On Sat, Nov 26, 2005 at 04:01:06PM -0500, Alan Stern wrote:
> On Sat, 26 Nov 2005, Ville Syrjälä wrote:
> > Doing rmmod/insmod or unplug/plug a few times causes kernel oopses. A
> > simple usb test module which does nothing but register/unregister an
> > input device in the probe()/disconnect() callbacks exhibits the same
> > behaviour. I'm running 2.6.14-mm1 currently. Are there know problems
> > with that kernel that could cause the oopses?
>
> If they were known, they'd be fixed. :-)
>
> Can you post an example of a very simple test driver along with a kernel
> log showing the oops messages? Try using 2.6.15-rc2 or something similar.
When I tried to reproduce the oops the box would just hang and when I
eventually got oopses out of it they didn't seem very consistent.
The usbtest module source code is at the end of this message.
So I just compiled 2.6.15-rc2 with some debug options turned on and used
a serial console to get this trace.
usbcore: registered new driver usbfs
usbcore: registered new driver hub
USB Universal Host Controller Interface driver v2.3
ACPI: PCI Interrupt 0000:00:1d.0[A] -> Link [LNKA] -> GSI 10 (level, low) ->
IRQ 10
uhci_hcd 0000:00:1d.0: UHCI Host Controller
uhci_hcd 0000:00:1d.0: new USB bus registered, assigned bus number 1
uhci_hcd 0000:00:1d.0: irq 10, io base 0x00001800
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
usbcore: registered new driver usbtest
usb 1-1: new full speed USB device using uhci_hcd and address 2
input: usbtest as /class/input/input1
input: usbtest as /class/input/input2
usb 1-1: USB disconnect, address 2
slab error in cache_free_debugcheck(): cache `size-2048': double free, or
memory outside object was overwritten
[<c01036f7>] dump_stack+0x17/0x20
[<c013e066>] __slab_error+0x26/0x30
[<c013fc9a>] cache_free_debugcheck+0x1aa/0x220
[<c0140771>] kfree+0x51/0x90
[<d080d034>] usbtest_delete+0x14/0x20 [usbtest]
[<d080d1cb>] usbtest_disconnect+0x1b/0x20 [usbtest]
[<d084017c>] usb_unbind_interface+0x7c/0x80 [usbcore]
[<c0246168>] __device_release_driver+0x78/0x80
[<c0246198>] device_release_driver+0x28/0x40
[<c0245955>] bus_remove_device+0x55/0x70
[<c02448bf>] device_del+0x3f/0x80
[<d08480af>] usb_disable_device+0xcf/0x100 [usbcore]
[<d0842a6d>] usb_disconnect+0xad/0x140 [usbcore]
[<d0843efc>] hub_port_connect_change+0x37c/0x3a0 [usbcore]
[<d08441be>] hub_events+0x29e/0x3e0 [usbcore]
[<d0844315>] hub_thread+0x15/0xf0 [usbcore]
[<c012a73d>] kthread+0x9d/0xb0
[<c01013ed>] kernel_thread_helper+0x5/0x18
cfa3a0a8: redzone 1: 0x5a2cf071, redzone 2: 0x5a2cf071.
slab error in cache_free_debugcheck(): cache `size-2048': double free, or
memory outside object was overwritten
[<c01036f7>] dump_stack+0x17/0x20
[<c013e066>] __slab_error+0x26/0x30
[<c013fc9a>] cache_free_debugcheck+0x1aa/0x220
[<c0140771>] kfree+0x51/0x90
[<d080d034>] usbtest_delete+0x14/0x20 [usbtest]
[<d080d1cb>] usbtest_disconnect+0x1b/0x20 [usbtest]
[<d084017c>] usb_unbind_interface+0x7c/0x80 [usbcore]
[<c0246168>] __device_release_driver+0x78/0x80
[<c0246198>] device_release_driver+0x28/0x40
[<c0245955>] bus_remove_device+0x55/0x70
[<c02448bf>] device_del+0x3f/0x80
[<d08480af>] usb_disable_device+0xcf/0x100 [usbcore]
[<d0842a6d>] usb_disconnect+0xad/0x140 [usbcore]
[<d0843efc>] hub_port_connect_change+0x37c/0x3a0 [usbcore]
[<d08441be>] hub_events+0x29e/0x3e0 [usbcore]
[<d0844315>] hub_thread+0x15/0xf0 [usbcore]
[<c012a73d>] kthread+0x9d/0xb0
[<c01013ed>] kernel_thread_helper+0x5/0x18
cfa3a8b4: redzone 1: 0x5a2cf071, redzone 2: 0x5a2cf071.
slab: double free detected in cache 'size-2048', objp cfa3a0a8
------------[ cut here ]------------
kernel BUG at mm/slab.c:2656!
invalid operand: 0000 [#1]
PREEMPT
Modules linked in: usbtest uhci_hcd usbcore
CPU: 0
EIP: 0060:[<c01402a7>] Not tainted VLI
EFLAGS: 00010086 (2.6.15-rc2)
EIP is at free_block+0xb7/0x170
eax: 00000045 ebx: cfa3a080 ecx: 00000000 edx: 00000001
esi: c127ea1c edi: 00000000 ebp: cff0aef4 esp: cff0aec0
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 4, threadinfo=cff0a000 task=cff09a70)
Stack: c02e1a00 c02e0a9d cfa3a0a8 c013b3f1 cfa3a09c cfa3a0a8 00000004 00000005
c127a254 c127fa80 c127a254 c127a234 00000005 cff0af10 c0140c3c 00000000
c127fa80 c127eac4 c127fa80 c127ea1c cff0af3c c0140cdb 00000000 c127eac4
Call Trace:
[<c01036ca>] show_stack+0x7a/0x90
[<c0103858>] show_registers+0x158/0x1c0
[<c0103a4f>] die+0xdf/0x160
[<c02c554f>] do_trap+0x9f/0xb0
[<c0103da9>] do_invalid_op+0xa9/0xc0
[<c010338f>] error_code+0x4f/0x54
[<c0140c3c>] drain_array_locked+0x7c/0xa0
[<c0140cdb>] cache_reap+0x7b/0x1b0
[<c012664a>] worker_thread+0x17a/0x210
[<c012a73d>] kthread+0x9d/0xb0
[<c01013ed>] kernel_thread_helper+0x5/0x18
Code: 00 00 8d 43 1c 89 45 dc 83 3c b8 fe 74 25 8b 55 e0 8b 4d f0 89 54 24 08
8b 41 58 c7 04 24 00 1a 2e c0 89 44 24 04 e8 f9 73 fd ff <0f> 0b 60 0a df 09 2e
c0 8b 55 dc 8b 43 14 89 04 ba 89 da 89 7b
<6>note: events/0[4] exited with preempt_count 1
#include <linux/usb_input.h>
static struct usb_device_id usbtest_id_table[] = {
{ USB_DEVICE(0x0471, 0x0602) },
{ }
};
MODULE_DEVICE_TABLE(usb, usbtest_id_table);
struct usbtest {
struct input_dev *idev;
struct usb_device *udev;
char name[64];
char phys[64];
};
static int usbtest_probe(struct usb_interface *interface, const struct
usb_device_id *id);
static void usbtest_disconnect(struct usb_interface *interface);
static struct usb_driver usbtest_driver = {
.owner = THIS_MODULE,
.name = "usbtest",
.probe = usbtest_probe,
.disconnect = usbtest_disconnect,
.id_table = usbtest_id_table,
};
static int usbtest_open(struct input_dev *idev)
{
return 0;
}
static void usbtest_close(struct input_dev *idev)
{
}
static void usbtest_delete(struct usbtest *ut)
{
input_unregister_device(ut->idev);
input_free_device(ut->idev);
kfree(ut);
}
static int usbtest_input_init(struct usbtest *ut)
{
struct input_dev *idev;
idev = input_allocate_device();
if (!idev)
return -ENOMEM;
ut->idev = idev;
idev->private = ut;
idev->evbit[0] = BIT(EV_KEY);
idev->open = usbtest_open;
idev->close = usbtest_close;
idev->name = ut->name;
idev->phys = ut->phys;
usb_to_input_id(ut->udev, &idev->id);
idev->cdev.dev = &ut->udev->dev;
idev->rep[REP_DELAY] = 250;
idev->rep[REP_PERIOD] = 50;
return input_register_device(idev);
}
static int usbtest_probe(struct usb_interface *interface, const struct
usb_device_id *id)
{
struct usb_device *udev = interface_to_usbdev(interface);
struct usbtest *ut;
int r;
ut = kzalloc(sizeof (struct usbtest), GFP_KERNEL);
if (!ut)
return -ENOMEM;
ut->udev = udev;
usb_make_path(udev, ut->phys, sizeof(ut->phys));
strlcat(ut->phys, "/input0", sizeof(ut->phys));
strlcat(ut->name, "usbtest", sizeof(ut->name));
r = usbtest_input_init(ut);
if (r)
goto error;
usb_set_intfdata(interface, ut);
return 0;
error:
usbtest_delete(ut);
return r;
}
static void usbtest_disconnect(struct usb_interface *interface)
{
struct usbtest *ut = usb_get_intfdata(interface);
usb_set_intfdata(interface, NULL);
usbtest_delete(ut);
}
static int __init usbtest_init(void)
{
int r;
r = usb_register(&usbtest_driver);
if (r)
printk(KERN_ERR "usbtest: usb_register() = %d\n", r);
return r;
}
static void __exit usbtest_exit(void)
{
usb_deregister(&usbtest_driver);
}
module_init(usbtest_init);
module_exit(usbtest_exit);
MODULE_AUTHOR("usbtest");
MODULE_DESCRIPTION("usbtest");
MODULE_VERSION("001");
MODULE_LICENSE("GPL");
--
Ville Syrjälä
[EMAIL PROTECTED]
http://www.sci.fi/~syrjala/
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37&alloc_id�865&op=click
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel
