On Wed, 18 Apr 2012 13:17:00 +0200, Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx> wrote:
> On 04/18/2012 01:12 PM, Alexander Shishkin wrote:
> > On Wed, 18 Apr 2012 13:48:40 +0300, Felipe Balbi<balbi@xxxxxx> wrote:
> >> On Tue, Apr 17, 2012 at 05:02:30PM +0300, Alexander Shishkin wrote:
> >>> Currently, on gadget removal path, dummy_pullup() gets called after
> >>> gadget's disconnect(). Now, dummy_pullup() decides that it needs to
> >>> disconnect again, resulting in a crash. IOW, rmmod g_zero will crash
> >>> with dummy_hcd.
> >>
> >> Isn't the fix then simply:
> >
> > Nope. It never reaches dummy_udc_stop(), because dummy_pullup() that
> > crashes the kernel is called before it.
>
> Could you please a backtrace and how you get there?

Sure:

<0>Process rmmod (pid: 861, ti=f5884000 task=f6095f10 task.ti=f5884000)
<0>Stack:
<c> 00000000<c> 00000000<c> 00000002<c> 000001fd<c> 0000004c<c> 00000000<c> 00000000<c> 00000002<c>
<c> f6095f10<c> f6095f10<c> 00000000<c> 00000046<c> f5885eac<c> c1060387<c> 00000000<c> 00000002<c>
<c> 00000001<c> 00000000<c> f895f5f2<c> 00000000<c> 00000000<c> 0000004c<c> 0000003c<c> 00000086<c>
<0>Call Trace:
<0> [<c1060387>] lock_acquire+0xde/0xfb
<0> [<f895f5f2>] ? composite_disconnect+0x1a/0x48 [g_zero]
<0> [<c14ab4e0>] _raw_spin_lock_irqsave+0x32/0x42
<0> [<f895f5f2>] ? composite_disconnect+0x1a/0x48 [g_zero]
<0> [<f895f5f2>] composite_disconnect+0x1a/0x48 [g_zero]
<0> [<f8921634>] set_link_state+0xc5/0x143 [dummy_hcd]
<0> [<f892175d>] dummy_pullup+0xab/0xc9 [dummy_hcd]
<0> [<c12d581f>] usb_gadget_remove_driver+0x41/0x68
<0> [<c12d5878>] usb_gadget_unregister_driver+0x32/0x5d
<0> [<f895fd2d>] usb_composite_unregister+0x15/0x17 [g_zero]
<0> [<f89610b1>] cleanup+0xd/0xf [g_zero]
<0> [<c1067d7e>] sys_delete_module+0x17f/0x1f8
<0> [<c14abcbf>] ? restore_all+0xf/0xf
<0> [<c105ed49>] ? __trace_hardirqs_on_caller+0x5c/0x8b
<0> [<c14abcbf>] ? restore_all+0xf/0xf
<0> [<c105ee5d>] ? trace_hardirqs_on_caller+0xe5/0xf3
<0> [<c14ac553>] sysenter_do_call+0x12/0x32

It doesn't show the usb_gadget_disconnect(), but gdb does:

#0 0xc105fba6 in __lock_acquire (lock=0x4c, subclass=<optimized out>, trylock=0, read=0, check=2, hardirqs_off=1, nest_lock=0x0, ip=4170577394, references=0)
    at /home/ash/work/linux/kernel/lockdep.c:3033
#1 0xc1060387 in lock_acquire (lock=0x4c, subclass=0, trylock=0, read=0, check=2, nest_lock=0x0, ip=4170577394)
    at /home/ash/work/linux/kernel/lockdep.c:3555
#2 0xc14ab4e0 in __raw_spin_lock_irqsave (lock=0x3c)
    at /home/ash/work/linux/include/linux/spinlock_api_smp.h:110
#3 _raw_spin_lock_irqsave (lock=0x3c)
    at /home/ash/work/linux/kernel/spinlock.c:145
#4 0xf895f5f2 in ?? ()
#5 0xf8921634 in ?? ()
#6 0xf892175d in ?? ()
#7 0xc12d581f in usb_gadget_disconnect (gadget=<optimized out>)
    at /home/ash/work/linux/include/linux/usb/gadget.h:764
#8 usb_gadget_remove_driver (udc=0x3c)
    at /home/ash/work/linux/drivers/usb/gadget/udc-core.c:267
#9 0xc12d5878 in usb_gadget_unregister_driver (driver=0xf89616f0)
    at /home/ash/work/linux/drivers/usb/gadget/udc-core.c:384
#10 0xf895fd2d in ?? ()
#11 0xf89610b1 in ?? ()
#12 0xc1067d7e in sys_delete_module (name_user=0xbfec30b0 "g_zero", flags=2176)
    at /home/ash/work/linux/kernel/module.c:831
#13 <signal handler called>
#14 0xb778d424 in ?? ()
Cannot access memory at address 0x884
(gdb) frame 7
#7 0xc12d581f in usb_gadget_disconnect (gadget=<optimized out>)
    at /home/ash/work/linux/include/linux/usb/gadget.h:764
764 return gadget->ops->pullup(gadget, 0);
(gdb)

Reproduced by modprobe dummy_hcd && modprobe g_zero && rmmod g_zero.

Regards,
--
Alex