lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 3 Aug 2008 01:25:04 +0200
From:	Mariusz Kozlowski <m.kozlowski@...land.pl>
To:	Bartlomiej Zolnierkiewicz <bzolnier@...il.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	kernel-testers@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-ide@...r.kernel.org
Subject: Re: 2.6.27-rc1-mm1: rmmod ide-cd_mod oops

Hi,
 
> > 	rmmod on ide-cd_mod causes this oops:
> > 
> > BUG: unable to handle kernel paging request at 83535683
> > IP: [<c0246ffa>] ide_device_put+0xc/0x33
> > *pde = 00000000 
> > Oops: 0000 [#1] PREEMPT 
> > last sysfs file: /sys/devices/pci0000:00/0000:00:01.0/0000:01:05.0/resource
> > Modules linked in: radeon drm nfsd lockd sunrpc exportfs pcmcia uhci_hcd ehci_hcd usbcore snd_ali5451 yenta_socket pcspkr snd_ac97_codec ac97_bus rsrc_nonstatic snd_pcm snd_timer ati_agp agpgart snd soundcore snd_page_alloc ide_cd_mod(-) cdrom 8139too psmouse sony_laptop backlight floppy rtc
> > 
> > Pid: 3890, comm: rmmod Not tainted (2.6.27-rc1-mm1 #2)
> > EIP: 0060:[<c0246ffa>] EFLAGS: 00010286 CPU: 0
> > EIP is at ide_device_put+0xc/0x33
> > EAX: 83535657 EBX: dc927a00 ECX: 00000003 EDX: 00000001
> > ESI: dec34e34 EDI: dec34e34 EBP: d9f46ee0 ESP: d9f46edc
> >  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> > Process rmmod (pid: 3890, ti=d9f46000 task=dd88e780 task.ti=d9f46000)
> > Stack: dc927c00 d9f46eec dec2e202 dc927c00 d9f46ef8 dec2e225 dd9138dc d9f46f00 
> >        c02469e0 d9f46f10 c024156f dd9138dc dd9139f4 d9f46f24 c024162c 00000880 
> >        dec34e34 c0397dc0 d9f46f38 c0240a33 00000880 dec34e34 00000000 d9f46f48 
> > Call Trace:
> >  [<dec2e202>] ? ide_cd_put+0x26/0x33 [ide_cd_mod]
> >  [<dec2e225>] ? ide_cd_remove+0x16/0x19 [ide_cd_mod]
> >  [<c02469e0>] ? generic_ide_remove+0x1a/0x1e
> >  [<c024156f>] ? __device_release_driver+0x59/0x7f
> >  [<c024162c>] ? driver_detach+0x97/0x99
> >  [<c0240a33>] ? bus_remove_driver+0x6f/0x8b
> >  [<c02419f1>] ? driver_unregister+0x2f/0x33
> >  [<dec31331>] ? ide_cdrom_exit+0xd/0xf [ide_cd_mod]
> >  [<c014265a>] ? sys_delete_module+0x10d/0x1e2
> >  [<c015fedc>] ? do_munmap+0x1d7/0x234
> >  [<c01e8684>] ? trace_hardirqs_on_thunk+0xc/0x10
> >  [<c0103015>] ? sysenter_do_call+0x12/0x35
> >  =======================
> > Code: ff ff 89 44 24 08 c7 44 24 04 a7 de 35 c0 89 34 24 e8 cb ce f9 ff 31 c0 83 c4 0c 5b 5e 5d c3 55 89 e5 53 89 c3 8b 40 24 8b 40 10 <8b> 40 2c 85 c0 74 12 8b 80 44 01 00 00 8b 40 08 85 c0 74 05 e8 
> > EIP: [<c0246ffa>] ide_device_put+0xc/0x33 SS:ESP 0068:d9f46edc
> > ---[ end trace a2eed48430d87636 ]---
> > 
> > this is easily reporoducible, more investigation points here:
> 
> Unfortunately, I'm unable to reproduce it here with 2.6.27-rc1-mm1.
> 
> Which IDE host driver is it happening with?  Could you send me your .config?

It's ALI M15x3 chipset. .config is attached.

# lspci 
00:00.0 Host bridge: ATI Technologies Inc RS200/RS200M AGP Bridge [IGP 340M] (rev 02)
00:01.0 PCI bridge: ATI Technologies Inc PCI Bridge [IGP 340M]
00:03.0 Modem: ALi Corporation M5457 AC'97 Modem Controller
00:04.0 Multimedia audio controller: ALi Corporation M5451 PCI AC-Link Controller Audio Device (rev 02)
00:06.0 Bridge: ALi Corporation M7101 Power Management Controller [PMU]
00:07.0 ISA bridge: ALi Corporation M1533/M1535 PCI to ISA Bridge [Aladdin IV/V/V+]
00:0a.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev aa)
00:0a.1 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev aa)
00:0a.2 FireWire (IEEE 1394): Ricoh Co Ltd R5C552 IEEE 1394 Controller (rev 02)
00:0c.0 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 50)
00:0c.1 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 50)
00:0c.2 USB Controller: VIA Technologies, Inc. USB 2.0 (rev 51)
00:0f.0 IDE interface: ALi Corporation M5229 IDE (rev c4)
00:12.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
01:05.0 VGA compatible controller: ATI Technologies Inc Radeon IGP 330M/340M/350M


> > (gdb) l *ide_device_put+0xc
> > 0xc0246ffa is in ide_device_put (/home/mako/linux/lkt/sources/linux-2.6.27-rc1-mm1/drivers/ide/ide.c:717).
> > 712      * the underlying LLDD module.
> > 713      */
> > 714     void ide_device_put(ide_drive_t *drive)
> > 715     {
> > 716     #ifdef CONFIG_MODULE_UNLOAD
> > 717             struct device *host_dev = drive->hwif->host->dev[0]; <--------------------------
> 
> Could you please check whether it is drive->hwif or hwif->host exploding?
> [ hmm, both should never be changed after host driver initialization ]

I saw it exploding in two ways. I added simple debugging stuff:

--- linux-2.6.27-rc1-mm1/drivers/ide/ide.c      2008-08-02 11:42:05.000000000 +0200
+++ linux-2.6.27-rc1-mm1-dirty/drivers/ide/ide.c        2008-08-02 23:26:52.000000000 +0200
@@ -714,6 +714,21 @@ EXPORT_SYMBOL_GPL(ide_device_get);
 void ide_device_put(ide_drive_t *drive)
 {
 #ifdef CONFIG_MODULE_UNLOAD
+       void *tmp;
+
+       tmp = drive;
+       printk("drive: 0x%p\n", tmp);
+       tmp = drive->hwif;
+       printk("drive->hwif: 0x%p\n", tmp);
+       tmp = drive->hwif->host;
+       printk("drive->hwif->host: 0x%p\n", tmp);
+       tmp = drive->hwif->host->dev;
+       printk("drive->hwif->host->dev: 0x%p\n", tmp);
+       tmp = drive->hwif->host->dev[0];
+       printk("drive->hwif->host->dev[0]: 0x%p\n", tmp);
+       tmp = drive->hwif->host->dev[0]->driver;
+       printk("drive->hwif->host->dev[0]->driver: 0x%p\n", tmp);
+
        struct device *host_dev = drive->hwif->host->dev[0];
        struct module *module = host_dev ? host_dev->driver->owner : NULL;


1) on drive->hwif (drive is null)

drive: 0x00000000
BUG: unable to handle kernel NULL pointer dereference at 00000024
IP: [<c0247007>] ide_device_put+0x19/0xc3
*pde = 00000000 
Oops: 0000 [#1] PREEMPT 
last sysfs file: /sys/class/power_supply/BAT1/energy_full
Modules linked in: nfsd lockd sunrpc exportfs orinoco_cs orinoco hermes pcmcia ehci_hcd uhci_hcd usbcore yenta_socket snd_ali5451 snd_ac97_codec ac97_bus snd_pcm rsrc_nonstatic ati_agp snd_timer agpgart psmouse pcspkr rtc ide_cd_mod(-) snd soundcore snd_page_alloc cdrom 8139too sony_laptop backlight floppy

Pid: 4477, comm: rmmod Not tainted (2.6.27-rc1-mm1-dirty #7)
EIP: 0060:[<c0247007>] EFLAGS: 00010286 CPU: 0
EIP is at ide_device_put+0x19/0xc3
EAX: 00000015 EBX: 00000000 ECX: ddaac000 EDX: 00000000
ESI: dec3de34 EDI: dec3de34 EBP: ddaacee0 ESP: ddaaced4
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process rmmod (pid: 4477, ti=ddaac000 task=dd901700 task.ti=ddaac000)
Stack: c035e577 00000000 dd83ae00 ddaaceec dec37202 dd83ae00 ddaacef8 dec37225 
       dd9138dc ddaacf00 c02469e0 ddaacf10 c024156f dd9138dc dd9139f4 ddaacf24 
       c024162c 00000880 dec3de34 c0398dc0 ddaacf38 c0240a33 00000880 dec3de34 
Call Trace:
 [<dec37202>] ? ide_cd_put+0x26/0x33 [ide_cd_mod]
 [<dec37225>] ? ide_cd_remove+0x16/0x19 [ide_cd_mod]
 [<c02469e0>] ? generic_ide_remove+0x1a/0x1e
 [<c024156f>] ? __device_release_driver+0x59/0x7f
 [<c024162c>] ? driver_detach+0x97/0x99
 [<c0240a33>] ? bus_remove_driver+0x6f/0x8b
 [<c02419f1>] ? driver_unregister+0x2f/0x33
 [<dec3a331>] ? ide_cdrom_exit+0xd/0xf [ide_cd_mod]
 [<c014265a>] ? sys_delete_module+0x10d/0x1e2
 [<c015fedc>] ? do_munmap+0x1d7/0x234
 [<c01e8684>] ? trace_hardirqs_on_thunk+0xc/0x10
 [<c0103015>] ? sysenter_do_call+0x12/0x35
 =======================
Code: c0 89 34 24 e8 cb ce f9 ff 31 c0 83 c4 0c 5b 5e 5d c3 55 89 e5 53 83 ec 08 89 c3 89 44 24 04 c7 04 24 77 e5 35 c0 e8 25 6c ed ff <8b> 43 24 89 44 24 04 c7 04 24 84 e5 35 c0 e8 12 6c ed ff 8b 43 
EIP: [<c0247007>] ide_device_put+0x19/0xc3 SS:ESP 0068:ddaaced4
---[ end trace b3172ff03a3b3a53 ]---

(gdb) l *ide_device_put+0x19
0xc0247007 is in ide_device_put (/home/mako/linux/lkt/sources/linux-2.6.27-rc1-mm1-dirty/drivers/ide/ide.c:722).
717             void *tmp;
718     
719             tmp = drive;
720             printk("drive: 0x%p\n", tmp);
721             tmp = drive->hwif;
722             printk("drive->hwif: 0x%p\n", tmp); <----
723             tmp = drive->hwif->host;
724             printk("drive->hwif->host: 0x%p\n", tmp);
725             tmp = drive->hwif->host->dev;
726             printk("drive->hwif->host->dev: 0x%p\n", tmp);



2) on drive->hwif->host->dev[0] (->dev is bogus?)

drive: 0xdd97c200
drive->hwif: 0xc023f3b8
drive->hwif->host: 0x83535657
drive->hwif->host->dev: 0x83535683
BUG: unable to handle kernel paging request at 83535683
IP: [<c024704f>] ide_device_put+0x61/0xc3
*pde = 00000000 
Oops: 0000 [#1] PREEMPT 
last sysfs file: /sys/class/power_supply/BAT1/energy_full
Modules linked in: radeon drm nfsd lockd sunrpc exportfs orinoco_cs orinoco hermes pcmcia uhci_hcd ehci_hcd snd_ali5451 usbcore yenta_socket snd_ac97_codec ac97_bus snd_pcm snd_timer rsrc_nonstatic pcspkr ati_agp ide_cd_mod(-) snd psmouse sony_laptop agpgart floppy cdrom soundcore snd_page_alloc backlight rtc 8139too

Pid: 4596, comm: rmmod Not tainted (2.6.27-rc1-mm1-dirty #7)
EIP: 0060:[<c024704f>] EFLAGS: 00010286 CPU: 0
EIP is at ide_device_put+0x61/0xc3
EAX: 83535657 EBX: dd97c200 ECX: d9e68000 EDX: 00000000
ESI: dec53e34 EDI: dec53e34 EBP: d9e68ee0 ESP: d9e68ed4
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process rmmod (pid: 4596, ti=d9e68000 task=dd837300 task.ti=d9e68000)
Stack: c035e5b0 83535683 dd97c600 d9e68eec dec4d202 dd97c600 d9e68ef8 dec4d225 
       dd9138dc d9e68f00 c02469e0 d9e68f10 c024156f dd9138dc dd9139f4 d9e68f24 
       c024162c 00000880 dec53e34 c0398dc0 d9e68f38 c0240a33 00000880 dec53e34 
Call Trace:
 [<dec4d202>] ? ide_cd_put+0x26/0x33 [ide_cd_mod]
 [<dec4d225>] ? ide_cd_remove+0x16/0x19 [ide_cd_mod]
 [<c02469e0>] ? generic_ide_remove+0x1a/0x1e
 [<c024156f>] ? __device_release_driver+0x59/0x7f
 [<c024162c>] ? driver_detach+0x97/0x99
 [<c0240a33>] ? bus_remove_driver+0x6f/0x8b
 [<c02419f1>] ? driver_unregister+0x2f/0x33
 [<dec50331>] ? ide_cdrom_exit+0xd/0xf [ide_cd_mod]
 [<c014265a>] ? sys_delete_module+0x10d/0x1e2
 [<c015fedc>] ? do_munmap+0x1d7/0x234
 [<c01e8684>] ? trace_hardirqs_on_thunk+0xc/0x10
 [<c0103015>] ? sysenter_do_call+0x12/0x35
 =======================
Code: c7 04 24 97 e5 35 c0 e8 fc 6b ed ff 8b 43 24 8b 40 10 83 c0 2c 89 44 24 04 c7 04 24 b0 e5 35 c0 e8 e3 6b ed ff 8b 43 24 8b 40 10 <8b> 40 2c 89 44 24 04 c7 04 24 70 2a 35 c0 e8 ca 6b ed ff 8b 43 
EIP: [<c024704f>] ide_device_put+0x61/0xc3 SS:ESP 0068:d9e68ed4
---[ end trace ad4ca87090e240bd ]---

(gdb) l *ide_device_put+0x61
0xc024704f is in ide_device_put (/home/mako/linux/lkt/sources/linux-2.6.27-rc1-mm1-dirty/drivers/ide/ide.c:728).
723             tmp = drive->hwif->host;
724             printk("drive->hwif->host: 0x%p\n", tmp);
725             tmp = drive->hwif->host->dev;
726             printk("drive->hwif->host->dev: 0x%p\n", tmp);
727             tmp = drive->hwif->host->dev[0];
728             printk("drive->hwif->host->dev[0]: 0x%p\n", tmp); <----
729             tmp = drive->hwif->host->dev[0]->driver;
730             printk("drive->hwif->host->dev[0]->driver: 0x%p\n", tmp);
731     
732             struct device *host_dev = drive->hwif->host->dev[0];


Hope that helps.

	Mariusz



> 
> > 718             struct module *module = host_dev ? host_dev->driver->owner : NULL;
> > 719     
> > 720             if (module)
> > 721                     module_put(module);
> > 
> > 	Mariusz
> 



View attachment ".config" of type "text/plain" (42577 bytes)

View attachment "dmesg.txt" of type "text/plain" (26603 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ