crash when cleaning up gadget configfs directory on sama5d2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!  I can reliably produce an oops + reboot on sama5d2 when
attempting to remove a gadget configuration from configfs.

The stack trace follows:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 1109 at
drivers/usb/gadget/function/u_serial.c:1184
gserial_free_port+0xe4/0xec
Modules linked in: can_raw can at91_sama5d2_adc
industrialio_triggered_buffer kfifo_buf gpio_sama5d2_piobu
industrialio m_can_platform m_can sdhci_of_at91 can_dev sdhci_pltfm
sdhci mmc_core ohci_at91 ohci_hcd ehci_atmel sch_fq_codel prox2_hal(O)
CPU: 0 PID: 1109 Comm: rmdir Tainted: G           O      5.7.6-prox2+ #1
Hardware name: Atmel SAMA5
[<c010c5a0>] (unwind_backtrace) from [<c0109ef4>] (show_stack+0x10/0x14)
[<c0109ef4>] (show_stack) from [<c012a4f8>] (__warn+0xbc/0xd4)
[<c012a4f8>] (__warn) from [<c012a574>] (warn_slowpath_fmt+0x64/0xc4)
[<c012a574>] (warn_slowpath_fmt) from [<c04c0f4c>] (gserial_free_port+0xe4/0xec)
[<c04c0f4c>] (gserial_free_port) from [<c04c0f94>] (gserial_free_line+0x40/0x74)
[<c04c0f94>] (gserial_free_line) from [<c04c0a8c>] (acm_free_instance+0x10/0x1c)
[<c04c0a8c>] (acm_free_instance) from [<c04b9f2c>]
(usb_put_function_instance+0x1c/0x28)
[<c04b9f2c>] (usb_put_function_instance) from [<c027f8b4>]
(config_item_put.part.0+0x90/0xb0)
[<c027f8b4>] (config_item_put.part.0) from [<c027e2bc>]
(configfs_rmdir+0x1b4/0x270)
[<c027e2bc>] (configfs_rmdir) from [<c0203560>] (vfs_rmdir+0x6c/0x1b4)
[<c0203560>] (vfs_rmdir) from [<c02077b8>] (do_rmdir+0x154/0x1bc)
[<c02077b8>] (do_rmdir) from [<c0100060>] (ret_fast_syscall+0x0/0x54)
Exception stack(0xc118bfa8 to 0xc118bff0)
bfa0:                   bea1de4d bea1dd38 bea1de4d 00000001 00493a74 b6e770e8
bfc0: bea1de4d bea1dd38 00000000 00000028 0047c6d4 0047c2b0 00000000 00000000
bfe0: 00493b5c bea1db94 004509a3 b6e18858
---[ end trace db1d6cc2dc22fb43 ]---
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000004
pgd = 4b49c8b1
[00000004] *pgd=00000000
Internal error: Oops: 80000005 [#1] ARM
Modules linked in: can_raw can at91_sama5d2_adc
industrialio_triggered_buffer kfifo_buf gpio_sama5d2_piobu
industrialio m_can_platform m_can sdhci_of_at91 can_dev sdhci_pltfm
sdhci mmc_core ohci_at91 ohci_hcd ehci_atmel sch_fq_codel prox2_hal(O)
CPU: 0 PID: 1111 Comm: rmdir Tainted: G        W  O      5.7.6-prox2+ #1
Hardware name: Atmel SAMA5
PC is at 0x4
LR is at eth_stop+0x4c/0xa4
pc : [<00000004>]    lr : [<c04c2470>]    psr: 200f0093
sp : c1223de0  ip : 000003e8  fp : c78e3d40
r10: 00000000  r9 : c0899e04  r8 : 00000001
r7 : 00000001  r6 : a00f0013  r5 : c6014000  r4 : c62eb300
r3 : 00000004  r2 : c785f980  r1 : a00f0013  r0 : c62eb300
Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c53c7d  Table: 21224059  DAC: 00000051
Process rmdir (pid: 1111, stack limit = 0xbbf9cfde)
Stack: (0xc1223de0 to 0xc1224000)
3de0: c6014000 c1223e5c 00000000 00000001 00000001 c05515cc b3b5ffa3 c0204f00
3e00: 00000000 c6014000 00000000 c0d03208 c1223e68 c6014000 c1223e5c c05516cc
3e20: 00000000 c02020b8 00000000 c0d03208 c1223e68 c6014000 c1223ea4 c1223e5c
3e40: 00000001 c055256c c1223ea8 c7891c60 c1223e80 c7891c60 c789b850 c6014044
3e60: c6014044 c0211524 5e46c117 00000000 232aaf83 c0d03208 c6014000 00000000
3e80: c073f69c 00000000 00000000 c0d2da34 00000000 c05529f4 c788a2a8 c7891c60
3ea0: c789b850 c601403c c601403c c0d03208 232aaf83 c6014000 00000000 c0552a98
3ec0: c6014500 c04c2cd8 c785fa00 c04c3d2c 00000000 c04b9f2c c785fa00 c027f8b4
3ee0: 00000000 c785fa00 c7a9ed20 00000000 c789b850 c027e2bc 00000002 c0d03208
3f00: c788a2a8 c788a2a8 00000000 c79958c0 be84ce4c ffffff9c c1223f68 c1223f5c
3f20: c4b41000 c0203560 00000000 c0203244 00000001 00000000 c788a2a8 be84ce4c
3f40: ffffff9c c02077b8 c1223f68 c1223f5c c1223f7c c070b5c0 00000000 00000000
3f60: c6bacd90 c788ae58 13f1481e 00000008 c4b4103e 00100000 00000070 c0d03208
3f80: be84c6f0 be84ce4c be84cd38 00000000 00000028 c0100264 c1222000 00000028
3fa0: 00000000 c0100060 be84ce4c be84cd38 be84ce4c 00000001 004e9a74 b6f6d0e8
3fc0: be84ce4c be84cd38 00000000 00000028 004d26d4 004d22b0 00000000 00000000
3fe0: 004e9b5c be84cb94 004a69a3 b6f0e858 600f0030 be84ce4c 00000000 00000000
[<c04c2470>] (eth_stop) from [<c05515cc>] (__dev_close_many+0xac/0x12c)
[<c05515cc>] (__dev_close_many) from [<c05516cc>] (dev_close_many+0x80/0x118)
[<c05516cc>] (dev_close_many) from [<c055256c>]
(rollback_registered_many+0x114/0x504)
[<c055256c>] (rollback_registered_many) from [<c05529f4>]
(unregister_netdevice_queue+0x98/0x124)
[<c05529f4>] (unregister_netdevice_queue) from [<c0552a98>]
(unregister_netdev+0x18/0x20)
[<c0552a98>] (unregister_netdev) from [<c04c2cd8>] (gether_cleanup+0x14/0x28)
[<c04c2cd8>] (gether_cleanup) from [<c04c3d2c>] (ecm_free_inst+0x20/0x3c)
[<c04c3d2c>] (ecm_free_inst) from [<c04b9f2c>]
(usb_put_function_instance+0x1c/0x28)
[<c04b9f2c>] (usb_put_function_instance) from [<c027f8b4>]
(config_item_put.part.0+0x90/0xb0)
[<c027f8b4>] (config_item_put.part.0) from [<c027e2bc>]
(configfs_rmdir+0x1b4/0x270)
[<c027e2bc>] (configfs_rmdir) from [<c0203560>] (vfs_rmdir+0x6c/0x1b4)
[<c0203560>] (vfs_rmdir) from [<c02077b8>] (do_rmdir+0x154/0x1bc)
[<c02077b8>] (do_rmdir) from [<c0100060>] (ret_fast_syscall+0x0/0x54)
Exception stack(0xc1223fa8 to 0xc1223ff0)
3fa0:                   be84ce4c be84cd38 be84ce4c 00000001 004e9a74 b6f6d0e8
3fc0: be84ce4c be84cd38 00000000 00000028 004d26d4 004d22b0 00000000 00000000
3fe0: 004e9b5c be84cb94 004a69a3 b6f0e858
Code: bad PC value
---[ end trace db1d6cc2dc22fb44 ]---

The tainted flag is set, but it has nothing to do with the oops.  I
can produce another trace with the module unloaded if needed to remove
the flag.

The oops occurs when I do the following:

rmdir /sys/kernel/config/usb_gadget/prox2/functions/ecm.usb0

I have been able to reproduce on kernels ranging from 4.4.x to 5.7.6.

This is the script that I am using to start / stop the gadget device:

#!/bin/sh

grep -q configfs /proc/mounts ||  mount -t configfs none /sys/kernel/config

case "$1" in
        "start" )
                if [ -e /sys/kernel/config/usb_gadget/prox2 ]; then
                        exit 0
                fi
                mkdir -p /sys/kernel/config/usb_gadget/prox2
                echo 0x0004 > /sys/kernel/config/usb_gadget/prox2/idVendor
                echo 0xF00D > /sys/kernel/config/usb_gadget/prox2/idProduct

                mkdir -p /sys/kernel/config/usb_gadget/prox2/strings/0x409
                echo "Internet Widgets, LTD" >
/sys/kernel/config/usb_gadget/prox2/strings/0x409/manufacturer
                echo nano-cv >
/sys/kernel/config/usb_gadget/prox2/strings/0x409/product
                mkdir -p /sys/kernel/config/usb_gadget/prox2/functions/acm.GS0
                mkdir -p /sys/kernel/config/usb_gadget/prox2/functions/ecm.usb0

                mkdir -p /sys/kernel/config/usb_gadget/prox2/configs/
                mkdir -p /sys/kernel/config/usb_gadget/prox2/configs/c.1
                mkdir -p
/sys/kernel/config/usb_gadget/prox2/configs/c.1/strings/0x409
                echo "CDC ACM+ECM" >
/sys/kernel/config/usb_gadget/prox2/configs/c.1/strings/0x409/configuration
                ln -s
/sys/kernel/config/usb_gadget/prox2/functions/acm.GS0
/sys/kernel/config/usb_gadget/prox2/configs/c.1/
                ln -s
/sys/kernel/config/usb_gadget/prox2/functions/ecm.usb0
/sys/kernel/config/usb_gadget/prox2/configs/c.1/
                echo 300000.gadget > /sys/kernel/config/usb_gadget/prox2/UDC
                ;;
        "stop" )
                if [ -e /sys/kernel/config/usb_gadget/prox2/UDC ]; then
                        echo > /sys/kernel/config/usb_gadget/prox2/UDC
2>/dev/null
                        rm -f
/sys/kernel/config/usb_gadget/prox2/configs/c.1/acm.GS0
/sys/kernel/config/usb_gadget/prox2/configs/c.1/ecm.usb0
                        rmdir
/sys/kernel/config/usb_gadget/prox2/configs/c.1/strings/0x409
2>/dev/null
                        rmdir
/sys/kernel/config/usb_gadget/prox2/configs/c.1 2>/dev/null
                        rmdir
/sys/kernel/config/usb_gadget/prox2/configs 2>/dev/null
                        rmdir
/sys/kernel/config/usb_gadget/prox2/functions/acm.GS0 2>/dev/null
                        rmdir
/sys/kernel/config/usb_gadget/prox2/functions/ecm.usb0 2>/dev/null
                        rmdir
/sys/kernel/config/usb_gadget/prox2/strings/0x409 2>/dev/null
                        rmdir /sys/kernel/config/usb_gadget/prox2 2>/dev/null
                fi
        ;;
        * )
                echo "Usage: gadget [start | stop]"
                exit 255
                ;;
esac
exit 0

Am I doing something incorrectly? What can I do to debug this further?

All the best,
Mark Deneen



[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux