Re: Slab corruption in floppy driver module

[Vivek Goyal <vgoyal@redhat.com>]

On Fri, Jan 27, 2012 at 12:30:00PM +0100, Dirk Gouders wrote:
> Suresh Jayaraman <sjayaraman@suse.com> writes:
> 
> > On 01/27/2012 03:18 AM, Dirk Gouders wrote:
> 
> [snipped many lines]
> 
> >> Probably a rare and uncommon one but it seems that the reloading case on
> >> a machine that has a floppy controller is a different problem.  To be
> >> sure I tested the patch on a machine that has a floppy controller and
> >> when unloading and reloading the floppy module the log messages that I
> >> attached to a mail earlier in this thread are still generated.
> >> 
> >
> > Yeah, this seems like a different problem. Could you please try enabling
> > CONFIG_DEBUG_PAGEALLOC and see whether is it pointing to the problem
> > code while loading/unloading the module?
> 
> I enabled the option and it produces just one message during boot but
> nothing else while unloading/loading the floppy module.
>

Can you please try following patch and see if it fixes the issue. I could
reproduce the issue with my virtual machine. The issue seems to be that
we do not call add_disk() for all the drives/disks but we try to do
put_disk() on all the disks. Hence running into the issue of putting
extra reference during module removal.
 

floppy: Fix a crash during rmmmod

floppy driver does not call add_disk() on all the drives hence we don't take
gendisk reference on request queue for these drives. Don't call put_disk()
with disk->queue set, otherwise we try to put the reference we never took.

Reported-by: Dirk Gouders <gouders@et.bocholt.fh-gelsenkirchen.de> 
Signed-off-by: Vivek Goyal<vgoyal@redhat.com>
---
 drivers/block/floppy.c |    9 +++++++++
 1 file changed, 9 insertions(+)

Index: linux-2.6/drivers/block/floppy.c
===================================================================
--- linux-2.6.orig/drivers/block/floppy.c	2012-01-27 14:34:45.000000000 -0500
+++ linux-2.6/drivers/block/floppy.c	2012-01-27 14:39:13.729861052 -0500
@@ -4584,6 +4584,15 @@ static void __exit floppy_module_exit(vo
 			platform_device_unregister(&floppy_device[drive]);
 		}
 		blk_cleanup_queue(disks[drive]->queue);
+
+		/*
+		 * These disks have not called add_disk().  Don't put down
+		 * queue reference in put_disk().
+		 */
+		if (!(allowed_drive_mask & (1 << drive)) ||
+		    fdc_state[FDC(drive)].version == FDC_NONE)
+			disks[drive]->queue = NULL;
+
 		put_disk(disks[drive]);
 	}