669239 – BUG: unable to handle kernel paging request in akmod-omnibook and kmod-omnibook

Bug 669239 - BUG: unable to handle kernel paging request in akmod-omnibook and kmod-omnibook

Summary: BUG: unable to handle kernel paging request in akmod-omnibook and kmod-omnibook

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	14
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Kernel Maintainer List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-01-13 00:12 UTC by Ryan Martin
Modified:	2011-01-15 03:08 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-01-15 03:08:41 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Patch that fixes this module on x86_64 by padding struct omnibook_feature to 128 bytes. Also includes some cleanup of declarations and extra dprintks for debugging above issue (3.25 KB, patch) 2011-01-13 00:12 UTC, Ryan Martin	no flags	Details \| Diff
Improved warnings cleanup patch for akmod-omnibook (2.34 KB, patch) 2011-01-13 00:14 UTC, Ryan Martin	no flags	Details \| Diff
Improved fix that pads to 64 bytes on 32-bit arch and 128 bytes on 64-bit arch. (3.25 KB, patch) 2011-01-13 22:37 UTC, Ryan Martin	no flags	Details \| Diff
Show Obsolete (1) View All

Description Ryan Martin 2011-01-13 00:12:46 UTC

Created attachment 473162 [details]
Patch that fixes this module on x86_64 by padding struct omnibook_feature to 128 bytes. Also includes some cleanup of declarations and extra dprintks for debugging above issue

Description of problem:
Package:    	kernel
Latest Crash:	Mon 10 Jan 2011 11:14:04 AM 
Command:    	not_applicable
Reason:     	BUG: unable to handle kernel paging request at 000000000000b800
Comment:    	This has apparently been an issue with the omnibook module since kernel 2.6.33. Without this module, I'm unable to use laptop-specific keys and functions, or to get suspend/hibernate to work. What's worse is that without this module the fan speed control is broken, and so my laptop can easily overheat and shut down under high CPU loads.
Bug Reports:	Kernel oops report was uploaded

Version-Release number of selected component (if applicable):
kmod-omnibook-2.6.35.10-74.fc14.x86_64.x86_64 and akmod-omnibook

How reproducible:
# modprobe omnibook

Steps to Reproduce:
1. Install akmod- or kmod-omnibook
2. Attempt to load it via modprobe
3. Module crashes during init, generates kernel oops
  
Actual results:
Crashed module, cannot be removed via modprobe -r

Expected results:
Omnibook laptop functionality enabled

Additional info:
 I've tracked this to an alignment issue in the initialization code. This
 module uses a section(.features) directive to register all of its features
 into a portion of the .data section, and then defines a start and end
 pointer via sections.lds which it pulls back into init.c. It then iterates
 over &_start_features_driver[i] to test all of the defined features, one at
 a time.
 
 The failed paging request appears to be happening because of unexpected
 linker behavior, possibly only on x86_64, and possibly due to a change in
 GNU ld or gcc since 2007. I used objdump -t on omnibook.ko, and found that
 while the sizeof(omnibook_feature) was 104, the alignment was sometimes 104
 and sometimes 108. This caused the array math in the feature loop to
 misaddress the struct omnibook_feature found in the .feature section,
 eventually leading to invalid calls and the above crash.
 
 Now, I'm not a kernel hacker, and I haven't done any C programming since
 college. I fixed this on my Toshiba Satellite L355D-S7901 running kernel
 2.6.35 on arch x86_64 by padding struct omnibook_feature to 128 bytes, via
 a char pad[24] at the end of the struct. Perhaps someone who is a more
 skilled C programmer or kernel hacker can think of a better way to make
 this work, and to guarantee that it works on both 32 and 64 bit
 architectures.

Comment 1 Ryan Martin 2011-01-13 00:14:06 UTC

Created attachment 473163 [details]
Improved warnings cleanup patch for akmod-omnibook

Some extra warnings cleanup to get a warning-free build process.

Comment 2 Ryan Martin 2011-01-13 00:33:16 UTC

Crash trace before my patch:

Jan 10 11:12:48 sigma359 kernel: [  203.054867] omnibook: Driver version 2.20090707-trunk.
Jan 10 11:12:48 sigma359 kernel: [  203.054894] omnibook: Unknown model.
Jan 10 11:12:48 sigma359 kernel: [  203.054983] omnibook: Begin table match of (null) feature.
Jan 10 11:12:48 sigma359 kernel: [  203.054997] BUG: unable to handle kernel paging request at 000000000000b800
Jan 10 11:12:48 sigma359 kernel: [  203.055002] IP: [<ffffffffa05e61fe>] omnibook_probe+0x1b4/0x3fd [omnibook]
Jan 10 11:12:48 sigma359 kernel: [  203.055011] PGD 8f12f067 PUD 7b0b5067 PMD 0 
Jan 10 11:12:48 sigma359 kernel: [  203.055011] Oops: 0000 [#1] SMP 
Jan 10 11:12:48 sigma359 kernel: [  203.055011] last sysfs file: /sys/devices/pci0000:00/0000:00:18.3/temp1_input
Jan 10 11:12:48 sigma359 kernel: [  203.055011] CPU 0 
Jan 10 11:12:48 sigma359 kernel: [  203.055011] Modules linked in: omnibook(+) nls_utf8 fuse rfcomm sco bnep l2cap sunrpc cpufreq_ondemand powernow_k8 freq_table mperf ip6t_REJECT nf_conntrack_ipv6 ip6table_filter ip6_tables ipv6 uinput snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep arc4 snd_seq snd_seq_device ecb snd_pcm microcode ath5k mac80211 uvcvideo ath snd_timer videodev cfg80211 btusb snd bluetooth v4l1_compat r8169 edac_core k10temp v4l2_compat_ioctl32 soundcore rfkill shpchp i2c_piix4 joydev snd_page_alloc edac_mce_amd mii ata_generic pata_acpi video output pata_atiixp radeon ttm drm_kms_helper usb_storage drm i2c_algo_bit i2c_core [last unloaded: scsi_wait_scan]
Jan 10 11:12:48 sigma359 kernel: [  203.055011] 
Jan 10 11:12:48 sigma359 kernel: [  203.055011] Pid: 2643, comm: modprobe Not tainted 2.6.35.10-74.fc14.x86_64 #1 Portable PC/Satellite L355D
Jan 10 11:12:48 sigma359 kernel: [  203.055011] RIP: 0010:[<ffffffffa05e61fe>]  [<ffffffffa05e61fe>] omnibook_probe+0x1b4/0x3fd [omnibook]
Jan 10 11:12:48 sigma359 kernel: [  203.055011] RSP: 0018:ffff88007b1afd18  EFLAGS: 00010246
Jan 10 11:12:48 sigma359 kernel: [  203.055011] RAX: 0000000000000044 RBX: 0000000000000003 RCX: 00000000000012a8
Jan 10 11:12:48 sigma359 kernel: [  203.055011] RDX: 000000000000b800 RSI: 0000000000000096 RDI: 0000000000000246
Jan 10 11:12:48 sigma359 kernel: [  203.055011] RBP: ffff88007b1afd58 R08: 0000000000000002 R09: 00000000fffffffe
Jan 10 11:12:48 sigma359 kernel: [  203.055011] R10: ffff8800fb1afc37 R11: 0000000000000000 R12: 3b13b13b13b13b28
Jan 10 11:12:48 sigma359 kernel: [  203.055011] R13: 0000000000000003 R14: 0000000000000000 R15: 000000000000b800
Jan 10 11:12:48 sigma359 kernel: [  203.055011] FS:  00007fa5bdb3f720(0000) GS:ffff880002000000(0000) knlGS:0000000000000000
Jan 10 11:12:48 sigma359 kernel: [  203.055011] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Jan 10 11:12:48 sigma359 kernel: [  203.055011] CR2: 000000000000b800 CR3: 000000007b046000 CR4: 00000000000006f0
Jan 10 11:12:48 sigma359 kernel: [  203.055011] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jan 10 11:12:48 sigma359 kernel: [  203.055011] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jan 10 11:12:48 sigma359 kernel: [  203.055011] Process modprobe (pid: 2643, threadinfo ffff88007b1ae000, task ffff88007b150000)
Jan 10 11:12:48 sigma359 kernel: [  203.055011] Stack:
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  0000000000000000 0000000000f46410 ffff88007b1afd38 ffff880073090c10
Jan 10 11:12:48 sigma359 kernel: [  203.055011] <0> ffffffffa05df478 00000000ffffffed 0000000000000000 0000000000f46410
Jan 10 11:12:48 sigma359 kernel: [  203.055011] <0> ffff88007b1afd68 ffffffff812d921e ffff88007b1afd98 ffffffff812d8133
Jan 10 11:12:48 sigma359 kernel: [  203.055011] Call Trace:
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff812d921e>] platform_drv_probe+0x17/0x19
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff812d8133>] driver_probe_device+0x14b/0x271
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff812d8314>] __device_attach+0x3a/0x3f
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff812d82da>] ? __device_attach+0x0/0x3f
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff812d6d1a>] bus_for_each_drv+0x56/0x8d
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff812d7ee8>] device_attach+0x71/0x94
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff812d76f2>] bus_probe_device+0x27/0x3e
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff812d521f>] device_add+0x3d9/0x590
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff812d9a52>] platform_device_add+0x155/0x1ad
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffffa05e6479>] ? omnibook_module_init+0x0/0x116 [omnibook]
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffffa05e6479>] ? omnibook_module_init+0x0/0x116 [omnibook]
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffffa05e656b>] omnibook_module_init+0xf2/0x116 [omnibook]
an 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff810021a1>] do_one_initcall+0x5e/0x155
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff8107cc7d>] sys_init_module+0xa6/0x1e4
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  [<ffffffff81009cf2>] system_call_fastpath+0x16/0x1b
Jan 10 11:12:48 sigma359 kernel: [  203.055011] Code: 44 89 f2 48 c7 c6 09 bc 5d a0 48 c7 c7 6b bc 5d a0 e8 c3 1c e8 e0 4d 85 ff 75 3b eb 14 41 ff c6 49 63 d6 48 6b d2 30 49 8d 14 17 <8b> 02 85 c0 75 84 48 6b db 68 48 c7 c6 09 bc 5d a0 48 c7 c7 90 
Jan 10 11:12:48 sigma359 kernel: [  203.055011] RIP  [<ffffffffa05e61fe>] omnibook_probe+0x1b4/0x3fd [omnibook]
Jan 10 11:12:48 sigma359 kernel: [  203.055011]  RSP <ffff88007b1afd18>
Jan 10 11:12:48 sigma359 kernel: [  203.055011] CR2: 000000000000b800
Jan 10 11:12:48 sigma359 kernel: [  203.055306] ---[ end trace 12837216501a4709 ]---

Comment 3 Ryan Martin 2011-01-13 00:38:31 UTC

Objdump -t showing the inconsistent alignment produced when unpatched using
gcc version 4.5.1 20100924 (Red Hat 4.5.1-4) (GCC) 
GNU ld version 2.20.51.0.7-6.fc14 20100318

$ objdump -t omnibook.ko | fgrep driver
00000000000009e8 l     O .data  0000000000000068 battery_driver
0000000000000a50 l     O .data  0000000000000068 blank_driver
0000000000000ac0 l     O .data  0000000000000068 bt_driver
0000000000000b90 l     O .data  0000000000000068 display_driver
0000000000000c00 l     O .data  0000000000000068 dock_driver
0000000000000c68 l     O .data  0000000000000068 dump_driver
0000000000000cd0 l     O .data  0000000000000068 fan_driver
0000000000000d38 l     O .data  0000000000000068 fan_policy_driver
0000000000000da0 l     O .data  0000000000000068 hotkeys_driver
0000000000000e08 l     O .data  0000000000000068 dmi_driver
0000000000000e70 l     O .data  0000000000000068 version_driver
0000000000000ed8 l     O .data  0000000000000068 lcd_driver
0000000000000f40 l     O .data  0000000000000068 muteled_driver
0000000000000fb0 l     O .data  0000000000000068 key_polling_driver
0000000000001018 l     O .data  0000000000000068 temperature_driver
0000000000001080 l     O .data  0000000000000068 touchpad_driver
00000000000010f0 l     O .data  0000000000000068 wifi_driver

00000000000011c0 g       .data  0000000000000000 _end_features_driver
0000000000000980 g       .data  0000000000000000 _start_features_driver

Comment 4 Ryan Martin 2011-01-13 00:40:53 UTC

Objdump -t showing consistent alignment after patch padding struct omnibook_feature to 128 bytes, same compiler/linker version and arch (x86_64) as above

$ objdump -t omnibook.ko | fgrep driver
0000000000000980 l     O .data  0000000000000080 ac_driver
0000000000000a00 l     O .data  0000000000000080 battery_driver
0000000000000a80 l     O .data  0000000000000080 blank_driver
0000000000000b00 l     O .data  0000000000000080 bt_driver
0000000000000b80 l     O .data  0000000000000080 cooling_driver
0000000000000c00 l     O .data  0000000000000080 display_driver
0000000000000c80 l     O .data  0000000000000080 dock_driver
0000000000000d00 l     O .data  0000000000000080 dump_driver
0000000000000d80 l     O .data  0000000000000080 fan_driver
0000000000000e00 l     O .data  0000000000000080 fan_policy_driver
0000000000000e80 l     O .data  0000000000000080 hotkeys_driver
0000000000000f00 l     O .data  0000000000000080 dmi_driver
0000000000000f80 l     O .data  0000000000000080 version_driver
0000000000001000 l     O .data  0000000000000080 lcd_driver
0000000000001080 l     O .data  0000000000000080 muteled_driver
0000000000001100 l     O .data  0000000000000080 key_polling_driver
0000000000001180 l     O .data  0000000000000080 temperature_driver
0000000000001200 l     O .data  0000000000000080 touchpad_driver
0000000000001280 l     O .data  0000000000000080 wifi_driver
0000000000001300 l     O .data  0000000000000080 throttle_driver

0000000000001380 g       .data  0000000000000000 _end_features_driver
0000000000000980 g       .data  0000000000000000 _start_features_driver

Comment 5 Ryan Martin 2011-01-13 00:42:58 UTC

dmesg output after patch, showing successful probe/load of features with extra address math debugging statements active

[  279.001943] omnibook: Driver version 2.20110111-trunk.
[  279.001948] omnibook: Forced load with EC type 15.
[  279.005908] omnibook: Feature range ffffffffa0580b80 - ffffffffa0581580
[  279.005913] omnibook: Testing feature ac at address ffffffffa0580b80
[  279.005916] omnibook: Begin table match of ac feature.
[  279.005918] omnibook: Attempting backend ec init.
[  279.005920] omnibook: Returning table entry nr 0.
[  279.005923] omnibook: Match succeeded: continuing with ac.
[  279.005930] omnibook: Testing feature battery at address ffffffffa0580c00
[  279.005933] omnibook: Begin table match of battery feature.
[  279.005935] omnibook: Attempting backend ec init.
[  279.005937] omnibook: Returning table entry nr 0.
[  279.005939] omnibook: Match succeeded: continuing with battery.
[  279.005944] omnibook: Testing feature blank at address ffffffffa0580c80
[  279.005946] omnibook: Begin table match of blank feature.
[  279.005948] omnibook: Attempting backend i8042 init.
[  279.005950] omnibook: Returning table entry nr 1.
[  279.005952] omnibook: Match succeeded: continuing with blank.
[  279.005956] omnibook: LCD backlight turn off at console blanking is enabled.
[  279.005960] omnibook: Testing feature bluetooth at address ffffffffa0580d00
[  279.005962] omnibook: Testing feature cooling at address ffffffffa0580d80
[  279.005965] omnibook: Testing feature display at address ffffffffa0580e00
[  279.005968] omnibook: Begin table match of display feature.
[  279.005970] omnibook: Attempting backend ec init.
[  279.005972] omnibook: Returning table entry nr 2.
[  279.005974] omnibook: Match succeeded: continuing with display.
[  279.009377] omnibook: Testing feature dock at address ffffffffa0580e80
[  279.009380] omnibook: Testing feature dump at address ffffffffa0580f00
[  279.009383] omnibook: Testing feature fan at address ffffffffa0580f80
[  279.009386] omnibook: Testing feature fan_policy at address ffffffffa0581000
[  279.009388] omnibook: Testing feature hotkeys at address ffffffffa0581080
[  279.009391] omnibook: Begin table match of hotkeys feature.
[  279.009393] omnibook: Attempting backend i8042 init.
[  279.009395] omnibook: Returning table entry nr 0.
[  279.009397] omnibook: Match succeeded: continuing with hotkeys.
[  279.009400] omnibook: Enabling all hotkeys.
[  279.013587] omnibook: Testing feature dmi at address ffffffffa0581100
[  279.013590] omnibook: dmi feature has no backend table, io_op not initialized.
[  279.013595] omnibook: Testing feature version at address ffffffffa0581180
[  279.013597] omnibook: version feature has no backend table, io_op not initialized.
[  279.013601] omnibook: Testing feature lcd at address ffffffffa0581200
[  279.013604] omnibook: Begin table match of lcd feature.
[  279.013606] omnibook: Attempting backend ec init.
[  279.013608] omnibook: Returning table entry nr 2.
[  279.013610] omnibook: Match succeeded: continuing with lcd.
[  279.021836] omnibook: Testing feature muteled at address ffffffffa0581280
[  279.021839] omnibook: Testing feature key_polling at address ffffffffa0581300
[  279.021842] omnibook: Testing feature temperature at address ffffffffa0581380
[  279.021845] omnibook: Begin table match of temperature feature.
[  279.021847] omnibook: Attempting backend ec init.
[  279.021849] omnibook: Returning table entry nr 0.
[  279.021851] omnibook: Match succeeded: continuing with temperature.
[  279.021856] omnibook: Testing feature touchpad at address ffffffffa0581400
[  279.021858] omnibook: Testing feature wifi at address ffffffffa0581480
[  279.021861] omnibook: Testing feature throttling at address ffffffffa0581500
[  279.021863] omnibook: Enabled features: ac battery blank display hotkeys dmi version lcd temperature.

Comment 6 Ryan Martin 2011-01-13 22:37:27 UTC

Created attachment 473438 [details]
Improved fix that pads to 64 bytes on 32-bit arch and 128 bytes on 64-bit arch.

Per Rolf Eike Beer's suggestion, I replaced char pad[24] with long pad[3].
 This provides 12 bytes of padding in i686 and 24 bytes in x86_64, which
 should be optimal for both arches.

Comment 7 Chuck Ebbert 2011-01-15 03:08:41 UTC

We don't provide the omnibook driver; it's not even in the kernel source tree.

Note You need to log in before you can comment on or make changes to this bug.