Bug 679484

Summary: kernel oops/crash when unplugging USB audio device
Product: [openSUSE] openSUSE 11.4 Reporter: Jon Nelson <jnelson-suse>
Component: KernelAssignee: Takashi Iwai <tiwai>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Critical    
Priority: P5 - None CC: jeffm, tiwai
Version: Final   
Target Milestone: ---   
Hardware: x86-64   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jon Nelson 2011-03-14 17:59:02 UTC 
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:2.0b12) Gecko/20110222 Firefox/4.0b12

I can reliably cause my kernel to crash and burn (nothing but the "capslock key flashing -- magic sysrq doesn't even work) by unplugging one of my USB audio headsets. Hit ratio is at least 1 in 3.

The kernel as of this writing is: 2.6.37.1-1.2-desktop

After a bit of help, I got kdump working and here is the output from using 'crash' on the kernel dump:


crash> bt
PID: 3430   TASK: ffff88011fd54380  CPU: 1   COMMAND: "udevd"
 #0 [ffff8800bfd03a90] machine_kexec at ffffffff81026ebf
 #1 [ffff8800bfd03ad0] crash_kexec at ffffffff810a2e8a
 #2 [ffff8800bfd03ba0] oops_end at ffffffff81525448
 #3 [ffff8800bfd03bc0] do_page_fault at ffffffff81527675
 #4 [ffff8800bfd03cc0] page_fault at ffffffff815247cf
    [exception RIP: snd_complete_urb+115]
    RIP: ffffffffa0926ff3  RSP: ffff8800bfd03d78  RFLAGS: 00010002
    RAX: 0000000000000200  RBX: 0000000000000000  RCX: 0000000000000002
    RDX: ffff88010c94b1c0  RSI: ffff88010c94b1c0  RDI: ffff88010c94b1c0
    RBP: ffff88011147c2a8   R8: 0000000000000000   R9: 0000000000000001
    R10: 0000000000000000  R11: 000000000b5e4000  R12: ffff88011147c3e8
    R13: 0000000000000000  R14: ffff88010c94b1c0  R15: ffff88013088e230
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #5 [ffff8800bfd03d70] unmap_urb_for_dma at ffffffff813854a3
 #6 [ffff8800bfd03da0] usb_hcd_giveback_urb at ffffffff8138566d
 #7 [ffff8800bfd03dc0] uhci_giveback_urb at ffffffff813a60c6
 #8 [ffff8800bfd03e30] uhci_scan_qh at ffffffff813a632a
 #9 [ffff8800bfd03e60] uhci_scan_schedule at ffffffff813a6833
#10 [ffff8800bfd03e90] uhci_irq at ffffffff813a8ea5
#11 [ffff8800bfd03ec0] usb_hcd_irq at ffffffff81384e2c
#12 [ffff8800bfd03ee0] handle_IRQ_event at ffffffff810c96eb
#13 [ffff8800bfd03f40] handle_fasteoi_irq at ffffffff810cc319
#14 [ffff8800bfd03f70] handle_irq at ffffffff810058b5
#15 [ffff8800bfd03f80] do_IRQ at ffffffff810054fe
--- <IRQ stack> ---
#16 [ffff880106bf3c98] ret_from_intr at ffffffff81524593
    [exception RIP: _atomic_dec_and_lock]
    RIP: ffffffff8125f8b0  RSP: ffff880106bf3d40  RFLAGS: 00000286
    RAX: 00000000000000f1  RBX: ffff880137802800  RCX: 0000000000000000
    RDX: ffff8801309af788  RSI: ffffffff81a02280  RDI: ffff880137802800
    RBP: ffffffff8152458e   R8: 0000000000629400   R9: 0000000000000000
    R10: 2e313a313a302d62  R11: 0000000000000206  R12: ffffffff811684a3
    R13: 0000000000000000  R14: 0000000000000001  R15: 0000000000000003
    ORIG_RAX: ffffffffffffffb6  CS: 0010  SS: 0018
#17 [ffff880106bf3d40] dput at ffffffff81166c7e
#18 [ffff880106bf3d60] link_path_walk at ffffffff8115efed
#19 [ffff880106bf3e00] path_walk at ffffffff8115f7ea
#20 [ffff880106bf3e40] do_path_lookup at ffffffff8115f97b
#21 [ffff880106bf3e70] user_path_parent at ffffffff8115fa65
#22 [ffff880106bf3eb0] do_unlinkat at ffffffff8115fae7
#23 [ffff880106bf3f80] system_call_fastpath at ffffffff81002f8b
    RIP: 00007fa7b200faf7  RSP: 00007fff2f5970a0  RFLAGS: 00010246
    RAX: 0000000000000057  RBX: ffffffff81002f8b  RCX: 00007fff2f59b0fa
    RDX: 0000000000000000  RSI: 0000000000629407  RDI: 00007fff2f59f100
    RBP: 00000000006298f0   R8: 0000000000629400   R9: 0000000000000000
    R10: 2e313a313a302d62  R11: 0000000000000206  R12: 0000000000621010
    R13: 0000000000629400  R14: 00000000006274a0  R15: 000000000000020d
    ORIG_RAX: 0000000000000057  CS: 0033  SS: 002b
crash> 


Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Comment 1 Greg Kroah-Hartman 2011-03-14 19:44:39 UTC 
This one is probably best handled by Takashi as he knows this driver best.
Comment 2 Takashi Iwai 2011-03-14 20:40:22 UTC 
Hrm, this type of Oops is new to me.  We've had a race in the disconnection handling, but it should have been fixed...  Or, maybe not included in the release kernel yet?

Please try the kernel package in OBS Kernel:openSUSE-11.4 repo,
    http://download.opensuse.org/repositories/Kernel:/openSUSE-11.4/openSUSE_11.4/
Comment 3 Jon Nelson 2011-03-14 22:46:38 UTC 
2.6.37.3 appears to resolve the issue.
I'm just going to take a wild guess and say this changelog entry is relevant:

* Tue Mar 08 2011 jslaby@suse.cz
- Update to 2.6.37.3:
  - obsoletes:
  - patches.drivers/alsa-usb-audio-fix-oops-due-to-cleanup-race-when-disconnect.
Comment 4 Takashi Iwai 2011-03-15 11:00:53 UTC 
Thanks for testing.  Then I guess this was a bug fixed recently, but slipped from the last 11.4 kernel.  Yes, it's the patch mentioned in comment 3.

Let's close now.  Please reopen if you encounter a problem even with the update kernel.