2007-06-06 01:56:17

by Dave Young

Subject: [BUG] 2.6.22-rc3-mm1 remove bluetooth usb adapter caused kmalloc bug

Hi,
when I remove the USB Bluetooth adapter, the kernel reports a bug:

/* these two lines are printk messages I added in net/bluetooth/hci_core.c */

#before free dev: c3758430
#after free dev

=============================================================================
BUG kmalloc-1024: Poison overwritten
-----------------------------------------------------------------------------

INFO: 0xc3758440-0xc3758440. First byte 0x6a instead of 0x6b
INFO: Allocated in hci_alloc_dev+0x1f/0x80 [bluetooth] age=6094 cpu=0 pid=9586
INFO: Freed in device_release+0x82/0x90 age=0 cpu=0 pid=7
INFO: Slab 0xc106eb00 used=6 fp=0xc3758430 flags=0x400020c3
INFO: Object 0xc3758430 @offset=1072 fp=0xc375b240

Bytes b4 0xc3758420: 00 00 00 00 b9 ea 09 00 5a 5a 5a 5a 5a 5a 5a 5a ....??..ZZZZZZZZ
Object 0xc3758430: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xc3758440: 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk
Object 0xc3758450: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xc3758460: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xc3758470: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xc3758480: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xc3758490: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xc37584a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Redzone 0xc3758830: bb bb bb bb ????
Padding 0xc3758858: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
[<c016db1a>] check_bytes_and_report+0xaa/0xe0
[<c016de48>] check_object+0x198/0x1e0
[<c016e2ac>] alloc_debug_processing+0x9c/0x130
[<c016ed9a>] __slab_alloc+0x10a/0x220
[<c03c412a>] pskb_expand_head+0x4a/0x140
[<c016fa12>] __kmalloc+0x72/0x80
[<c03c412a>] pskb_expand_head+0x4a/0x140
[<c03c412a>] pskb_expand_head+0x4a/0x140
[<c016e2d6>] alloc_debug_processing+0xc6/0x130
[<c03dbcc8>] netlink_broadcast+0x68/0x370
[<c02727fd>] kobject_uevent_env+0x32d/0x4e0
[<c02728e4>] kobject_uevent_env+0x414/0x4e0
[<c01858df>] d_kill+0x3f/0x60
[<c018591a>] dput+0x1a/0xf0
[<c02dbd7c>] device_del+0x1ac/0x2e0
[<c0360e88>] usb_disable_device+0x78/0xf0
[<c035b923>] usb_disconnect+0x93/0xf0
[<c035cb02>] hub_port_connect_change+0x2f2/0x3b0
[<c035cdd2>] hub_events+0x212/0x420
[<c0138470>] autoremove_wake_function+0x0/0x50
[<c035d005>] hub_thread+0x25/0x110
[<c0138470>] autoremove_wake_function+0x0/0x50
[<c0138470>] autoremove_wake_function+0x0/0x50
[<c035cfe0>] hub_thread+0x0/0x110
[<c0137e99>] kthread+0x59/0xa0
[<c0137e40>] kthread+0x0/0xa0
[<c0104df3>] kernel_thread_helper+0x7/0x14
=======================
FIX kmalloc-1024: Restoring 0xc3758440-0xc3758440=0x6b

FIX kmalloc-1024: Marking all objects used


2007-06-06 02:43:17

by Andrew Morton

Subject: Re: [BUG] 2.6.22-rc3-mm1 remove bluetooth usb adapter caused kmalloc bug

On Wed, 6 Jun 2007 01:56:01 +0000 "young dave" <[email protected]> wrote:

> Hi,
> when I remove the USB Bluetooth adapter, the kernel reports a bug:
>
> /* these two lines are printk messages I added in net/bluetooth/hci_core.c */
>
> #before free dev: c3758430
> #after free dev
>
> =============================================================================
> BUG kmalloc-1024: Poison overwritten
> -----------------------------------------------------------------------------
>
> INFO: 0xc3758440-0xc3758440. First byte 0x6a instead of 0x6b
> INFO: Allocated in hci_alloc_dev+0x1f/0x80 [bluetooth] age=6094 cpu=0 pid=9586
> INFO: Freed in device_release+0x82/0x90 age=0 cpu=0 pid=7
> INFO: Slab 0xc106eb00 used=6 fp=0xc3758430 flags=0x400020c3
> INFO: Object 0xc3758430 @offset=1072 fp=0xc375b240

I don't get it. device_release() doesn't call kfree() or kmem_cache_free()
or any such thing.

> Bytes b4 0xc3758420: 00 00 00 00 b9 ea 09 00 5a 5a 5a 5a 5a 5a 5a 5a ....??..ZZZZZZZZ
> Object 0xc3758430: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
> Object 0xc3758440: 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk
> Object 0xc3758450: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
> Object 0xc3758460: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
> Object 0xc3758470: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
> Object 0xc3758480: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
> Object 0xc3758490: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
> Object 0xc37584a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
> Redzone 0xc3758830: bb bb bb bb ????
> Padding 0xc3758858: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
> [<c016db1a>] check_bytes_and_report+0xaa/0xe0
> [<c016de48>] check_object+0x198/0x1e0
> [<c016e2ac>] alloc_debug_processing+0x9c/0x130
> [<c016ed9a>] __slab_alloc+0x10a/0x220
> [<c03c412a>] pskb_expand_head+0x4a/0x140
> [<c016fa12>] __kmalloc+0x72/0x80
> [<c03c412a>] pskb_expand_head+0x4a/0x140
> [<c03c412a>] pskb_expand_head+0x4a/0x140
> [<c016e2d6>] alloc_debug_processing+0xc6/0x130
> [<c03dbcc8>] netlink_broadcast+0x68/0x370
> [<c02727fd>] kobject_uevent_env+0x32d/0x4e0
> [<c02728e4>] kobject_uevent_env+0x414/0x4e0
> [<c01858df>] d_kill+0x3f/0x60
> [<c018591a>] dput+0x1a/0xf0
> [<c02dbd7c>] device_del+0x1ac/0x2e0
> [<c0360e88>] usb_disable_device+0x78/0xf0
> [<c035b923>] usb_disconnect+0x93/0xf0
> [<c035cb02>] hub_port_connect_change+0x2f2/0x3b0
> [<c035cdd2>] hub_events+0x212/0x420
> [<c0138470>] autoremove_wake_function+0x0/0x50
> [<c035d005>] hub_thread+0x25/0x110
> [<c0138470>] autoremove_wake_function+0x0/0x50
> [<c0138470>] autoremove_wake_function+0x0/0x50
> [<c035cfe0>] hub_thread+0x0/0x110
> [<c0137e99>] kthread+0x59/0xa0
> [<c0137e40>] kthread+0x0/0xa0
> [<c0104df3>] kernel_thread_helper+0x7/0x14
> =======================
> FIX kmalloc-1024: Restoring 0xc3758440-0xc3758440=0x6b
>
> FIX kmalloc-1024: Marking all objects used

Could perhaps be due to bluetooth-postpone-hci_dev-unregistration.patch,
but I don't see how. (But that patch looks a bit dodgy wrt module unload
so I think I'll drop it).

Are you able to reproduce this in 2.6.22-rc4?

2007-06-06 02:51:20

by Dave Young

Subject: Re: [BUG] 2.6.22-rc3-mm1 remove bluetooth usb adapter caused kmalloc bug

Hi,
> Are you able to reproduce this in 2.6.22-rc4?
The kmalloc in dmesg is in skbuff.c:pskb_expand_head; I will try
2.6.22-rc4 ASAP.

2007-06-06 03:27:43

by Dave Young

Subject: Re: [BUG] 2.6.22-rc3-mm1 remove bluetooth usb adapter caused kmalloc bug

Hi,
> Are you able to reproduce this in 2.6.22-rc4?

The bug doesn't seem to exist in 2.6.22-rc4; I have tested it, and
unplugging doesn't produce the kernel bug message.

Regards
dave

2007-06-06 04:30:42

by Andrew Morton

Subject: Re: [BUG] 2.6.22-rc3-mm1 remove bluetooth usb adapter caused kmalloc bug

On Wed, 6 Jun 2007 03:27:31 +0000 "young dave" <[email protected]> wrote:

> Hi,
> > Are you able to reproduce this in 2.6.22-rc4?
>
> The bug doesn't seem to exist in 2.6.22-rc4; I have tested it, and
> unplugging doesn't produce the kernel bug message.
>

OK, thanks. I'll drop bluetooth-postpone-hci_dev-unregistration.patch -
let's see if that helps.

2007-06-06 05:16:12

by Christoph Lameter

Subject: Re: [BUG] 2.6.22-rc3-mm1 remove bluetooth usb adapter caused kmalloc bug

Note that the corruption seems to have its cause in a decrement done at
offset 16 into the object pointing to the refcount in struct hci_dev. So
it looks like the refcount was decremented after the object was freed.

sysfs related?

2007-06-06 05:56:13

by Dave Young

Subject: Re: [BUG] 2.6.22-rc3-mm1 remove bluetooth usb adapter caused kmalloc bug

Hi,
> 2007/6/6, Christoph Lameter <[email protected]>:
> Note that the corruption seems to have its cause in a decrement done at
> offset 16 into the object pointing to the refcount in struct hci_dev. So
> it looks like the refcount was decremented after the object was freed.
>
> sysfs related?
>
I noticed in hci_core.c:

hci_dev_close calls hci_dev_do_close, then calls hci_dev_put,

but hci_dev_do_close also calls hci_dev_put.

Maybe this is the reason: with the patch below applied, the bug seems
not to exist, but the strange thing is that 2.6.22-rc4 seems to work; I
will test once more to see the result.

Signed-off-by: dave young <[email protected]>
---
net/bluetooth/hci_core.c | 1 -
1 file changed, 1 deletion(-)

diff -dur linux/net/bluetooth/hci_core.c linux.new/net/bluetooth/hci_core.c
--- linux/net/bluetooth/hci_core.c 2007-06-06 13:47:14.000000000 +0000
+++ linux.new/net/bluetooth/hci_core.c 2007-06-06 13:46:58.000000000 +0000
@@ -577,7 +577,6 @@

hci_req_unlock(hdev);

- hci_dev_put(hdev);
return 0;
}
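Review bot: removing the hci_dev_put() in this hunk makes the reference count balanced only for callers that reach this function through hci_dev_close(), which per the cover note does its own hci_dev_put() afterwards; any other caller of the edited function that relied on this put will now leak a reference rather than drop one too many, so each caller needs to be checked before this goes in. The hunk header `@@ -577,7 +577,6 @@` carries no function name (the diff was made without -p), which makes that check harder from the patch alone; regenerating with `diff -durp` would show which function is being edited. The description should also state which side is meant to own the reference taken on open, since the cover note itself says rc4 behaves differently and the reporter has not yet explained why.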

Regards
dave
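Added example, not code from this thread, the kernel or the bluetooth subsystem: a user-space model of the two observations made above, Christoph's reading of the report (the poison byte 0x6b at offset 16 turned into 0x6a, i.e. a decrement of the refcount on a freed object) and Dave's explanation of where the extra decrement comes from (hci_dev_do_close and hci_dev_close both calling hci_dev_put). The toy_ names, the struct layout with the refcount at offset 16, and a little-endian CPU are assumptions made for the demonstration; the poison value 0x6b is the one SLUB uses.

```c
/* Added example: models SLUB's free-poison check catching a refcount
 * decrement on an already-freed object. toy_* names and the struct
 * layout are assumptions; 0x6b is SLUB's real free-poison byte. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b   /* byte SLUB writes over a freed object */
#define OBJ_SIZE    1024   /* kmalloc-1024, as in the report */
#define REFCNT_OFF  16     /* assumed: refcount sits 16 bytes into the object */

/* Toy stand-in for struct hci_dev; only the refcount position matters. */
struct toy_hci_dev {
    uint8_t header[REFCNT_OFF];                          /* fields before the refcount */
    int32_t refcnt;                                      /* models atomic_t refcnt */
    uint8_t rest[OBJ_SIZE - REFCNT_OFF - sizeof(int32_t)];
};

struct poison_report {
    int     overwritten;  /* 1 if a freed object was written to */
    size_t  offset;       /* offset of the first damaged byte */
    uint8_t found;        /* byte value found there */
};

/* Free path with slab debugging on: fill the object with poison so
 * that any later write to it can be spotted. */
static void toy_free(struct toy_hci_dev *dev)
{
    memset(dev, POISON_FREE, OBJ_SIZE);
}

/* Models hci_dev_put(): drop one reference, free the object at zero.
 * Calling this on freed memory is the bug being modelled. */
static void toy_put(struct toy_hci_dev *dev)
{
    if (--dev->refcnt == 0)
        toy_free(dev);
}

/* The check SLUB runs when the slot is handed out again (check_object ->
 * check_bytes_and_report in the trace). Finds the first byte that is no
 * longer POISON_FREE and, like the kernel's "FIX ... Restoring" line,
 * writes the poison back before returning. */
static struct poison_report toy_check_and_fix(struct toy_hci_dev *dev)
{
    uint8_t *p = (uint8_t *)dev;
    struct poison_report r = { 0, 0, 0 };

    for (size_t i = 0; i < OBJ_SIZE; i++) {
        if (p[i] != POISON_FREE) {
            r.overwritten = 1;
            r.offset = i;
            r.found = p[i];
            p[i] = POISON_FREE;
            break;
        }
    }
    return r;
}

/* Replays the sequence described in the thread. With balanced == 0 the
 * put inside hci_dev_do_close() and the put in hci_dev_close() both run
 * against a single outstanding reference: the first frees and poisons
 * the object, the second decrements the poisoned refcount, so
 * 0x6b6b6b6b becomes 0x6b6b6b6a and the byte at offset 16 reads 0x6a
 * ('j' in the ASCII column). With balanced == 1 only one put happens. */
static struct poison_report simulate_close(int balanced)
{
    struct toy_hci_dev *dev = calloc(1, OBJ_SIZE);   /* hci_alloc_dev() */
    struct poison_report r;

    if (!dev) {
        perror("calloc");
        exit(1);
    }
    dev->refcnt = 1;
    toy_put(dev);               /* put in hci_dev_do_close(): refcnt hits 0, freed */
    if (!balanced)
        toy_put(dev);           /* put in hci_dev_close(): decrement on freed memory */
    r = toy_check_and_fix(dev); /* next allocation of this slot runs the check */
    free(dev);
    return r;
}

int main(void)
{
    struct poison_report r = simulate_close(0);
    if (r.overwritten)
        printf("Poison overwritten at offset %zu: 0x%02x instead of 0x%02x\n",
               r.offset, r.found, POISON_FREE);
    r = simulate_close(1);
    printf("balanced put: %s\n", r.overwritten ? "corrupted" : "poison intact");
    return 0;
}
```

The offset the model reports is what the kernel printed: 0xc3758440 - 0xc3758430 = 0x10 = 16, with 0x6b - 0x6a = 1, the signature of a single decrement. The check only fires when the poisoned slot is reallocated with debugging enabled, which is why an unbalanced put can stay silent on a kernel built without slab debugging.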

2007-06-06 06:55:41

by Jiri Kosina

Subject: Re: [BUG] 2.6.22-rc3-mm1 remove bluetooth usb adapter caused kmalloc bug

On Tue, 5 Jun 2007, Andrew Morton wrote:

> Could perhaps be due to bluetooth-postpone-hci_dev-unregistration.patch,
> but I don't see how. (But that patch looks a bit dodgy wrt module
> unload so I think I'll drop it).

It is perfectly fine to drop this one, as the issue it was trying to solve
has been already fixed in a different way (commit 4ce61d1c7 in mainline).

--
Jiri Kosina
SUSE Labs

2007-06-06 07:18:16

by Dave Young

Subject: Re: [BUG] 2.6.22-rc3-mm1 remove bluetooth usb adapter caused kmalloc bug

Hi,

> 2007/6/6, Christoph Lameter <[email protected]>:
> Note that the corruption seems to have its cause in a decrement done at
> offset 16 into the object pointing to the refcount in struct hci_dev. So
> it looks like the refcount was decremented after the object was freed.
>
> sysfs related?
>

I tested several more times under 2.6.22-rc4; there's no such problem.

The hci_dev_put is indeed a bug, isn't it? It decrements the refcount one
more time, like you said.

But why doesn't SLUB warn under 2.6.22-rc4 but does under
2.6.22-rc3-mm1? I'm puzzled.

And if this is a bug, should I write another post to the list? Then to
-mm or mainline?
I'm still new to the kernel list; thank you all.

Regards
dave