All of lore.kernel.org
 help / color / mirror / Atom feed
From: Andy Shevchenko <andy.shevchenko@gmail.com>
To: "Krogerus, Heikki" <heikki.krogerus@linux.intel.com>
Cc: USB <linux-usb@vger.kernel.org>
Subject: DWC3 (PCI) software node double free on shutdown
Date: Tue, 1 Jun 2021 12:50:18 +0300	[thread overview]
Message-ID: <CAHp75Vd-5U5zgtDfM5C3Jsx51HVYB+rNcHYC2XP=G7dOd=cdTg@mail.gmail.com> (raw)

From time to time I see this on shutdown.
I suspect this happens due to the device core trying to remove
software nodes when it should not.


[  238.266524] ------------[ cut here ]------------
[  238.271357] kernfs: can not remove 'dwc3.0.auto.ulpi', no directory
[  238.277919] WARNING: CPU: 1 PID: 257 at fs/kernfs/dir.c:1508
kernfs_remove_by_name_ns+0x74/0x80
[  238.286970] Modules linked in: usb_f_eem u_ether libcomposite
spi_dln2 i2c_dln2 gpio_dln2 dln2 brcmfmac brcmut
il mmc_block pwm_lpss_pci pwm_lpss spi_pxa2xx_platform
snd_sof_pci_intel_tng snd_sof_pci snd_sof_acpi_intel_byt s
nd_sof_intel_ipc snd_sof_acpi snd_sof snd_sof_xtensa_dsp
extcon_intel_mrfld spi_pxa2xx_pci intel_mrfld_adc sdhci_
pci cqhci sdhci intel_mrfld_pwrbtn mmc_core intel_soc_pmic_mrfld
hci_uart btbcm btintel
[  238.325715] CPU: 1 PID: 257 Comm: init Not tainted 5.13.0-rc4+ #215
[  238.332254] Hardware name: Intel Corporation Merrifield/BODEGA BAY,
BIOS 542 2015.01.21:18.19.48
[  238.341363] RIP: 0010:kernfs_remove_by_name_ns+0x74/0x80
[  238.346922] Code: 69 a3 00 31 c0 5d 41 5c 41 5d c3 48 c7 c7 80 91
b8 b2 e8 0f 69 a3 00 b8 fe ff ff ff eb e7 48
c7 c7 f8 d5 7e b2 e8 3b f4 9c 00 <0f> 0b b8 fe ff ff ff eb d2 0f 1f 00
0f 1f 44 00 00 41 57 41 56 41
[  238.366284] RSP: 0000:ffffb2be40293cf8 EFLAGS: 00010282
[  238.371752] RAX: 0000000000000000 RBX: ffff8ca40ad78440 RCX: 00000000ffffdfff
[  238.379164] RDX: 00000000ffffdfff RSI: 00000000ffffffea RDI: 0000000000000000
[  238.386628] RBP: ffff8ca40ad76018 R08: ffffffffb2b517a8 R09: 0000000000009ffb
[  238.394061] R10: 00000000ffffe000 R11: 3fffffffffffffff R12: ffff8ca402cecb80
[  238.401480] R13: ffff8ca40ad78400 R14: 0000000000000000 R15: 0000000000000000
[  238.408894] FS:  0000000000000000(0000) GS:ffff8ca43e300000(0063)
knlGS:00000000f7f9a690
[  238.417296] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  238.423284] CR2: 0000000056a400dc CR3: 0000000002f36000 CR4: 00000000001006e0
[  238.430698] Call Trace:
[  238.433316]  software_node_notify+0x7d/0x110
[  238.437828]  device_platform_notify+0x2c/0x70
[  238.442422]  device_del+0x1a9/0x3e0
[  238.446140]  device_unregister+0x16/0x60
[  238.450279]  dwc3_ulpi_exit+0x1a/0x30
[  238.454155]  dwc3_remove+0x6a/0x140
[  238.457920]  device_shutdown+0x15d/0x1c0
[  238.462070]  __do_sys_reboot.cold+0x2f/0x5b
[  238.466495]  ? __free_one_page+0xc6/0x330
[  238.470749]  ? __lock_acquire.constprop.0+0x27d/0x550
[  238.476067]  ? find_held_lock+0x2b/0x80
[  238.480124]  ? switch_fpu_return+0x48/0xf0
[  238.484464]  do_int80_syscall_32+0x4e/0x90
[  238.488785]  entry_INT80_compat+0x85/0x8a
[  238.493008] RIP: 0023:0xf7f17d74
[  238.496422] Code: 08 89 d8 5b 5e c3 53 b8 ad de e1 fe 8b 54 24 08
b9 69 19 12 28 e8 50 d5 ff ff 81 c3 10 af 06
00 53 89 c3 b8 58 00 00 00 cd 80 <5b> 3d 00 f0 ff ff 76 0e 8b 93 b4 02
00 00 f7 d8 65 89 02 83 c8 ff
[  238.515809] RSP: 002b:00000000ff92fa64 EFLAGS: 00000286 ORIG_RAX:
0000000000000058
[  238.523763] RAX: ffffffffffffffda RBX: 00000000fee1dead RCX: 0000000028121969
[  238.531228] RDX: 0000000001234567 RSI: 000000000000000f RDI: 00000000566701a0
[  238.538642] RBP: 00000000566701a0 R08: 0000000000000000 R09: 0000000000000000
[  238.546055] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  238.553464] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  238.560952] ---[ end trace 1339144ac23765f6 ]---
[  238.566393] ------------[ cut here ]------------
[  238.571290] refcount_t: underflow; use-after-free.
[  238.576360] WARNING: CPU: 0 PID: 257 at lib/refcount.c:28
refcount_warn_saturate+0xa6/0xf0
...

-- 
With Best Regards,
Andy Shevchenko

             reply	other threads:[~2021-06-01  9:50 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-01  9:50 Andy Shevchenko [this message]
2021-06-01 10:28 ` DWC3 (PCI) software node double free on shutdown Heikki Krogerus
2021-06-01 14:57   ` Andy Shevchenko
2021-06-02 16:03     ` Andy Shevchenko
2021-06-03  7:01       ` Heikki Krogerus
2021-06-03 14:39 ` Felipe Balbi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHp75Vd-5U5zgtDfM5C3Jsx51HVYB+rNcHYC2XP=G7dOd=cdTg@mail.gmail.com' \
    --to=andy.shevchenko@gmail.com \
    --cc=heikki.krogerus@linux.intel.com \
    --cc=linux-usb@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.