2.6.3rc4 ali1535 i2c driver rmmod oops.

2.6.3rc4 ali1535 i2c driver rmmod oops.

[Dave Jones]

Erk, whats going on here ?

		Dave

kfree_debugcheck: bad ptr c0317600h.
------------[ cut here ]------------
kernel BUG at mm/slab.c:1655!
invalid operand: 0000 [#1]
CPU:    0
EIP:    0060:[<c0146d69>]    Not tainted
EFLAGS: 00010086
EIP is at kfree+0x5c/0x298
eax: c02dd380   ebx: 00007b98   ecx: 00000000   edx: c0317600
esi: c0317600   edi: c031a7d8   ebp: 00000000   esp: c2587f54
ds: 007b   es: 007b   ss: 0068
Process rmmod (pid: 1349, threadinfo=c2586000 task=c22b7940)
Stack: 00000000 00000286 c78a0980 00000000 c031a7d8 00000000 c013a805 5f633269
       31696c61 00353335 c4e4c2d8 b8079000 c014ff4d c29bc104 b807a000 c01503f9
       c4e4c314 c31fa318 c49e98f4 00000246 c4e4c2d8 00e4c300 00000000 bff32ff8
Call Trace:
 [<c013a805>] sys_delete_module+0x168/0x18a
 [<c014ff4d>] unmap_vma_list+0xe/0x17
 [<c01503f9>] do_munmap+0x17d/0x189
 [<c010b697>] syscall_call+0x7/0xb
 
Code: 0f 0b 77 06 1b c6 2d c0 a1 4c 81 3d c0 8b 5c 18 08 b8 00 e0

Re: 2.6.3rc4 ali1535 i2c driver rmmod oops.

[Linus Torvalds]

On Wed, 18 Feb 2004, Dave Jones wrote:
>
> Erk, whats going on here ?

Normally this would mean that somebody is trying to "kfree" a pointer that 
wasn't allocated with "kmalloc()". That seems unlikely in this case, so it 
might be a double free or some other internal corruption..

That "sys_delete_module()" thing seems like some stale kernel stack 
contents, so it's possible that that is the thing that messed up and left 
something in an inconsistent state.

Do you know what module it was?

			Linus

Re: 2.6.3rc4 ali1535 i2c driver rmmod oops.

[Dave Jones]

On Tue, Feb 17, 2004 at 07:47:01PM -0800, Linus Torvalds wrote:
 > 
 > 
 > On Wed, 18 Feb 2004, Dave Jones wrote:
 > >
 > > Erk, whats going on here ?
 > 
 > Normally this would mean that somebody is trying to "kfree" a pointer that 
 > wasn't allocated with "kmalloc()". That seems unlikely in this case, so it 
 > might be a double free or some other internal corruption..
 > 
 > That "sys_delete_module()" thing seems like some stale kernel stack 
 > contents, so it's possible that that is the thing that messed up and left 
 > something in an inconsistent state.
 > 
 > Do you know what module it was?

I felt masochistic, so decided to 'see what would happen' when I ran this..

for i in `find /lib/modules/2.6.2-prep/ -name *.ko`
do
	MOD=`basename $i | sed s/.ko//`
	echo module: $i
	echo inserting
	/sbin/modprobe $MOD
	sync
	echo removing
	/sbin/rmmod $MOD
	echo
	sync
	#sleep 1
done

.. And then sat back and watched the carnage.

After the ali1535 i2c module blew up and took the box with it,
I rebooted, and did a modprobe / rmmod of that module alone.
Exactly the same result. Reproducable every time.

		Dave

Re: 2.6.3rc4 ali1535 i2c driver rmmod oops.

[Linus Torvalds]

On Wed, 18 Feb 2004, Dave Jones wrote:
> 
> I felt masochistic, so decided to 'see what would happen' when I ran this..

Whee. Fun. Do you actually have the hardware for it, or did it blow up 
even without any supported hardware?

		Linus

Re: 2.6.3rc4 ali1535 i2c driver rmmod oops.

[Greg KH]

On Wed, Feb 18, 2004 at 03:15:44AM +0000, Dave Jones wrote:
> Erk, whats going on here ?

Hm, I'll try to debug this tomorrow.

Oh nevermind, that's just a dumb driver.  It's doing a release_region on
memory it didn't get.  Stupid, stupid, stupid...

Dave can you verify that this patch fixes the problem for you?

thanks,

greg k-h


===== i2c-ali1535.c 1.12 vs edited =====
--- 1.12/drivers/i2c/busses/i2c-ali1535.c	Tue Jan 20 08:58:03 2004
+++ edited/i2c-ali1535.c	Tue Feb 17 20:00:44 2004
@@ -517,6 +517,7 @@
 static void __devexit ali1535_remove(struct pci_dev *dev)
 {
 	i2c_del_adapter(&ali1535_adapter);
+	release_region(ali1535_smba, ALI1535_SMB_IOSIZE);
 }
 
 static struct pci_driver ali1535_driver = {
@@ -534,7 +535,6 @@
 static void __exit i2c_ali1535_exit(void)
 {
 	pci_unregister_driver(&ali1535_driver);
-	release_region(ali1535_smba, ALI1535_SMB_IOSIZE);
 }
 
 MODULE_AUTHOR("Frodo Looijaard <frodol@dds.nl>, "

Re: 2.6.3rc4 ali1535 i2c driver rmmod oops.

[Dave Jones]

On Tue, Feb 17, 2004 at 08:00:35PM -0800, Linus Torvalds wrote:

 > > I felt masochistic, so decided to 'see what would happen' when I ran this..
 > Whee. Fun. Do you actually have the hardware for it, or did it blow up 
 > even without any supported hardware?

-ENOHARDWARE.
Judging by the number of bugs this has thrown up, not many folks test the
'try a driver without the hardware' paths too often.

		Dave

Re: 2.6.3rc4 ali1535 i2c driver rmmod oops.

[Dave Jones]

On Tue, Feb 17, 2004 at 08:01:54PM -0800, Greg KH wrote:

 > Oh nevermind, that's just a dumb driver.  It's doing a release_region on
 > memory it didn't get.  Stupid, stupid, stupid...
 > 
 > Dave can you verify that this patch fixes the problem for you?

yep, 1 rmmod bug down, 16 billion to go.

thanks for fixing this up.

		Dave

Re: 2.6.3rc4 ali1535 i2c driver rmmod oops.

[viro]

On Wed, Feb 18, 2004 at 04:02:52AM +0000, Dave Jones wrote:
> On Tue, Feb 17, 2004 at 08:00:35PM -0800, Linus Torvalds wrote:
> 
>  > > I felt masochistic, so decided to 'see what would happen' when I ran this..
>  > Whee. Fun. Do you actually have the hardware for it, or did it blow up 
>  > even without any supported hardware?
> 
> -ENOHARDWARE.
> Judging by the number of bugs this has thrown up, not many folks test the
> 'try a driver without the hardware' paths too often.

Hell, yes.  You should've seen the crap fixed by NE* patches in drivers/net/* -
it certainly looks like the common mindset is "if this miserable box can't,
for whatever reason, run My Driver(tm) - why the fuck does it dare to exist?"

Re: 2.6.3rc4 ali1535 i2c driver rmmod oops.

[Jean Delvare]

> Oh nevermind, that's just a dumb driver.  It's doing a release_region
> on memory it didn't get.  Stupid, stupid, stupid...

While we're at it, what about fixing two other drivers that obviously
have the same problem?

(BTW I didn't get an oops as I tried reproducing the problem, only a
"Trying to free nonexistent resource" in dmesg.)

I'm backporting these fixes to the lm_sensors2 CVS repository at the
moment, thanks for pointing them out.

--- linux-2.6.3/drivers/i2c/busses/i2c-i801.c.orig	Thu Feb  5 22:24:55 2004
+++ linux-2.6.3/drivers/i2c/busses/i2c-i801.c	Sat Feb 21 08:03:28 2004
@@ -608,6 +608,7 @@
 static void __devexit i801_remove(struct pci_dev *dev)
 {
 	i2c_del_adapter(&i801_adapter);
+	release_region(i801_smba, (isich4 ? 16 : 8));
 }
 
 static struct pci_driver i801_driver = {
@@ -625,7 +626,6 @@
 static void __exit i2c_i801_exit(void)
 {
 	pci_unregister_driver(&i801_driver);
-	release_region(i801_smba, (isich4 ? 16 : 8));
 }
 
 MODULE_AUTHOR ("Frodo Looijaard <frodol@dds.nl>, "


--- linux-2.6.3/drivers/i2c/busses/i2c-sis5595.c.orig	Thu Feb  5 22:24:55 2004
+++ linux-2.6.3/drivers/i2c/busses/i2c-sis5595.c	Sat Feb 21 08:03:11 2004
@@ -391,6 +391,7 @@
 static void __devexit sis5595_remove(struct pci_dev *dev)
 {
 	i2c_del_adapter(&sis5595_adapter);
+	release_region(sis5595_base + SMB_INDEX, 2);
 }
 
 static struct pci_driver sis5595_driver = {
@@ -408,7 +409,6 @@
 static void __exit i2c_sis5595_exit(void)
 {
 	pci_unregister_driver(&sis5595_driver);
-	release_region(sis5595_base + SMB_INDEX, 2);
 }
 
 MODULE_AUTHOR("Frodo Looijaard <frodol@dds.nl>");

-- 
Jean Delvare
http://www.ensicaen.ismra.fr/~delvare/

Re: 2.6.3rc4 ali1535 i2c driver rmmod oops.

[Greg KH]

On Sat, Feb 21, 2004 at 08:19:53AM +0100, Jean Delvare wrote:
> > Oh nevermind, that's just a dumb driver.  It's doing a release_region
> > on memory it didn't get.  Stupid, stupid, stupid...
> 
> While we're at it, what about fixing two other drivers that obviously
> have the same problem?
> 
> (BTW I didn't get an oops as I tried reproducing the problem, only a
> "Trying to free nonexistent resource" in dmesg.)
> 
> I'm backporting these fixes to the lm_sensors2 CVS repository at the
> moment, thanks for pointing them out.

Applied, thanks.

greg k-h