Bug 156648

Summary: Kernel oops when ejecting Cardbus bridge connected Compact Flash memory
Product: [Fedora] Fedora Reporter: Matthias Saou <matthias>
Component: kernelAssignee: Dave Jones <davej>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: notting, pfrields, wtogami, zaitcev
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-05-17 19:42:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthias Saou 2005-05-02 21:05:31 UTC 
Description of problem:
Kernel oopses when ejecting Compact Flash memory from integrated Cardbus bridge
connected CF slot.

Version-Release number of selected component (if applicable):
pcmcia-cs-3.2.8-4.12
kernel-2.6.11-1.1276_FC4

How reproducible:
Always.

Steps to Reproduce:
1. Insert CF memory, it gets mounted and appears on the desktop, great!
2. Umount from the desktop icon.
3. Manually pull out the CF or run "cardctl eject" (same result)
  
Actual results:
The kernel oopses and things like the wireless network then stop working.

Expected results:
The CF card should be cleanly ejected.

Additional info:
Output from /var/log/messages when the card is inserted :

May  2 22:49:42 twister kernel: cs: memory probe 0xa0000000-0xa0ffffff: clean.
May  2 22:49:42 twister cardmgr[1944]: socket 0: ATA/IDE Fixed Disk
May  2 22:49:42 twister kernel: hdc: CFA, CFA DISK drive
May  2 22:49:43 twister kernel: ide1 at 0x100-0x107,0x10e on irq 3
May  2 22:49:43 twister kernel: hdc: max request size: 128KiB
May  2 22:49:43 twister kernel: hdc: 128128 sectors (65 MB) w/4KiB Cache,
CHS=1001/4/32
May  2 22:49:43 twister kernel: hdc: cache flushes not supported
May  2 22:49:43 twister kernel:  hdc: hdc1
May  2 22:49:43 twister kernel: ide-cs: hdc: Vcc = 3.3, Vpp = 0.0
May  2 22:49:43 twister cardmgr[1944]: executing: './ide start hdc 2>&1'
May  2 22:49:43 twister cardmgr[1944]: + ./ide: line 34: /sbin/ide_info: No such
file or directory
May  2 22:49:43 twister kernel:  hdc: hdc1
May  2 22:49:43 twister last message repeated 2 times
May  2 22:49:44 twister fstab-sync[3964]: added mount point /media/CANON_DC for
/dev/hdc1
May  2 22:49:44 twister kernel:  hdc: hdc1

Output from dmesg when "cardctl eject" was run just after (nothing new is
written to /var/log/messages) :

Unable to handle kernel NULL pointer dereference at virtual address 00000010
 printing eip:
c02af620
*pde = 1d761067
Oops: 0000 [#1]
Modules linked in: vfat fat ide_cs arc4 ieee80211_crypt_wep i915 drm rfcomm
l2cap hci_usb bluetooth pcmcia md5 ipv6 dm_mod video button battery ac ohci1394
ieee1394 yenta_socket rsrc_nonstatic pcmcia_core uhci_hcd ehci_hcd snd_intel8x0m
i2c_i801 i2c_core snd_intel8x0 snd_ac97_codec snd_seq_dummy snd_seq_oss
snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm
snd_timer snd soundcore snd_page_alloc ipw2200 ieee80211 ieee80211_crypt tg3
joydev ext3 jbd
CPU:    0
EIP:    0060:[<c02af620>]    Not tainted VLI
EFLAGS: 00010282   (2.6.11-1.1276_FC4)
EIP is at ide_drive_remove+0x8/0xe
eax: c04938c4   ebx: c04939d8   ecx: c04939c4   edx: 00000000
esi: c04939b4   edi: c03e9978   ebp: e51ea0ac   esp: edb8ce30
ds: 007b   es: 007b   ss: 0068
Process cardctl (pid: 4056, threadinfo=edb8c000 task=edb5aaa0)
Stack: c0288390 c03e92e0 c03e9344 c04939b4 c0288599 c04939b4 c0493d7c c0493834
       c0287795 c04939b4 00000002 c02877ca c04938c4 c02acc2b 00000000 00001000
       ede59d18 00028186 00001000 c015a0a4 ddb65108 e0a510a8 c04938c4 00000001
Call Trace:
 [<c0288390>] device_release_driver+0x4c/0x57
 [<c0288599>] bus_remove_device+0x65/0x9e
 [<c0287795>] device_del+0x65/0x92
 [<c02877ca>] device_unregister+0x8/0x10
 [<c02acc2b>] ide_unregister+0x27d/0x941
 [<c015a0a4>] poison_obj+0x20/0x3d
 [<f04047d6>] ide_release+0x1f/0x54 [ide_cs]
 [<f040488d>] ide_event+0x82/0xa1 [ide_cs]
 [<f03b9b52>] send_event_callback+0x28/0x2a [pcmcia]
 [<c0288029>] __bus_for_each_dev+0x4e/0x7f
 [<c0288111>] bus_for_each_dev+0x3b/0x57
 [<f03b9b2a>] send_event_callback+0x0/0x2a [pcmcia]
 [<f03b9b9d>] send_event+0x49/0x5c [pcmcia]
 [<f03b9b2a>] send_event_callback+0x0/0x2a [pcmcia]
 [<f03b9bf9>] ds_event+0x49/0x90 [pcmcia]
 [<f02997d7>] send_event+0x31/0x66 [pcmcia_core]
 [<f0299820>] socket_shutdown+0x8/0x27 [pcmcia_core]
 [<f0299c89>] socket_remove+0x8/0x34 [pcmcia_core]
 [<f029b9db>] pcmcia_eject_card+0x5b/0x5f [pcmcia_core]
 [<f03bb1b6>] ds_ioctl+0x381/0x656 [pcmcia]
 [<c01912df>] sys_unlink+0x33/0x119
 [<f03bae35>] ds_ioctl+0x0/0x656 [pcmcia]
 [<c0193591>] do_ioctl+0x51/0x55
 [<c0193687>] vfs_ioctl+0x50/0x1aa
 [<c019383e>] sys_ioctl+0x5d/0x6b
 [<c0103a61>] syscall_call+0x7/0xb
Code: 92 3e c0 89 44 24 0c c7 44 24 08 1b 08 00 00 c7 44 24 04 78 7d 39 c0 c7 04
24 74 03 38 c0 e8 6b 12 e7 ff 2d f0 00 00 00 8b 50 1c <ff> 52 10 31 c0 c3 55 57
56 53 83 ec 28 89 c7 81 3d 10 92 3e c0


The "/sbin/ide_info: No such file or directory" looks like a possible minor bug
in the pcmcia-cs package, but I guess the major bug is somewhere in the kernel.
Please change component as appropriate if such is the case.
Comment 1 Matthias Saou 2005-05-17 19:42:01 UTC 
Updated all packages on this little laptop as of today, and it now works like a
charm with the 2.6.11-1.1305_FC4 kernel. I've tested about 10 times in a row,
and inserting the CF card gets it detected as hdc, hdc1 gets mounted and shows
up on the desktop, unmounting it from the desktop and removing it from the CF
slot doesn't cause any more problems.
Comment 2 Pete Zaitcev 2005-05-17 19:57:50 UTC 
This cannot be happening, because I only posted the fix on May 14,
and received a confirmation from Andrew on May 15.
 http://lkml.org/lkml/2005/5/14/112
There were no time for DaveJ to scoop the fix from -mm tree.
I suspect it's something else (I know -ac had some workaround...)
I'll look closer into 1.1305 (Matthias - thanks for documenting
the actual version!)
Comment 3 Matthias Saou 2005-05-17 22:25:46 UTC 
Just in case, since I starting having some doubts after reading your reply : I
was unmounting the CF card, then directly pulling it out. But after trying (just
in case) doing an explicit "cardctl eject", it also works fine. So either there
is indeed the fix or a workaround... or it's black magic :-)