2021-08-25 21:14:57

by Ferry Toth

[permalink] [raw]
Subject: Crash on unplug smsc95xx on 5.14.0-rc6

With 5.14.0-rc6 smsc9504 attached to dwc3 host (Intel Merrifield)
unplugging leads to the following stack trace:

kernel: kernfs: can not remove 'attached_dev', no directory
kernel: WARNING: CPU: 0 PID: 23 at fs/kernfs/dir.c:1508
kernfs_remove_by_name_ns+0x7e/0x90
kernel: Modules linked in: rfcomm iptable_nat bnep snd_sof_nocodec
spi_pxa2xx_platform dw_dmac smsc smsc95xx pwm_lpss_pci dw_dmac_pci
pwm_lpss dw_dmac_core snd_sof_pc>
kernel: CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted
5.14.0-rc6-edison-acpi-standard #1
kernel: Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542
2015.01.21:18.19.48
kernel: Workqueue: usb_hub_wq hub_event
kernel: RIP: 0010:kernfs_remove_by_name_ns+0x7e/0x90
kernel: Code: ff 9a 00 31 c0 5d 41 5c 41 5d c3 48 c7 c7 e0 48 f6 b2 e8
15 ff 9a 00 b8 fe ff ff ff eb e7 48 c7 c7 d0 fa a8 b2 e8 cb c6 94 00
<0f> 0b b8 fe ff ff ff eb >
kernel: RSP: 0018:ffffa514000cfa10 EFLAGS: 00010282
kernel: RAX: 0000000000000000 RBX: ffff9a9008a3d8c0 RCX: ffff9a903e217478
kernel: RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9a903e217470
kernel: RBP: ffff9a90023d3000 R08: ffffffffb2f341c8 R09: 0000000000009ffb
kernel: R10: 00000000ffffe000 R11: 3fffffffffffffff R12: ffffffffb2af705d
kernel: R13: ffff9a9008a3d8c0 R14: ffffa514000cfb10 R15: 0000000000000003
kernel: FS:  0000000000000000(0000) GS:ffff9a903e200000(0000)
knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 00007fe6971fcca0 CR3: 0000000007b02000 CR4: 00000000001006f0
kernel: Call Trace:
kernel:  phy_detach+0x10b/0x170
kernel:  smsc95xx_disconnect_phy+0x2a/0x30 [smsc95xx]
kernel:  usbnet_stop+0x5d/0x130
kernel:  __dev_close_many+0x99/0x110
kernel:  dev_close_many+0x76/0x120
kernel:  unregister_netdevice_many+0x13d/0x750
kernel:  unregister_netdevice_queue+0x80/0xc0
kernel:  unregister_netdev+0x13/0x20
kernel:  usbnet_disconnect+0x54/0xb0
kernel:  usb_unbind_interface+0x85/0x270
kernel:  ? kernfs_find_ns+0x30/0xc0
kernel:  __device_release_driver+0x175/0x230
kernel:  device_release_driver+0x1f/0x30
kernel:  bus_remove_device+0xd3/0x140
kernel:  device_del+0x186/0x3e0
kernel:  ? kobject_put+0x91/0x1d0
kernel:  usb_disable_device+0xc1/0x1e0
kernel:  usb_disconnect.cold+0x7a/0x1f7
kernel:  usb_disconnect.cold+0x29/0x1f7
kernel:  hub_event+0xbb9/0x1830
kernel:  ? __switch_to_asm+0x42/0x70
kernel:  ? __switch_to_asm+0x36/0x70
kernel:  process_one_work+0x1cf/0x370
kernel:  worker_thread+0x48/0x3d0
kernel:  ? rescuer_thread+0x360/0x360
kernel:  kthread+0x122/0x140
kernel:  ? set_kthread_struct+0x40/0x40
kernel:  ret_from_fork+0x22/0x30

The unplug event happen when switching dwc3 from host  to device mode.

I'm not sure when this behavior started exactly, but al least since
5.14.0-rc1.

Maybe related: smsc95xx plugin seems to trigger:

DMA-API: cacheline tracking EEXIST, overlapping mappings aren't supported



2021-08-27 22:44:06

by Ferry Toth

[permalink] [raw]
Subject: Re: Crash on unplug smsc95xx on 5.14.0-rc6

Hi

Op 25-08-2021 om 22:42 schreef Ferry Toth:
> With 5.14.0-rc6 smsc9504 attached to dwc3 host (Intel Merrifield)
> unplugging leads to the following stack trace:
>
> kernel: kernfs: can not remove 'attached_dev', no directory
> kernel: WARNING: CPU: 0 PID: 23 at fs/kernfs/dir.c:1508
> kernfs_remove_by_name_ns+0x7e/0x90
> kernel: Modules linked in: rfcomm iptable_nat bnep snd_sof_nocodec
> spi_pxa2xx_platform dw_dmac smsc smsc95xx pwm_lpss_pci dw_dmac_pci
> pwm_lpss dw_dmac_core snd_sof_pc>
> kernel: CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted
> 5.14.0-rc6-edison-acpi-standard #1
> kernel: Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542
> 2015.01.21:18.19.48
> kernel: Workqueue: usb_hub_wq hub_event
> kernel: RIP: 0010:kernfs_remove_by_name_ns+0x7e/0x90
> kernel: Code: ff 9a 00 31 c0 5d 41 5c 41 5d c3 48 c7 c7 e0 48 f6 b2 e8
> 15 ff 9a 00 b8 fe ff ff ff eb e7 48 c7 c7 d0 fa a8 b2 e8 cb c6 94 00
> <0f> 0b b8 fe ff ff ff eb >
> kernel: RSP: 0018:ffffa514000cfa10 EFLAGS: 00010282
> kernel: RAX: 0000000000000000 RBX: ffff9a9008a3d8c0 RCX: ffff9a903e217478
> kernel: RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9a903e217470
> kernel: RBP: ffff9a90023d3000 R08: ffffffffb2f341c8 R09: 0000000000009ffb
> kernel: R10: 00000000ffffe000 R11: 3fffffffffffffff R12: ffffffffb2af705d
> kernel: R13: ffff9a9008a3d8c0 R14: ffffa514000cfb10 R15: 0000000000000003
> kernel: FS:  0000000000000000(0000) GS:ffff9a903e200000(0000)
> knlGS:0000000000000000
> kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> kernel: CR2: 00007fe6971fcca0 CR3: 0000000007b02000 CR4: 00000000001006f0
> kernel: Call Trace:
> kernel:  phy_detach+0x10b/0x170
> kernel:  smsc95xx_disconnect_phy+0x2a/0x30 [smsc95xx]
> kernel:  usbnet_stop+0x5d/0x130
> kernel:  __dev_close_many+0x99/0x110
> kernel:  dev_close_many+0x76/0x120
> kernel:  unregister_netdevice_many+0x13d/0x750
> kernel:  unregister_netdevice_queue+0x80/0xc0
> kernel:  unregister_netdev+0x13/0x20
> kernel:  usbnet_disconnect+0x54/0xb0
> kernel:  usb_unbind_interface+0x85/0x270
> kernel:  ? kernfs_find_ns+0x30/0xc0
> kernel:  __device_release_driver+0x175/0x230
> kernel:  device_release_driver+0x1f/0x30
> kernel:  bus_remove_device+0xd3/0x140
> kernel:  device_del+0x186/0x3e0
> kernel:  ? kobject_put+0x91/0x1d0
> kernel:  usb_disable_device+0xc1/0x1e0
> kernel:  usb_disconnect.cold+0x7a/0x1f7
> kernel:  usb_disconnect.cold+0x29/0x1f7
> kernel:  hub_event+0xbb9/0x1830
> kernel:  ? __switch_to_asm+0x42/0x70
> kernel:  ? __switch_to_asm+0x36/0x70
> kernel:  process_one_work+0x1cf/0x370
> kernel:  worker_thread+0x48/0x3d0
> kernel:  ? rescuer_thread+0x360/0x360
> kernel:  kthread+0x122/0x140
> kernel:  ? set_kthread_struct+0x40/0x40
> kernel:  ret_from_fork+0x22/0x30
>
> The unplug event happen when switching dwc3 from host  to device mode.
>
> I'm not sure when this behavior started exactly, but al least since
> 5.14.0-rc1.

Ideas how to continue welcome.

> Maybe related: smsc95xx plugin seems to trigger:
>
> DMA-API: cacheline tracking EEXIST, overlapping mappings aren't supported
>
OTOH the cache line error might be due to reporting the error is
relatively new:
https://lore.kernel.org/lkml/[email protected]/

So maybe unrelated to crash.