On Sun, August 11, 2013, Alban Browaeys wrote:
> The oops spots commit add710e , though I cannot tell if the commit is
> at fault. That is could card from md->queue.card be null and then checks
> are missing before dereference or is the issue that card is null when it
> ought not.
> This happens when I do :
> # echo "mem" > /sys/power/state
>
> mmc1 is emmc that can be detached:
>
> dts (derived from exynos4412-odroidx and exynos4412-origen)
> mshc@12550000 {
> #address-cells = <1>;
> #size-cells = <0>;
> pinctrl-0 = <&sd4_clk &sd4_cmd &sd4_cd &sd4_bus8>;
> pinctrl-names = "default";
> vmmc-supply = <&ldo20_reg &buck8_reg>;
> status = "okay";
>
> num-slots = <1>;
> supports-highspeed;
> broken-cd;
> fifo-depth = <0x80>;
> card-detect-delay = <200>;
> samsung,dw-mshc-ciu-div = <3>;
> samsung,dw-mshc-sdr-timing = <2 3>;
> samsung,dw-mshc-ddr-timing = <1 2>;
> samsung,dw-mshc-hwreset-gpio = <&gpk1 2 1>;
>
> slot@0 {
> reg = <0>;
> bus-width = <8>;
> };
> };
>
> ie drivers/mmc/host/dw_mmc-exynos.c
>
>
> The commit that produce the issue
> commit add710eaa88606de8ba98a014d37178579e6dbaf
> Author: Johan Rudholm <[email protected]>
> Date: Fri Dec 2 08:51:06 2011 +0100
>
> mmc: boot partition ro lock support
>
> Enable boot partitions to be read-only locked until next power on
> via
> a sysfs entry. There will be one sysfs entry for each boot
> partition:
>
> /sys/block/mmcblkXbootY/ro_lock_until_next_power_on
>
> Each boot partition is locked by writing 1 to its file.
>
> Signed-off-by: Johan Rudholm <[email protected]>
> Signed-off-by: John Beckett <[email protected]>
> Signed-off-by: Chris Ball <[email protected]>
>
I think a actual cause seems from below.
'mq->card = NULL;' is done in mmc_cleanup_queue().
It needs to fix.
commit fdfa20c1631210d0ca218689204682ea80e170e3
Author: Paul Taysom <[email protected]>
Date: Tue Jun 4 14:42:40 2013 -0700
mmc: reordered shutdown sequence in mmc_bld_remove_req
We had a multi-partition SD-Card with two ext2 file systems. The partition
table was getting overwritten by a race between the card removal and
the unmount of the 2nd ext2 partition.
<...>
Addresses the problem described in http://crbug.com/240815
Signed-off-by: Paul Taysom <[email protected]>
Signed-off-by: Chris Ball <[email protected]>
Thanks,
Seungwon Jeon
>
>
> Oops:
>
> Unable to handle kernel NULL pointer dereference at virtual address 000002a8
> pgd = ecd9c000
> [000002a8] *pgd=6d082831, *pte=00000000, *ppte=00000000
> Internal error: Oops: 17 [#1] SMP ARM
> Modules linked in: bnep rfcomm smsc95xx usbnet mii bluetooth nfsd lockd
> nfs_acl exportfs auth_rpcgss
> sunrpc oid_registry vfat fat btrfs raid6_pq xor zlib_deflate
> CPU: 3 PID: 2384 Comm: bash Not tainted 3.11.0-rc4-00869-ga7143f1-dirty #60
> task: c46d9b00 ti: ecefc000 task.ti: ecefc000
> PC is at mmc_blk_remove_req+0x58/0x88
> LR is at _raw_spin_unlock_irqrestore+0xc/0x14
> pc : [<c034e7d8>] lr : [<c0494ac8>] psr: 200f0053
> sp : ecefddf8 ip : 00000000 fp : 000dc1e8
> r10: c058ead8 r9 : ecce3f18 r8 : 00100100
> r7 : 00200200 r6 : c26b7118 r5 : 00000000 r4 : c26b1dc0
> r3 : 00000002 r2 : 00000000 r1 : 200f0053 r0 : 00000000
> Flags: nzCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment user
> Control: 10c5387d Table: 6cd9c04a DAC: 00000015
> Process bash (pid: 2384, stack limit = 0xecefc240)
> Stack: (0xecefddf8 to 0xecefe000)
> dde0: c26b2058 c26b6898
> de00: c26b6898 c03512d0 d2623180 d2623188 c06bb90c c26b06d8 c26b6e80 c0351308
> de20: 00000000 c0494ac8 d2623188 c06bbd54 c06bb90c c26b06d8 00000003 c034409c
> de40: c0344084 c0265a20 c46d9b00 d26231bc d2623188 c0265a88 00000000 d2623188
> de60: c479aafc c0265410 d2623188 c26b0448 00000001 c0262c04 d2623188 c26b0440
> de80: 00000001 c034463c c26b0440 c0345124 c26b060c c0343fb0 c0343f1c fffffffc
> dea0: c06bb3f8 00000000 00000000 c00413b4 c0690fec ffffffff 00000000 00000003
> dec0: 00000004 c00417b4 00000000 c0497a70 00000003 00000003 c06c5a60 c0497a70
> dee0: 00000003 c00417e4 00000000 00000003 c06c5a60 c0059d48 00000000 c005aa9c
> df00: ed366000 00000003 c0497a70 c0059a68 00000004 ecefdf80 ecce3f00 d27f6d20
> df20: 00000004 d27f5e80 c04b06b8 c01d610c 00000004 c012b224 ed0ee000 00000004
> df40: 000af408 ecefdf80 00000000 00000000 00000000 c00d59d4 c4607900 00000001
> df60: 0000000a ed0ee000 00000000 000af408 00000004 00000000 00000000 c00d5d3c
> df80: 00000000 00000000 00000000 b6e98a78 00000004 000af408 00000004 c000ebc8
> dfa0: ecefc000 c000ea20 b6e98a78 00000004 00000001 000af408 00000004 00000000
> dfc0: b6e98a78 00000004 000af408 00000004 be9c596c 000a6094 00000000 000dc1e8
> dfe0: 00000000 be9c58ec b6e07747 b6e3f11c 40070050 00000001 429a2201 8108f000
> [<c034e7d8>] (mmc_blk_remove_req+0x58/0x88) from [<c03512d0>]
> (mmc_blk_remove_parts.isra.5+0x90/0xa8)
> [<c03512d0>] (mmc_blk_remove_parts.isra.5+0x90/0xa8) from [<c0351308>]
> (mmc_blk_remove+0x20/0x128)
> [<c0351308>] (mmc_blk_remove+0x20/0x128) from [<c034409c>]
> (mmc_bus_remove+0x18/0x20)
> [<c034409c>] (mmc_bus_remove+0x18/0x20) from [<c0265a20>]
> (__device_release_driver+0x7c/0xc8)
> [<c0265a20>] (__device_release_driver+0x7c/0xc8) from [<c0265a88>]
> (device_release_driver+0x1c/0x28)
> [<c0265a88>] (device_release_driver+0x1c/0x28) from [<c0265410>]
> (bus_remove_device+0x100/0x11c)
> [<c0265410>] (bus_remove_device+0x100/0x11c) from [<c0262c04>]
> (device_del+0x110/0x174)
> [<c0262c04>] (device_del+0x110/0x174) from [<c034463c>]
> (mmc_remove_card+0x64/0x78)
>
> [<c034463c>] (mmc_remove_card+0x64/0x78) from [<c0345124>]
> (mmc_remove+0x24/0x30)
>
> [<c0345124>] (mmc_remove+0x24/0x30) from [<c0343fb0>]
> (mmc_pm_notify+0x94/0xf8)
> [<c0343fb0>] (mmc_pm_notify+0x94/0xf8) from [<c00413b4>]
> (notifier_call_chain+0x44/0x84)
> [<c00413b4>] (notifier_call_chain+0x44/0x84) from [<c00417b4>]
> (__blocking_notifier_call_chain+0x48/0x60)
> [<c00417b4>] (__blocking_notifier_call_chain+0x48/0x60) from [<c00417e4>]
> (blocking_notifier_call_chain+0x18/0x20)
> [<c00417e4>] (blocking_notifier_call_chain+0x18/0x20) from [<c0059d48>]
> (pm_notifier_call_chain+0x14/0x2c)
> [<c0059d48>] (pm_notifier_call_chain+0x14/0x2c) from [<c005aa9c>]
> (pm_suspend+0xac/0x24c)
> [<c005aa9c>] (pm_suspend+0xac/0x24c) from [<c0059a68>] (state_store+0xb0/0xc4)
> [<c0059a68>] (state_store+0xb0/0xc4) from [<c01d610c>]
> (kobj_attr_store+0x14/0x20)
> [<c01d610c>] (kobj_attr_store+0x14/0x20) from [<c012b224>]
> (sysfs_write_file+0x118/0x164)
> [<c012b224>] (sysfs_write_file+0x118/0x164) from [<c00d59d4>]
> (vfs_write+0xd8/0x178)
> [<c00d59d4>] (vfs_write+0xd8/0x178) from [<c00d5d3c>] (SyS_write+0x40/0x68)
> [<c00d5d3c>] (SyS_write+0x40/0x68) from [<c000ea20>]
> (ret_fast_syscall+0x0/0x30)
> Code: ebfc509b e59432dc e3130002 0a000006 (e5d532a8)
>
>
> decodecode:
> Code: ebfc509b e59432dc e3130002 0a000006 (e5d532a8)
> All code
> ========
> 0: ebfc509b bl 0xfff14274
> 4: e59432dc ldr r3, [r4, #732] ; 0x2dc
> 8: e3130002 tst r3, #2
> c: 0a000006 beq 0x2c
> 10:* e5d532a8 ldrb r3, [r5, #680] ; 0x2a8 <-- trapping
> instruction
>
> Code starting with the faulting instruction
> ===========================================
> 0: e5d532a8 ldrb r3, [r5, #680] ; 0x2a8
>
> from objdump -S:
> static void mmc_blk_remove_req(struct mmc_blk_data *md)
> {
> c034e780: e92d4038 push {r3, r4, r5, lr}
> struct mmc_card *card;
>
> if (md) {
> c034e784: e2504000 subs r4, r0, #0
> c034e788: 08bd8038 popeq {r3, r4, r5, pc}
> /*
> * Flush remaining requests and free queues. It
> * is freeing the queue that stops new requests
> * from being accepted.
> */
> mmc_cleanup_queue(&md->queue);
> c034e78c: e2845014 add r5, r4, #20
> c034e790: e1a00005 mov r0, r5
> c034e794: eb000e2b bl c0352048 <mmc_cleanup_queue>
> if (md->flags & MMC_BLK_PACKED_CMD)
> c034e798: e59432a0 ldr r3, [r4, #672] ; 0x2a0
> c034e79c: e3130004 tst r3, #4
> c034e7a0: 0a000001 beq c034e7ac <mmc_blk_remove_req+0x2c>
> mmc_packed_clean(&md->queue);
> c034e7a4: e1a00005 mov r0, r5
> c034e7a8: eb000df6 bl c0351f88 <mmc_packed_clean>
> card = md->queue.card;
> if (md->disk->flags & GENHD_FL_UP) {
> c034e7ac: e5940010 ldr r0, [r4, #16]
> * from being accepted.
> */
> mmc_cleanup_queue(&md->queue);
> if (md->flags & MMC_BLK_PACKED_CMD)
> mmc_packed_clean(&md->queue);
> card = md->queue.card;
> c034e7b0: e5945014 ldr r5, [r4, #20]
> if (md->disk->flags & GENHD_FL_UP) {
> c034e7b4: e5903244 ldr r3, [r0, #580] ; 0x244
> c034e7b8: e3130010 tst r3, #16
> c034e7bc: 0a00000e beq c034e7fc <mmc_blk_remove_req+0x7c>
> device_remove_file(disk_to_dev(md->disk),
> &md->force_ro);
> c034e7c0: e2800068 add r0, r0, #104 ; 0x68
> c034e7c4: e2841faf add r1, r4, #700 ; 0x2bc
> c034e7c8: ebfc509b bl c0262a3c <device_remove_file>
> if ((md->area_type & MMC_BLK_DATA_AREA_BOOT) &&
> c034e7cc: e59432dc ldr r3, [r4, #732] ; 0x2dc
> c034e7d0: e3130002 tst r3, #2
> c034e7d4: 0a000006 beq c034e7f4 <mmc_blk_remove_req+0x74>
> c034e7d8: e5d532a8 ldrb r3, [r5, #680] ; 0x2a8
> c034e7dc: e3530000 cmp r3, #0
> c034e7e0: 0a000003 beq c034e7f4 <mmc_blk_remove_req+0x74>
> card->ext_csd.boot_ro_lockable)
> device_remove_file(disk_to_dev(md->disk),
> c034e7e4: e5940010 ldr r0, [r4, #16]
>
>
> that is r5 is "card = md->queue.card;" and is null, then on
> card->ext_csd.boot_ro_lockable oops ensue.
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-mmc" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-mmc" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
