[Bug 1067548] Re: Restarting hangs

Marius B. Kotsbak 1067548 at bugs.launchpad.net
Wed Jan 23 21:12:37 UTC 2013 

I've now gone through reverse bisecting between mainline stable kernels
3.7.1 and 3.7.2, and the commit that seems to solve this issue is:

235db1e98f49a39427b87b491388cf645406e5fc is the first bad commit
commit 235db1e98f49a39427b87b491388cf645406e5fc
Author: Chuansheng Liu <chuansheng.liu at intel.com>
Date: Sat Nov 10 01:27:22 2012 +0800

firmware loader: Fix the concurrent request_firmware() race for
kref_get/put

commit bd9eb7fbe69111ea0ff1f999ef4a5f26d223d1d5 upstream.

There is one race that both request_firmware() with the same
firmware name.

The race scenerio is as below:
CPU1 CPU2
request_firmware() -->
_request_firmware_load() return err another request_firmware() is coming -->
_request_firmware_cleanup is called --> _request_firmware_prepare -->
release_firmware ---> fw_lookup_and_allocate_buf -->
spin_lock(&fwc->lock)
... __fw_lookup_buf() return true
fw_free_buf() will be called --> ...
kref_put -->
decrease the refcount to 0
kref_get(&tmp->ref) ==> it will trigger warning
due to refcount == 0
__fw_free_buf() -->
... spin_unlock(&fwc->lock)
spin_lock(&fwc->lock)
list_del(&buf->list)
spin_unlock(&fwc->lock)
kfree(buf)
After that, the freed buf will be used.

The key race is decreasing refcount to 0 and list_del is not protected together by
fwc->lock, and it is possible another thread try to get it between refcount==0
and list_del.

Fix it here to protect it together.

Acked-by: Ming Lei <ming.lei at canonical.com>
Signed-off-by: liu chuansheng <chuansheng.liu at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/1067548

Title:
  Restarting hangs

Status in The Linux Kernel:
  Fix Released
Status in “linux” package in Ubuntu:
  Confirmed
Status in “upstart” package in Ubuntu:
  Invalid

Bug description:
  Usually when I restart my laptop, it hangs with black screen. Shutdown
  works fine.

  After testing it is clear that the bug was introduced between Oneiric
  and Precise.

  This is reproducible in Quantal with the kernel package from Oneiric
  linux-image-generic (3.0.0.29.33).

  ProblemType: Bug
  DistroRelease: Ubuntu 12.10
  Package: upstart 1.5-0ubuntu9
  Uname: Linux 3.7.0-030700rc1-generic i686
  ApportVersion: 2.6.1-0ubuntu3
  Architecture: i386
  Date: Wed Oct 17 01:16:06 2012
  EcryptfsInUse: Yes
  SourcePackage: upstart
  UpgradeStatus: Upgraded to quantal on 2012-08-31 (46 days ago)
  ---
  ApportVersion: 2.6.1-0ubuntu3
  Architecture: i386
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  marius     6338 F.... pulseaudio
  CRDA:
   country NO:
    (2402 - 2482 @ 40), (N/A, 20)
    (5170 - 5250 @ 40), (N/A, 20)
    (5250 - 5330 @ 40), (N/A, 20), DFS
    (5490 - 5710 @ 40), (N/A, 27), DFS
  DistroRelease: Ubuntu 12.10
  EcryptfsInUse: Yes
  HibernationDevice: RESUME=UUID=49e028f9-7435-4850-8244-8523020782de
  MachineType: GIGABYTE T1005
  Package: upstart 1.5-0ubuntu9
  PackageArchitecture: i386
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.5.0-17-generic root=UUID=f1d0446d-3ea3-46a7-9842-8773acca78e6 ro crashkernel=384M-2G:64M,2G-:128M quiet
  ProcVersionSignature: Ubuntu 3.5.0-17.28-generic 3.5.5
  RelatedPackageVersions:
   linux-restricted-modules-3.5.0-17-generic N/A
   linux-backports-modules-3.5.0-17-generic  N/A
   linux-firmware                            1.95
  RfKill:
   0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
  Tags:  quantal running-unity quantal running-unity
  Uname: Linux 3.5.0-17-generic i686
  UpgradeStatus: Upgraded to quantal on 2012-08-31 (47 days ago)
  UserGroups: adm cdrom dialout dip lpadmin plugdev sambashare sudo
  dmi.bios.date: 08/30/2010
  dmi.bios.vendor: GIGABYTE
  dmi.bios.version: GSBF05
  dmi.board.asset.tag: Base Board Asset Tag
  dmi.board.name: T1005
  dmi.board.vendor: GIGABYTE
  dmi.board.version: Base Board Version
  dmi.chassis.asset.tag: Chassis Asset Tag
  dmi.chassis.type: 1
  dmi.chassis.vendor: Chassis Manufacturer
  dmi.chassis.version: Chassis Version
  dmi.modalias: dmi:bvnGIGABYTE:bvrGSBF05:bd08/30/2010:svnGIGABYTE:pnT1005:pvrGSBF05:rvnGIGABYTE:rnT1005:rvrBaseBoardVersion:cvnChassisManufacturer:ct1:cvrChassisVersion:
  dmi.product.name: T1005
  dmi.product.version: GSBF05
  dmi.sys.vendor: GIGABYTE

To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/1067548/+subscriptions

More information about the foundations-bugs mailing list