Re: PROBLEM: Oops when deactivating gadget serial driver

Hi,

For me, it is always reproducible when CONFIG_U_SERIAL_CONSOLE is enabled.
But I think that GDB is misleading; it has probably nothing to do with
gs_buf_free(). For me, it looks like the real problem is that in
gserial_console_exit(), kthread_stop() is called on the (in my case)
uninitialised variable gscons_info.console_thread. I am going to propose
a fix.

Regards
Felix

> Hello,
>
> In 4.8.6 and 4.9-rc5, the gadget serial driver crashes during
> deinitialisation when compiled with CONFIG_U_SERIAL_CONSOLE.
>
> Steps to reproduce:
> modprobe g-serial
> rmmod g-serial
>
> The problem also occurs when using configfs, when the UDC is unbound.
>
> It does not make a difference if I use my PLX3380 (driver net2280) as
> UDC, or dummy-hcd.
>
>
> Excerpt from dmesg output (complete output see below):
>
> [ 75.705246] BUG: unable to handle kernel
> [ 75.751165] NULL pointer dereference
> [ 75.791826] at 0018
> [ 75.814807] IP: [] kthread_stop+0x16/0x110
> [ 75.882611] PGD 0
> [ 75.922339] Oops: 0002 [#1] SMP
> [ 75.959880] Modules linked in: cdc_acm usb_f_acm u_serial g_serial(-) libcomposite configfs dummy_hcd bnep nls_ascii nls_cp437 vfat fat intel_rapl x86_pkg_temp_thermal coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev xpad ff_memless media joydev snd_hda_codec_hdmi snd_usb_audio snd_usbmidi_lib snd_hda_codec_realtek btusb btrtl efi_pstore btbcm snd_hda_codec_generic btintel bluetooth serio_raw rfkill crc16 efivars snd_hda_intel sg snd_hda_codec snd_hda_core snd_hwdep snd_seq_midi snd_seq_midi_event snd_pcm_oss snd_rawmidi snd_mixer_oss udc_core snd_pcm snd_seq snd_seq_device lpc_ich snd_timer mfd_core snd soundcore battery
> [ 76.816163] nuvoton_cir rc_core mei_me mei evdev intel_smartconnect shpchp ie31200_edac tpm_tis tpm_tis_core tpm edac_core parport_pc ppdev lp parport efivarfs autofs4 btrfs xor raid6_pq hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid uas usb_storage sr_mod cdrom sd_mod nouveau ahci libahci i915 crc32c_intel libata ttm i2c_algo_bit ehci_pci xhci_pci psmouse xhci_hcd drm_kms_helper ehci_hcd scsi_mod r8169 mii usbcore drm nvme nvme_core fjes button [last unloaded: net2280]
> [ 77.316999] CPU: 2 PID: 853 Comm: rmmod Not tainted 4.9.0-rc5 #3
> [ 77.388856] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Extreme3, BIOS P1.50 07/11/2013
> [ 77.506474] task: 880419f6a100 task.stack: c90002e8c000
> [ 77.577292] RIP: 0010:[] [] kthread_stop+0x16/0x110
> [ 77.674214] RSP: 0018:c90002e8fdb0 EFLAGS: 00010286
> [ 77.737754] RAX: 0001 RBX: RCX:
> [ 77.823133] RDX: 0001 RSI: 0246 RDI:
> [ 77.908513] RBP: c90002e8fdc8 R08: R09: 0001
> [ 77.993892] R10: 019d R11: 001f R12:
> [ 78.079271] R13: 88041b8d8400 R14: 0001 R15: 55fd59f5a1e0
> [ 78.164649] FS: 7f82500be700() GS:88042f28() knlGS:
> [ 78.261467] CS: 0010 DS: ES: CR0: 80050033
> [ 78.330206] CR2: 0018 CR3: 00041bee2000 CR4: 001406e0
> [ 78.415586] Stack:
> [ 78.439609] c0b8e720 88041b8d8400 c90002e8fdf0
> [ 78.528522] c0b8bb52 88041a106300 0001 880419fc2ea8
> [ 78.617436] c90002e8fe08 c0aed749 c0aef600 c90002e8fe20
> [ 78.706350] Call Trace:
> [ 78.735579] [] gserial_free_line+0x72/0xb0 [u_serial]
> [ 78.815758] [] acm_free_instance+0x19/0x30 [usb_f_acm]
> [ 78.896978] [] usb_put_function_instance+0x20/0x30 [libcomposite]
> [ 78.989634] [] gs_unbind+0x3b/0x70 [g_serial]
> [ 79.061493] [] __composite_unbind+0x61/0xb0 [libcomposite]
> [ 79.146872] [] composite_unbind+0x13/0x20 [libcomposite]
> [ 79.230172] [] usb_gadget_remove_driver+0x3d/0x90 [udc_core]
> [ 79.317632] [] usb_gadget_unregister_driver+0x6e/0xc0 [udc_core]
> [ 79.409248] [] usb_composite_unregister+0x12/0x20 [libcomposite]
> [ 79.500866] [] cleanup+0x10/0xda8 [g_serial]
> [ 79.571685] [] SyS_delete_module+0x192/0x270
> [ 79.642508] [] ? exit_to_usermode_loop+0x90/0xb0
> [ 79.717486] [] entry_SYSCALL_64_fastpath+0x1e/0xad
> [ 79.794543] Code: 89 c6 e8 6e ff ff ff 48 89 df e8 06 bd fd ff 5b 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 fc 53 0f 1f 44 00 00 41 ff 44 24 18 4c 89 e7 e8 bc f1 ff ff 48 85 c0 48 89 c3 74
> [ 80.027071] RIP [] kthread_stop+0x16/0x110
> [ 80.095915] RSP
> [ 80.137617] CR2: 0018
> [ 80.177270] ---[ end trace 5b3336a407e1698c ]---
>
>
> (gdb) list *(gserial_free_line+0x72)
> 0x1b
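Felix's diagnosis above is a teardown path calling kthread_stop() on a thread handle that was never set, which is consistent with the oops faulting at a small offset from NULL (CR2: 0018) inside kthread_stop(), since the kernel's kthread_stop() dereferences the task to take a reference on it before anything else. The userspace C model below is an added illustration of that failure mode and of the usual guard against it; it is not code from this thread or from the kernel's u_serial driver. The struct and function names (console_info, fake_kthread_run, fake_kthread_stop, console_exit_unguarded, console_exit_guarded, run_scenario, run_double_exit) are constructed for the example, and ERR_PTR/IS_ERR_OR_NULL are re-implemented here to mirror the kernel's convention that a failed kthread_run() returns an encoded errno rather than NULL.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a kernel task handle. In the kernel, kthread_stop()
 * first takes a reference on the task, so a NULL handle faults at a small
 * offset, which is the shape of the oops reported in the thread. */
struct task_struct {
    int usage;
    bool should_stop;
};

/* Re-implementation of the kernel's ERR_PTR / IS_ERR_OR_NULL convention. */
#define MAX_ERRNO 4095UL
static void *ERR_PTR(long err) { return (void *)err; }
static bool IS_ERR_OR_NULL(const void *p)
{
    return p == NULL || (unsigned long)p >= (unsigned long)-MAX_ERRNO;
}

/* Hypothetical console state, modelled on the gscons_info pattern described
 * in the thread: console_thread stays zero unless init actually starts it. */
struct console_info {
    struct task_struct *console_thread;
};

/* Stand-in for kthread_run(); fails with -ENOMEM when told to. */
static struct task_struct *fake_kthread_run(bool fail)
{
    struct task_struct *t;
    if (fail)
        return ERR_PTR(-ENOMEM);
    t = calloc(1, sizeof(*t));
    if (!t)
        return ERR_PTR(-ENOMEM);
    t->usage = 1;
    return t;
}

/* Stand-in for kthread_stop(): returns -EFAULT where the kernel would oops. */
static int fake_kthread_stop(struct task_struct *t)
{
    if (!t)
        return -EFAULT;  /* the NULL dereference from the report */
    t->usage++;          /* get_task_struct() */
    t->should_stop = true;
    t->usage--;          /* put_task_struct() */
    free(t);
    return 0;
}

/* Init: 0 on success, negative errno on failure. On failure the thread handle
 * is deliberately left untouched, which is the state the exit path then hits. */
static int console_init(struct console_info *info, bool thread_fails)
{
    struct task_struct *t = fake_kthread_run(thread_fails);
    if (IS_ERR_OR_NULL(t))
        return -ENOMEM;
    info->console_thread = t;
    return 0;
}

/* Unguarded teardown: stops the thread unconditionally. */
static int console_exit_unguarded(struct console_info *info)
{
    int ret = fake_kthread_stop(info->console_thread);
    info->console_thread = NULL;
    return ret;
}

/* Guarded teardown: stop only a thread that was actually started, and clear
 * the handle so a repeated exit is a no-op instead of a double stop. */
static int console_exit_guarded(struct console_info *info)
{
    int ret;
    if (IS_ERR_OR_NULL(info->console_thread))
        return 0;
    ret = fake_kthread_stop(info->console_thread);
    info->console_thread = NULL;
    return ret;
}

/* Runs init (optionally failing) followed by one exit; returns the exit result. */
static int run_scenario(bool thread_fails, bool guarded)
{
    struct console_info info = { 0 };
    (void)console_init(&info, thread_fails);
    return guarded ? console_exit_guarded(&info) : console_exit_unguarded(&info);
}

/* Runs a successful init followed by two exits; returns the second exit's result. */
static int run_double_exit(bool guarded)
{
    struct console_info info = { 0 };
    (void)console_init(&info, false);
    if (guarded) {
        console_exit_guarded(&info);
        return console_exit_guarded(&info);
    }
    console_exit_unguarded(&info);
    return console_exit_unguarded(&info);
}

int main(void)
{
    printf("unguarded exit after failed init: %d\n", run_scenario(true, false));
    printf("guarded exit after failed init:   %d\n", run_scenario(true, true));
    printf("second unguarded exit:            %d\n", run_double_exit(false));
    printf("second guarded exit:              %d\n", run_double_exit(true));
    return 0;
}
```

The guard checks IS_ERR_OR_NULL rather than just NULL because kthread_run() reports failure through an ERR_PTR, and a driver that stored that error value would otherwise pass a non-NULL garbage pointer to kthread_stop(). Clearing the handle after the stop is what makes the exit path safe to reach twice, for instance from both a module cleanup and a configfs unbind.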
Re: PROBLEM: Oops when deactivating gadget serial driver

On Wed, Nov 16, 2016 at 12:15:34AM +0100, Felix Hädicke wrote:
> Hello,
>
> In 4.8.6 and 4.9-rc5, the gadget serial driver crashes during
> deinitialisation when compiled with CONFIG_U_SERIAL_CONSOLE.
>
> Steps to reproduce:
> modprobe g-serial
> rmmod g-serial
>
> The problem also occurs when using configfs, when the UDC is unbound.
>
> It does not make a difference if I use my PLX3380 (driver net2280) as
> UDC, or dummy-hcd.
>

I have tried v4.9-rc3 on an NXP i.MX platform, and do not reproduce it,
no matter whether the line is connected or not.

root@imx6qdlsolo:~# modprobe g_serial
[ 80.394264] g_serial gadget: Gadget Serial v2.4
[ 80.398844] g_serial gadget: g_serial ready
root@imx6qdlsolo:~#
root@imx6qdlsolo:~#
root@imx6qdlsolo:~# [ 90.685049] g_serial gadget: high-speed config #2: CDC ACM config
root@imx6qdlsolo:~# modprobe -r g_serial
root@imx6qdlsolo:~#
root@imx6qdlsolo:~#
root@imx6qdlsolo:~# modprobe g_serial
[ 98.787081] g_serial gadget: Gadget Serial v2.4
[ 98.791679] g_serial gadget: g_serial ready
root@imx6qdlsolo:~# [ 99.238035] g_serial gadget: high-speed config #2: CDC ACM config
root@imx6qdlsolo:~#
root@imx6qdlsolo:~# modprobe -r g_serial
root@imx6qdlsolo:~#
root@imx6qdlsolo:~# modprobe g_serial
[ 106.474225] g_serial gadget: Gadget Serial v2.4
[ 106.478804] g_serial gadget: g_serial ready
root@imx6qdlsolo:~# modprobe -r g_serial
root@imx6qdlsolo:~# modprobe g_serial
[ 109.219829] g_serial gadget: Gadget Serial v2.4
[ 109.224476] g_serial gadget: g_serial ready
root@imx6qdlsolo:~# [ 112.667040] g_serial gadget: high-speed config #2: CDC ACM config
root@imx6qdlsolo:~#
root@imx6qdlsolo:~# cat /proc/version
Linux version 4.9.0-rc3-00079-g4b75f1d (b29397@b29397-desktop) (gcc version 5.3.0 (GCC) ) #1210 SMP Tue Nov 15 13:45:54 CST 2016
root@imx6qdlsolo:~# modprobe -r g_serial
root@imx6qdlsolo:~# modprobe g_serial
[ 519.882929] g_serial gadget: Gadget Serial v2.4
[ 519.887653] g_serial gadget: g_serial ready
root@imx6qdlsolo:~# [ 520.355520] g_serial gadget: high-speed config #2: CDC ACM config

>
> Excerpt from dmesg output (complete output see below):
>
> [ 75.705246] BUG: unable to handle kernel
> [ 75.751165] NULL pointer dereference
> [ 75.791826] at 0018
> [ 75.814807] IP: [] kthread_stop+0x16/0x110
> [ 75.882611] PGD 0
> [ 75.922339] Oops: 0002 [#1] SMP
> [ 75.959880] Modules linked in: cdc_acm usb_f_acm u_serial g_serial(-) libcomposite configfs dummy_hcd bnep nls_ascii nls_cp437 vfat fat intel_rapl x86_pkg_temp_thermal coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev xpad ff_memless media joydev snd_hda_codec_hdmi snd_usb_audio snd_usbmidi_lib snd_hda_codec_realtek btusb btrtl efi_pstore btbcm snd_hda_codec_generic btintel bluetooth serio_raw rfkill crc16 efivars snd_hda_intel sg snd_hda_codec snd_hda_core snd_hwdep snd_seq_midi snd_seq_midi_event snd_pcm_oss snd_rawmidi snd_mixer_oss udc_core snd_pcm snd_seq snd_seq_device lpc_ich snd_timer mfd_core snd soundcore battery
> [ 76.816163] nuvoton_cir rc_core mei_me mei evdev intel_smartconnect shpchp ie31200_edac tpm_tis tpm_tis_core tpm edac_core parport_pc ppdev lp parport efivarfs autofs4 btrfs xor raid6_pq hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid uas usb_storage sr_mod cdrom sd_mod nouveau ahci libahci i915 crc32c_intel libata ttm i2c_algo_bit ehci_pci xhci_pci psmouse xhci_hcd drm_kms_helper ehci_hcd scsi_mod r8169 mii usbcore drm nvme nvme_core fjes button [last unloaded: net2280]
> [ 77.316999] CPU: 2 PID: 853 Comm: rmmod Not tainted 4.9.0-rc5 #3
> [ 77.388856] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Extreme3, BIOS P1.50 07/11/2013
> [ 77.506474] task: 880419f6a100 task.stack: c90002e8c000
> [ 77.577292] RIP: 0010:[] [] kthread_stop+0x16/0x110
> [ 77.674214] RSP: 0018:c90002e8fdb0 EFLAGS: 00010286
> [ 77.737754] RAX: 0001 RBX: RCX:
> [ 77.823133] RDX: 0001 RSI: 0246 RDI:
> [ 77.908513] RBP: c90002e8fdc8 R08: R09: 0001
> [ 77.993892] R10: 019d R11: 001f R12:
> [ 78.079271] R13: 88041b8d8400 R14: 0001 R15: 55fd59f5a1e0
> [ 78.164649] FS: 7f82500be700() GS:88042f28() knlGS:
> [ 78.261467] CS: 0010 DS: ES: CR0: 80050033
> [ 78.330206] CR2: 0018 CR3: 00041bee2000 CR4: 001406e0
> [ 78.415586] Stack:
> [ 78.439609] c0b8e720 88041b8d8400 c90002e8fdf0
> [ 78.528522] c0b8bb52 88041a106300 0001 880419fc2ea8
> [ 78.617436] c90002e8fe08
PROBLEM: Oops when deactivating gadget serial driver

Hello,

In 4.8.6 and 4.9-rc5, the gadget serial driver crashes during
deinitialisation when compiled with CONFIG_U_SERIAL_CONSOLE.

Steps to reproduce:
modprobe g-serial
rmmod g-serial

The problem also occurs when using configfs, when the UDC is unbound.

It does not make a difference if I use my PLX3380 (driver net2280) as
UDC, or dummy-hcd.


Excerpt from dmesg output (complete output see below):

[ 75.705246] BUG: unable to handle kernel
[ 75.751165] NULL pointer dereference
[ 75.791826] at 0018
[ 75.814807] IP: [] kthread_stop+0x16/0x110
[ 75.882611] PGD 0
[ 75.922339] Oops: 0002 [#1] SMP
[ 75.959880] Modules linked in: cdc_acm usb_f_acm u_serial g_serial(-) libcomposite configfs dummy_hcd bnep nls_ascii nls_cp437 vfat fat intel_rapl x86_pkg_temp_thermal coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev xpad ff_memless media joydev snd_hda_codec_hdmi snd_usb_audio snd_usbmidi_lib snd_hda_codec_realtek btusb btrtl efi_pstore btbcm snd_hda_codec_generic btintel bluetooth serio_raw rfkill crc16 efivars snd_hda_intel sg snd_hda_codec snd_hda_core snd_hwdep snd_seq_midi snd_seq_midi_event snd_pcm_oss snd_rawmidi snd_mixer_oss udc_core snd_pcm snd_seq snd_seq_device lpc_ich snd_timer mfd_core snd soundcore battery
[ 76.816163] nuvoton_cir rc_core mei_me mei evdev intel_smartconnect shpchp ie31200_edac tpm_tis tpm_tis_core tpm edac_core parport_pc ppdev lp parport efivarfs autofs4 btrfs xor raid6_pq hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid uas usb_storage sr_mod cdrom sd_mod nouveau ahci libahci i915 crc32c_intel libata ttm i2c_algo_bit ehci_pci xhci_pci psmouse xhci_hcd drm_kms_helper ehci_hcd scsi_mod r8169 mii usbcore drm nvme nvme_core fjes button [last unloaded: net2280]
[ 77.316999] CPU: 2 PID: 853 Comm: rmmod Not tainted 4.9.0-rc5 #3
[ 77.388856] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Extreme3, BIOS P1.50 07/11/2013
[ 77.506474] task: 880419f6a100 task.stack: c90002e8c000
[ 77.577292] RIP: 0010:[] [] kthread_stop+0x16/0x110
[ 77.674214] RSP: 0018:c90002e8fdb0 EFLAGS: 00010286
[ 77.737754] RAX: 0001 RBX: RCX:
[ 77.823133] RDX: 0001 RSI: 0246 RDI:
[ 77.908513] RBP: c90002e8fdc8 R08: R09: 0001
[ 77.993892] R10: 019d R11: 001f R12:
[ 78.079271] R13: 88041b8d8400 R14: 0001 R15: 55fd59f5a1e0
[ 78.164649] FS: 7f82500be700() GS:88042f28() knlGS:
[ 78.261467] CS: 0010 DS: ES: CR0: 80050033
[ 78.330206] CR2: 0018 CR3: 00041bee2000 CR4: 001406e0
[ 78.415586] Stack:
[ 78.439609] c0b8e720 88041b8d8400 c90002e8fdf0
[ 78.528522] c0b8bb52 88041a106300 0001 880419fc2ea8
[ 78.617436] c90002e8fe08 c0aed749 c0aef600 c90002e8fe20
[ 78.706350] Call Trace:
[ 78.735579] [] gserial_free_line+0x72/0xb0 [u_serial]
[ 78.815758] [] acm_free_instance+0x19/0x30 [usb_f_acm]
[ 78.896978] [] usb_put_function_instance+0x20/0x30 [libcomposite]
[ 78.989634] [] gs_unbind+0x3b/0x70 [g_serial]
[ 79.061493] [] __composite_unbind+0x61/0xb0 [libcomposite]
[ 79.146872] [] composite_unbind+0x13/0x20 [libcomposite]
[ 79.230172] [] usb_gadget_remove_driver+0x3d/0x90 [udc_core]
[ 79.317632] [] usb_gadget_unregister_driver+0x6e/0xc0 [udc_core]
[ 79.409248] [] usb_composite_unregister+0x12/0x20 [libcomposite]
[ 79.500866] [] cleanup+0x10/0xda8 [g_serial]
[ 79.571685] [] SyS_delete_module+0x192/0x270
[ 79.642508] [] ? exit_to_usermode_loop+0x90/0xb0
[ 79.717486] [] entry_SYSCALL_64_fastpath+0x1e/0xad
[ 79.794543] Code: 89 c6 e8 6e ff ff ff 48 89 df e8 06 bd fd ff 5b 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 fc 53 0f 1f 44 00 00 41 ff 44 24 18 4c 89 e7 e8 bc f1 ff ff 48 85 c0 48 89 c3 74
[ 80.027071] RIP [] kthread_stop+0x16/0x110
[ 80.095915] RSP
[ 80.137617] CR2: 0018
[ 80.177270] ---[ end trace 5b3336a407e1698c ]---


(gdb) list *(gserial_free_line+0x72)
0x1b52 is in gserial_free_line (drivers/usb/gadget/function/u_serial.c:187).
182	 *
183	 * Free the buffer and all associated memory.
184	 */
185	static void gs_buf_free(struct gs_buf *gb)
186	{
187		kfree(gb->buf_buf);
188		gb->buf_buf = NULL;
189	}
190
191	/*


Complete dmesg output:

[0.00] Linux version 4.9.0-rc5 (root@han) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #3 SMP Tue Nov 15 22:38:23 UTC 2016
[0.00] Command line: BOOT_IMAGE=/boot/vmlinuz-4.9.0-rc5 root=UUID=97b8d297-4ca3-40ad-b9c3-ba803