linux-ide.vger.kernel.org archive mirror
From: Steven Scholz <steven.scholz@imc-berlin.de>
To: linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: Crash in ide_do_request() on card removal
Date: Tue, 02 Aug 2005 11:57:48 +0200
Message-ID: <42EF439C.5000903@imc-berlin.de>
In-Reply-To: <42EA1AB0.6070001@imc-berlin.de>

Steven Scholz wrote:

> Hi there,
> 
> when surprisingly removing a CF ATA card (without unmounting before) I 
> sometimes get kernel crashes in ide_do_request() (linux-2.6.13-rc4 on ARM):
> 
> cardmgr[194]: shutting down socket 0
> cardmgr[194]: executing: './ide stop hda'
> cardmgr[194]: + umount -v /dev/hda1
> Assertion '(hwgroup->drive)' failed in 
> drivers/ide/ide-io.c:ide_do_request(1130)
> Assertion '(drive)' failed in drivers/ide/ide-io.c:choose_drive(1035)
> Unable to handle kernel NULL pointer dereference at virtual address 
> 00000010
> pgd = c0e34000
> [00000010] *pgd=20eb0031, *pte=00000000, *ppte=00000000
> Internal error: Oops: 17 [#1]
> Modules linked in: ide_cs pcmcia at91_cf pcmcia_core
> CPU: 0
> PC is at ide_do_request+0x100/0x480
> LR is at 0x1
> pc : [<c00f9980>]    lr : [<00000001>]    Not tainted
> ...
> 
> As the assertions show "drive" is NULL (due to the card removal?) and 
> thus the kernel crashes ...
> 
> Upon card removal the pcmcia cardmgr tries to unmount the drive which 
> disappeared.
> 
> ("sometimes" above means that the rest of the time the kernel is not 
> dumping core, but the umount process hangs forever.)

(I think) I found the reason for this behaviour:

Upon card removal the functions

~ # cardctl eject
ide_release(398)
ide_unregister(585): index=0
blk_unregister_queue(3603)
elv_unregister_queue(549)
ide_unregister(698)
ide_detach(164)

are called. Thus the request queue for the drive is discarded which is fair 
enough. But disk->queue would still point to a (now invalid) request_queue_t 
structure. Thus if I/O requests (e.g. "umount") are started _after_ the drive 
was removed bad things can happen! So I think we should explicitly remove the 
reference to that queue by doing

void blk_unregister_queue(struct gendisk *disk)
{
	request_queue_t *q = disk->queue;

	if (q && q->request_fn) {
		elv_unregister_queue(q);
		kobject_unregister(&q->kobj);
+		disk->queue = NULL;
		kobject_put(&disk->kobj);
	}
}
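
Review bot: the added "disk->queue = NULL;" inside the "if (q && q->request_fn)" branch is a plain store with no lock or ordering against request submitters visible in this function, so a path that loaded disk->queue before the store can still dereference the discarded request_queue_t; the assignment narrows the use-after-unregister window rather than closing it. It also makes NULL a value that every reader of disk->queue has to handle: the umount trace later in this message shows generic_make_request() rejecting the request instead of crashing, but nothing visible here covers other readers of the field. Suggest naming in the changelog which readers were checked for a NULL queue, and adding a comment on the new line saying whether its position between kobject_unregister(&q->kobj) and kobject_put(&disk->kobj) is required.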

in drivers/block/ll_rw_blk.c

Then instead of a crash or hang one would get

~ # umount /mnt/pcmcia/
...
generic_shutdown_super(249) calling sop->put_super @ c00ac734
fat_clusters_flush(49)
generic_make_request: Trying to access nonexistent block-device hda1 (1)
FAT: bread failed in fat_clusters_flush

Thanks a million.

--
Steven








