Related to bug 14564. On a DM&P ebox2300sx, 300Mhz Vortex86 cpu, I have a vanilla 2.6.31.5 kernel with a pac207 webcam. I run capture-example from the v4l-dvb sample applications and then remove the webcam while it is capturing. [root@X-Linux]:~ # capture-example ....................................usb 4-2: USB disconnect, address 3 pac207: Failed to write a register (index 0x001C, value 0x01, error -19) BUG: unable to handle kernel paging request at a7a7a7c3 IP: [<c11c5cef>] td_free+0x23/0x75 *pde = 00000000 Oops: 0000 [#1] DEBUG_PAGEALLOC last sysfs file: Modules linked in: gspca_pac207 gspca_main videodev v4l1_compat Pid: 160, comm: khubd Not tainted (2.6.31.5 #2) EIP: 0060:[<c11c5cef>] EFLAGS: 00000083 CPU: 0 EIP is at td_free+0x23/0x75 EAX: a7a7a7a7 EBX: c6b35bf0 ECX: c6b35ce4 EDX: a7a7a7c3 ESI: c6b7f800 EDI: c6b35cd4 EBP: c799de78 ESP: c799de6c DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 Process khubd (pid: 160, ti=c799c000 task=c78dd338 task.ti=c799c000) Stack: c6b35bf0 000003e8 c6b35cd4 c799dea4 c11c8175 c6b96ea0 c6b35bf0 00000000 <0> c11b518a 00000286 c6b7e000 c6b35bf0 c6b96ea0 c14062e5 c799deb4 c11b4428 <0> c6b32bf0 c6b96ea0 c799dec8 c11b5b3f 014234b3 00000006 00000000 c799deec Call Trace: [<c11c8175>] ? ohci_endpoint_disable+0x113/0x192 [<c11b518a>] ? usb_free_urb+0x11/0x13 [<c11b4428>] ? usb_hcd_disable_endpoint+0x2e/0x32 [<c11b5b3f>] ? usb_disable_endpoint+0x6d/0x72 [<c11b5bad>] ? usb_disable_device+0x69/0x13a [<c1017619>] ? printk+0x15/0x17 [<c11b12a8>] ? usb_disconnect+0xa1/0xf7 [<c11b18bf>] ? hub_thread+0x484/0xcec [<c12e23cd>] ? schedule+0x3b0/0x3d5 [<c1026151>] ? autoremove_wake_function+0x0/0x33 [<c11b143b>] ? hub_thread+0x0/0xcec [<c10260aa>] ? kthread+0x6b/0x71 [<c102603f>] ? kthread+0x0/0x71 [<c1002f97>] ? kernel_thread_helper+0x7/0x10 Code: e5 e8 bf 7b e9 ff 5d c3 55 89 e5 57 89 c7 56 89 d6 53 8b 42 28 89 c2 c1 ea 06 31 d0 83 e0 3f 8d 94 87 cc 00 00 00 eb 03 8d 50 1c <8b> 02 85 c0 74 0b 39 EIP: [<c11c5cef>] td_free+0x23/0x75 SS:ESP 0068:c799de6c CR2: 00000000a7a7a7c3 ---[ end trace 314e56b8ff991482 ]--- .BUG: spinlock lockup on CPU#0, swapper/0, c6b35cd4 Pid: 0, comm: swapper Tainted: G D 2.6.31.5 #2 Call Trace: [<c111e85c>] _raw_spin_lock+0xad/0xc9 [<c12e4210>] _spin_lock_irqsave+0x46/0x5a [<c11c991e>] ohci_hub_status_data+0x1d/0x1d8 [<c11b3779>] usb_hcd_poll_rh_status+0x49/0x148 [<c11b3880>] rh_timer_func+0x8/0xa [<c101dcbe>] run_timer_softirq+0x154/0x1c3 [<c101dc59>] ? run_timer_softirq+0xef/0x1c3 [<c11b3878>] ? rh_timer_func+0x0/0xa [<c101a7d9>] __do_softirq+0x9f/0x14d [<c101a8b1>] do_softirq+0x2a/0x42 [<c101ab94>] irq_exit+0x33/0x35 [<c1004086>] do_IRQ+0x5b/0x71 [<c1002e6e>] common_interrupt+0x2e/0x40 [<c10018f8>] ? cpu_idle+0x1b/0x35 [<c1006d03>] ? default_idle+0x59/0x9c [<c12e007b>] ? sdhci_pci_probe+0x410/0x42c [<c1006d05>] ? default_idle+0x5b/0x9c [<c10018fe>] cpu_idle+0x21/0x35 [<c12d3c31>] rest_init+0x4d/0x4f [<c15ed72e>] start_kernel+0x2a6/0x2ad [<c15ed068>] i386_start_kernel+0x68/0x6d
Created attachment 23708 [details] kernel config
This patch works around the bug. --- ohci-mem.c.orig 2009-12-16 22:57:49.000000000 +0000 +++ ohci-mem.c 2009-12-16 22:49:37.000000000 +0000 @@ -103,8 +103,13 @@ { struct td **prev = &hc->td_hash [TD_HASH_FUNC (td->td_dma)]; - while (*prev && *prev != td) + while (*prev && *prev != td) { + if ((unsigned long) *prev == 0xa7a7a7a7) { + ohci_info(hc, "poisoned hash at %p\n", prev); + return; + } prev = &(*prev)->td_hash; + } if (*prev) *prev = td->td_hash; else if ((td->hwINFO & cpu_to_hc32(hc, TD_DONE)) != 0)
See bug 14564 for final working patch. Hardware error.