 253.682964] Modules linked in: led_class cuse fuse snd_emu10k1 snd_hwdep snd_util_mem snd_ac97_codec ac97_bus snd_rawmidi snd_seq_device snd_pcm snd_timer ipt_ULOG [last unloaded: hid_thingm]
[ 253.682967] CPU: 0 PID: 849 Comm: kworker/0:2 Tainted: G D 3.16.1-00001-g98fed6d #145
[ 253.682969] Hardware name: empty empty/S8010-LE, BIOS 'V2.03B ' 03/15/2012
[ 253.682987] task: ffff88042e330050 ti: ffff880429d8c000 task.ti: ffff880429d8c000
[ 253.682990] RIP: 0010:[<ffffffff810595eb>] [<ffffffff810595eb>] kthread_data+0xb/0x20
[ 253.682992] RSP: 0018:ffff880429d8fa40 EFLAGS: 00010002
[ 253.682993] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffff80cd76
[ 253.682995] RDX: 0000000050f1eeb6 RSI: 0000000000000000 RDI: ffff88042e330050
[ 253.682996] RBP: ffff880429d8fa40 R08: ffff88042c8928a0 R09: 0000000000000001
[ 253.682998] R10: 00000000000001ea R11: 0000000000000000 R12: 0000000000000000
[ 253.682999] R13: ffff88042e330400 R14: 0000000000000000 R15: ffff88042e330050
[ 253.683002] FS: 00007f58ebcec700(0000) GS:ffff88043ec00000(0000) knlGS:0000000000000000
[ 253.683003] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 253.683005] CR2: 0000000000000028 CR3: 0000000001813000 CR4: 00000000000407f0
[ 253.683005] Stack:
[ 253.683009] ffff880429d8fa58 ffffffff8105396c ffff88043ec11c40 ffff880429d8fac0
[ 253.683011] ffffffff8152db81 000000000000a000 ffff88042e330050 ffff880429d8fa88
[ 253.683014] ffff880429d8ffd8 ffff880429d8fad0 ffffffff8103e2a9 ffff88042e330610
[ 253.683015] Call Trace:
[ 253.683019] [<ffffffff8105396c>] wq_worker_sleeping+0xc/0x90
[ 253.683024] [<ffffffff8152db81>] __schedule+0x4b1/0x730
[ 253.683029] [<ffffffff8103e2a9>] ? release_task+0x249/0x3d0
[ 253.683033] [<ffffffff8152de24>] schedule+0x24/0x60
[ 253.683036] [<ffffffff8103eb92>] do_exit+0x762/0xa10
[ 253.683041] [<ffffffff81005998>] oops_end+0x68/0x90
[ 253.683046] [<ffffffff8103242c>] no_context+0x12c/0x2f0
[ 253.683050] [<ffffffff81032675>] __bad_area_nosemaphore+0x85/0x1f0
[ 253.683054] [<ffffffff810327ee>] bad_area_nosemaphore+0xe/0x10
[ 253.683058] [<ffffffff81032b16>] __do_page_fault+0xb6/0x4d0
[ 253.683062] [<ffffffff81531e09>] ? _raw_spin_unlock_irq+0x9/0x10
[ 253.683066] [<ffffffff8141a43f>] ? urb_destroy+0x1f/0x30
[ 253.683069] [<ffffffff8141ad09>] ? usb_free_urb+0x19/0x20
[ 253.683072] [<ffffffff8141b342>] ? usb_start_wait_urb+0xa2/0xf0
[ 253.683075] [<ffffffff81032f5c>] do_page_fault+0xc/0x10
[ 253.683079] [<ffffffff81533922>] page_fault+0x22/0x30
[ 253.683084] [<ffffffff81052c2f>] process_one_work+0x14f/0x400
[ 253.683087] [<ffffffff81053423>] worker_thread+0x63/0x540
[ 253.683091] [<ffffffff810533c0>] ? create_and_start_worker+0x60/0x60
[ 253.683093] [<ffffffff81059038>] kthread+0xe8/0x100
[ 253.683097] [<ffffffff81058f50>] ? kthread_create_on_node+0x1b0/0x1b0
[ 253.683100] [<ffffffff815323ec>] ret_from_fork+0x7c/0xb0
[ 253.683103] [<ffffffff81058f50>] ? kthread_create_on_node+0x1b0/0x1b0
[ 253.683132] Code: 00 48 89 e5 5d 48 8b 40 b8 48 c1 e8 02 83 e0 01 c3 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 87 58 03 00 00 55 48 89 e5 <48> 8b 40 c8 5d c3 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
[ 253.683135] RIP [<ffffffff810595eb>] kthread_data+0xb/0x20
[ 253.683136] RSP <ffff880429d8fa40>
[ 253.683137] CR2: ffffffffffffffc8
[ 253.683139] ---[ end trace 38f1b789201cd968 ]---
[ 253.683140] Fixing recursive fault but reboot is needed!
[ 313.753106] INFO: rcu_sched detected stalls on CPUs/tasks: { 0} (detected by 7, t=18003 jiffies, g=1479, c=1478, q=300)
<more traces follow but probably irrelevant>
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
