diff mbox

hid-thingm: kernel panic on remove

Message ID alpine.LNX.2.00.1409030928200.12309@pobox.suse.cz (mailing list archive)
State New, archived
Delegated to: Jiri Kosina
Headers show

Commit Message

Jiri Kosina Sept. 3, 2014, 7:29 a.m. UTC 
On Tue, 2 Sep 2014, Dylan Alex Simon wrote:

> Some combination of kernel debugging options and killing processes let it
> survive long enough to write the backtrace to disk.  A simple modprobe/rmmod
> wasn't enough, though, it required a few tries removing the device and then
> rmmod (though has definitely happend on just one removal before).  Let me know
> if there's anything else I can try.
> 
> <insmod>
> [   28.855960] thingm 0003:27B8:01ED.0004: hidraw3: USB HID v1.01 Device [ThingM blink(1) mk2] on usb-0000:00:12.2-3.1.4/input0
> <rmmod;insmod>
> [  147.037008] thingm 0003:27B8:01ED.0004: hidraw3: USB HID v1.01 Device [ThingM blink(1) mk2] on usb-0000:00:12.2-3.1.4/input0
> <unplug>
> [  218.496688] usb 1-3.1.4: USB disconnect, device number 7
> [  218.502278] hid : failed to write color
> [  218.506131] hid : failed to write color
> <plug>
> [  233.557300] usb 1-3.1.4: new full-speed USB device number 8 using ehci-pci
> [  233.657195] usb 1-3.1.4: config 1 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 1
> [  233.660402] thingm 0003:27B8:01ED.0005: hidraw3: USB HID v1.01 Device [ThingM blink(1) mk2] on usb-0000:00:12.2-3.1.4/input0
> <rmmod>
> [  253.682724] BUG: unable to handle kernel paging request at ffffffffa00af0cf
> [  253.682807] IP:
> [  253.682812]  [<ffffffffa00af0cf>] 0xffffffffa00af0cf
> [  253.682817] PGD 1814067 PUD 1815063 PMD 42cace067 PTE 0
> [  253.682820] Oops: 0010 [#1] SMP 
> [  253.682830] Modules linked in: led_class cuse fuse snd_emu10k1 snd_hwdep snd_util_mem snd_ac97_codec ac97_bus snd_rawmidi snd_seq_device snd_pcm snd_timer ipt_ULOG [last unloaded: hid_thingm]
> [  253.682833] CPU: 0 PID: 849 Comm: kworker/0:2 Not tainted 3.16.1-00001-g98fed6d #145
> [  253.682835] Hardware name: empty empty/S8010-LE, BIOS 'V2.03B   ' 03/15/2012
> [  253.682838] Workqueue: events 0xffffffffa00af040
> [  253.682840] task: ffff88042e330050 ti: ffff880429d8c000 task.ti: ffff880429d8c000
> [  253.682844] RIP: 0010:[<ffffffffa00af0cf>]  [<ffffffffa00af0cf>] 0xffffffffa00af0cf
> [  253.682846] RSP: 0018:ffff880429d8fdd0  EFLAGS: 00010286
> [  253.682847] RAX: 0000000000000009 RBX: ffff88042ca83af0 RCX: 0000000000000302
> [  253.682849] RDX: 0000000000000078 RSI: 0000000000000286 RDI: ffff88042caaade0
> [  253.682850] RBP: ffff880429d8fdf0 R08: ffff8804acaaade0 R09: 0000000000000282
> [  253.682852] R10: ffff88042c93dbc0 R11: 000000000000001f R12: ffff88042c885e80
> [  253.682853] R13: 0000000000000000 R14: ffff88043ec14e00 R15: ffff88043ec113c0
> [  253.682856] FS:  00007f58ebcec700(0000) GS:ffff88043ec00000(0000) knlGS:0000000000000000
> [  253.682857] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [  253.682859] CR2: ffffffffa00af0cf CR3: 0000000001813000 CR4: 00000000000407f0
> [  253.682859] Stack:
> [  253.682863]  010000000000a000 0001000000000063 000000008867f918 ffff88042ca83af0
> [  253.682866]  ffff880429d8fe38 ffffffff81052c2f ffff88043ec113c0 000000003ec113c0
> [  253.682869]  ffff88043ec113c0 ffff88043ec113e8 ffff88042e330050 ffff88042c885eb0
> [  253.682870] Call Trace:
> [  253.682878]  [<ffffffff81052c2f>] process_one_work+0x14f/0x400
> [  253.682882]  [<ffffffff81053423>] worker_thread+0x63/0x540
> [  253.682886]  [<ffffffff810533c0>] ? create_and_start_worker+0x60/0x60
> [  253.682889]  [<ffffffff81059038>] kthread+0xe8/0x100
> [  253.682893]  [<ffffffff81058f50>] ? kthread_create_on_node+0x1b0/0x1b0
> [  253.682897]  [<ffffffff815323ec>] ret_from_fork+0x7c/0xb0
> [  253.682900]  [<ffffffff81058f50>] ? kthread_create_on_node+0x1b0/0x1b0

Alright, this supports my original hunch. I think I see the race. Could 
you please try the patch below? Thanks.

Comments

Dylan Alex Simon Sept. 3, 2014, 8:17 a.m. UTC | #1 
From Jiri Kosina <jkosina@suse.cz>, Wed, Sep 03, 2014 at 09:29:07AM +0200:
> On Tue, 2 Sep 2014, Dylan Alex Simon wrote:
> 
> > Some combination of kernel debugging options and killing processes let it
> > survive long enough to write the backtrace to disk.  A simple modprobe/rmmod
> > wasn't enough, though, it required a few tries removing the device and then
> > rmmod (though has definitely happend on just one removal before).  Let me know
> > if there's anything else I can try.
> 
> Alright, this supports my original hunch. I think I see the race. Could 
> you please try the patch below? Thanks.
> 
> 
> 
> 
> diff --git a/drivers/hid/hid-thingm.c b/drivers/hid/hid-thingm.c
> index 134be89..743a517 100644
> --- a/drivers/hid/hid-thingm.c
> +++ b/drivers/hid/hid-thingm.c
> @@ -208,7 +208,7 @@ unregister_red:
>  
>  static void thingm_remove_rgb(struct thingm_rgb *rgb)
>  {
> -	flush_work(&rgb->work);
> +	cancel_work_sync(&rgb->work);
>  	led_classdev_unregister(&rgb->red.ldev);
>  	led_classdev_unregister(&rgb->green.ldev);
>  	led_classdev_unregister(&rgb->blue.ldev);

Same problem (only rmmod this time, no write error, but still
doesn't happen every time):

[  213.180726] thingm 0003:27B8:01ED.0004: hidraw3: USB HID v1.01 Device [ThingM blink(1) mk2] on usb-0000:00:12.2-3.1.4/input0
<rmmod>
[  217.399934] BUG: unable to handle kernel paging request at ffffffffa00aa0cf
[  217.400034] IP:
[  217.400038]  [<ffffffffa00aa0cf>] 0xffffffffa00aa0cf
[  217.400039] PGD 1814067 
[  217.400040] PUD 1815063 
[  217.400044] PMD 42c266067 PTE 0
[  217.400048] Oops: 0010 [#1] SMP 
[  217.400057] Modules linked in: led_class cuse fuse snd_emu10k1 snd_hwdep snd_util_mem snd_ac97_codec ac97_bus snd_rawmidi snd_seq_device snd_pcm snd_timer ipt_ULOG [last unloaded: hid_thingm]
[  217.400061] CPU: 1 PID: 749 Comm: kworker/1:2 Not tainted 3.16.1-00001-g98fed6d-dirty #146
[  217.400063] Hardware name: empty empty/S8010-LE, BIOS 'V2.03B   ' 03/15/2012
[  217.400066] Workqueue: events 0xffffffffa00aa040
[  217.400068] task: ffff88042df88790 ti: ffff8800bb9e4000 task.ti: ffff8800bb9e4000
[  217.400072] RIP: 0010:[<ffffffffa00aa0cf>]  [<ffffffffa00aa0cf>] 0xffffffffa00aa0cf
[  217.400073] RSP: 0018:ffff8800bb9e7dd0  EFLAGS: 00010286
[  217.400075] RAX: 0000000000000009 RBX: ffff88042c285af0 RCX: 0000000000000302
[  217.400077] RDX: 0000000000000078 RSI: 0000000000000286 RDI: ffff88042d0e1a80
[  217.400078] RBP: ffff8800bb9e7df0 R08: ffff8804ad0e1a80 R09: 0000000000000282
[  217.400079] R10: 0000000000000001 R11: 000000002c95c8ba R12: ffff88042c8b0580
[  217.400081] R13: 0000000000000000 R14: ffff88043ec54e00 R15: ffff88043ec513c0
[  217.400087] FS:  00007f02217fc700(0000) GS:ffff88043ec40000(0000) knlGS:0000000000000000
[  217.400089] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  217.400091] CR2: ffffffffa00aa0cf CR3: 000000042af90000 CR4: 00000000000407e0
[  217.400091] Stack:
[  217.400096]  010000000000a000 0001000000000063 000000000ba997f6 ffff88042c285af0
[  217.400099]  ffff8800bb9e7e38 ffffffff81052c2f ffff88043ec513c0 000000003ec513c0
[  217.400104]  ffff88043ec513c0 ffff88043ec513e8 ffff88042df88790 ffff88042c8b05b0
[  217.400105] Call Trace:
[  217.400114]  [<ffffffff81052c2f>] process_one_work+0x14f/0x400
[  217.400120]  [<ffffffff81053423>] worker_thread+0x63/0x540
[  217.400125]  [<ffffffff810533c0>] ? create_and_start_worker+0x60/0x60
[  217.400130]  [<ffffffff81059038>] kthread+0xe8/0x100
[  217.400136]  [<ffffffff8152de24>] ? schedule+0x24/0x60
[  217.400144]  [<ffffffff81058f50>] ? kthread_create_on_node+0x1b0/0x1b0
[  217.400149]  [<ffffffff815323ec>] ret_from_fork+0x7c/0xb0
[  217.400153]  [<ffffffff81058f50>] ? kthread_create_on_node+0x1b0/0x1b0
[  217.400159] Code:  Bad RIP value.
[  217.400163] RIP  [<ffffffffa00aa0cf>] 0xffffffffa00aa0cf
[  217.400164]  RSP <ffff8800bb9e7dd0>
[  217.400165] CR2: ffffffffa00aa0cf
[  217.400168] ---[ end trace 9bd9c9db3e942a93 ]---
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/hid/hid-thingm.c b/drivers/hid/hid-thingm.c
index 134be89..743a517 100644
--- a/drivers/hid/hid-thingm.c
+++ b/drivers/hid/hid-thingm.c
@@ -208,7 +208,7 @@  unregister_red:
 
 static void thingm_remove_rgb(struct thingm_rgb *rgb)
 {
-	flush_work(&rgb->work);
+	cancel_work_sync(&rgb->work);
 	led_classdev_unregister(&rgb->red.ldev);
 	led_classdev_unregister(&rgb->green.ldev);
 	led_classdev_unregister(&rgb->blue.ldev);