[i2c] 2.6.19-rc3 Segmentation fault on i2c_register_driver.

Fri Oct 27 14:54:54 CEST 2006

Hi Tom:

* Tom Rathbone <tom.rathbone at gmail.com> [2006-10-27 10:20:08 +0100]:
> Hi All,
> 
> Recently upgraded from 2.6.17-rc4 to 2.6.19-rc2 and found an audio
> driver we are developing was causing segfaults whenever it was
> inserted, previously it worked just fine.
> 
> Quickly traced the problem to i2c_register_driver and created a
> minimal test case (listed below).  The crash is strange as the trace
> varies with each crash but always relates to device registration or
> kobject code called from beneath i2c_register_driver or
> i2c_detach_client.
> 
> I'm using Andrew Victor's AT91 bus driver
> (http://lists.lm-sensors.org/pipermail/i2c/2006-October/000396.html)
> on Linus' git head with only minor modifications to support my board.
> I can't see a direct connection between this driver and the crash.
> 
> Has anyone seen anything similar?  Is the test case just doing
> something wrong?  Any ideas at all would be greatly appreciated.

Yes, pretty sure there's a bug.  See below.

> Thanks,
> 
> Tom.
> 
> ~ # insmod mintest.ko
> mintest: module license 'unspecified' taintskernel.
> Unable to handle kernel paging request at virtual address 00100100
> pgd = c0cdc000
> [00100100] *pgd=20cf6031, *pte=00000000, *ppte=00000000
> Internal error: Oops: 17 [#1]
> Modules linked in: mintest(P) g_ether
> CPU: 0
> PC is at device_add+0x280/0x45c
> LR is at kobject_put+0x20/0x28
> pc : [<c0101d2c>]    lr : [<c00de7b0>]    Tainted: P
> sp : c02d1e04  ip : c0061ab4  fp : c02d1e34
> r10: 00000000  r9 : c0418c04  r8 : 00000000
> r7 : 00000000  r6 : c0c52754  r5 : c0c526ec  r4 : c0c526ec
> r3 : 00100100  r2 : 20000013  r1 : 00000000  r0 : 00000000
> Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  Segment user
> Control: C000717F
> Table: 20CDC000  DAC: 00000015
> Process insmod (pid: 37, stack limit = 0xc02d0250)
> Stack: (0xc02d1e04 to 0xc02d2000)
> 1e00:          c0c527a8 00000000 c0c526ec c0c526d8 c0c526ec c0418bc8 c0c5281c
> 1e20: c0418ca8 c0418c04 c02d1e48 c02d1e38 c0101f24 c0101abc c0c52790 c02d1e8c
> 1e40: c02d1e4c c0123890 c0101f18 c0c52790 000000d0 c0c52824 00000000 c0418bf0
> 1e60: 00000000 c0c526d8 00000000 c0418bc8 0000000e c1855498 c1855000 c02b2330
> 1e80: c02d1ea8 c02d1e90 bf007058 c01237ac c0418dd0 bf0074fc c01f0bf4 c02d1ec4
> 1ea0: c02d1eac c0123560 bf007010 c02b2314 bf0075c0 00000000 c02d1ed4 c02d1ec8
> 1ec0: bf0070dc c01234ec c02d1fa4 c02d1ed8 c0049efc bf0070d4 00000000 00000208
> 1ee0: c01ab6bc c01ab6bc 00000124 00000020 0000000e 00000000 00000000 c012379c
> 1f00: bf0073c0 00000000 0000002a 00000034 00000030 0000001c c02d0000 00000000
> 1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 1f40: 00000004 00000000 00000007 00000000 00000000 00000000 0000000d 0000000c
> 1f60: c1855a10 c029c980 c1855424 c001fdf0 c0064e70 00000000 00000000 00000003
> 1f80: 00000000 00000100 00000080 c001cd44 c02d0000 00000002 00000000 c02d1fa8
> 1fa0: c001cba0 c0048a2c 00000000 00000100 00900080 40017000 00000b40 00067050
> 1fc0: 00000003 00000000 00000100 bec1fe94 bec1ff5c 00000000 00000002 00000000
> 1fe0: bec1fdd4 bec1fdc8 0001e578 401261c0 60000010 00900080 40181250 40181258
> Backtrace:
> [<c0101aac>] (device_add+0x0/0x45c) from [<c0101f24>]
> (device_register+0x1c/0x20)
> [<c0101f08>] (device_register+0x0/0x20) from [<c0123890>]
> (i2c_attach_client+0xf4/0x214)
>  r4 = C0C52790
> [<c012379c>] (i2c_attach_client+0x0/0x214) from [<bf007058>]
> (mintest_attach_client+0x58/0x80 [mintest])
> [<bf007000>] (mintest_attach_client+0x0/0x80 [mintest]) from
> [<c0123560>] (i2c_register_driver+0x84/0xb0)
>  r6 = C01F0BF4  r5 = BF0074FC  r4 = C0418DD0
> [<c01234dc>] (i2c_register_driver+0x0/0xb0) from [<bf0070dc>]
> (mintest_i2c_init+0x18/0x44 [mintest])
>  r6 = 00000000  r5 = BF0075C0  r4 = C02B2314
> [<bf0070c4>] (mintest_i2c_init+0x0/0x44 [mintest]) from [<c0049efc>]
> (sys_init_module+0x14e0/0x15b8)
> [<c0048a1c>] (sys_init_module+0x0/0x15b8) from [<c001cba0>]
> (ret_fast_syscall+0x0/0x2c)
> Code: e5953128 e1a08007 e3530000 0a000015 (e5933000)
>  Segmentation fault
> ~ #
> 
> mintest.c
> ------------
> /* GPL */
> #include <linux/init.h>
> #include <linux/i2c.h>
> 
> #define I2C_CLIENT_ADDR		0x4d
> #define MAX_REGISTER 	0xa
> 
> static int registered = 0;
> static struct	i2c_driver mintest_driver;
> 
> static int mintest_attach_client(struct i2c_adapter *adapter)
> {
> 	int rc = 0;
> 	struct i2c_client *new_client;
> 	const char *client_name = "Mintest Client";
> 
> 	new_client = kmalloc(sizeof(struct i2c_client), GFP_KERNEL);

That should be kzalloc instead of kmalloc, because struct i2c_client contains
a struct device that has to be zeroed prior to use.

If that doesn't fix it, let me know and I'll look closer.

> 	if (!new_client) {
> 		rc = -ENOMEM;
> 		goto bail;
> 	}
> 	
> 	new_client->addr = I2C_CLIENT_ADDR;
> 	new_client->adapter = adapter;
> 	new_client->driver = &mintest_driver;
> 	new_client->flags = 0;
> 	strcpy(new_client->name, client_name);
> 	
> /* crash here */
> 	if (i2c_attach_client(new_client)) {
> 		rc = -ENODEV;
> 		goto bail;
> 	}
> 
> 	return 0;	
> bail:
> 	kfree(new_client);
> 	return rc;
> }
> 
> static int mintest_detach_client(struct i2c_client *client)
> {
> /* or crash here */
> 	return i2c_detach_client(client);
> }
> 
> static struct i2c_driver mintest_driver = {
> 	.driver= {
> 		.name =	"Minimal I2C Test",
> 	},
> 	.attach_adapter = &mintest_attach_client,
> 	.detach_client	= &mintest_detach_client,
> };
> 
> 
> static void mintest_i2c_cleanup(void)
> {
> 	if(registered)
> 		i2c_del_driver(&mintest_driver);
> }
> 
> static int mintest_i2c_init(void)
> {
> 	if (i2c_add_driver(&mintest_driver)) {
> 		mintest_i2c_cleanup();
> 		return -ENODEV;
> 	}
> 	registered = 1;
> 	
> 	return 0;
> }
> 
> module_init(mintest_i2c_init)
> module_exit(mintest_i2c_cleanup)
> 

Regards,

-- 
Mark M. Hoffman
mhoffman at lightlink.com