2013-08-26 00:58:25

by Fengguang Wu

Subject: [accent_init] BUG: unable to handle kernel NULL pointer dereference at 00000078

Hi Russell King,

Here is another bug that's triggered by

commit c817a67ecba7c3c2aaa104796d78f160af60920d
Author: Russell King <[email protected]>
Date: Thu Jun 27 15:06:14 2013 +0100

kobject: delayed kobject release: help find buggy drivers

[ 50.519381] WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:260 debug_print_object+0x76/0x84()
[ 50.519381] ODEBUG: init active (active state 0) object type: timer_list hint: (null)
[ 50.519381] Modules linked in:
[ 50.519381] CPU: 0 PID: 1 Comm: swapper Not tainted 3.11.0-rc6-next-20130822-07070-g245f086 #1
[ 50.519381] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 50.519381] 40041b68 40041b68 40041b28 41340817 40041b58 41022949 41473af6 40041b84
[ 50.519381] 00000001 41473b33 00000104 411e84d7 411e84d7 40085698 414e1f14 41451647
[ 50.519381] 40041b70 4102298e 00000009 40041b68 41473af6 40041b84 40041ba4 411e84d7
[ 50.519381] Call Trace:
[ 50.519381] [<41340817>] dump_stack+0x16/0x18
[ 50.519381] [<41022949>] warn_slowpath_common+0x70/0x87
[ 50.519381] [<411e84d7>] ? debug_print_object+0x76/0x84
[ 50.519381] [<411e84d7>] ? debug_print_object+0x76/0x84
[ 50.519381] [<4102298e>] warn_slowpath_fmt+0x2e/0x30
[ 50.519381] [<411e84d7>] debug_print_object+0x76/0x84
[ 50.519381] [<411e8762>] __debug_object_init+0x27d/0x2bb
[ 50.519381] [<411e89c6>] debug_object_init+0x13/0x15
[ 50.519381] [<4102925e>] init_timer_key+0x17/0x64
[ 50.519381] [<411db4a5>] kobject_release+0x50/0x78
[ 50.519381] [<411db51c>] kobject_put+0x4f/0x55
[ 50.519381] [<410ad5bc>] cdev_del+0x23/0x26
[ 50.519381] [<41239fb5>] tty_unregister_device+0x33/0x37
[ 50.519381] [<41247439>] uart_remove_one_port+0xa1/0xee
[ 50.519381] [<41249025>] serial8250_register_8250_port+0xc1/0x235
[ 50.519381] [<41249354>] serial8250_probe+0x108/0x16a
[ 50.519381] [<4103f19a>] ? sched_clock_cpu+0xd8/0xee
[ 50.519381] [<4103f19a>] ? sched_clock_cpu+0xd8/0xee
[ 50.519381] [<4125f64a>] platform_drv_probe+0x29/0x4b
[ 50.519381] [<4125e242>] driver_probe_device+0x8f/0x194
[ 50.519381] [<4125f76c>] ? platform_match+0x52/0x66
[ 50.519381] [<4125e363>] __device_attach+0x1c/0x2c
[ 50.519381] [<4125ccb2>] bus_for_each_drv+0x38/0x6b
[ 50.519381] [<4125e17e>] device_attach+0x66/0x83
[ 50.519381] [<4125e347>] ? driver_probe_device+0x194/0x194
[ 50.519381] [<4125d8af>] bus_probe_device+0x25/0x84
[ 50.519381] [<4125c18b>] device_add+0x3e6/0x57b
[ 50.519381] [<411e35b9>] ? kvasprintf+0x3b/0x44
[ 50.519381] [<411db956>] ? kobject_set_name_vargs+0x3d/0x4a
[ 50.519381] [<4125f4ac>] platform_device_add+0x131/0x195
[ 50.519381] [<4125f97f>] platform_device_register+0x1c/0x1f
[ 50.519381] [<41677bb8>] ? setup_early_serial8250_console+0x376/0x376
[ 50.519381] [<41677bc5>] accent_init+0xd/0xf
[ 50.519381] [<410003df>] do_one_initcall+0x7e/0x10c
[ 50.519381] [<4165b400>] ? do_early_param+0x4f/0x7a
[ 50.519381] [<41035bcd>] ? parse_args+0x15d/0x222
[ 50.519381] [<4165ba89>] kernel_init_freeable+0x116/0x1b5
[ 50.519381] [<4165b42b>] ? do_early_param+0x7a/0x7a
[ 50.519381] [<4133b3b4>] kernel_init+0xb/0xc3
[ 50.519381] [<413499bb>] ret_from_kernel_thread+0x1b/0x30
[ 50.519381] [<4133b3a9>] ? rest_init+0xb5/0xb5
[ 50.519381] ---[ end trace b81fc16491f309ce ]---

git bisect start 5e8d1acd05687720cbb0b08975eacb7588fdfc42 v3.10 --
git bisect good 8cbd0eefcaf8cc32ded2bf229f0fc379b2ad69f2 # 11:22 60+ Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
git bisect good 60a2b977533c312d271563d955ef7b8e35a6aa38 # 11:35 60+ Merge remote-tracking branch 'infiniband/for-next'
git bisect bad 4a225b466e040a70e7d12b159d2a36da1c2ef7dc # 11:41 0- next-20130821/driver-core
git bisect good 98246c1ae6f18fe1b710cdff687b6b7077f739c9 # 11:52 60+ Merge remote-tracking branch 'virtio/virtio-next'
git bisect good 38136c1f1471c7dcbe889beb790cc4d331e9d3ad # 12:20 60+ Merge remote-tracking branch 'spi/for-next'
git bisect good f07762be3b9222a7649cb29a3f5b959204d40446 # 12:29 60+ Merge branch 'x86/asmlinkage'
git bisect good 93d6294dfcdff81194086ed9bd6ceca3bc5e5863 # 12:59 60+ Merge remote-tracking branch 'kvm-ppc/kvm-ppc-next'
git bisect good c57e8c89b271af4ef914c439effffed53c39434c # 14:10 60+ Merge remote-tracking branch 'leds/for-next'
git bisect bad 76f411fb3a62711de7f59e0f4c56456fe356675a # 14:17 0- x86 / cpu topology: remove the stale macro arch_provides_topology_pointers
git bisect bad ea1bb7064fd6972ef00a93ba882a2f38450b273e # 14:23 0- video: backlight: convert class code to use dev_groups
git bisect good e56341ad380114454119ac043e6d710ddbbb7710 # 14:57 60+ staging: comedi: convert class code to use dev_groups
git bisect bad c817a67ecba7c3c2aaa104796d78f160af60920d # 15:09 0- kobject: delayed kobject release: help find buggy drivers
git bisect good 7c42721fe0c58a848849b43ff558cf2fb86aa35a # 15:42 60+ char: tile-srom: fix build error
git bisect good 7c42721fe0c58a848849b43ff558cf2fb86aa35a # 16:11 180+ char: tile-srom: fix build error
git bisect bad 245f08699d5320f021070ed8698ac89ebf2f0670 # 16:11 0- Add linux-next specific files for 20130822
git bisect good cac778c7124d65bf7e3cf27b117a1287f202cac2 # 18:26 180+ Revert "kobject: delayed kobject release: help find buggy drivers"
git bisect good 8495e9c4a9616c9d19f23182d0536485902259db # 22:05 180+ Merge tag 'acpi-3.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
git bisect bad 245f08699d5320f021070ed8698ac89ebf2f0670 # 22:05 0- Add linux-next specific files for 20130822

Thanks,
Fengguang


Attachments:
(No filename) (5.58 kB)
dmesg-kvm-ant-6043-20130824160438-3.11.0-rc6-next-20130822-07070-g245f086-1 (198.66 kB)
bisect-245f08699d5320f021070ed8698ac89ebf2f0670-i386-randconfig-j5-08241525-BUG:-unable-to-handle-kernel-NULL-pointer-dereference-at-81554.log (47.31 kB)
config-3.11.0-rc6-next-20130822-07070-g245f086 (79.60 kB)

2013-08-26 09:13:40

by Russell King - ARM Linux

Subject: Re: [accent_init] BUG: unable to handle kernel NULL pointer dereference at 00000078

On Mon, Aug 26, 2013 at 08:58:09AM +0800, Fengguang Wu wrote:
> Hi Russell King,
>
> Here is another bug that's triggered by

Not much idea about this one, I don't understand what debugobjects.c is
indicating.

What I think it may be indicating is that the timer list inside the
delayed workqueue is being initialized when it is already active, but
if that is the case, it means that we're releasing the same kobject
multiple times - I believe that kref will complain if that were the
case, so I suspect that's not what's going on here.

Hmm. My guess is that the cdev kobject is being correctly freed, but
nothing is notifying the debugobjects code that that has happened.
I don't see any kind of interface to destroy a delayed workqueue (or
any workqueue) which isn't on the stack - or even a timer for that
matter.

What this suggests is that allocating a structure containing a
struct timer_list, initialising that timer list, freeing the structure,
allocating it again (and getting the same address), initialising it
a second time will produce this warning.

So, it looks to me like the debugobjects stuff is... buggy.
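
A userspace C model of the address-keyed state tracking discussed in this thread, added here as an illustration; it is not code from the thread or from lib/debugobjects.c, and the `model_*` names, the three-state enum and the single reused buffer are assumptions. In this model a second init at a reused address is flagged only when the tracker still records the object at that address as active, which matches the "init active" wording in the log above.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model (not kernel code): object state is tracked by address. */
enum model_state { M_NONE, M_INIT, M_ACTIVE };
struct model_obj { const void *addr; enum model_state st; };
static struct model_obj table[8];

static struct model_obj *model_lookup(const void *addr)
{
    struct model_obj *empty = NULL;
    for (size_t i = 0; i < 8; i++) {
        if (table[i].addr == addr)
            return &table[i];
        if (!table[i].addr && !empty)
            empty = &table[i];
    }
    if (empty)  /* first sighting of this address: start tracking it */
        *empty = (struct model_obj){ addr, M_NONE };
    return empty;
}

/* Returns 1 when the tracker would report "init active", 0 otherwise. */
static int model_init(const void *addr)
{
    struct model_obj *o = model_lookup(addr);
    int warn = (o->st == M_ACTIVE);
    o->st = M_INIT;
    return warn;
}
static void model_activate(const void *addr) { model_lookup(addr)->st = M_ACTIVE; }
/* Tracker is told the memory went away; this model only drops the entry. */
static void model_freed(const void *addr) { memset(model_lookup(addr), 0, sizeof(struct model_obj)); }

/* One buffer handed out twice stands in for an allocator reusing an address. */
static char reused_mem[64];

/* armed: timer pending at reuse time; notify: tracker told about the free. */
int reinit_warns(int armed, int notify)
{
    memset(table, 0, sizeof(table));
    model_init(reused_mem);
    if (armed) model_activate(reused_mem);
    if (notify) model_freed(reused_mem);
    return model_init(reused_mem);  /* second init at the same address */
}

int main(void)
{
    printf("idle=%d armed=%d armed+notified=%d\n",
           reinit_warns(0, 0), reinit_warns(1, 0), reinit_warns(1, 1));
    return 0;
}
```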