Ticket #2240 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

removing/reloading g_ether not working

Reported by: frankmpunkt Owned by: openmoko-devel
Priority: high Milestone:
Component: unknown Version: unspecified
Severity: normal Keywords:
Cc: Blocked By:
Blocking: Estimated Completion (week):
HasPatchForReview: yes PatchReviewResult: positive
Reproducible: always

Description

The problem has already been recognized long ago:
https://docs.openmoko.org/trac/ticket/15 . This defect has been marked to be fixed later. Now, two years later the same problem still occurs when doing

ifconfig usb0 down
rmmod g_ether
modprobe g_ether

I'd like to switch between different USB Gadgets easily. But with this bug it's even impossible to reboot properly.

Attachments

s3c2410_udc-do-unbind.patch (431 bytes) - added by lindi 4 years ago.
call unbind() from usb_gadget_unregister_driver of s3c2410_udc.c

Change History

comment:1 Changed 4 years ago by lindi

I can reproduce this with andy-tracking b4136a36f31a65d0 (Apr 25).

[ 1494.355000] Unable to handle kernel paging request at virtual address 2e780330
[ 1494.360000] pgd = c6f10000
[ 1494.360000] [2e780330] *pgd=00000000
[ 1494.365000] Internal error: Oops: 0 [#1] PREEMPT
[ 1494.365000] Modules linked in: g_ether fuse s3c2410_wdt bnep l2cap btusb bluetooth ohci_hcd snd_soc_neo1973_gta02_wm8753 snd_soc_s3c24xx_i2s snd_soc_s3c24xx ar6000 snd_soc_wm8753 s3cmci snd_soc_core snd_pcm snd_timer snd_page_alloc snd [last unloaded: g_ether]
[ 1494.365000] CPU: 0    Not tainted  (2.6.29-GTA02_lindi-andy-tracking-mokodev #1)
[ 1494.365000] PC is at 0x2e780330
[ 1494.365000] LR is at dev_get_stats+0x24/0x30
[ 1494.365000] pc : [<2e780330>]    lr : [<c022d3c4>]    psr: 20000013
[ 1494.365000] sp : c7b65bd0  ip : c7b65be0  fp : c7b65bdc
[ 1494.365000] r10: c7b34000  r9 : c7a83160  r8 : c6fbb0f0
[ 1494.365000] r7 : 00000000  r6 : 00000000  r5 : 00000000  r4 : c6fbb188
[ 1494.365000] r3 : 2e780333  r2 : 000001e8  r1 : 00000000  r0 : c7b34000
[ 1494.365000] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[ 1494.365000] Control: c000717f  Table: 36f10000  DAC: 00000015
[ 1494.365000] Process sudo (pid: 3343, stack limit = 0xc7b64268)
[ 1494.365000] Stack: (0xc7b65bd0 to 0xc7b66000)
[ 1494.365000] 5bc0:                                     c7b65c3c c7b65be0 c023acc8 c022d3b0 
[ 1494.365000] 5be0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[ 1494.365000] 5c00: 00000000 c006fca4 c7b65c3c 000005dc c7b65c7c c7b34000 00000001 c6f4b5e0 
[ 1494.365000] 5c20: c0911e8c c7a83160 00000002 00000000 c7b65c7c c7b65c40 c023ae3c c023a9e8 
[ 1494.365000] 5c40: 49f47529 00000000 00000002 22222222 c6ceba00 c6cba000 c7a83160 c6cba000 
[ 1494.365000] 5c60: c6f4b5e0 c7841c00 00000000 00000038 c7b65cac c7b65c80 c0246428 c023ade4 
[ 1494.365000] 5c80: c6f4b5e0 c6cba000 c6f4b5e0 c6cba000 c6f4b5e0 00000d0f c6ceba00 c7841c00 
[ 1494.365000] 5ca0: c7b65cd4 c7b65cb0 c0247044 c02463e0 c6ceba00 00000000 c6ceba00 00000000 
[ 1494.365000] 5cc0: c7b65d54 c6cba000 c7b65d14 c7b65cd8 c023b798 c0246ee4 00000000 00000000 
[ 1494.365000] 5ce0: c023b69c c7b7f4a0 c023b69c c6ceba00 c7b7f4a0 c023b6b8 c7b65d54 c6cba000 
[ 1494.365000] 5d00: 00000000 00000038 c7b65d34 c7b65d18 c0248880 c023b6c8 c7b65d54 c7b7f4a0 
[ 1494.365000] 5d20: 00000014 c7b7f4a0 c7b65d4c c7b65d38 c023b6a8 c0248834 c7b7f4a0 c7841c00 
[ 1494.365000] 5d40: c7b65d84 c7b65d50 c024829c c023b68c 00000014 7fffffff c02293dc 00000000 
[ 1494.365000] 5d60: c7b7f4a0 c6cba000 00000000 c7b65f54 c7b65e70 c7712400 c7b65ddc c7b65d88 
[ 1494.365000] 5d80: c02485ec c0248060 00000001 c1008ba8 00000014 00000000 c7b65dc4 00000d0f 
[ 1494.365000] 5da0: 000003e8 000003e8 00000000 00000000 00000000 c6f02020 c7b65f54 c7b65de0 
[ 1494.365000] 5dc0: 00000014 befee558 c7b64000 0000000c c7b65ecc c7b65de0 c02217c0 c0248354 
[ 1494.365000] 5de0: c7b65e04 c7b65df0 00000000 00000001 ffffffff 00000000 00000000 00000000 
[ 1494.365000] 5e00: 00000000 00000000 c6f02020 00000000 00000000 00000000 c6f02020 c6f02020 
[ 1494.365000] 5e20: c0065d8c c7b65e24 c7b65e24 400d49dc c7b65e5c c7b65e40 c7b65e70 c00700f0 
[ 1494.365000] 5e40: 60000093 c7b64000 00000000 c7b65fb0 c7b65e7c c7b65e60 c00735bc c00733b4 
[ 1494.365000] 5e60: 00000001 c7b5b8f8 60000013 c7b5b8f8 c7b65e94 c7b65e80 c02aca68 00000014 
[ 1494.365000] 5e80: c7712400 c7b5b8f8 c7b65d9c c7b65f54 c016071c 00000000 c7b65ed4 00000014 
[ 1494.365000] 5ea0: befee558 c7b65ed4 0000000c 00000000 befee558 c7712400 00000000 c7b65ed4 
[ 1494.365000] 5ec0: c7b65fa4 c7b65ed0 c0221a90 c0221720 0000000c 00000010 00000000 00000000 
[ 1494.365000] 5ee0: c7712400 c7b65efc c7b65fa4 c7b65ef8 c0222830 c02223e4 c0221278 00000010 
[ 1494.365000] 5f00: 00000d0f 00000000 00000000 c7a56b44 c7a56b44 c7a56b44 c7b65f3c c7b65f28
[ 1494.365000] 5f20: c02acab8 c004b290 00000005 c7a56b20 c7b65f5c c7b65f40 c00aae00 c02aca94
[ 1494.365000] 5f40: 00047771 000f4240 113a0730 c0032cdc c7b65f84 c7b65ed4 0000000c c7b65f70
[ 1494.365000] 5f60: 00000001 00000000 00000000 00000000 befee558 00000000 00000000 00000000
[ 1494.365000] 5f80: befee558 0000000c befee558 00000122 c002f048 00000000 00000000 c7b65fa8
[ 1494.365000] 5fa0: c002eea0 c02219ec befee558 0000000c 00000005 befee544 00000014 00000000
[ 1494.365000] 5fc0: befee558 0000000c befee558 00000122 000428c4 00000000 00000001 befee5a4
[ 1494.365000] 5fe0: 0000000c befed500 40139898 40118f88 60000010 00000005 ffffffff ffffffff
[ 1494.365000] Backtrace:
[ 1494.365000] [<c022d3a0>] (dev_get_stats+0x0/0x30) from [<c023acc8>] (rtnl_fill_ifinfo+0x2f0/0x3fc)
[ 1494.365000] [<c023a9d8>] (rtnl_fill_ifinfo+0x0/0x3fc) from [<c023ae3c>] (rtnl_dump_ifinfo+0x68/0x9c)
[ 1494.365000] [<c023add4>] (rtnl_dump_ifinfo+0x0/0x9c) from [<c0246428>] (netlink_dump+0x58/0x1b0)
[ 1494.365000] [<c02463d0>] (netlink_dump+0x0/0x1b0) from [<c0247044>] (netlink_dump_start+0x170/0x1b8)
[ 1494.365000]  r8:c7841c00 r7:c6ceba00 r6:00000d0f r5:c6f4b5e0 r4:c6cba000
[ 1494.365000] [<c0246ed4>] (netlink_dump_start+0x0/0x1b8) from [<c023b798>] (rtnetlink_rcv_msg+0xe0/0x22c)
[ 1494.365000]  r8:c6cba000 r7:c7b65d54 r6:00000000 r5:c6ceba00 r4:00000000
[ 1494.365000] [<c023b6b8>] (rtnetlink_rcv_msg+0x0/0x22c) from [<c0248880>] (netlink_rcv_skb+0x5c/0xbc)
[ 1494.365000] [<c0248824>] (netlink_rcv_skb+0x0/0xbc) from [<c023b6a8>] (rtnetlink_rcv+0x2c/0x3c)
[ 1494.365000]  r6:c7b7f4a0 r5:00000014 r4:c7b7f4a0
[ 1494.365000] [<c023b67c>] (rtnetlink_rcv+0x0/0x3c) from [<c024829c>] (netlink_unicast+0x24c/0x2f4)
[ 1494.365000]  r4:c7841c00
[ 1494.365000] [<c0248050>] (netlink_unicast+0x0/0x2f4) from [<c02485ec>] (netlink_sendmsg+0x2a8/0x2bc)
[ 1494.365000] [<c0248344>] (netlink_sendmsg+0x0/0x2bc) from [<c02217c0>] (sock_sendmsg+0xb0/0xcc)
[ 1494.365000] [<c0221710>] (sock_sendmsg+0x0/0xcc) from [<c0221a90>] (sys_sendto+0xb4/0xd4)
[ 1494.365000]  r6:c7b65ed4 r5:00000000 r4:c7712400
[ 1494.365000] [<c02219dc>] (sys_sendto+0x0/0xd4) from [<c002eea0>] (ret_fast_syscall+0x0/0x2c)
[ 1494.365000] Code: bad PC value.
[ 1494.425000] ---[ end trace c2ac4ab43ac05a62 ]---

comment:2 Changed 4 years ago by lindi

When ifconfig usb0 up is called. dev->netdev_ops contains a bogus ndo_get_stats pointer:

Breakpoint 5, dev_get_stats (dev=0xc6e48000) at /local/lindi/neolinux/net/core/dev.c:4649
(gdb) p *dev->netdev_ops
$9 = {
  ndo_init = 0xe1a0c00d,
  ndo_uninit = 0xe92dd800,
  ndo_open = 0xe24cb004,
  ndo_stop = 0xe5d03030,
  ndo_start_xmit = 0xe35300fd,
  ndo_select_queue = 0x92833001,
  ndo_change_rx_flags = 0x920330ff,
  ndo_set_rx_mode = 0x95c03030,
  ndo_set_multicast_list = 0x83e00012,
  ndo_set_mac_address = 0x91a00003,
  ndo_validate_addr = 0xe89da800,
  ndo_do_ioctl = 0xe1a0c00d,
  ndo_set_config = 0xe92dd810,
  ndo_change_mtu = 0xe24cb004,
  ndo_neigh_setup = 0xe3a03000,
  ndo_tx_timeout = 0xe1a04000,
  ndo_get_stats = 0xea000003,
  ndo_vlan_rx_register = 0xe1500002,
  ndo_vlan_rx_add_vid = 0x1a000001,
  ndo_vlan_rx_kill_vid = 0xe59c0000
}

The backtrace to this call is

#0  dev_get_stats (dev=0xc6e48000) at /local/lindi/neolinux/net/core/dev.c:4649
#1  0xc023acc8 in rtnl_fill_ifinfo (skb=0xc7a6bd60, dev=0xc6e48000, type=<value optimized out>, pid=<value optimized out>, seq=1240760974, change=0, flags=<value optimi\
zed out>) at /local/lindi/neolinux/net/core/rtnetlink.c:669
#2  0xc023ae3c in rtnl_dump_ifinfo (skb=0xc7a6bd60, cb=0xc7a976e0) at /local/lindi/neolinux/net/core/rtnetlink.c:695
#3  0xc0246428 in netlink_dump (sk=0xc6f05000) at /local/lindi/neolinux/net/netlink/af_netlink.c:1550
#4  0xc0247044 in netlink_dump_start (ssk=0xc7840c00, skb=<value optimized out>, nlh=0xc6c13e00, dump=<value optimized out>, done=0) at /local/lindi/neolinux/net/netlin\
k/af_netlink.c:1629
#5  0xc023b798 in rtnetlink_rcv_msg (skb=0xc7a6be20, nlh=0xc6c13e00) at /local/lindi/neolinux/net/core/rtnetlink.c:1301
#6  0xc0248880 in netlink_rcv_skb (skb=0xc7a6be20, cb=0xc023b6b8 <rtnetlink_rcv_msg>) at /local/lindi/neolinux/net/netlink/af_netlink.c:1697
#7  0xc023b6a8 in rtnetlink_rcv (skb=0xc7a6be20) at /local/lindi/neolinux/net/core/rtnetlink.c:1337
#8  0xc024829c in netlink_unicast (ssk=0xc6f05000, skb=0xc7a6be20, pid=0, nonblock=<value optimized out>) at /local/lindi/neolinux/net/netlink/af_netlink.c:870
#9  0xc02485ec in netlink_sendmsg (kiocb=<value optimized out>, sock=0xc3413480, msg=0xc6edff54, len=20) at /local/lindi/neolinux/net/netlink/af_netlink.c:1285
#10 0xc02217c0 in sock_sendmsg (sock=<value optimized out>, msg=0xc6edff54, size=96) at /local/lindi/neolinux/net/socket.c:563
#11 0xc0221a90 in sys_sendto (fd=<value optimized out>, buff=0xc6edfed4, len=20, flags=0, addr=0xbe8fd548, addr_len=12) at /local/lindi/neolinux/net/socket.c:1651
#12 0xc002eea0 in kuser_cmpxchg_fixup ()

comment:3 Changed 4 years ago by lindi

A reliable way to crash the kernel is

insmod g_ether.ko.2
sleep 1
ifconfig usb0 up
sleep 1
ifconfig usb0 down
sleep 1
rmmod g_ether # ip link still shows usb0
sleep 2
insmod g_ether.ko.2 # now uses usb1 instead of usb0
sleep 2
ifconfig usb0 up # crash when dev_open tries to use usb0
sleep 2

I can even do "ifconfig usb0 up" after I have removed the g_ether module completely.

comment:4 Changed 4 years ago by lindi

It seems that "insmod g_ether.ko" calls register_netdev() but "rmmod g_ether" does not call unregister_netdev(). I think the calls _should_ go like

insmod g_ether.ko
 init()
  usb_composite_register()
   usb_gadget_register_driver()
    driver->bind() = eth_bind()
     gether_setup()
      register_netdev()

rmmod g_ether
 cleanup()
  usb_composite_unregister()
   usb_gadget_unregister_driver()
    driver->unbind() = eth_unbind()
     gether_cleanup()
      unregister_netdev()

but the problem is that in s3c2410_udc.c

  • usb_gadget_register_driver calls bind() but
  • usb_gadget_unregister_driver() does not call unbind().

I checked that _every other_ usb_gadget_unregister_driver in the kernel does call unbind(), for example

  • atmel_usba_udc.c
  • pxa25x_udc.c
  • omap_udc.c
  • fsl_usb2_udc.c

so why does s3c2410_udc.c not call unbind()?

Changed 4 years ago by lindi

call unbind() from usb_gadget_unregister_driver of s3c2410_udc.c

comment:5 Changed 4 years ago by lindi

If I just call unbind() from usb_gadget_unregister_driver I can successfully alternate between g_serial and g_ether as many times as I like. Can you please test and review this patch?

comment:6 Changed 4 years ago by arhuaco

  • Status changed from new to closed
  • PatchReviewResult set to positive
  • HasPatchForReview set
  • Reproducible set to always
  • Resolution set to fixed

Patch sent to andy-tracking. Closing as fixed.

Note: See TracTickets for help on using tickets.