From: Jarek Poplawski <jarkao2@o2.pl>
To: Stephen Hemminger <shemminger@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
netdev@vger.kernel.org,
"bugme-daemon\@kernel-bugs\.osdl\.org"
<bugme-daemon@bugzilla.kernel.org>,
pterjan@gmail.com
Subject: Re: [Bugme-new] [Bug 7962] New: oops in port_carrier_check
Date: Mon, 12 Feb 2007 07:44:46 +0100 [thread overview]
Message-ID: <20070212064446.GA1651@ff.dom.local> (raw)
In-Reply-To: <20070209095204.7f43a964@oldman>
On Fri, Feb 09, 2007 at 09:52:04AM -0800, Stephen Hemminger wrote:
> On Fri, 9 Feb 2007 08:42:11 +0100
> Jarek Poplawski <jarkao2@o2.pl> wrote:
>
> > On 07-02-2007 23:09, Stephen Hemminger wrote:
> > > On Wed, 7 Feb 2007 12:52:16 -0800
> > > Andrew Morton <akpm@linux-foundation.org> wrote:
> > ...
> > >> Feb 7 21:20:18 plop kernel: BUG: unable to handle kernel paging request at
> > >> virtual address 6b6b6b6b
> > >> Feb 7 21:20:18 plop kernel: printing eip:
> > >> Feb 7 21:20:18 plop kernel: *pde = 00000000
> > >> Feb 7 21:20:18 plop kernel: Oops: 0000 [#1]
> > >> Feb 7 21:20:18 plop kernel: CPU: 0
> > >> Feb 7 21:20:19 plop kernel: EIP: 0060:[pg0+814360305/1067136000] Not
> > >> tainted VLI
> > >> Feb 7 21:20:19 plop kernel: EIP: 0060:[<f0eed6f1>] Not tainted VLI
> > >> Feb 7 21:20:19 plop kernel: EFLAGS: 00010202 (2.6.20.0.rc7-1mdv #1)
> > >> Feb 7 21:20:19 plop kernel: EIP is at port_carrier_check+0x22/0x75 [bridge]
> > >> Feb 7 21:20:19 plop kernel: eax: 6b6b6b6b ebx: 6b6b6b6b ecx: 00000000
> >
> > I think it's caused by pending delayed workqueue
> > trying to use dev after kfree (POISON_FREE in eax, ebx).
> >
> > > static void port_carrier_check(struct work_struct *work)
> > > {
> > > struct net_bridge_port *p;
> > > struct net_device *dev;
> > > struct net_bridge *br;
> > >
> > > dev = container_of(work, struct net_bridge_port,
> > > carrier_check.work)->dev;
> > > work_release(work);
> > >
> > > rtnl_lock();
> > > p = dev->br_port;
> > > if (!p)
> > > goto done;
> > > br = p->br;
> > >
> > > if (netif_carrier_ok(dev))
> > > p->path_cost = port_cost(dev);
> > >
> > > if (br->dev->flags & IFF_UP) {
> >
> > My investigation seems to point at this line (p == ebx
> > but not NULL because of mem debugging on, probably).
Sorry, I overpasted. This is the line:
--> br = p->br;
> The carrier_check is canceled by removal of port from bridge.
> Perhaps there is something broken in rcu assumptions under Qemu
If you mean this:
> static void del_nbp(struct net_bridge_port *p)
> {
> ...
> cancel_delayed_work(&p->carrier_check);
it's not sufficient. According to workqueue.h:
> /*
> * Kill off a pending schedule_delayed_work(). Note that the work callback
> * function may still be running on return from cancel_delayed_work(). Run
> * flush_scheduled_work() to wait on it.
> */
> static inline int cancel_delayed_work(struct delayed_work *work)
I can't see how rcu could help here with this pointer
to dev passed on to delayed_work (out of any rcu block).
IMHO dev_hold/dev_put (or something alike) is needed here.
Regards,
Jarek P.
next prev parent reply other threads:[~2007-02-12 6:41 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-02-07 20:52 Fw: [Bugme-new] [Bug 7962] New: oops in port_carrier_check Andrew Morton
2007-02-07 22:09 ` Stephen Hemminger
2007-02-09 7:42 ` Jarek Poplawski
2007-02-09 17:52 ` Stephen Hemminger
2007-02-09 18:50 ` Pascal Terjan
2007-02-12 6:44 ` Jarek Poplawski [this message]
2007-02-12 10:28 ` [PATCH][NET][BRIDGE] br_if: " Jarek Poplawski
2007-02-12 17:47 ` Stephen Hemminger
2007-02-13 6:26 ` Jarek Poplawski
2007-02-13 19:55 ` Stephen Hemminger
2007-02-13 20:35 ` David Miller
2007-02-14 8:07 ` Jarek Poplawski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070212064446.GA1651@ff.dom.local \
--to=jarkao2@o2.pl \
--cc=akpm@linux-foundation.org \
--cc=bugme-daemon@bugzilla.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pterjan@gmail.com \
--cc=shemminger@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.