[2.6.1] Kernel panic with ppa driver updates

[2.6.1] Kernel panic with ppa driver updates

[walt]

This panic started with the bk changesets applied by Linus yesterday.

The ppa driver works fine when compiled as a module, but when compiled in
I get this during boot:

ppa_pb_claim+0x7b/0x80
__ppa_attach+0x137/0x350
ppa_wakeup+0x0/0x70
autoremove_wake_function+0x0/0x50 [this line appears twice]
parport_register_driver+0x36/0x70
ppa_driver_init+0x23/0x30
do_initcalls+0x2c/0xa0
init_workquese+0xf/0x30
init+0x32/0x140
init+0x0/0x140
kernel_thread_helper+0x5/0xc

Code: c7 80 24 01 00 00 01 00 00 c3 8b 42 50 b9 01 00 00 00 ba
<0>Kernel panic: attempted to kill init!

When compiling ppa.c I see this warning:
in __ppa_attach 'ports' might be used unitialized

Please let me know if you need more information.

Re: [2.6.1] Kernel panic with ppa driver updates

[viro]

On Fri, Feb 06, 2004 at 09:36:24AM -0800, walt wrote:
> This panic started with the bk changesets applied by Linus yesterday.
> 
> The ppa driver works fine when compiled as a module, but when compiled in
> I get this during boot:

> ppa_pb_claim+0x7b/0x80
> __ppa_attach+0x137/0x350
> ppa_wakeup+0x0/0x70
> autoremove_wake_function+0x0/0x50 [this line appears twice]
> parport_register_driver+0x36/0x70
> ppa_driver_init+0x23/0x30
> do_initcalls+0x2c/0xa0
> init_workquese+0xf/0x30
> init+0x32/0x140
> init+0x0/0x140
> kernel_thread_helper+0x5/0xc
> 
> Code: c7 80 24 01 00 00 01 00 00 c3 8b 42 50 b9 01 00 00 00 ba
> <0>Kernel panic: attempted to kill init!

Very interesting.  So it works as a module (== finds disks and handles them
OK) and dies when it's built-in?

Could you post the actual oops?  The fun thing being, we are obviously past
the initialization of parport layer (otherwise ->attach() would not be called
at all), so init order problems should not be an issue.  And seeing that
there's no module-specific code in ppa...

Re: [2.6.1] Kernel panic with ppa driver updates

[walt]

viro@parcelfarce.linux.theplanet.co.uk wrote:
> On Fri, Feb 06, 2004 at 09:36:24AM -0800, walt wrote:
> 
>>This panic started with the bk changesets applied by Linus yesterday.
>>
>>The ppa driver works fine when compiled as a module, but when compiled in
...

> Very interesting.  So it works as a module (== finds disks and handles them
> OK) and dies when it's built-in?

Right.


> Could you post the actual oops? ...

The reason I didn't post it is that it has already scrolled off the top of
my console by the time I can read anything :-(   I can see the hex values
for the registers and hex values for the stack trace, but nothing earlier
than that.  I looked in /var/log/messages but I see that kjournald doesn't
start until well after the oops.

I thought about compiling in support for console on serial-or-parallel
port but I've never been clear on just what to plug into the serial-or-
parallel port after I've done that.  Can you give me a hint how I can
get the whole oops message for you?

Re: [2.6.1] Kernel panic with ppa driver updates

[viro]

On Fri, Feb 06, 2004 at 12:45:25PM -0800, walt wrote:
> >Could you post the actual oops? ...
> 
> The reason I didn't post it is that it has already scrolled off the top of
> my console by the time I can read anything :-(   I can see the hex values
> for the registers and hex values for the stack trace, but nothing earlier
> than that.  I looked in /var/log/messages but I see that kjournald doesn't
> start until well after the oops.
> 
> I thought about compiling in support for console on serial-or-parallel
> port but I've never been clear on just what to plug into the serial-or-
> parallel port after I've done that.  Can you give me a hint how I can
> get the whole oops message for you?

Umm...  I wouldn't mess with parallel in this case.  Serial is simple -
you stick a nullmodem in it and in serial port on another box, then
run e.g. minicom on the other end.

Re: [2.6.1] Kernel panic with ppa driver updates

[walt]

viro@parcelfarce.linux.theplanet.co.uk wrote:
> On Fri, Feb 06, 2004 at 09:36:24AM -0800, walt wrote:
> 
>>This panic started with the bk changesets applied by Linus yesterday.
>>
>>The ppa driver works fine when compiled as a module, but when compiled in
>>I get this during boot:
(panic message snipped)

> Could you post the actual oops?...

Whew!  I had to relearn everything I was happy to forget about
serial communications to get this!  I even stopped to repair a
broken RS-232 break-out box that I haven't used in years ;0)
I hope this helps:


ppa: Version 2.07 (for Linux 2.4.x)
Unable to handle kernel paging request at virtual address 7232b403
  printing eip:
c027bc25
*pde = 00000000
Oops: 0002 [#1]
CPU:    0
EIP:    0060:[<c027bc25>]    Not tainted
EFLAGS: 00010002
EIP is at got_it+0x15/0x40
eax: 7232b2df   ebx: dff92000   ecx: 00000778   edx: dfd67940
esi: dfd67940   edi: 00000286   ebp: 00000000   esp: dff93f10
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 1, threadinfo=dff92000 task=dff918c0)
Stack: c027bd3b dfd67940 dfd67940 dff93f8c dff93f6c fffffff0 c027d577 dfd67940
        c03b1a06 00000000 c027bc50 00000000 00000000 dfd67940 00001c70 00000000
        dff918c0 c011aa40 dff93f78 dff93f78 00001c70 dff92000 00001c70 00000000
Call Trace:
  [<c027bd3b>] ppa_pb_claim+0x7b/0x80
  [<c027d577>] __ppa_attach+0x127/0x350
  [<c027bc50>] ppa_wakeup+0x0/0x70
  [<c011aa40>] autoremove_wake_function+0x0/0x50
  [<c011aa40>] autoremove_wake_function+0x0/0x50
  [<c023a746>] parport_register_driver+0x36/0x70
  [<c0485b83>] ppa_driver_init+0x23/0x30
  [<c046e74c>] do_initcalls+0x2c/0xa0
  [<c012c9ff>] init_workqueues+0xf/0x30
  [<c01050d2>] init+0x32/0x140
  [<c01050a0>] init+0x0/0x140
  [<c0106fe9>] kernel_thread_helper+0x5/0xc

Code: c7 80 24 01 00 00 01 00 00 00 c3 8b 42 50 b9 01 00 00 00 ba
  <0>Kernel panic: Attempted to kill init!

Re: [2.6.1] Kernel panic with ppa driver updates

[viro]

On Sat, Feb 07, 2004 at 03:10:57PM -0800, walt wrote:
>  [<c027bd3b>] ppa_pb_claim+0x7b/0x80
>  [<c027d577>] __ppa_attach+0x127/0x350
>  [<c027bc50>] ppa_wakeup+0x0/0x70
>  [<c011aa40>] autoremove_wake_function+0x0/0x50
>  [<c011aa40>] autoremove_wake_function+0x0/0x50
>  [<c023a746>] parport_register_driver+0x36/0x70
>  [<c0485b83>] ppa_driver_init+0x23/0x30
>  [<c046e74c>] do_initcalls+0x2c/0xa0
>  [<c012c9ff>] init_workqueues+0xf/0x30
>  [<c01050d2>] init+0x32/0x140
>  [<c01050a0>] init+0x0/0x140
>  [<c0106fe9>] kernel_thread_helper+0x5/0xc
> 
> Code: c7 80 24 01 00 00 01 00 00 00 c3 8b 42 50 b9 01 00 00 00 ba
>  <0>Kernel panic: Attempted to kill init!

Ouch.  So we somehow got the call of ppa_pb_claim() with dev->cur_cmd being
0x7232b2df, which wasn't a valid address.  Better yet, we've got it from
ppa_attach() and that bugger had just explicitly zeroed *dev out.  And that
bites us only in the built-in case.

Very interesting...  Could you add
	printk("dev = %p, dev->cur_cmd = %p\n", dev, dev->cur_cmd);
right before the call of ppa_pb_claim() call in __ppa_attach(), the
same - right before if (dev->wanted) in the same function and
	printk("dev = %p, dev->cur_cmd set to %p\n", dev, dev->cur_cmd);
right after dev->cur_cmd = cmd; in ppa_queuecommand()?

Re: [2.6.1] Kernel panic with ppa driver updates

[walt]

viro@parcelfarce.linux.theplanet.co.uk wrote:

> Very interesting...  Could you add
> 	printk("dev = %p, dev->cur_cmd = %p\n", dev, dev->cur_cmd);
> right before the call of ppa_pb_claim() call in __ppa_attach(), the
> same - right before if (dev->wanted) in the same function and
> 	printk("dev = %p, dev->cur_cmd set to %p\n", dev, dev->cur_cmd);
> right after dev->cur_cmd = cmd; in ppa_queuecommand()?

Only one of the print statements was executed, apparently:

ppa: Version 2.07 (for Linux 2.4.x)
dev = dfd67940, dev->cur_cmd = 7232b2df
Unable to handle kernel paging request at virtual address 7232b403
  printing eip:
c027bc25

The remainder of the message was identical to the previous post -- no
extra printed messages anywhere.

[PATCH] Re: [2.6.1] Kernel panic with ppa driver updates

[viro]

On Sat, Feb 07, 2004 at 07:35:52PM -0800, walt wrote:
> Only one of the print statements was executed, apparently:
> 
> ppa: Version 2.07 (for Linux 2.4.x)
> dev = dfd67940, dev->cur_cmd = 7232b2df
> Unable to handle kernel paging request at virtual address 7232b403
>  printing eip:
> c027bc25
> 
> The remainder of the message was identical to the previous post -- no
> extra printed messages anywhere.

Aaaaaargh....  dev = memset(dev, 0, sizeof(dev)); - spot the bug here...

Fix follows.  Linus, apply it, please.  Amazing that it survives in modular
case...

diff -urN RC2-bk1-base/drivers/scsi/imm.c RC2-bk1-current/drivers/scsi/imm.c
--- RC2-bk1-base/drivers/scsi/imm.c	Thu Feb  5 18:48:49 2004
+++ RC2-bk1-current/drivers/scsi/imm.c	Sat Feb  7 22:44:16 2004
@@ -1153,7 +1153,7 @@
 	if (!dev)
 		return -ENOMEM;
 
-	memset(dev, 0, sizeof(dev));
+	memset(dev, 0, sizeof(imm_struct));
 
 	dev->base = -1;
 	dev->mode = IMM_AUTODETECT;
diff -urN RC2-bk1-base/drivers/scsi/ppa.c RC2-bk1-current/drivers/scsi/ppa.c
--- RC2-bk1-base/drivers/scsi/ppa.c	Thu Feb  5 18:48:57 2004
+++ RC2-bk1-current/drivers/scsi/ppa.c	Sat Feb  7 22:44:27 2004
@@ -1010,7 +1010,7 @@
 	dev = kmalloc(sizeof(ppa_struct), GFP_KERNEL);
 	if (!dev)
 		return -ENOMEM;
-	memset(dev, 0, sizeof(dev));
+	memset(dev, 0, sizeof(ppa_struct));
 	dev->base = -1;
 	dev->mode = PPA_AUTODETECT;
 	dev->recon_tmo = PPA_RECON_TMO;

Re: [PATCH] Re: [2.6.1] Kernel panic with ppa driver updates

[viro]

On Sun, Feb 08, 2004 at 03:48:55AM +0000, viro@parcelfarce.linux.theplanet.co.uk wrote:
> On Sat, Feb 07, 2004 at 07:35:52PM -0800, walt wrote:
> > Only one of the print statements was executed, apparently:
> > 
> > ppa: Version 2.07 (for Linux 2.4.x)
> > dev = dfd67940, dev->cur_cmd = 7232b2df
> > Unable to handle kernel paging request at virtual address 7232b403
> >  printing eip:
> > c027bc25
> > 
> > The remainder of the message was identical to the previous post -- no
> > extra printed messages anywhere.
> 
> Aaaaaargh....  dev = memset(dev, 0, sizeof(dev)); - spot the bug here...

s/dev = // - it's not _that_ bad ;-)