On Sat, 2007-02-17 at 11:23 +0100, Johannes Berg wrote: > Hah, I get to complain too. and I also give some debugging info........ > [ 441.994183] bcm43xx_d80211: Radio turned off > [ 442.310739] eth1: skb_queue not empty > [ 442.313338] Unable to handle kernel paging request for data at address 0x6b6b6b73 > [ 442.315881] NIP [C0030ADC] tasklet_action+0x80/0xec ok so I was guessing that we free a used tasklet, and I'm right. Attached is a debug patch that gave me the following log instead of the oops: [ 281.135208] bcm43xx_d80211: Radio turned off [ 281.371838] eth1: skb_queue not empty [ 281.372089] attempt to free scheduled tasklet c0506188 in object c0506000! [ 281.372107] will leak memory instead! [ 281.372122] Call Trace: [ 281.372138] [E8FF9CD0] [C0009024] show_stack+0x3c/0x194 (unreliable) [ 281.372199] [E8FF9D00] [C0030900] __tasklet_free_check+0x70/0x98 [ 281.372244] [E8FF9D20] [C007F670] kfree+0x78/0x120 [ 281.372288] [E8FF9D40] [F208A104] cfg80211_dev_free+0x24/0x38 [cfg80211] [ 281.372358] [E8FF9D60] [F208A580] wiphy_class_dev_release+0x14/0x24 [cfg80211] [ 281.372406] [E8FF9D70] [C01D04D8] class_dev_release+0x74/0x9c [ 281.372450] [E8FF9D90] [C016ED7C] kobject_cleanup+0x70/0xd4 [ 281.372490] [E8FF9DB0] [C016FD30] kref_put+0x54/0x6c [ 281.372537] [E8FF9DC0] [C016ECFC] kobject_put+0x24/0x34 [ 281.372573] [E8FF9DD0] [C01CF5EC] class_device_put+0x1c/0x2c [ 281.372613] [E8FF9DE0] [F208A0D0] wiphy_free+0x14/0x24 [cfg80211] [ 281.372655] [E8FF9DF0] [F224AACC] ieee80211_free_hw+0x24/0x38 [80211] [ 281.372744] [E8FF9E10] [F24836F8] bcm43xx_wireless_exit+0x24/0x38 [bcm43xx_d80211] [ 281.372813] [E8FF9E30] [F2081464] ssb_device_remove+0x34/0x54 [ssb] [ 281.372863] [E8FF9E40] [C01CEA08] __device_release_driver+0x88/0xc0 [ 281.372910] [E8FF9E50] [C01CF180] driver_detach+0x110/0x140 [ 281.372949] [E8FF9E70] [C01CE49C] bus_remove_driver+0x8c/0xc8 [ 281.372987] [E8FF9E90] [C01CF208] driver_unregister+0x18/0x34 [ 281.373025] [E8FF9EB0] [F2081CBC] ssb_driver_unregister+0x14/0x24 [ssb] [ 281.373078] [E8FF9EC0] [F249B7F4] bcm43xx_exit+0x18/0x35e4 [bcm43xx_d80211] [ 281.373126] [E8FF9ED0] [C004CC98] sys_delete_module+0x1ac/0x210 [ 281.373173] [E8FF9F40] [C0011380] ret_from_syscall+0x0/0x38 [ 281.373223] --- Exception: c01 at 0xff6ae18 [ 281.373253] LR = 0x10001214 As you can see (compile with debug info and get the struct sizes etc.), the tasklet in question must be struct tasklet_struct tasklet; in struct ieee80211_local. Now to figure out why it is scheduled while we do ieee80211_free_hw, but I think that's good enough for me today. johannes
---
kernel/softirq.c | 23 +++++++++++++++++++++++
mm/slab.c | 6 +++++-
2 files changed, 28 insertions(+), 1 deletion(-)
--- wireless-dev.orig/kernel/softirq.c 2007-02-17 11:35:52.381777421 +0100
+++ wireless-dev/kernel/softirq.c 2007-02-17 11:59:54.431777421 +0100
@@ -353,6 +353,29 @@ void fastcall __tasklet_schedule(struct
EXPORT_SYMBOL(__tasklet_schedule);
+int fastcall __tasklet_free_check(char *from, unsigned long len)
+{
+ struct tasklet_struct *t;
+ unsigned long start = (unsigned long) from;
+ int ret = 0;
+
+ /* really should check all CPUs but I only have one
+ * right now so I'm fine. hah! */
+ t = __get_cpu_var(tasklet_vec).list;
+ while (t) {
+ unsigned long tul = (unsigned long)t;
+ if (tul >= start && tul < (start+len)) {
+ printk(KERN_ERR "attempt to free scheduled tasklet %p in object %p!\n", t, from);
+ printk(KERN_ERR "will leak memory instead!\n");
+ dump_stack();
+ ret = -EBUSY;
+ }
+ t = t->next;
+ }
+
+ return ret;
+}
+
void fastcall __tasklet_hi_schedule(struct tasklet_struct *t)
{
unsigned long flags;
--- wireless-dev.orig/mm/slab.c 2007-02-17 11:36:56.181777421 +0100
+++ wireless-dev/mm/slab.c 2007-02-17 11:45:17.161777421 +0100
@@ -3747,6 +3747,9 @@ EXPORT_SYMBOL(kmem_cache_free);
* Don't free memory not originally allocated by kmalloc()
* or you will run into trouble.
*/
+
+extern int fastcall __tasklet_free_check(char *from, unsigned long length);
+
void kfree(const void *objp)
{
struct kmem_cache *c;
@@ -3758,7 +3761,8 @@ void kfree(const void *objp)
kfree_debugcheck(objp);
c = virt_to_cache(objp);
debug_check_no_locks_freed(objp, obj_size(c));
- __cache_free(c, (void *)objp);
+ if (__tasklet_free_check(objp, obj_size(c)) == 0)
+ __cache_free(c, (void *)objp);
local_irq_restore(flags);
}
EXPORT_SYMBOL(kfree);
Attachment:
signature.asc
Description: This is a digitally signed message part
