Bug 14185

Summary: Oops in drivers\base\firmware_class
Product: Drivers
Reporter: lars
Component: Other
Assignee: drivers_other
Status: CLOSED DUPLICATE
Severity: blocking
CC: rjw
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.31
Subsystem:
Regression: Yes
Bisected commit-id:
Bug Depends on:
Bug Blocks: 13615
Attachments:
- Vanilla_Opps.txt
- BUG_ON_firmware_class.c.patch
- BUG_ON_Oops.txt
- Proposed fix: mutex accesses to fw_priv->fw

Description lars 2009-09-17 05:09:04 UTC
Hi,

I have discovered an Oops in the firmware_loading_store function.
At first it looks like a timing issue, but after adding a BUG_ON test
it fails every time.

drivers\base\firmware_class:
------------------------------
 541 01c0 F6463401 	testb $1,52(%esi)
 542 01c4 0F843FFF 	je .L38
 542      FFFF
 543              	.loc 1 174 0
 544 01ca 8B4630   	movl 48(%esi),%eax
 545 01cd 8B4004   	movl 4(%eax),%eax	<---- Oops
 546 01d0 E8FCFFFF 	call vfree
 546      FF

The code that fails was introduced in commit
6e03a201bbe8137487f340d26aa662110e324b20 

Attached you will find:
- Oops with the vanilla 2.6.31
- The BUG_ON patch
- Oops with the patched 2.6.31

/Lars
Comment 1 lars 2009-09-17 09:28:43 UTC
Created attachment 23111
Vanilla_Opps.txt
Comment 2 lars 2009-09-17 09:29:45 UTC
Created attachment 23112
BUG_ON_firmware_class.c.patch
Comment 3 lars 2009-09-17 09:30:43 UTC
Created attachment 23113
BUG_ON_Oops.txt
Comment 4 Rafael J. Wysocki 2009-09-30 20:51:07 UTC
First-Bad-Commit : 6e03a201bbe8137487f340d26aa662110e324b20
Notify-Also : David Woodhouse <dwmw2@infradead.org>
Comment 5 Rafael J. Wysocki 2009-10-02 16:52:40 UTC
Notify-Also : Frederik Deweerdt <frederik.deweerdt@xprog.eu>
Comment 6 Frederik Deweerdt 2009-10-02 21:18:12 UTC
Created attachment 23237
Proposed fix: mutex accesses to fw_priv->fw

The patch to be found on the above URL should fix the race between _request_firmware and firmware_loading_store by protecting the accesses to fw_priv->fw.
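
As an added illustration of the race this comment describes, here is a constructed user-space model (not the kernel's code and not the attached patch): field names follow the report, a pthread mutex stands in for the lock the fix adds, and the unguarded handler has the check-then-free shape of the listing in the description while the guarded one re-tests fw_priv->fw under the lock.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
/* Constructed model, not kernel code: layout follows the report's listing
 * (fw is a field of fw_priv; data follows size in struct firmware). */
struct firmware { size_t size; void *data; };
struct firmware_priv {
    unsigned long status;  /* bit tested by "testb $1,52(%esi)" */
    struct firmware *fw;   /* cleared by the request side when done */
    pthread_mutex_t lock;  /* assumed: the mutex the proposed fix adds */
};
#define FW_STATUS_DONE 1UL
void model_init(struct firmware_priv *p, struct firmware *fw) {
    p->status = FW_STATUS_DONE;
    p->fw = fw;
    pthread_mutex_init(&p->lock, NULL);
}

/* Request side finishing: fw_priv->fw goes away; a later write to the
 * "loading" attribute must not follow that pointer. */
void model_request_firmware_done(struct firmware_priv *p) {
    pthread_mutex_lock(&p->lock);
    p->fw = NULL;
    pthread_mutex_unlock(&p->lock);
}

/* Vulnerable shape from the listing: test the status bit, load fw->data,
 * free it. With fw == NULL this is the Oops at "movl 4(%eax),%eax". */
int loading_store_unguarded(struct firmware_priv *p) {
    if (p->status & FW_STATUS_DONE) {
        free(p->fw->data);         /* NULL dereference once fw is gone */
        p->fw->data = NULL;
    }
    return 0;
}

/* Hardened: hold the lock across the whole check-then-free and test fw
 * under it, so a concurrent release is reported as -ENODEV instead. */
int loading_store_guarded(struct firmware_priv *p) {
    int ret = 0;
    pthread_mutex_lock(&p->lock);
    if (!p->fw) ret = -ENODEV;
    else if (p->status & FW_STATUS_DONE) {
        free(p->fw->data);
        p->fw->data = NULL;
    }
    pthread_mutex_unlock(&p->lock);
    return ret;
}
```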
Comment 7 Rafael J. Wysocki 2009-10-12 21:43:21 UTC

*** This bug has been marked as a duplicate of bug 14253 ***