2009-03-02 02:15:45

by Tetsuo Handa

[permalink] [raw]
Subject: Re: linux-next-20090225: ide-cd triggers BUG at arch/x86/mm/ioremap.c:80!

Hello.

Bartlomiej Zolnierkiewicz wrote:
> Could you try to narrow down the issue by bisecting linux-next?
Below is what I tried.

# git bisect start next-20090227 v2.6.29-rc6 -- drivers/ide/
Bisecting: 82 revisions left to test after this
[014d273312ccf10311f8a95263330b20684936bc] au1xxx-ide: auide_dma_end() cleanup
# git bisect good
Bisecting: 41 revisions left to test after this
[3ddb800f6e42c0c3f9d172d50250b0c678f2baea] ide-cd: use ide_end_rq() also for failed non-fs requests
# git bisect good
Bisecting: 20 revisions left to test after this
[edf7ed742637b50e4977d7331d411fee79d2ddaf] ide: destroy DMA mappings after ending DMA (v2)
# git bisect bad
Bisecting: 10 revisions left to test after this
[cba1f97899c72442600464aaae5a24c7e0b65656] ide-cd: cleanup ide_cd_do_request()
# git bisect good
Bisecting: 5 revisions left to test after this
[7a4366a812ec85b9fb6e2d1dcc3d5b5265c1b529] ide-cd: use common completion path for DMA requests in cdrom_newpc_intr()
# git bisect bad
Bisecting: 2 revisions left to test after this
[9c23f4e08167015bcd889a1af64f751cfd67098f] ide-cd: fix non-SECTOR_SIZE-multiples PIO transfers for fs requests
# git bisect good
Bisecting: 1 revisions left to test after this
[09ba9b1c0591203d1e18821dfbc6748f6bc6c87d] ide-cd: use scatterlists for PIO transfers (non-fs requests)
# git bisect bad
Bisecting: 0 revisions left to test after this
[5057301c48092007e9f1892a8de94d1091a86517] ide-cd: merge ide_cd_prepare_rw_request() into cdrom_start_rw()
# git bisect good
09ba9b1c0591203d1e18821dfbc6748f6bc6c87d is first bad commit
commit 09ba9b1c0591203d1e18821dfbc6748f6bc6c87d
Author: Bartlomiej Zolnierkiewicz <[email protected]>
Date: Fri Feb 27 09:15:51 2009 +1100

ide-cd: use scatterlists for PIO transfers (non-fs requests)

Convert ide-cd to use scatterlists for PIO transfers and get rid of
partial completions (except on error) also for non-fs requests.

Cc: Borislav Petkov <[email protected]>
Signed-off-by: Bartlomiej Zolnierkiewicz <[email protected]>

:040000 040000 ed031364d219241aabb64458023e7b212166df72 c384309fff17ce6004f3348d6c8be94375e9f372 M drivers

Borislav Petkov wrote:
> Can you also apply the following patch and send us the output?
I applied the patch after "git bisect reset" since I couldn't apply from this
state.

[ 3.419143] ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
[ 3.424508] ide_generic: please use "probe_mask=0x3f" module parameter for probing all legacy ISA IDE ports
[ 3.429658] ide-gd driver 1.18
[ 3.433879] ide-cd driver 5.00
[ 3.440135] mapping rq to sg: dev hda: type=a, flags=82640
[ 3.441873] sector 4294967295, nr/cnr 0/0
[ 3.445288] bio (null), biotail (null), buffer (null), data f700fbc4, len 24
[ 3.452602] ide-cd: hda: ATAPI 1X CD-ROM drive, 32kB Cache
[ 3.456659] Uniform CD-ROM driver Revision: 3.20
[ 3.460913] mapping rq to sg: dev hda: type=a, flags=8a640
[ 3.464697] sector 4294967295, nr/cnr 0/0
[ 3.465881] bio (null), biotail (null), buffer (null), data (null), len 0
[ 3.472354] Pid: 1, comm: swapper Not tainted 2.6.29-rc6-next-20090227-dirty #10
[ 3.476790] Call Trace:
[ 3.477860] [<c02ef9bd>] ide_cd_do_request+0x12d/0x170
[ 3.480496] [<c02e1d28>] start_request+0xa8/0x160
[ 3.481883] [<c015d92b>] ? trace_hardirqs_on+0xb/0x10
[ 3.485680] [<c02e1f7b>] do_ide_request+0x16b/0x250
[ 3.489231] [<c025e5a5>] ? blk_remove_plug+0x75/0xf0
[ 3.492817] [<c025f770>] blk_start_queueing+0x20/0x30
[ 3.495475] [<c025d2be>] elv_insert+0x17e/0x1b0
[ 3.497088] [<c025e458>] ? blk_plug_device+0x88/0x120
[ 3.499681] [<c025d372>] __elv_add_request+0x82/0xc0
[ 3.501428] [<c0263ad0>] blk_execute_rq_nowait+0x60/0xb0
[ 3.504214] [<c0263bb6>] blk_execute_rq+0x96/0xd0
[ 3.505802] [<c0263a40>] ? blk_end_sync_rq+0x0/0x30
[ 3.508392] [<c025f59c>] ? get_request_wait+0x2c/0x160
[ 3.509883] [<c0160429>] ? __lock_acquired+0x109/0x1c0
[ 3.512691] [<c025f6f4>] ? blk_get_request+0x24/0x80
[ 3.515239] [<c02ef196>] ide_cd_queue_pc+0xb6/0x140
[ 3.516904] [<c01a9614>] ? trace+0x14/0x90
[ 3.519311] [<c01a920a>] ? check_object+0xaa/0x1c0
[ 3.521082] [<c01a8e34>] ? init_object+0x14/0x90
[ 3.523696] [<c01a9854>] ? alloc_debug_processing+0xf4/0x120
[ 3.525670] [<c02efac7>] cdrom_check_status+0x87/0x90
[ 3.528380] [<c015d92b>] ? trace_hardirqs_on+0xb/0x10
[ 3.529883] [<c02efc76>] ide_cd_read_toc+0x46/0x430
[ 3.532577] [<c02ebe61>] ? ide_add_proc_entries+0x31/0x60
[ 3.535498] [<c02f08a4>] ? ide_cdrom_setup+0x104/0x140
[ 3.537249] [<c02f0d7b>] ide_cd_probe+0x11b/0x170
[ 3.539689] [<c01fb9f0>] ? sysfs_do_create_link+0xc0/0x150
[ 3.541533] [<c015a4f4>] ? lock_release_holdtime+0x74/0xc0
[ 3.544319] [<c01fba97>] ? sysfs_create_link+0x17/0x20
[ 3.545883] [<c02e0ba4>] generic_ide_probe+0x24/0x30
[ 3.548642] [<c02be6ac>] really_probe+0x8c/0x110
[ 3.551114] [<c02be81c>] driver_probe_device+0x1c/0x30
[ 3.552862] [<c01516af>] ? down+0x2f/0x50
[ 3.555169] [<c02be964>] __driver_attach+0x74/0x80
[ 3.556805] [<c02bd625>] bus_for_each_dev+0x55/0x70
[ 3.559303] [<c02be98e>] driver_attach+0x1e/0x30
[ 3.560885] [<c02be8f0>] ? __driver_attach+0x0/0x80
[ 3.563395] [<c02bdda6>] bus_add_driver+0xb6/0x1a0
[ 3.565049] [<c02e0be0>] ? generic_ide_shutdown+0x0/0x30
[ 3.567763] [<c02e0be0>] ? generic_ide_shutdown+0x0/0x30
[ 3.569625] [<c02bee30>] driver_register+0x70/0xd0
[ 3.572256] [<c0137fcd>] ? printk+0x1d/0x30
[ 3.573718] [<c0574c80>] ? ide_cdrom_init+0x0/0x20
[ 3.576207] [<c0574c9c>] ide_cdrom_init+0x1c/0x20
[ 3.577771] [<c0101042>] do_one_initcall+0x32/0x1d0
[ 3.580310] [<c011f61f>] ? __change_page_attr_set_clr+0x2f/0x70
[ 3.583259] [<c015cb5c>] ? validate_chain+0x3fc/0x540
[ 3.584968] [<c015cb5c>] ? validate_chain+0x3fc/0x540
[ 3.587568] [<c015ea2c>] ? __lock_acquire+0x29c/0x8b0
[ 3.589353] [<c01a8eb8>] ? check_bytes+0x8/0x20
[ 3.591841] [<c01a8f49>] ? check_bytes_and_report+0x29/0xc0
[ 3.593802] [<c0198424>] ? page_address+0x14/0xe0
[ 3.596285] [<c01a9046>] ? check_pad_bytes+0x66/0x80
[ 3.597887] [<c0198424>] ? page_address+0x14/0xe0
[ 3.600524] [<c01a9614>] ? trace+0x14/0x90
[ 3.601873] [<c01a920a>] ? check_object+0xaa/0x1c0
[ 3.604398] [<c015cb5c>] ? validate_chain+0x3fc/0x540
[ 3.607023] [<c015ea2c>] ? __lock_acquire+0x29c/0x8b0
[ 3.608794] [<c015a4f4>] ? lock_release_holdtime+0x74/0xc0
[ 3.611679] [<c01f340c>] ? proc_register+0x9c/0x140
[ 3.613707] [<c015fc17>] ? __lock_release+0x47/0x70
[ 3.616361] [<c03e4c02>] ? _spin_unlock+0x22/0x30
[ 3.617890] [<c01f340c>] ? proc_register+0x9c/0x140
[ 3.620617] [<c01f3799>] ? create_proc_entry+0x69/0xa0
[ 3.623493] [<c01730f4>] ? register_irq_proc+0x14/0xd0
[ 3.625260] [<c0553a6a>] do_initcalls+0x2a/0x40
[ 3.627647] [<c0553ad0>] ? kernel_init+0x0/0xa0
[ 3.629374] [<c0553a9c>] do_basic_setup+0x1c/0x20
[ 3.631837] [<c0553b25>] kernel_init+0x55/0xa0
[ 3.633475] [<c0103d33>] kernel_thread_helper+0x7/0x10
[ 3.636655] ------------[ cut here ]------------
[ 3.639236] kernel BUG at arch/x86/mm/ioremap.c:80!
[ 3.640100] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
[ 3.640100] last sysfs file:
[ 3.640100] Modules linked in:
[ 3.640100]
[ 3.640100] Pid: 1, comm: swapper Not tainted (2.6.29-rc6-next-20090227-dirty #10) VMware Virtual Platform
[ 3.640100] EIP: 0060:[<c011e4d2>] EFLAGS: 00010213 CPU: 0
[ 3.640100] EIP is at __phys_addr+0x52/0x70
[ 3.640100] EAX: 00000000 EBX: 00000000 ECX: 00000018 EDX: 00000000
[ 3.640100] ESI: f69f4060 EDI: 00000000 EBP: f700f92c ESP: f700f92c
[ 3.640100] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 3.640100] Process swapper (pid: 1, ti=f700f000 task=f7030000 task.ti=f700f000)
[ 3.640100] Stack:
[ 3.640100] f700f940 c0277c23 f69f4060 f700f95c f700f99c f700f950 c02e1b62 f629b840
[ 3.640100] f700f95c f700f9a8 c02ef9a9 f6b86180 00000000 00000000 00000000 00000000
[ 3.640100] 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 3.640100] Call Trace:
[ 3.640100] [<c0277c23>] ? sg_init_one+0x23/0x90
[ 3.640100] [<c02e1b62>] ? ide_map_sg+0x42/0x70
[ 3.640100] [<c02ef9a9>] ? ide_cd_do_request+0x119/0x170
[ 3.640100] [<c02e1d28>] ? start_request+0xa8/0x160
[ 3.640100] [<c015d92b>] ? trace_hardirqs_on+0xb/0x10
[ 3.640100] [<c02e1f7b>] ? do_ide_request+0x16b/0x250
[ 3.640100] [<c025e5a5>] ? blk_remove_plug+0x75/0xf0
[ 3.640100] [<c025f770>] ? blk_start_queueing+0x20/0x30
[ 3.640100] [<c025d2be>] ? elv_insert+0x17e/0x1b0
[ 3.640100] [<c025e458>] ? blk_plug_device+0x88/0x120
[ 3.640100] [<c025d372>] ? __elv_add_request+0x82/0xc0
[ 3.640100] [<c0263ad0>] ? blk_execute_rq_nowait+0x60/0xb0
[ 3.640100] [<c0263bb6>] ? blk_execute_rq+0x96/0xd0
[ 3.640100] [<c0263a40>] ? blk_end_sync_rq+0x0/0x30
[ 3.640100] [<c025f59c>] ? get_request_wait+0x2c/0x160
[ 3.640100] [<c0160429>] ? __lock_acquired+0x109/0x1c0
[ 3.640100] [<c025f6f4>] ? blk_get_request+0x24/0x80
[ 3.640100] [<c02ef196>] ? ide_cd_queue_pc+0xb6/0x140
[ 3.640100] [<c01a9614>] ? trace+0x14/0x90
[ 3.640100] [<c01a920a>] ? check_object+0xaa/0x1c0
[ 3.640100] [<c01a8e34>] ? init_object+0x14/0x90
[ 3.640100] [<c01a9854>] ? alloc_debug_processing+0xf4/0x120
[ 3.640100] [<c02efac7>] ? cdrom_check_status+0x87/0x90
[ 3.640100] [<c015d92b>] ? trace_hardirqs_on+0xb/0x10
[ 3.640100] [<c02efc76>] ? ide_cd_read_toc+0x46/0x430
[ 3.640100] [<c02ebe61>] ? ide_add_proc_entries+0x31/0x60
[ 3.640100] [<c02f08a4>] ? ide_cdrom_setup+0x104/0x140
[ 3.640100] [<c02f0d7b>] ? ide_cd_probe+0x11b/0x170
[ 3.640100] [<c01fb9f0>] ? sysfs_do_create_link+0xc0/0x150
[ 3.640100] [<c015a4f4>] ? lock_release_holdtime+0x74/0xc0
[ 3.640100] [<c01fba97>] ? sysfs_create_link+0x17/0x20
[ 3.640100] [<c02e0ba4>] ? generic_ide_probe+0x24/0x30
[ 3.640100] [<c02be6ac>] ? really_probe+0x8c/0x110
[ 3.640100] [<c02be81c>] ? driver_probe_device+0x1c/0x30
[ 3.640100] [<c01516af>] ? down+0x2f/0x50
[ 3.640100] [<c02be964>] ? __driver_attach+0x74/0x80
[ 3.640100] [<c02bd625>] ? bus_for_each_dev+0x55/0x70
[ 3.640100] [<c02be98e>] ? driver_attach+0x1e/0x30
[ 3.640100] [<c02be8f0>] ? __driver_attach+0x0/0x80
[ 3.640100] [<c02bdda6>] ? bus_add_driver+0xb6/0x1a0
[ 3.640100] [<c02e0be0>] ? generic_ide_shutdown+0x0/0x30
[ 3.640100] [<c02e0be0>] ? generic_ide_shutdown+0x0/0x30
[ 3.640100] [<c02bee30>] ? driver_register+0x70/0xd0
[ 3.640100] [<c0137fcd>] ? printk+0x1d/0x30
[ 3.640100] [<c0574c80>] ? ide_cdrom_init+0x0/0x20
[ 3.640100] [<c0574c9c>] ? ide_cdrom_init+0x1c/0x20
[ 3.640100] [<c0101042>] ? do_one_initcall+0x32/0x1d0
[ 3.640100] [<c011f61f>] ? __change_page_attr_set_clr+0x2f/0x70
[ 3.640100] [<c015cb5c>] ? validate_chain+0x3fc/0x540
[ 3.640100] [<c015cb5c>] ? validate_chain+0x3fc/0x540
[ 3.640100] [<c015ea2c>] ? __lock_acquire+0x29c/0x8b0
[ 3.640100] [<c01a8eb8>] ? check_bytes+0x8/0x20
[ 3.640100] [<c01a8f49>] ? check_bytes_and_report+0x29/0xc0
[ 3.640100] [<c0198424>] ? page_address+0x14/0xe0
[ 3.640100] [<c01a9046>] ? check_pad_bytes+0x66/0x80
[ 3.640100] [<c0198424>] ? page_address+0x14/0xe0
[ 3.640100] [<c01a9614>] ? trace+0x14/0x90
[ 3.640100] [<c01a920a>] ? check_object+0xaa/0x1c0
[ 3.640100] [<c015cb5c>] ? validate_chain+0x3fc/0x540
[ 3.640100] [<c015ea2c>] ? __lock_acquire+0x29c/0x8b0
[ 3.640100] [<c015a4f4>] ? lock_release_holdtime+0x74/0xc0
[ 3.640100] [<c01f340c>] ? proc_register+0x9c/0x140
[ 3.640100] [<c015fc17>] ? __lock_release+0x47/0x70
[ 3.640100] [<c03e4c02>] ? _spin_unlock+0x22/0x30
[ 3.640100] [<c01f340c>] ? proc_register+0x9c/0x140
[ 3.640100] [<c01f3799>] ? create_proc_entry+0x69/0xa0
[ 3.640100] [<c01730f4>] ? register_irq_proc+0x14/0xd0
[ 3.640100] [<c0553a6a>] ? do_initcalls+0x2a/0x40
[ 3.640100] [<c0553ad0>] ? kernel_init+0x0/0xa0
[ 3.640100] [<c0553a9c>] ? do_basic_setup+0x1c/0x20
[ 3.640100] [<c0553b25>] ? kernel_init+0x55/0xa0
[ 3.640100] [<c0103d33>] ? kernel_thread_helper+0x7/0x10
[ 3.640100] Code: 05 00 00 80 00 39 c2 72 ea a1 c4 34 51 c0 2d 00 30 60 00 25 00 00 c0 ff 2d 00 20 00 00 39 c2 73 d2 0f 0b 8d b6 00 00 00 00 eb fe <0f> 0b 8d b6 00 00 00 00 8d bf 00 00 00 00 eb fe 8d b4 26 00 00
[ 3.640100] EIP: [<c011e4d2>] __phys_addr+0x52/0x70 SS:ESP 0068:f700f92c
[ 3.901567] ---[ end trace 62bacdc937c3e403 ]---

Full log is at http://I-love.SAKURA.ne.jp/tmp/dmesg-2.6.29-rc6-next-20090227-dirty.txt

Config is at http://I-love.SAKURA.ne.jp/tmp/config-2.6.29-rc6-next-20090227-dirty

Regards.


2009-03-02 13:16:08

by Borislav Petkov

[permalink] [raw]
Subject: Re: linux-next-20090225: ide-cd triggers BUG at arch/x86/mm/ioremap.c:80!

Hi,

> Borislav Petkov wrote:
>> Can you also apply the following patch and send us the output?
> I applied the patch after "git bisect reset" since I couldn't apply from this
> state.
>
> [ ? ?3.419143] ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
> [ ? ?3.424508] ide_generic: please use "probe_mask=0x3f" module parameter for probing all legacy ISA IDE ports
> [ ? ?3.429658] ide-gd driver 1.18
> [ ? ?3.433879] ide-cd driver 5.00
> [ ? ?3.440135] mapping rq to sg: dev hda: type=a, flags=82640
> [ ? ?3.441873] ? sector 4294967295, nr/cnr 0/0
> [ ? ?3.445288] ? bio (null), biotail (null), buffer (null), data f700fbc4, len 24
> [ ? ?3.452602] ide-cd: hda: ATAPI 1X CD-ROM drive, 32kB Cache
> [ ? ?3.456659] Uniform CD-ROM driver Revision: 3.20
> [ ? ?3.460913] mapping rq to sg: dev hda: type=a, flags=8a640
> [ ? ?3.464697] ? sector 4294967295, nr/cnr 0/0
> [ ? ?3.465881] ? bio (null), biotail (null), buffer (null), data (null), len 0
> [ ? ?3.472354] Pid: 1, comm: swapper Not tainted 2.6.29-rc6-next-20090227-dirty #10
> [ ? ?3.476790] Call Trace:
> [ ? ?3.477860] ?[<c02ef9bd>] ide_cd_do_request+0x12d/0x170
> [ ? ?3.480496] ?[<c02e1d28>] start_request+0xa8/0x160
> [ ? ?3.481883] ?[<c015d92b>] ? trace_hardirqs_on+0xb/0x10
> [ ? ?3.485680] ?[<c02e1f7b>] do_ide_request+0x16b/0x250
> [ ? ?3.489231] ?[<c025e5a5>] ? blk_remove_plug+0x75/0xf0
> [ ? ?3.492817] ?[<c025f770>] blk_start_queueing+0x20/0x30
> [ ? ?3.495475] ?[<c025d2be>] elv_insert+0x17e/0x1b0
> [ ? ?3.497088] ?[<c025e458>] ? blk_plug_device+0x88/0x120
> [ ? ?3.499681] ?[<c025d372>] __elv_add_request+0x82/0xc0
> [ ? ?3.501428] ?[<c0263ad0>] blk_execute_rq_nowait+0x60/0xb0
> [ ? ?3.504214] ?[<c0263bb6>] blk_execute_rq+0x96/0xd0
> [ ? ?3.505802] ?[<c0263a40>] ? blk_end_sync_rq+0x0/0x30
> [ ? ?3.508392] ?[<c025f59c>] ? get_request_wait+0x2c/0x160
> [ ? ?3.509883] ?[<c0160429>] ? __lock_acquired+0x109/0x1c0
> [ ? ?3.512691] ?[<c025f6f4>] ? blk_get_request+0x24/0x80
> [ ? ?3.515239] ?[<c02ef196>] ide_cd_queue_pc+0xb6/0x140

ok, if I read the stack dump correctly, we map an rq with rq->data = NULL to an
sg. Code path starts at cdrom_check_status() and actually, we don't need a
buffer here since we send a TEST_UNIT_READY and we're only interested in the
sense returned. And this won't trigger if we haven't enabled
CONFIG_DEBUG_VIRTUAL. Yep, I know that this is a dirty hack but it fixes it
here. Tetsuo, does the following fix your problem?

diff --git a/drivers/ide/ide-io.c b/drivers/ide/ide-io.c
index 481fb1b..e6ac4cc 100644
--- a/drivers/ide/ide-io.c
+++ b/drivers/ide/ide-io.c
@@ -238,6 +238,8 @@ void ide_map_sg(ide_drive_t *drive, struct ide_cmd *cmd)
sg_init_one(sg, rq->buffer, rq->nr_sectors * SECTOR_SIZE);
cmd->sg_nents = 1;
} else if (!rq->bio) {
+ if (!rq->data)
+ rq->data = &rq->data;
sg_init_one(sg, rq->data, rq->data_len);
cmd->sg_nents = 1;
} else

@Bart: I'm open for suggestions wrt to a more elegant solution :).

--
Regards/Gruss,
Boris

Subject: Re: linux-next-20090225: ide-cd triggers BUG at arch/x86/mm/ioremap.c:80!

On Monday 02 March 2009, Borislav Petkov wrote:
> Hi,
>
> > Borislav Petkov wrote:
> >> Can you also apply the following patch and send us the output?
> > I applied the patch after "git bisect reset" since I couldn't apply from this
> > state.
> >
> > [ 3.419143] ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
> > [ 3.424508] ide_generic: please use "probe_mask=0x3f" module parameter for probing all legacy ISA IDE ports
> > [ 3.429658] ide-gd driver 1.18
> > [ 3.433879] ide-cd driver 5.00
> > [ 3.440135] mapping rq to sg: dev hda: type=a, flags=82640
> > [ 3.441873] sector 4294967295, nr/cnr 0/0
> > [ 3.445288] bio (null), biotail (null), buffer (null), data f700fbc4, len 24
> > [ 3.452602] ide-cd: hda: ATAPI 1X CD-ROM drive, 32kB Cache
> > [ 3.456659] Uniform CD-ROM driver Revision: 3.20
> > [ 3.460913] mapping rq to sg: dev hda: type=a, flags=8a640
> > [ 3.464697] sector 4294967295, nr/cnr 0/0
> > [ 3.465881] bio (null), biotail (null), buffer (null), data (null), len 0
> > [ 3.472354] Pid: 1, comm: swapper Not tainted 2.6.29-rc6-next-20090227-dirty #10
> > [ 3.476790] Call Trace:
> > [ 3.477860] [<c02ef9bd>] ide_cd_do_request+0x12d/0x170
> > [ 3.480496] [<c02e1d28>] start_request+0xa8/0x160
> > [ 3.481883] [<c015d92b>] ? trace_hardirqs_on+0xb/0x10
> > [ 3.485680] [<c02e1f7b>] do_ide_request+0x16b/0x250
> > [ 3.489231] [<c025e5a5>] ? blk_remove_plug+0x75/0xf0
> > [ 3.492817] [<c025f770>] blk_start_queueing+0x20/0x30
> > [ 3.495475] [<c025d2be>] elv_insert+0x17e/0x1b0
> > [ 3.497088] [<c025e458>] ? blk_plug_device+0x88/0x120
> > [ 3.499681] [<c025d372>] __elv_add_request+0x82/0xc0
> > [ 3.501428] [<c0263ad0>] blk_execute_rq_nowait+0x60/0xb0
> > [ 3.504214] [<c0263bb6>] blk_execute_rq+0x96/0xd0
> > [ 3.505802] [<c0263a40>] ? blk_end_sync_rq+0x0/0x30
> > [ 3.508392] [<c025f59c>] ? get_request_wait+0x2c/0x160
> > [ 3.509883] [<c0160429>] ? __lock_acquired+0x109/0x1c0
> > [ 3.512691] [<c025f6f4>] ? blk_get_request+0x24/0x80
> > [ 3.515239] [<c02ef196>] ide_cd_queue_pc+0xb6/0x140
>
> ok, if I read the stack dump correctly, we map an rq with rq->data = NULL to an
> sg. Code path starts at cdrom_check_status() and actually, we don't need a
> buffer here since we send a TEST_UNIT_READY and we're only interested in the
> sense returned. And this won't trigger if we haven't enabled
> CONFIG_DEBUG_VIRTUAL. Yep, I know that this is a dirty hack but it fixes it
> here. Tetsuo, does the following fix your problem?
>
> diff --git a/drivers/ide/ide-io.c b/drivers/ide/ide-io.c
> index 481fb1b..e6ac4cc 100644
> --- a/drivers/ide/ide-io.c
> +++ b/drivers/ide/ide-io.c
> @@ -238,6 +238,8 @@ void ide_map_sg(ide_drive_t *drive, struct ide_cmd *cmd)
> sg_init_one(sg, rq->buffer, rq->nr_sectors * SECTOR_SIZE);
> cmd->sg_nents = 1;
> } else if (!rq->bio) {
> + if (!rq->data)
> + rq->data = &rq->data;
> sg_init_one(sg, rq->data, rq->data_len);
> cmd->sg_nents = 1;
> } else
>
> @Bart: I'm open for suggestions wrt to a more elegant solution :).

Seems like we should check for blk_fs_request(fs) || rq->data_len
instead of unconditionally sg mapping all requests in ->do_request.

[ Sigh, I thought it is harmless to always call sg_init_one()...
probably because it was true back when I added this helper :) ]

Thanks,
Bart

2009-03-03 08:35:39

by Borislav Petkov

[permalink] [raw]
Subject: Re: linux-next-20090225: ide-cd triggers BUG at arch/x86/mm/ioremap.c:80!

Hi,

> > @Bart: I'm open for suggestions wrt to a more elegant solution :).
>
> Seems like we should check for blk_fs_request(fs) || rq->data_len
> instead of unconditionally sg mapping all requests in ->do_request.
>
> [ Sigh, I thought it is harmless to always call sg_init_one()...
> probably because it was true back when I added this helper :) ]

how about something like that:

We map to sg once in ide_issue_pc since all drivers call into that.
We have to exclude ide_tape for now since it doesn't do that and uses
its own io buffers-method. Then, we do for both ide-cd and ide-floppy
blk_rq_bytes(rq) in ide_init_sg_cmd() after I've fixed the partial
completions issue later.

Lightly tested with ide-cd for now.

@Tetsuo: please do test, this should fix your OOPS.

Thanks.

--

diff --git a/drivers/ide/ide-atapi.c b/drivers/ide/ide-atapi.c
index ff6adea..3c7992a 100644
--- a/drivers/ide/ide-atapi.c
+++ b/drivers/ide/ide-atapi.c
@@ -625,7 +625,7 @@ static ide_startstop_t ide_transfer_pc(ide_drive_t *drive)

ide_startstop_t ide_issue_pc(ide_drive_t *drive, struct ide_cmd *cmd)
{
- struct ide_atapi_pc *pc;
+ struct ide_atapi_pc *uninitialized_var(pc);
ide_hwif_t *hwif = drive->hwif;
ide_expiry_t *expiry = NULL;
struct request *rq = hwif->rq;
@@ -642,6 +642,7 @@ ide_startstop_t ide_issue_pc(ide_drive_t *drive, struct ide_cmd *cmd)

if (drive->dma)
drive->dma = !ide_dma_prepare(drive, cmd);
+
} else {
pc = drive->pc;

@@ -669,6 +670,17 @@ ide_startstop_t ide_issue_pc(ide_drive_t *drive, struct ide_cmd *cmd)
: WAIT_TAPE_CMD;
}

+ if (drive->media != ide_tape &&
+ !drive->dma && (blk_fs_request(rq) || rq->data_len)) {
+ ide_init_sg_cmd(cmd, blk_rq_bytes(rq));
+ ide_map_sg(drive, cmd);
+
+ if (drive->media == ide_floppy) {
+ pc->sg = hwif->sg_table;
+ pc->sg_cnt = cmd->sg_nents;
+ }
+ }
+
ide_init_packet_cmd(cmd, tf_flags, bcount, drive->dma);

(void)do_rw_taskfile(drive, cmd);
diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
index 9e19aec..e7c278c 100644
--- a/drivers/ide/ide-cd.c
+++ b/drivers/ide/ide-cd.c
@@ -916,10 +916,6 @@ static ide_startstop_t ide_cd_do_request(ide_drive_t *drive, struct request *rq,

cmd.rq = rq;

- ide_init_sg_cmd(&cmd,
- blk_fs_request(rq) ? (rq->nr_sectors << 9) : rq->data_len);
- ide_map_sg(drive, &cmd);
-
return ide_issue_pc(drive, &cmd);
out_end:
nsectors = rq->hard_nr_sectors;
diff --git a/drivers/ide/ide-floppy.c b/drivers/ide/ide-floppy.c
index b7f0206..9a58db3 100644
--- a/drivers/ide/ide-floppy.c
+++ b/drivers/ide/ide-floppy.c
@@ -244,7 +244,6 @@ static ide_startstop_t ide_floppy_do_request(ide_drive_t *drive,
struct request *rq, sector_t block)
{
struct ide_disk_obj *floppy = drive->driver_data;
- ide_hwif_t *hwif = drive->hwif;
struct ide_cmd cmd;
struct ide_atapi_pc *pc;

@@ -292,13 +291,6 @@ static ide_startstop_t ide_floppy_do_request(ide_drive_t *drive,
cmd.tf_flags |= IDE_TFLAG_WRITE;

cmd.rq = rq;
-
- ide_init_sg_cmd(&cmd, rq->nr_sectors << 9);
- ide_map_sg(drive, &cmd);
-
- pc->sg = hwif->sg_table;
- pc->sg_cnt = cmd.sg_nents;
-
pc->rq = rq;

return ide_floppy_issue_pc(drive, &cmd, pc);

2009-03-03 12:31:45

by Tetsuo Handa

[permalink] [raw]
Subject: Re: linux-next-20090225: ide-cd triggers BUG at arch/x86/mm/ioremap.c:80!

Hello.

Borislav Petkov wrote:
> ok, if I read the stack dump correctly, we map an rq with rq->data = NULL to an
> sg. Code path starts at cdrom_check_status() and actually, we don't need a
> buffer here since we send a TEST_UNIT_READY and we're only interested in the
> sense returned. And this won't trigger if we haven't enabled
> CONFIG_DEBUG_VIRTUAL. Yep, I know that this is a dirty hack but it fixes it
> here. Tetsuo, does the following fix your problem?
>
> diff --git a/drivers/ide/ide-io.c b/drivers/ide/ide-io.c
> index 481fb1b..e6ac4cc 100644
> --- a/drivers/ide/ide-io.c
> +++ b/drivers/ide/ide-io.c
> @@ -238,6 +238,8 @@ void ide_map_sg(ide_drive_t *drive, struct ide_cmd *cmd)
> sg_init_one(sg, rq->buffer, rq->nr_sectors * SECTOR_SIZE);
> cmd->sg_nents = 1;
> } else if (!rq->bio) {
> + if (!rq->data)
> + rq->data = &rq->data;
> sg_init_one(sg, rq->data, rq->data_len);
> cmd->sg_nents = 1;
> } else
>
Yes. This patch solved the problem.



You sent me another patch.
> @Tetsuo: please do test, this should fix your OOPS.
I'll try your new patch tomorrow.



Thanks.

2009-03-04 03:33:30

by Tetsuo Handa

[permalink] [raw]
Subject: Re: linux-next-20090225: ide-cd triggers BUG at arch/x86/mm/ioremap.c:80!

Hello.

Borislav Petkov wrote:
> how about something like that:
>
> We map to sg once in ide_issue_pc since all drivers call into that.
> We have to exclude ide_tape for now since it doesn't do that and uses
> its own io buffers-method. Then, we do for both ide-cd and ide-floppy
> blk_rq_bytes(rq) in ide_init_sg_cmd() after I've fixed the partial
> completions issue later.
>
> Lightly tested with ide-cd for now.
>
> @Tetsuo: please do test, this should fix your OOPS.
>
OK. This patch solved the problem.

Thank you.

2009-03-04 07:24:09

by Borislav Petkov

[permalink] [raw]
Subject: Re: linux-next-20090225: ide-cd triggers BUG at arch/x86/mm/ioremap.c:80!

On Wed, Mar 04, 2009 at 12:33:14PM +0900, Tetsuo Handa wrote:
> Hello.
>
> Borislav Petkov wrote:
> > how about something like that:
> >
> > We map to sg once in ide_issue_pc since all drivers call into that.
> > We have to exclude ide_tape for now since it doesn't do that and uses
> > its own io buffers-method. Then, we do for both ide-cd and ide-floppy
> > blk_rq_bytes(rq) in ide_init_sg_cmd() after I've fixed the partial
> > completions issue later.
> >
> > Lightly tested with ide-cd for now.
> >
> > @Tetsuo: please do test, this should fix your OOPS.
> >
> OK. This patch solved the problem.
>
> Thank you.

Hi,

Thanks a lot for patiently testing for us.


--
Regards/Gruss,
Boris.