I can reproduce a crash on via-camera module unload. Running latest
linux-next. Simple modprobe then rmmod reproduces it.
I guess cafe_ccic is affected too.

BUG: unable to handle kernel paging request at 6b6b6b6b
IP: device_del

I've diagnosed it, but don't know the solution.

viacam_remove() calls v4l2_device_unregister()

v4l2_device_unregister() starts to unregister all the subdevs
        list_for_each_entry_safe(sd, next, &v4l2_dev->subdevs, list) {
                v4l2_device_unregister_subdev(sd);

So the subdev has been unregistered.
Still inside v4l2_device_unregister, it then realises it's an i2c
subdev and unregisters it at the i2c layer:

                if (sd->flags & V4L2_SUBDEV_FL_IS_I2C) {
...
                                i2c_unregister_device(client);

i2c_unregister_device() calls device_unregister()
...which calls device_del()
...which calls bus_remove_device()
...which calls device_release_driver()
...which calls __device_release_driver()
...which calls i2c_device_remove()
...which calls ov7670_remove()

This is where the badness starts.

ov7670_remove() calls v4l2_device_unregister_subdev *on the same
subdev that was released above*. Can't lead to good things.
ov7670_remove() then frees its ov7670_info structure (which contains
the v4l2_subdev structure) (eek)

then v4l2_device_unregister() continues, and it checks:
                if (sd->flags & V4L2_SUBDEV_FL_IS_SPI) {
sd->flags is now freed, so it reads 6b6b6b6b, so we go on:
                                spi_unregister_device(spi);

and this calls device_unregister() on more of our freed memory
and now things have gone wrong enough for a BUG() to happen

Thoughts?

Daniel
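
The sequence described in this message, reduced to a user-space C model (an added example, not code from the post or from the kernel). `sensor_info`, `poison_free` and the `unload_*` functions are hypothetical stand-ins, and freeing is modelled as overwriting the object with the slab poison byte 0x6b so the stale read is observable without undefined behaviour. `unload_careful` shows one defensive pattern, not the fix adopted upstream.

```c
#include <stdint.h>
#include <string.h>

#define POISON_FREE 0x6b        /* byte slab debugging writes into freed objects */
#define FL_IS_I2C   (1U << 0)   /* stand-in for V4L2_SUBDEV_FL_IS_I2C */
#define FL_IS_SPI   (1U << 1)   /* stand-in for V4L2_SUBDEV_FL_IS_SPI */

struct subdev { uint32_t flags; int registered; };
/* Like ov7670_info: the subdev is embedded in the driver's private struct. */
struct sensor_info { struct subdev sd; int other_state; };

/* Model of kfree() with poisoning: memory stays readable but is overwritten. */
static void poison_free(void *p, size_t n) { memset(p, POISON_FREE, n); }

static void unregister_subdev(struct subdev *sd) { sd->registered = 0; }

/* Model of ov7670_remove(): unregisters the subdev again, frees its container. */
static void sensor_remove(struct sensor_info *info)
{
    unregister_subdev(&info->sd);
    poison_free(info, sizeof(*info));
}

/* Model of i2c_unregister_device(): the call chain ends in the remove callback. */
static void i2c_unregister(struct sensor_info *info) { sensor_remove(info); }

/* Mirrors the reported flow. Returns 1 if the SPI branch would be taken. */
int unload_buggy(struct sensor_info *info, uint32_t *flags_seen)
{
    struct subdev *sd = &info->sd;
    unregister_subdev(sd);
    if (sd->flags & FL_IS_I2C)
        i2c_unregister(info);       /* sd is freed by the time this returns */
    *flags_seen = sd->flags;        /* stale read: poison, not the real flags */
    return (sd->flags & FL_IS_SPI) != 0;
}

/* Defensive variant: never dereference sd after a call that may free it. */
int unload_careful(struct sensor_info *info, uint32_t *flags_seen)
{
    struct subdev *sd = &info->sd;
    uint32_t flags = sd->flags;     /* snapshot while sd is still valid */
    unregister_subdev(sd);
    if (flags & FL_IS_I2C)
        i2c_unregister(info);
    *flags_seen = flags;
    return (flags & FL_IS_SPI) != 0;
}
```

Because 0x6b has bit 1 set, the poisoned flags word passes the SPI test for a subdev that was only ever I2C, which is how the second unregister path gets entered on freed memory.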