From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steven Scholz Subject: Re: Crash in ide_do_request() on card removal Date: Tue, 02 Aug 2005 13:17:37 +0200 Message-ID: <42EF5651.1040905@imc-berlin.de> References: <42EA1AB0.6070001@imc-berlin.de> <42EF439C.5000903@imc-berlin.de> <20050802104859.GG22569@suse.de> <42EF5488.9020802@imc-berlin.de> <20050802111302.GH22569@suse.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Return-path: Received: from mail.imc-berlin.de ([217.110.46.186]:6667 "EHLO mail.imc-berlin.de") by vger.kernel.org with ESMTP id S261494AbVHBLRl (ORCPT ); Tue, 2 Aug 2005 07:17:41 -0400 In-Reply-To: <20050802111302.GH22569@suse.de> Sender: linux-ide-owner@vger.kernel.org List-Id: linux-ide@vger.kernel.org To: Jens Axboe Cc: linux-ide@vger.kernel.org Jens Axboe wrote: > On Tue, Aug 02 2005, Steven Scholz wrote: > >>Jens Axboe wrote: >> >> >>>That's not quite true, q is not invalid after this call. It will only be >>>invalid when it is freed (which doesn't happen from here but rather from >>>the blk_cleanup_queue() call when the reference count drops to 0). >>> >>>This is still not perfect, but a lot better. Does it work for you? >>> >>>--- linux-2.6.12/drivers/ide/ide-disk.c~ 2005-08-02 >>>12:48:16.000000000 +0200 >>>+++ linux-2.6.12/drivers/ide/ide-disk.c 2005-08-02 >>>12:48:32.000000000 +0200 >>>@@ -1054,6 +1054,7 @@ >>> drive->driver_data = NULL; >>> drive->devfs_name[0] = '\0'; >>> g->private_data = NULL; >>>+ g->disk = NULL; >>> put_disk(g); >>> kfree(idkp); >>>} >> >>No. >>drivers/ide/ide-disk.c: In function `ide_disk_release': >>drivers/ide/ide-disk.c:1057: error: structure has no member named `disk' > > > Eh, typo, should be g->queue of course :-) > > --- linux-2.6.12/drivers/ide/ide-disk.c~ 2005-08-02 12:48:16.000000000 +0200 > +++ linux-2.6.12/drivers/ide/ide-disk.c 2005-08-02 13:12:54.000000000 +0200 
> @@ -1054,6 +1054,7 @@ > drive->driver_data = NULL; > drive->devfs_name[0] = '\0'; > g->private_data = NULL; > + g->queue = NULL; > put_disk(g); > kfree(idkp); > }

No. That does not work:

~ # umount /mnt/pcmcia/
generic_make_request(2859) q=c02d3040
__generic_unplug_device(1447) calling q->request_fn() @ c00f97ec
do_ide_request(1281) HWIF=c01dee8c (0), HWGROUP=c089cea0 (1038681856), drive=c01def1c (0, 0), queue=c02d3040 (00000000)
do_ide_request(1287) HWIF is not present anymore!!!
do_ide_request(1291) DRIVE is not present anymore. SKIPPING REQUEST!!!

As you can see generic_make_request() still has the pointer to that queue!
It gets it with

q = bdev_get_queue(bio->bi_bdev);

So the pointer is still stored somewhere else...

--
Steven
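Review bot: the added "g->queue = NULL;" in the corrected ide_disk_release() hunk carries no comment saying which users of the queue it is meant to stop, and it only clears the gendisk's own pointer immediately before put_disk(g). The trace in this reply shows do_ide_request() still being entered with queue=c02d3040 after the card is gone, so a caller that reaches the queue through bdev_get_queue(bio->bi_bdev) is not covered by this store. Suggest documenting the intent at the assignment and stating where the remaining reference to the queue is dropped, since nothing in the visible lines makes the request path see the NULL.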