Bug 101461 - Kernel panic on shutdown when using broadcom module
Summary: Kernel panic on shutdown when using broadcom module
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Bluetooth (show other bugs)
Hardware: Intel Linux
: P1 blocking
Assignee: linux-bluetooth@vger.kernel.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-13 20:17 UTC by Bill Mair
Modified: 2016-02-15 15:04 UTC (History)
5 users (show)

See Also:
Kernel Version: 4.1.0 and 4.1.2
Subsystem:
Regression: No
Bisected commit-id:

Attachments
kernel 4.1.3 log (5.16 KB, text/plain)
2015-07-27 10:58 UTC, H.J. Lu 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Bill Mair 2015-07-13 20:17:25 UTC 
I and others have had repeated kernel panics on shutdown when using the Bluetooth module from Broadcom btbcm.

See: https://bbs.archlinux.org/viewtopic.php?id=199112

With 4.0.[5-7] there are no errors.

I installed my system as per the instructions shown here, including the extraction of the required firmware from the Windows drivers: https://wiki.archlinux.org/index.php/Dell_XPS_13_%282015%29











--------------------------

Linux turbine 4.1.2-1-ARCH #1 SMP PREEMPT Fri Jul 10 17:25:57 UTC 2015 x86_64 GNU/Linux
 
Gnu C                  5.1.0
Gnu make               4.1
binutils               2.25.0
util-linux             2.26.2
mount                  debug
module-init-tools      21
e2fsprogs              1.42.12
jfsutils               1.1.15
reiserfsprogs          3.6.24
xfsprogs               3.2.2
pcmciautils            018
Linux C Library        Dynamic linker (ldd)   2.21
Linux C++ Library      6.0.21
Procps                 3.3.10
Kbd                    2.0.2
Sh-utils               8.24
Modules Loaded         hidp cmac ecb rfcomm fuse xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter bnep nls_iso8859_1 nls_cp437 vfat fat nvram msr iTCO_wdt iTCO_vendor_support dell_wmi sparse_keymap dell_laptop dcdbas joydev intel_rapl iosf_mbi uvcvideo mousedev cdc_acm videobuf2_vmalloc x86_pkg_temp_thermal videobuf2_memops btusb intel_powerclamp coretemp btbcm videobuf2_core btintel kvm_intel v4l2_common bluetooth kvm videodev media wl serio_raw pcspkr i2c_i801 cfg80211 rtsx_pci_ms memstick rfkill mei_me mei shpchp lpc_ich battery thermal wmi fan int3403_thermal snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic snd_soc_rt286 snd_hda_intel snd_soc_core snd_hda_controller dw_dmac snd_compress i2c_hid dw_dmac_core snd_hda_codec snd_pcm_dmaengine snd_soc_sst_acpi evdev gpio_lynxpoint snd_hda_core mac_hid snd_hwdep i2c_designware_platform 8250_dw tpm_crb i2c_designware_core snd_pcm tpm int3400_thermal spi_pxa2xx_platform snd_timer int3402_thermal acpi_thermal_rel snd processor_thermal_device soundcore ac int340x_thermal_zone acpi_pad processor sch_fq_codel ip_tables x_tables ext4 crc16 mbcache jbd2 hid_generic hid_multitouch algif_skcipher af_alg usbhid hid dm_crypt dm_mod sd_mod rtsx_pci_sdmmc atkbd libps2 crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ahci libahci libata xhci_pci ehci_pci scsi_mod xhci_hcd ehci_hcd rtsx_pci usbcore usb_common i8042 serio sdhci_acpi sdhci led_class mmc_core i915 button i2c_algo_bit video drm_kms_helper drm i2c_core intel_agp intel_gtt
Comment 1 Bill Mair 2015-07-15 08:30:40 UTC 
Although I have not had a chance to test this, it has been reported that the following patch fixes the problem: https://github.com/torvalds/linux/commit/b8830a4e71b15d0364ac8e6c55301eea73f211da
Comment 2 hephooey 2015-07-19 06:12:18 UTC 
I have the almost the same kernel panic message with 4.1.x, I am using a MacBook 11.3 so I do not think the dell laptop patch would help me. It has a broadcom BT chip (05ac:8289), it does not require any special patches and with 4.1.x it only works when I do NOT compile btbcm into the kernel (because btbcm_read_verbose_config always return an "Read verbose config info failed" error thus interrupt the initiation of the module). The fastest way to trigger the panic is to unload the btusb module (it is loaded automatically by udev), then run something with heavy cpu/io, for me I just start kmail and the system will halt almost immediately everytime, on the other side if I only run some vim in the console the system seems can last forever.
Comment 3 H.J. Lu 2015-07-27 10:58:41 UTC 
Created attachment 183771 [details]
kernel 4.1.3 log

After disabling btbcm, I got this kernel bug.
Comment 4 H.J. Lu 2015-07-27 11:24:29 UTC 
There are

static void hidinput_cleanup_battery(struct hid_device *dev)
{
        if (!dev->battery)
                return;

        power_supply_unregister(dev->battery);
        kfree(dev->battery->desc->name);
        kfree(dev->battery->desc);
        dev->battery = NULL;
}

Is it safe to access dev->battery->desc->name after power_supply_unregister?
Comment 5 H.J. Lu 2015-07-27 12:51:02 UTC 
Does this patch make any senses:

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 008e89b..6e7f6c2 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -462,12 +462,14 @@ out:
 
 static void hidinput_cleanup_battery(struct hid_device *dev)
 {
+	struct power_supply_desc *desc;
 	if (!dev->battery)
 		return;
 
+	desc = (struct power_supply_desc *)dev->battery->desc;
 	power_supply_unregister(dev->battery);
-	kfree(dev->battery->desc->name);
-	kfree(dev->battery->desc);
+	kfree(desc->name);
+	kfree(desc);
 	dev->battery = NULL;
 }
Note You need to log in before you can comment on or make changes to this bug.