Re: 2.6.27-rc1-mm1: rmmod ide-cd_mod oops

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Mariusz Kozlowski <m.kozlowski@...>

To: Bartlomiej Zolnierkiewicz <bzolnier@...>

Cc: Andrew Morton <akpm@...>, <kernel-testers@...>, <linux-kernel@...>, <linux-ide@...>

Subject: Re: 2.6.27-rc1-mm1: rmmod ide-cd_mod oops

Date: Saturday, August 2, 2008 - 7:25 pm

Hi,
 
quoted text> > 	rmmod on ide-cd_mod causes this oops:
> > 
> > BUG: unable to handle kernel paging request at 83535683
> > IP: [<c0246ffa>] ide_device_put+0xc/0x33
> > *pde = 00000000 
> > Oops: 0000 [#1] PREEMPT 
> > last sysfs file: /sys/devices/pci0000:00/0000:00:01.0/0000:01:05.0/resource
> > Modules linked in: radeon drm nfsd lockd sunrpc exportfs pcmcia uhci_hcd ehci_hcd usbcore snd_ali5451 yenta_socket pcspkr snd_ac97_codec ac97_bus rsrc_nonstatic snd_pcm snd_timer ati_agp agpgart snd soundcore snd_page_alloc ide_cd_mod(-) cdrom 8139too psmouse sony_laptop backlight floppy rtc
> > 
> > Pid: 3890, comm: rmmod Not tainted (2.6.27-rc1-mm1 #2)
> > EIP: 0060:[<c0246ffa>] EFLAGS: 00010286 CPU: 0
> > EIP is at ide_device_put+0xc/0x33
> > EAX: 83535657 EBX: dc927a00 ECX: 00000003 EDX: 00000001
> > ESI: dec34e34 EDI: dec34e34 EBP: d9f46ee0 ESP: d9f46edc
> >  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> > Process rmmod (pid: 3890, ti=d9f46000 task=dd88e780 task.ti=d9f46000)
> > Stack: dc927c00 d9f46eec dec2e202 dc927c00 d9f46ef8 dec2e225 dd9138dc d9f46f00 
> >        c02469e0 d9f46f10 c024156f dd9138dc dd9139f4 d9f46f24 c024162c 00000880 
> >        dec34e34 c0397dc0 d9f46f38 c0240a33 00000880 dec34e34 00000000 d9f46f48 
> > Call Trace:
> >  [<dec2e202>] ? ide_cd_put+0x26/0x33 [ide_cd_mod]
> >  [<dec2e225>] ? ide_cd_remove+0x16/0x19 [ide_cd_mod]
> >  [<c02469e0>] ? generic_ide_remove+0x1a/0x1e
> >  [<c024156f>] ? __device_release_driver+0x59/0x7f
> >  [<c024162c>] ? driver_detach+0x97/0x99
> >  [<c0240a33>] ? bus_remove_driver+0x6f/0x8b
> >  [<c02419f1>] ? driver_unregister+0x2f/0x33
> >  [<dec31331>] ? ide_cdrom_exit+0xd/0xf [ide_cd_mod]
> >  [<c014265a>] ? sys_delete_module+0x10d/0x1e2
> >  [<c015fedc>] ? do_munmap+0x1d7/0x234
> >  [<c01e8684>] ? trace_hardirqs_on_thunk+0xc/0x10
> >  [<c0103015>] ? sysenter_do_call+0x12/0x35
> >  =======================
> > Code: ff ff 89 44 24 08 c7 44 24 04 a7 de 35 c0 89 34 24 e8 cb ce f9 ff 31 c0 83 c4 0c 5b 5e 5d c3 55 89 e5 53 89 c3 8b 40 24 8b 40 10 <8b> 40 2c 85 c0 74 12 8b 80 44 01 00 00 8b 40 08 85 c0 74 05 e8 
> > EIP: [<c0246ffa>] ide_device_put+0xc/0x33 SS:ESP 0068:d9f46edc
> > ---[ end trace a2eed48430d87636 ]---
> > 
> > this is easily reporoducible, more investigation points here:
> 
> Unfortunately, I'm unable to reproduce it here with 2.6.27-rc1-mm1.
> 
> Which IDE host driver is it happening with?  Could you send me your .config?

It's ALI M15x3 chipset. .config is attached.

# lspci 
00:00.0 Host bridge: ATI Technologies Inc RS200/RS200M AGP Bridge [IGP 340M] (rev 02)
00:01.0 PCI bridge: ATI Technologies Inc PCI Bridge [IGP 340M]
00:03.0 Modem: ALi Corporation M5457 AC'97 Modem Controller
00:04.0 Multimedia audio controller: ALi Corporation M5451 PCI AC-Link Controller Audio Device (rev 02)
00:06.0 Bridge: ALi Corporation M7101 Power Management Controller [PMU]
00:07.0 ISA bridge: ALi Corporation M1533/M1535 PCI to ISA Bridge [Aladdin IV/V/V+]
00:0a.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev aa)
00:0a.1 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev aa)
00:0a.2 FireWire (IEEE 1394): Ricoh Co Ltd R5C552 IEEE 1394 Controller (rev 02)
00:0c.0 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 50)
00:0c.1 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 50)
00:0c.2 USB Controller: VIA Technologies, Inc. USB 2.0 (rev 51)
00:0f.0 IDE interface: ALi Corporation M5229 IDE (rev c4)
00:12.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
01:05.0 VGA compatible controller: ATI Technologies Inc Radeon IGP 330M/340M/350M


quoted text> > (gdb) l *ide_device_put+0xc
> > 0xc0246ffa is in ide_device_put (/home/mako/linux/lkt/sources/linux-2.6.27-rc1-mm1/drivers/ide/ide.c:717).
> > 712      * the underlying LLDD module.
> > 713      */
> > 714     void ide_device_put(ide_drive_t *drive)
> > 715     {
> > 716     #ifdef CONFIG_MODULE_UNLOAD
> > 717             struct device *host_dev = drive->hwif->host->dev[0]; <--------------------------
> 
> Could you please check whether it is drive->hwif or hwif->host exploding?
> [ hmm, both should never be changed after host driver initialization ]

I saw it exploding in two ways. I added simple debugging stuff:

--- linux-2.6.27-rc1-mm1/drivers/ide/ide.c      2008-08-02 11:42:05.000000000 +0200
+++ linux-2.6.27-rc1-mm1-dirty/drivers/ide/ide.c        2008-08-02 23:26:52.000000000 +0200
@@ -714,6 +714,21 @@ EXPORT_SYMBOL_GPL(ide_device_get);
 void ide_device_put(ide_drive_t *drive)
 {
 #ifdef CONFIG_MODULE_UNLOAD
+       void *tmp;
+
+       tmp = drive;
+       printk("drive: 0x%p\n", tmp);
+       tmp = drive->hwif;
+       printk("drive->hwif: 0x%p\n", tmp);
+       tmp = drive->hwif->host;
+       printk("drive->hwif->host: 0x%p\n", tmp);
+       tmp = drive->hwif->host->dev;
+       printk("drive->hwif->host->dev: 0x%p\n", tmp);
+       tmp = drive->hwif->host->dev[0];
+       printk("drive->hwif->host->dev[0]: 0x%p\n", tmp);
+       tmp = drive->hwif->host->dev[0]->driver;
+       printk("drive->hwif->host->dev[0]->driver: 0x%p\n", tmp);
+
        struct device *host_dev = drive->hwif->host->dev[0];
        struct module *module = host_dev ? host_dev->driver->owner : NULL;


1) on drive->hwif (drive is null)

drive: 0x00000000
BUG: unable to handle kernel NULL pointer dereference at 00000024
IP: [<c0247007>] ide_device_put+0x19/0xc3
*pde = 00000000 
Oops: 0000 [#1] PREEMPT 
last sysfs file: /sys/class/power_supply/BAT1/energy_full
Modules linked in: nfsd lockd sunrpc exportfs orinoco_cs orinoco hermes pcmcia ehci_hcd uhci_hcd usbcore yenta_socket snd_ali5451 snd_ac97_codec ac97_bus snd_pcm rsrc_nonstatic ati_agp snd_timer agpgart psmouse pcspkr rtc ide_cd_mod(-) snd soundcore snd_page_alloc cdrom 8139too sony_laptop backlight floppy

Pid: 4477, comm: rmmod Not tainted (2.6.27-rc1-mm1-dirty #7)
EIP: 0060:[<c0247007>] EFLAGS: 00010286 CPU: 0
EIP is at ide_device_put+0x19/0xc3
EAX: 00000015 EBX: 00000000 ECX: ddaac000 EDX: 00000000
ESI: dec3de34 EDI: dec3de34 EBP: ddaacee0 ESP: ddaaced4
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process rmmod (pid: 4477, ti=ddaac000 task=dd901700 task.ti=ddaac000)
Stack: c035e577 00000000 dd83ae00 ddaaceec dec37202 dd83ae00 ddaacef8 dec37225 
       dd9138dc ddaacf00 c02469e0 ddaacf10 c024156f dd9138dc dd9139f4 ddaacf24 
       c024162c 00000880 dec3de34 c0398dc0 ddaacf38 c0240a33 00000880 dec3de34 
Call Trace:
 [<dec37202>] ? ide_cd_put+0x26/0x33 [ide_cd_mod]
 [<dec37225>] ? ide_cd_remove+0x16/0x19 [ide_cd_mod]
 [<c02469e0>] ? generic_ide_remove+0x1a/0x1e
 [<c024156f>] ? __device_release_driver+0x59/0x7f
 [<c024162c>] ? driver_detach+0x97/0x99
 [<c0240a33>] ? bus_remove_driver+0x6f/0x8b
 [<c02419f1>] ? driver_unregister+0x2f/0x33
 [<dec3a331>] ? ide_cdrom_exit+0xd/0xf [ide_cd_mod]
 [<c014265a>] ? sys_delete_module+0x10d/0x1e2
 [<c015fedc>] ? do_munmap+0x1d7/0x234
 [<c01e8684>] ? trace_hardirqs_on_thunk+0xc/0x10
 [<c0103015>] ? sysenter_do_call+0x12/0x35
 =======================
Code: c0 89 34 24 e8 cb ce f9 ff 31 c0 83 c4 0c 5b 5e 5d c3 55 89 e5 53 83 ec 08 89 c3 89 44 24 04 c7 04 24 77 e5 35 c0 e8 25 6c ed ff <8b> 43 24 89 44 24 04 c7 04 24 84 e5 35 c0 e8 12 6c ed ff 8b 43 
EIP: [<c0247007>] ide_device_put+0x19/0xc3 SS:ESP 0068:ddaaced4
---[ end trace b3172ff03a3b3a53 ]---

(gdb) l *ide_device_put+0x19
0xc0247007 is in ide_device_put (/home/mako/linux/lkt/sources/linux-2.6.27-rc1-mm1-dirty/drivers/ide/ide.c:722).
717             void *tmp;
718     
719             tmp = drive;
720             printk("drive: 0x%p\n", tmp);
721             tmp = drive->hwif;
722             printk("drive->hwif: 0x%p\n", tmp); <----
723             tmp = drive->hwif->host;
724             printk("drive->hwif->host: 0x%p\n", tmp);
725             tmp = drive->hwif->host->dev;
726             printk("drive->hwif->host->dev: 0x%p\n", tmp);



2) on drive->hwif->host->dev[0] (->dev is bogus?)

drive: 0xdd97c200
drive->hwif: 0xc023f3b8
drive->hwif->host: 0x83535657
drive->hwif->host->dev: 0x83535683
BUG: unable to handle kernel paging request at 83535683
IP: [<c024704f>] ide_device_put+0x61/0xc3
*pde = 00000000 
Oops: 0000 [#1] PREEMPT 
last sysfs file: /sys/class/power_supply/BAT1/energy_full
Modules linked in: radeon drm nfsd lockd sunrpc exportfs orinoco_cs orinoco hermes pcmcia uhci_hcd ehci_hcd snd_ali5451 usbcore yenta_socket snd_ac97_codec ac97_bus snd_pcm snd_timer rsrc_nonstatic pcspkr ati_agp ide_cd_mod(-) snd psmouse sony_laptop agpgart floppy cdrom soundcore snd_page_alloc backlight rtc 8139too

Pid: 4596, comm: rmmod Not tainted (2.6.27-rc1-mm1-dirty #7)
EIP: 0060:[<c024704f>] EFLAGS: 00010286 CPU: 0
EIP is at ide_device_put+0x61/0xc3
EAX: 83535657 EBX: dd97c200 ECX: d9e68000 EDX: 00000000
ESI: dec53e34 EDI: dec53e34 EBP: d9e68ee0 ESP: d9e68ed4
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process rmmod (pid: 4596, ti=d9e68000 task=dd837300 task.ti=d9e68000)
Stack: c035e5b0 83535683 dd97c600 d9e68eec dec4d202 dd97c600 d9e68ef8 dec4d225 
       dd9138dc d9e68f00 c02469e0 d9e68f10 c024156f dd9138dc dd9139f4 d9e68f24 
       c024162c 00000880 dec53e34 c0398dc0 d9e68f38 c0240a33 00000880 dec53e34 
Call Trace:
 [<dec4d202>] ? ide_cd_put+0x26/0x33 [ide_cd_mod]
 [<dec4d225>] ? ide_cd_remove+0x16/0x19 [ide_cd_mod]
 [<c02469e0>] ? generic_ide_remove+0x1a/0x1e
 [<c024156f>] ? __device_release_driver+0x59/0x7f
 [<c024162c>] ? driver_detach+0x97/0x99
 [<c0240a33>] ? bus_remove_driver+0x6f/0x8b
 [<c02419f1>] ? driver_unregister+0x2f/0x33
 [<dec50331>] ? ide_cdrom_exit+0xd/0xf [ide_cd_mod]
 [<c014265a>] ? sys_delete_module+0x10d/0x1e2
 [<c015fedc>] ? do_munmap+0x1d7/0x234
 [<c01e8684>] ? trace_hardirqs_on_thunk+0xc/0x10
 [<c0103015>] ? sysenter_do_call+0x12/0x35
 =======================
Code: c7 04 24 97 e5 35 c0 e8 fc 6b ed ff 8b 43 24 8b 40 10 83 c0 2c 89 44 24 04 c7 04 24 b0 e5 35 c0 e8 e3 6b ed ff 8b 43 24 8b 40 10 <8b> 40 2c 89 44 24 04 c7 04 24 70 2a 35 c0 e8 ca 6b ed ff 8b 43 
EIP: [<c024704f>] ide_device_put+0x61/0xc3 SS:ESP 0068:d9e68ed4
---[ end trace ad4ca87090e240bd ]---

(gdb) l *ide_device_put+0x61
0xc024704f is in ide_device_put (/home/mako/linux/lkt/sources/linux-2.6.27-rc1-mm1-dirty/drivers/ide/ide.c:728).
723             tmp = drive->hwif->host;
724             printk("drive->hwif->host: 0x%p\n", tmp);
725             tmp = drive->hwif->host->dev;
726             printk("drive->hwif->host->dev: 0x%p\n", tmp);
727             tmp = drive->hwif->host->dev[0];
728             printk("drive->hwif->host->dev[0]: 0x%p\n", tmp); <----
729             tmp = drive->hwif->host->dev[0]->driver;
730             printk("drive->hwif->host->dev[0]->driver: 0x%p\n", tmp);
731     
732             struct device *host_dev = drive->hwif->host->dev[0];


Hope that helps.

	Mariusz



quoted text> 
> > 718             struct module *module = host_dev ? host_dev->driver->owner : NULL;
> > 719     
> > 720             if (module)
> > 721                     module_put(module);
> > 
> > 	Mariusz
>

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

2.6.27-rc1-mm1, Andrew Morton, (Thu Jul 31, 3:03 am)

Re: 2.6.27-rc1-mm1: unable to boot with gcov on x86_64, Mariusz Kozlowski, (Tue Aug 5, 4:26 pm)

Re: 2.6.27-rc1-mm1: unable to boot with gcov on x86_64, Peter Oberparleiter, (Wed Aug 6, 3:23 am)

Re: 2.6.27-rc1-mm1: unable to boot with gcov on x86_64, Mariusz Kozlowski, (Tue Aug 5, 4:29 pm)

Re: 2.6.27-rc1-mm1: sparc64 BUG: using smp_processor_id() in..., Mariusz Kozlowski, (Sat Aug 2, 11:17 am)

Re: 2.6.27-rc1-mm1: sparc64 BUG: using smp_processor_id() in..., David Miller, (Sun Aug 3, 3:02 am)

Re: 2.6.27-rc1-mm1: rmmod ide-cd_mod oops, Mariusz Kozlowski, (Sat Aug 2, 5:23 am)

Re: 2.6.27-rc1-mm1: rmmod ide-cd_mod oops, Bartlomiej Zolnierkiewicz..., (Sat Aug 2, 12:15 pm)

Re: 2.6.27-rc1-mm1: rmmod ide-cd_mod oops, Mariusz Kozlowski, (Sat Aug 2, 7:25 pm)

Re: 2.6.27-rc1-mm1: rmmod ide-cd_mod oops, Bartlomiej Zolnierkiewicz..., (Sun Aug 3, 10:41 am)

Re: 2.6.27-rc1-mm1: rmmod ide-cd_mod oops, Mariusz Kozlowski, (Sun Aug 3, 11:45 am)

[BUILD-FAILURE] 2.6.27-rc1-mm1 - allyesconfig build fails on..., Kamalesh Babulal, (Thu Jul 31, 8:43 am)

Re: [BUILD-FAILURE] 2.6.27-rc1-mm1 - allyesconfig build fail..., Tony Breeds, (Fri Aug 1, 1:29 am)

Re: [BUILD-FAILURE] 2.6.27-rc1-mm1 - allyesconfig build fail..., Kamalesh Babulal, (Fri Aug 1, 12:16 pm)

Re: [BUILD-FAILURE] 2.6.27-rc1-mm1 - allyesconfig build fail..., Peter 1 Oberparleiter, (Fri Aug 1, 11:44 am)

Re: [BUILD-FAILURE] 2.6.27-rc1-mm1 - allyesconfig build fail..., Andrew Morton, (Fri Aug 1, 2:12 am)

Re: [BUILD-FAILURE] 2.6.27-rc1-mm1 - allyesconfig build fail..., Sam Ravnborg, (Fri Aug 1, 12:45 pm)

Re: [BUILD-FAILURE] 2.6.27-rc1-mm1 - allyesconfig build fail..., Peter 1 Oberparleiter, (Fri Aug 1, 11:40 am)

2.6.27-rc1-mm1: busyloop time-schedule, Alexey Dobriyan, (Thu Jul 31, 8:23 am)

Re: 2.6.27-rc1-mm1, Balbir Singh, (Thu Jul 31, 4:10 am)


linux-kernel:
Linus Torvalds	Linux 2.6.21
Greg Kroah-Hartman	[PATCH 002/196] Chinese: rephrase English introduction in HOWTO
Con Kolivas	Re: [PATCH][RSDL-mm 0/7] RSDL cpu scheduler for 2.6.21-rc3-mm2
Andrew Morton	echo mem > /sys/power/state
git:

linux-netdev:
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
David Miller	Re: [GIT]: Networking
Michael S. Tsirkin	Re: [RFC PATCH v2 03/19] vbus: add connection-client helper infrastructure
openbsd-misc: